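def create_user_info(client, user, scope_set, id_token=False):
    '''Build the OIDC user info dictionary of ``user`` as released to ``client``.

    The result always carries the ``sub`` claim (``make_sub``).  Every other
    claim configured on the client (``client.oidcclaim_set`` entries with a
    name) is added only when at least one of its scopes is in ``scope_set``
    AND the attribute it maps to (``claim.value``) is present in the
    attributes resolved for the user; values go through
    ``normalize_claim_values``.  When the attribute source also exposes
    ``<attribute>:verified``, a ``<attribute>_verified`` flag set to True is
    added.  The ``idp_oidc_modify_user_info`` hooks may then modify the
    dictionary in place.

    Parameters
    ----------
    client : the OIDC client (relying party) the user info is produced for
    user : the authenticated user
    scope_set : granted scopes; claims whose scopes are all outside it are
        omitted, so ``scope_set`` is what bounds the data released
    id_token : accepted for callers that pass it; not read by this body

    Returns
    -------
    dict : the user info claims
    '''
    user_info = {'sub': make_sub(client, user)}
    attributes = get_attributes({
        'user': user,
        'request': None,
        'service': client,
        '__wanted_attributes': client.get_wanted_attributes(),
    })
    for claim in client.oidcclaim_set.filter(name__isnull=False):
        # release a claim only when one of its scopes was actually granted
        if not set(claim.get_scopes()).intersection(scope_set):
            continue
        if claim.value not in attributes:
            continue
        user_info[claim.name] = normalize_claim_values(attributes[claim.value])
        # check if attribute is verified
        # NOTE(review): the flag is keyed on the attribute name (claim.value),
        # not on the claim name, so a claim named "email" mapped to attribute
        # "mail" yields "mail_verified" rather than "email_verified" — confirm
        # this is intended before relying on it from a relying party.
        if claim.value + ':verified' in attributes:
            user_info[claim.value + '_verified'] = True
    hooks.call_hooks('idp_oidc_modify_user_info', client, user, scope_set, user_info)
    return user_info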
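def get_attributes(self, request, st):
    '''Retrieve the attributes of the user owning the session bound to ticket ``st``.

    The attributes are resolved once and cached on the ticket object itself
    (``st.attributes``); later calls return the cached dictionary.

    Parameters
    ----------
    request : the current HTTP request, forwarded to the attribute resolver
    st : the service ticket; must expose ``service``, ``session_key`` and
        ``user_id``

    Returns
    -------
    dict : the attributes wanted by ``st.service`` for the session user

    Raises
    ------
    AssertionError : when the session key does not resolve to an
        authenticated user, or when that user is not the one the ticket was
        issued to.  Raised explicitly rather than through ``assert`` so the
        check is not stripped under ``python -O``.
    '''
    if not hasattr(st, 'attributes'):
        wanted_attributes = st.service.get_wanted_attributes()
        user = get_user_from_session_key(st.session_key)
        # an anonymous (pk-less) or missing session user must never yield attributes;
        # the session key is deliberately kept out of the message
        if not getattr(user, 'pk', None):
            raise AssertionError('ticket session does not belong to an authenticated user')
        # the session user must be the user the ticket was issued to
        if st.user_id != user.pk:
            raise AssertionError('ticket session user does not match ticket user')
        # module-level get_attributes(), not this method
        st.attributes = get_attributes({
            'request': request,
            'user': user,
            'service': st.service,
            '__wanted_attributes': wanted_attributes,
        })
    return st.attributes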
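def sync_ldap_ressource(self, ressource, **options):
    '''Push the users selected by ``ressource`` into an LDAP directory.

    Users are processed in batches of ``options['batch_size']``: the LDAP
    attributes of each user are computed from the ``ressource`` mappings,
    compared with what the directory holds under ``ressource['base_dn']``,
    then added or replaced.  Once every batch is done, entries under the
    base DN that belong to no synced user are deleted unless
    ``ressource['delete']`` is False.  With ``options['fake']`` nothing is
    written to the directory; the would-be operations are only reported when
    ``verbosity`` > 1 (stale entries are collected in that mode too, so the
    dry-run report lists them).

    Parameters
    ----------
    ressource : dict describing the target directory; required keys ``url``,
        ``base_dn``, ``attribute_mapping``; optional ``use_tls``, ``bind_dn``,
        ``bind_pw``, ``static_attributes``, ``format_mapping``,
        ``attribute_context``, ``ldap_filter``, ``delete``, ``a2_filter``
    options : command options; ``verbosity``, ``fake`` and ``batch_size``
        are read

    Raises
    ------
    ValueError : if ``bind_dn`` is set but ``bind_pw`` is empty.  A simple
        bind with a DN and no password is an "unauthenticated bind"
        (RFC 4513 §5.1.2) that a server may treat as anonymous, which would
        silently run the whole sync without the intended credentials.
    '''
    verbosity = int(options['verbosity'])
    fake = options['fake']
    # FIXME: Check ressource well formedness
    base_dn = ressource['base_dn']
    use_tls = ressource.get('use_tls')
    bind_dn = ressource.get('bind_dn')
    bind_pw = ressource.get('bind_pw')
    if bind_dn and not bind_pw:
        raise ValueError('bind_dn is set but bind_pw is empty: refusing an unauthenticated bind')

    attribute_mapping = utils.lower_keys(ressource['attribute_mapping'])
    static_attributes = utils.lower_keys(ressource.get('static_attributes', {}))
    format_mapping = utils.lower_keys(ressource.get('format_mapping', {}))
    # attributes read back from the directory to decide whether an entry needs an update
    attributes = set(attribute_mapping) | set(static_attributes)
    default_ctx = ressource.get('attribute_context', {})
    ldap_filter = ressource.get('ldap_filter', '(objectclass=*)')
    delete = ressource.get('delete', True)

    conn = paged.PagedLDAPObject(ressource['url'], retry_max=10, retry_delay=2)
    try:
        if use_tls:
            # NOTE(review): whether the server certificate is verified here depends on
            # the process-wide TLS options / ldap.conf, nothing in this function sets it.
            conn.start_tls_s()
        if bind_dn:
            conn.simple_bind_s(bind_dn, bind_pw)

        User = compat.get_user_model()
        qs = User.objects.filter(**ressource.get('a2_filter', {}))
        todelete = set()
        user_dns = set()
        for batch in utils.batch(qs, options['batch_size']):
            ldap_users = {}
            filters = []
            for user in batch:
                ldap_attributes = self._ldap_attributes_for_user(
                    user, default_ctx, attribute_mapping, static_attributes, format_mapping)
                dn, filt = self.build_dn_and_filter(ressource, ldap_attributes)
                user_dns.add(dn)
                ldap_users[dn] = ldap_attributes
                filters.append(filt)
            batch_filter = ldap_filter
            if filters:
                batch_filter = self.format_filter(('&', (batch_filter, ('|', filters))))
            # compare the batch with what the directory already holds
            existing_dn = set()
            for dn, entry in conn.paged_search_ext_s(base_dn, ldap.SCOPE_SUBTREE, batch_filter, list(attributes)):
                entry = utils.to_dict_of_set(utils.lower_keys(entry))
                if dn not in ldap_users:
                    # matched the batch filter but is not one of our users
                    todelete.add(dn)
                    continue
                if entry == utils.to_dict_of_set(ldap_users[dn]):
                    # no need to update, entry is already ok
                    del ldap_users[dn]
                    continue
                existing_dn.add(dn)
            self._write_batch(conn, ldap_users, existing_dn, fake, verbosity)
        # anything under the base DN that no synced user produced is stale
        for dn, entry in conn.paged_search_ext_s(base_dn, ldap.SCOPE_SUBTREE, ldap_filter):
            # ignore the basedn
            if dn == base_dn:
                continue
            if dn not in user_dns:
                todelete.add(dn)
        if delete:
            if verbosity > 1:
                print('- Deleting: %s' % ', '.join(todelete))
            if not fake:
                for dn in todelete:
                    conn.delete(dn)
                # delete() is asynchronous; collect one result per request
                for dn in todelete:
                    conn.result()
    finally:
        conn.unbind_s()

def _ldap_attributes_for_user(self, user, default_ctx, attribute_mapping, static_attributes, format_mapping):
    '''Compute the LDAP attribute dictionary of one user from the ressource mappings.

    ``attribute_mapping`` maps an LDAP attribute to one or more authentic
    attribute names looked up in the resolved context, ``static_attributes``
    to constant values, and ``format_mapping`` to ``str.format`` templates
    rendered against the context.  A single name or template is accepted in
    place of a list.
    '''
    ctx = default_ctx.copy()
    ctx['user'] = user
    ctx = get_attributes(ctx)
    ldap_attributes = {}
    for ldap_attribute, a2_attributes in attribute_mapping.items():
        if not isinstance(a2_attributes, (tuple, list)):
            a2_attributes = [a2_attributes]
        for a2_attribute in a2_attributes:
            self.add_values(ldap_attributes, ldap_attribute, ctx.get(a2_attribute))
    for ldap_attribute, values in static_attributes.items():
        self.add_values(ldap_attributes, ldap_attribute, values)
    for ldap_attribute, fmt_tpls in format_mapping.items():
        # a bare template string would otherwise be iterated character by character
        if not isinstance(fmt_tpls, (tuple, list)):
            fmt_tpls = [fmt_tpls]
        for fmt_tpl in fmt_tpls:
            self.add_values(ldap_attributes, ldap_attribute, [fmt_tpl.format(**ctx)])
    return ldap_attributes

def _write_batch(self, conn, ldap_users, existing_dn, fake, verbosity):
    '''Send one modify (DN in ``existing_dn``) or add per entry of ``ldap_users``.

    Nothing is sent when ``fake`` is true; the operations are reported when
    ``verbosity`` > 1.  Every synced attribute of an existing entry is
    replaced; attributes not in the mapping are left untouched.
    '''
    for dn, ldap_attributes in ldap_users.items():
        if dn in existing_dn:
            # iterate the items, not the dict: the original unpacked each key string
            modlist = [(ldap.MOD_REPLACE, key, values) for key, values in ldap_attributes.items()]
            if not fake:
                conn.modify(dn, modlist)
            if verbosity > 1:
                print('- Replace %s values for %s' % (dn, ', '.join(ldap_attributes.keys())))
        else:
            if not fake:
                conn.add(dn, ldap.modlist.addModlist(ldap_attributes))
            if verbosity > 1:
                print('- Add %s with values for %s' % (dn, ', '.join(ldap_attributes.keys())))
    # modify()/add() are asynchronous; wait for one result per request sent
    if not fake:
        for _ in ldap_users:
            conn.result()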
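def sync_ldap_ressource(self, ressource, **options):
    '''Push the users selected by ``ressource`` into an LDAP directory.

    Users are processed in batches of ``options['batch_size']``: the LDAP
    attributes of each user are computed from the ``ressource`` mappings,
    compared with what the directory holds under ``ressource['base_dn']``,
    then added or replaced.  Once every batch is done, entries under the
    base DN that belong to no synced user are deleted unless
    ``ressource['delete']`` is False.  With ``options['fake']`` nothing is
    written to the directory; the would-be operations are only reported when
    ``verbosity`` > 1 (stale entries are collected in that mode too, so the
    dry-run report lists them).

    Parameters
    ----------
    ressource : dict describing the target directory; required keys ``url``,
        ``base_dn``, ``attribute_mapping``; optional ``use_tls``, ``bind_dn``,
        ``bind_pw``, ``static_attributes``, ``format_mapping``,
        ``attribute_context``, ``ldap_filter``, ``delete``, ``a2_filter``
    options : command options; ``verbosity``, ``fake`` and ``batch_size``
        are read

    Raises
    ------
    ValueError : if ``bind_dn`` is set but ``bind_pw`` is empty.  A simple
        bind with a DN and no password is an "unauthenticated bind"
        (RFC 4513 §5.1.2) that a server may treat as anonymous, which would
        silently run the whole sync without the intended credentials.
    '''
    verbosity = int(options['verbosity'])
    fake = options['fake']
    # FIXME: Check ressource well formedness
    base_dn = ressource['base_dn']
    use_tls = ressource.get('use_tls')
    bind_dn = ressource.get('bind_dn')
    bind_pw = ressource.get('bind_pw')
    if bind_dn and not bind_pw:
        raise ValueError('bind_dn is set but bind_pw is empty: refusing an unauthenticated bind')

    attribute_mapping = utils.lower_keys(ressource['attribute_mapping'])
    static_attributes = utils.lower_keys(ressource.get('static_attributes', {}))
    format_mapping = utils.lower_keys(ressource.get('format_mapping', {}))
    # attributes read back from the directory to decide whether an entry needs an update
    attributes = set(attribute_mapping) | set(static_attributes)
    default_ctx = ressource.get('attribute_context', {})
    ldap_filter = ressource.get('ldap_filter', '(objectclass=*)')
    delete = ressource.get('delete', True)

    conn = ldap_utils.PagedLDAPObject(ressource['url'], retry_max=10, retry_delay=2)
    try:
        if use_tls:
            # NOTE(review): whether the server certificate is verified here depends on
            # the process-wide TLS options / ldap.conf, nothing in this function sets it.
            conn.start_tls_s()
        if bind_dn:
            conn.simple_bind_s(bind_dn, bind_pw)

        User = compat.get_user_model()
        qs = User.objects.filter(**ressource.get('a2_filter', {}))
        todelete = set()
        user_dns = set()
        for batch in utils.batch(qs, options['batch_size']):
            ldap_users = {}
            filters = []
            for user in batch:
                ldap_attributes = self._ldap_attributes_for_user(
                    user, default_ctx, attribute_mapping, static_attributes, format_mapping)
                dn, filt = self.build_dn_and_filter(ressource, ldap_attributes)
                user_dns.add(dn)
                ldap_users[dn] = ldap_attributes
                filters.append(filt)
            batch_filter = ldap_filter
            if filters:
                batch_filter = self.format_filter(('&', (batch_filter, ('|', filters))))
            # compare the batch with what the directory already holds
            existing_dn = set()
            for dn, entry in conn.paged_search_ext_s(base_dn, ldap.SCOPE_SUBTREE, batch_filter, list(attributes)):
                entry = utils.to_dict_of_set(utils.lower_keys(entry))
                if dn not in ldap_users:
                    # matched the batch filter but is not one of our users
                    todelete.add(dn)
                    continue
                if entry == utils.to_dict_of_set(ldap_users[dn]):
                    # no need to update, entry is already ok
                    del ldap_users[dn]
                    continue
                existing_dn.add(dn)
            self._write_batch(conn, ldap_users, existing_dn, fake, verbosity)
        # anything under the base DN that no synced user produced is stale
        for dn, entry in conn.paged_search_ext_s(base_dn, ldap.SCOPE_SUBTREE, ldap_filter):
            # ignore the basedn
            if dn == base_dn:
                continue
            if dn not in user_dns:
                todelete.add(dn)
        if delete:
            if verbosity > 1:
                print('- Deleting: %s' % ', '.join(todelete))
            if not fake:
                for dn in todelete:
                    conn.delete(dn)
                # delete() is asynchronous; collect one result per request
                for dn in todelete:
                    conn.result()
    finally:
        conn.unbind_s()

def _ldap_attributes_for_user(self, user, default_ctx, attribute_mapping, static_attributes, format_mapping):
    '''Compute the LDAP attribute dictionary of one user from the ressource mappings.

    ``attribute_mapping`` maps an LDAP attribute to one or more authentic
    attribute names looked up in the resolved context, ``static_attributes``
    to constant values, and ``format_mapping`` to ``str.format`` templates
    rendered against the context.  A single name or template is accepted in
    place of a list.
    '''
    ctx = default_ctx.copy()
    ctx['user'] = user
    ctx = get_attributes(ctx)
    ldap_attributes = {}
    for ldap_attribute, a2_attributes in attribute_mapping.items():
        if not isinstance(a2_attributes, (tuple, list)):
            a2_attributes = [a2_attributes]
        for a2_attribute in a2_attributes:
            self.add_values(ldap_attributes, ldap_attribute, ctx.get(a2_attribute))
    for ldap_attribute, values in static_attributes.items():
        self.add_values(ldap_attributes, ldap_attribute, values)
    for ldap_attribute, fmt_tpls in format_mapping.items():
        # a bare template string would otherwise be iterated character by character
        if not isinstance(fmt_tpls, (tuple, list)):
            fmt_tpls = [fmt_tpls]
        for fmt_tpl in fmt_tpls:
            self.add_values(ldap_attributes, ldap_attribute, [fmt_tpl.format(**ctx)])
    return ldap_attributes

def _write_batch(self, conn, ldap_users, existing_dn, fake, verbosity):
    '''Send one modify (DN in ``existing_dn``) or add per entry of ``ldap_users``.

    Nothing is sent when ``fake`` is true; the operations are reported when
    ``verbosity`` > 1.  Every synced attribute of an existing entry is
    replaced; attributes not in the mapping are left untouched.
    '''
    for dn, ldap_attributes in ldap_users.items():
        if dn in existing_dn:
            # iterate the items, not the dict: the original unpacked each key string
            modlist = [(ldap.MOD_REPLACE, key, values) for key, values in ldap_attributes.items()]
            if not fake:
                conn.modify(dn, modlist)
            if verbosity > 1:
                print('- Replace %s values for %s' % (dn, ', '.join(ldap_attributes.keys())))
        else:
            if not fake:
                conn.add(dn, ldap.modlist.addModlist(ldap_attributes))
            if verbosity > 1:
                print('- Add %s with values for %s' % (dn, ', '.join(ldap_attributes.keys())))
    # modify()/add() are asynchronous; wait for one result per request sent
    if not fake:
        for _ in ldap_users:
            conn.result()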