コード例 #1
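def create_user_info(client, user, scope_set, id_token=False):
    '''Build the OIDC user-info dictionary for ``user`` as seen by ``client``.

    Only claims whose scopes intersect ``scope_set`` and whose source
    attribute (``claim.value``) is present among the user's attributes are
    emitted, keyed by ``claim.name``.  When a companion
    ``<claim.value>:verified`` attribute is also present, a
    ``<claim.name>_verified`` flag is set next to the claim.

    Args:
        client: the OIDC client; must provide ``oidcclaim_set`` and
            ``get_wanted_attributes()``.
        user: the authenticated user the claims describe.
        scope_set: iterable of the granted scopes.
        id_token: not used in this function; kept so existing callers keep
            working.

    Returns:
        The user-info dict, returned after the ``idp_oidc_modify_user_info``
        hooks have been called with it.
    '''
    user_info = {'sub': make_sub(client, user)}
    attributes = get_attributes({
        'user': user,
        'request': None,
        'service': client,
        '__wanted_attributes': client.get_wanted_attributes(),
    })
    for claim in client.oidcclaim_set.filter(name__isnull=False):
        # a claim is released only if one of its scopes was granted
        if set(claim.get_scopes()).isdisjoint(scope_set):
            continue
        if claim.value not in attributes:
            continue
        user_info[claim.name] = normalize_claim_values(attributes[claim.value])
        # The verified marker follows the OIDC convention (``email`` ->
        # ``email_verified``), so it is keyed on the emitted claim name,
        # consistent with the line above, not on the source attribute name.
        if claim.value + ':verified' in attributes:
            user_info[claim.name + '_verified'] = True
    hooks.call_hooks('idp_oidc_modify_user_info', client, user, scope_set,
                     user_info)
    return user_info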
コード例 #2
ファイル: views.py プロジェクト: josuebrunel/authentic2
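 def get_attributes(self, request, st):
     '''Return the attributes of the user whose session is bound to ticket ``st``.

     The result is memoized on ``st.attributes`` so that repeated calls for the
     same ticket resolve the session and the attribute providers only once.

     Args:
         request: the current request, passed into the attribute context.
         st: the service ticket; must expose ``service``, ``session_key`` and
             ``user_id``.

     Returns:
         The attribute dict computed by the module-level ``get_attributes``.

     Raises:
         AssertionError: when the session resolves to an anonymous user, or to
             a user other than the one the ticket was issued for.
     '''
     if not hasattr(st, 'attributes'):
         wanted_attributes = st.service.get_wanted_attributes()
         user = get_user_from_session_key(st.session_key)
         # Explicit raises instead of ``assert``: these checks bind the ticket
         # to its session owner and must not be stripped under ``python -O``.
         # The exception type is kept so existing callers are unaffected.
         if not user.pk:
             raise AssertionError('ticket session belongs to an anonymous user')
         if st.user_id != user.pk:
             raise AssertionError('session user does not match ticket user')
         st.attributes = get_attributes({
             'request': request,
             'user': user,
             'service': st.service,
             '__wanted_attributes': wanted_attributes,
         })
     return st.attributes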
コード例 #3
ファイル: views.py プロジェクト: tahajahangir/authentic2
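 def get_attributes(self, request, st):
     '''Return the attributes of the user whose session is bound to ticket ``st``.

     The result is memoized on ``st.attributes`` so that repeated calls for the
     same ticket resolve the session and the attribute providers only once.

     Args:
         request: the current request, passed into the attribute context.
         st: the service ticket; must expose ``service``, ``session_key`` and
             ``user_id``.

     Returns:
         The attribute dict computed by the module-level ``get_attributes``.

     Raises:
         AssertionError: when the session resolves to an anonymous user, or to
             a user other than the one the ticket was issued for.
     '''
     if not hasattr(st, 'attributes'):
         wanted_attributes = st.service.get_wanted_attributes()
         user = get_user_from_session_key(st.session_key)
         # Explicit raises instead of ``assert``: these checks bind the ticket
         # to its session owner and must not be stripped under ``python -O``.
         # The exception type is kept so existing callers are unaffected.
         if not user.pk:
             raise AssertionError('ticket session belongs to an anonymous user')
         if st.user_id != user.pk:
             raise AssertionError('session user does not match ticket user')
         st.attributes = get_attributes({
             'request': request,
             'user': user,
             'service': st.service,
             '__wanted_attributes': wanted_attributes,
         })
     return st.attributes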
コード例 #4
ファイル: provision.py プロジェクト: tahajahangir/authentic2
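 def sync_ldap_ressource(self, ressource, **options):
     '''Push the users selected by ``ressource`` into an LDAP directory.

     For each batch of users the expected LDAP entry is computed from
     ``attribute_mapping``, ``static_attributes`` and ``format_mapping``,
     compared with what the directory holds under ``base_dn``, and added or
     replaced as needed.  Entries found under ``base_dn`` that no user maps
     to are deleted at the end unless ``ressource['delete']`` is false.

     Args:
         ressource: dict describing the directory (``url``, ``base_dn``,
             optional ``use_tls``, ``bind_dn``, ``bind_pw``, ``ldap_filter``,
             ``a2_filter``, ``attribute_context``, ``delete``) and the
             user-to-entry mapping.
         **options: command options; ``verbosity``, ``fake`` and
             ``batch_size`` are read.  With ``fake`` set nothing is written
             to the directory and the final scan does not add to the delete
             set.
     '''
     verbosity = int(options['verbosity'])
     fake = options['fake']
     # FIXME: Check ressource well formedness
     conn = paged.PagedLDAPObject(ressource['url'],
                                  retry_max=10,
                                  retry_delay=2)
     base_dn = ressource['base_dn']
     use_tls = ressource.get('use_tls')
     bind_dn = ressource.get('bind_dn')
     bind_pw = ressource.get('bind_pw')
     # NOTE(review): StartTLS is only requested here; whether the server
     # certificate is verified depends on the options PagedLDAPObject sets —
     # confirm before relying on it.
     if use_tls:
         conn.start_tls_s()
     if bind_dn:
         conn.simple_bind_s(bind_dn, bind_pw)
     attribute_mapping = utils.lower_keys(ressource['attribute_mapping'])
     static_attributes = utils.lower_keys(
         ressource.get('static_attributes', {}))
     format_mapping = utils.lower_keys(ressource.get('format_mapping', {}))
     # the attributes we manage; only these are read back and compared
     attributes = set(attribute_mapping.keys()) | set(
         static_attributes.keys())
     default_ctx = ressource.get('attribute_context', {})
     ldap_filter = ressource.get('ldap_filter', '(objectclass=*)')
     delete = ressource.get('delete', True)
     User = compat.get_user_model()
     qs = User.objects.filter(**ressource.get('a2_filter', {}))
     todelete = set()
     user_dns = set()
     for batch in utils.batch(qs, options['batch_size']):
         ldap_users = {}
         filters = []
         for user in batch:
             ctx = default_ctx.copy()
             ctx['user'] = user
             ctx = get_attributes(ctx)
             ldap_attributes = {}
             for ldap_attribute, a2_attributes in attribute_mapping.iteritems():
                 if not isinstance(a2_attributes, (tuple, list)):
                     a2_attributes = [a2_attributes]
                 for a2_attribute in a2_attributes:
                     self.add_values(ldap_attributes, ldap_attribute,
                                     ctx.get(a2_attribute))
             for ldap_attribute, values in static_attributes.iteritems():
                 self.add_values(ldap_attributes, ldap_attribute, values)
             for ldap_attribute, fmt_tpls in format_mapping.iteritems():
                 for fmt_tpl in fmt_tpls:
                     self.add_values(ldap_attributes, ldap_attribute,
                                     [fmt_tpl.format(**ctx)])
             # NOTE(review): attribute values end up in the search filter
             # below; escaping them is build_dn_and_filter's job — verify.
             dn, filt = self.build_dn_and_filter(ressource, ldap_attributes)
             user_dns.add(dn)
             ldap_users[dn] = ldap_attributes
             filters.append(filt)
         batch_filter = ldap_filter
         if filters:
             batch_filter = self.format_filter(
                 ('&', (batch_filter, ('|', filters))))
         existing_dn = set()
         for dn, entry in conn.paged_search_ext_s(base_dn,
                                                  ldap.SCOPE_SUBTREE,
                                                  batch_filter,
                                                  list(attributes)):
             entry = utils.to_dict_of_set(utils.lower_keys(entry))
             if dn not in ldap_users:
                 # matched the batch filter but belongs to none of our users
                 todelete.add(dn)
                 continue
             if entry == utils.to_dict_of_set(ldap_users[dn]):
                 # no need to update, entry is already ok
                 del ldap_users[dn]
                 continue
             existing_dn.add(dn)
         for dn, ldap_attributes in ldap_users.iteritems():
             if dn in existing_dn:
                 # ldap_attributes is a dict: iterate its items, not its keys
                 modlist = [(ldap.MOD_REPLACE, key, values)
                            for key, values in ldap_attributes.iteritems()]
                 if not fake:
                     conn.modify(dn, modlist)
                 if verbosity > 1:
                     print '- Replace %s values for %s' % (dn, ', '.join(
                         ldap_attributes.keys()))
             else:
                 if not fake:
                     conn.add(dn, ldap.modlist.addModlist(ldap_attributes))
                 if verbosity > 1:
                     print '- Add %s with values for %s' % (dn, ', '.join(
                         ldap_attributes.keys()))
         # wait for results: one result() per add/modify issued above
         if not fake:
             for _ in ldap_users:
                 conn.result()
     for dn, _entry in conn.paged_search_ext_s(base_dn, ldap.SCOPE_SUBTREE,
                                               ldap_filter):
         # ignore the basedn
         if dn == base_dn:
             continue
         if dn not in user_dns and dn not in todelete:
             if not fake:
                 todelete.add(dn)
     if delete:
         if verbosity > 1:
             print '- Deleting:', ', '.join(todelete)
         if not fake:
             for dn in todelete:
                 conn.delete(dn)
             for dn in todelete:
                 conn.result()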
コード例 #5
ファイル: provision.py プロジェクト: josuebrunel/authentic2
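 def sync_ldap_ressource(self, ressource, **options):
     '''Push the users selected by ``ressource`` into an LDAP directory.

     For each batch of users the expected LDAP entry is computed from
     ``attribute_mapping``, ``static_attributes`` and ``format_mapping``,
     compared with what the directory holds under ``base_dn``, and added or
     replaced as needed.  Entries found under ``base_dn`` that no user maps
     to are deleted at the end unless ``ressource['delete']`` is false.

     Args:
         ressource: dict describing the directory (``url``, ``base_dn``,
             optional ``use_tls``, ``bind_dn``, ``bind_pw``, ``ldap_filter``,
             ``a2_filter``, ``attribute_context``, ``delete``) and the
             user-to-entry mapping.
         **options: command options; ``verbosity``, ``fake`` and
             ``batch_size`` are read.  With ``fake`` set nothing is written
             to the directory and the final scan does not add to the delete
             set.
     '''
     verbosity = int(options['verbosity'])
     fake = options['fake']
     # FIXME: Check ressource well formedness
     conn = ldap_utils.PagedLDAPObject(ressource['url'], retry_max=10,
                                       retry_delay=2)
     base_dn = ressource['base_dn']
     use_tls = ressource.get('use_tls')
     bind_dn = ressource.get('bind_dn')
     bind_pw = ressource.get('bind_pw')
     # NOTE(review): StartTLS is only requested here; whether the server
     # certificate is verified depends on the options PagedLDAPObject sets —
     # confirm before relying on it.
     if use_tls:
         conn.start_tls_s()
     if bind_dn:
         conn.simple_bind_s(bind_dn, bind_pw)
     attribute_mapping = utils.lower_keys(ressource['attribute_mapping'])
     static_attributes = utils.lower_keys(ressource.get('static_attributes', {}))
     format_mapping = utils.lower_keys(ressource.get('format_mapping', {}))
     # the attributes we manage; only these are read back and compared
     attributes = set(attribute_mapping.keys()) | set(static_attributes.keys())
     default_ctx = ressource.get('attribute_context', {})
     ldap_filter = ressource.get('ldap_filter', '(objectclass=*)')
     delete = ressource.get('delete', True)
     User = compat.get_user_model()
     qs = User.objects.filter(**ressource.get('a2_filter', {}))
     todelete = set()
     user_dns = set()
     for batch in utils.batch(qs, options['batch_size']):
         ldap_users = {}
         filters = []
         for user in batch:
             ctx = default_ctx.copy()
             ctx['user'] = user
             ctx = get_attributes(ctx)
             ldap_attributes = {}
             for ldap_attribute, a2_attributes in attribute_mapping.iteritems():
                 if not isinstance(a2_attributes, (tuple, list)):
                     a2_attributes = [a2_attributes]
                 for a2_attribute in a2_attributes:
                     self.add_values(ldap_attributes, ldap_attribute,
                                     ctx.get(a2_attribute))
             for ldap_attribute, values in static_attributes.iteritems():
                 self.add_values(ldap_attributes, ldap_attribute, values)
             for ldap_attribute, fmt_tpls in format_mapping.iteritems():
                 for fmt_tpl in fmt_tpls:
                     self.add_values(ldap_attributes, ldap_attribute,
                                     [fmt_tpl.format(**ctx)])
             # NOTE(review): attribute values end up in the search filter
             # below; escaping them is build_dn_and_filter's job — verify.
             dn, filt = self.build_dn_and_filter(ressource, ldap_attributes)
             user_dns.add(dn)
             ldap_users[dn] = ldap_attributes
             filters.append(filt)
         batch_filter = ldap_filter
         if filters:
             batch_filter = self.format_filter(
                 ('&', (batch_filter, ('|', filters))))
         existing_dn = set()
         for dn, entry in conn.paged_search_ext_s(base_dn,
                                                  ldap.SCOPE_SUBTREE,
                                                  batch_filter,
                                                  list(attributes)):
             entry = utils.to_dict_of_set(utils.lower_keys(entry))
             if dn not in ldap_users:
                 # matched the batch filter but belongs to none of our users
                 todelete.add(dn)
                 continue
             if entry == utils.to_dict_of_set(ldap_users[dn]):
                 # no need to update, entry is already ok
                 del ldap_users[dn]
                 continue
             existing_dn.add(dn)
         for dn, ldap_attributes in ldap_users.iteritems():
             if dn in existing_dn:
                 # ldap_attributes is a dict: iterate its items, not its keys
                 modlist = [(ldap.MOD_REPLACE, key, values)
                            for key, values in ldap_attributes.iteritems()]
                 if not fake:
                     conn.modify(dn, modlist)
                 if verbosity > 1:
                     print '- Replace %s values for %s' % (dn, ', '.join(ldap_attributes.keys()))
             else:
                 if not fake:
                     conn.add(dn, ldap.modlist.addModlist(ldap_attributes))
                 if verbosity > 1:
                     print '- Add %s with values for %s' % (dn, ', '.join(ldap_attributes.keys()))
         # wait for results: one result() per add/modify issued above
         if not fake:
             for _ in ldap_users:
                 conn.result()
     for dn, _entry in conn.paged_search_ext_s(base_dn,
                                               ldap.SCOPE_SUBTREE, ldap_filter):
         # ignore the basedn
         if dn == base_dn:
             continue
         if dn not in user_dns and dn not in todelete:
             if not fake:
                 todelete.add(dn)
     if delete:
         if verbosity > 1:
             print '- Deleting:', ', '.join(todelete)
         if not fake:
             for dn in todelete:
                 conn.delete(dn)
             for dn in todelete:
                 conn.result()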