def ldap_populate_user_profile(sender, user=None, ldap_user=None, **kwargs):
    """Derive the user's role from LDAP group membership after login.

    Receiver for the ``django_auth_ldap`` ``populate_user`` signal. Nothing
    happens unless ``LDAP_AUTHENTICATION`` is enabled, and superusers are
    returned untouched, so a local superuser is neither demoted nor
    re-evaluated here. For everyone else the role starts at reader and is
    raised to admin, manager or reviewer (in that order of precedence) when
    the user belongs to the corresponding ``AUTH_LDAP_*_GROUP``, then passed
    through ``roles.promoted_role`` and stored with ``user.set_role``. Because
    the role is recomputed from the groups each time this runs, a user dropped
    from a group loses the matching role.
    """
    if not settings.LDAP_AUTHENTICATION:
        return

    LOGGER.debug("django_auth_ldap.backend.populate_user signal received")

    if user is None or ldap_user is None:
        return
    if user.is_superuser:
        return

    # Ordered by precedence: the first configured group the user is in wins.
    group_roles = (
        (settings.AUTH_LDAP_ADMIN_GROUP, roles.USER_ROLE_ADMIN),
        (settings.AUTH_LDAP_MANAGER_GROUP, roles.USER_ROLE_MANAGER),
        (settings.AUTH_LDAP_REVIEWER_GROUP, roles.USER_ROLE_REVIEWER),
    )
    group_names = ldap_user.group_names
    role = next(
        (candidate for group, candidate in group_roles if group in group_names),
        roles.USER_ROLE_READER,
    )

    role = roles.promoted_role(role)
    LOGGER.debug("Setting role %s for user %s", role, user.username)
    user.set_role(role)
def test_promoted_role(
    user, settings, default_user_role, input_role, is_superuser, groups
):
    """Check that ``roles.promoted_role`` honours ``DEFAULT_USER_ROLE``.

    Each case sets the default role, promotes ``input_role`` and applies the
    result to the ``user`` fixture, then verifies the resulting superuser flag
    and the exact, ordered list of group names the user ends up with.
    """
    settings.DEFAULT_USER_ROLE = default_user_role

    promoted = roles.promoted_role(input_role)
    user.set_role(promoted)

    assert user.is_superuser is is_superuser
    group_names = user.groups.values_list("name", flat=True)
    assert list(group_names) == groups
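def make_profile(self, user, shib_meta):
    """Assign the user's role from the Shibboleth ``entitlement`` attribute.

    Customizes the user beyond what the attribute map already covers. The
    ``entitlement`` value is a ``;``-separated list; the role defaults to
    reader and is raised to admin, manager or reviewer (in that order of
    precedence) when the matching ``SHIBBOLETH_*_ENTITLEMENT`` value is
    present, then passed through ``roles.promoted_role`` and stored with
    ``user.set_role``. The role is recomputed from the attribute every time
    this runs, so a withdrawn entitlement demotes the user on the next call.

    Raises:
        KeyError: if ``shib_meta`` has no ``entitlement`` key.
    """
    # Drop empty items: an empty attribute (or a trailing ";") would otherwise
    # yield "" entries, which an empty-string *_ENTITLEMENT setting would match
    # and thereby hand out that role to every authenticated user.
    entitlements = [
        entitlement
        for entitlement in shib_meta["entitlement"].split(";")
        if entitlement
    ]

    role = roles.USER_ROLE_READER
    if settings.SHIBBOLETH_ADMIN_ENTITLEMENT in entitlements:
        role = roles.USER_ROLE_ADMIN
    elif settings.SHIBBOLETH_MANAGER_ENTITLEMENT in entitlements:
        role = roles.USER_ROLE_MANAGER
    elif settings.SHIBBOLETH_REVIEWER_ENTITLEMENT in entitlements:
        role = roles.USER_ROLE_REVIEWER

    role = roles.promoted_role(role)
    user.set_role(role)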
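def cas_user_authenticated_callback(sender, **kwargs):
    """Set the user's role from the attributes returned by the CAS server.

    Receiver for the ``cas_user_authenticated`` signal that ``django_cas_ng``
    sends after login; ``kwargs["attributes"]`` holds whatever the CAS server
    returned during p3/serviceValidate and ``kwargs["user"]`` the username.
    When ``CAS_CHECK_ADMIN_ATTRIBUTES`` is enabled the attributes are mapped to
    a role by ``_cas_user_role``, passed through ``roles.promoted_role`` and
    stored with ``user.set_role`` (the superuser flag is not toggled directly
    here). This runs for both new and existing users, so changes in group
    membership on the CAS server (e.g. a user being added to or removed from
    the administrator group) are applied in Archivematica on the next login.

    Caveat: when the server returns no attributes at all the role is left
    unchanged, so a missing attribute set never demotes anyone.
    """
    if not settings.CAS_CHECK_ADMIN_ATTRIBUTES:
        return

    LOGGER.debug("cas_user_authenticated signal received")

    username = kwargs.get("user")
    attributes = kwargs.get("attributes")
    if not attributes:
        return

    role = roles.promoted_role(_cas_user_role(attributes))

    User = get_user_model()
    # Lock the row so concurrent logins of the same account cannot interleave
    # their role updates. ``get`` raises ``User.DoesNotExist`` if the account
    # is absent -- presumably the CAS backend has created it by now; confirm.
    with transaction.atomic():
        user = User.objects.select_for_update().get(username=username)
        user.set_role(role)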
def set_user_role(self, user):
    """Give the freshly authenticated user the reader role.

    The reader role is passed through ``roles.promoted_role`` (which may
    raise it, e.g. according to ``DEFAULT_USER_ROLE``) before being stored
    with ``user.set_role``. Every user coming through this backend therefore
    gets the same base role regardless of what the identity provider says.

    TODO: derive the role from the claims available via the user's
    authentication tokens instead of always starting from reader.
    """
    base_role = roles.USER_ROLE_READER
    user.set_role(roles.promoted_role(base_role))