def sync_oidc(self, iam_users):
for user in iam_users:
username = user['userName']
email = user['emails'][0]['value']
user_subject = user['id']
if not user['active']:
logging.debug(
'Skipped OIDC identity for User {} [not active]'.format(
username))
continue
# Rucio DB schema restriction
if len(username) > 25:
logging.debug(
'Skipped OIDC identity for User {} [len(username) > 25]'.
format(username))
continue
try:
internal_account = InternalAccount(username)
user_identity = "SUB={}, ISS={}".format(
user_subject, self.iam_server)
if not identity.exist_identity_account(
user_identity, IdentityType.OIDC, internal_account):
identity.add_account_identity(user_identity,
IdentityType.OIDC,
internal_account, email)
logging.debug(
'Added OIDC identity for User {}'.format(username))
except Exception as e:
logging.debug(e)
def perm_get_auth_token_saml(issuer, kwargs):
"""
Checks if a user can request a token with user_pass for an account.
:param issuer: Account identifier which issues the command.
:param kwargs: List of arguments for the action.
:returns: True if account is allowed, otherwise False
"""
if exist_identity_account(identity=kwargs['saml_nameid'], type=IdentityType.SAML, account=kwargs['account']):
return True
return False
def perm_get_auth_token_x509(issuer, kwargs, session=None):
"""
Checks if a user can request a token with user_pass for an account.
:param issuer: Account identifier which issues the command.
:param kwargs: List of arguments for the action.
:param session: The DB session to use
:returns: True if account is allowed, otherwise False
"""
if exist_identity_account(identity=kwargs['dn'], type_=IdentityType.X509, account=kwargs['account'], session=session):
return True
return False
def sync_x509(self, iam_users):
for user in iam_users:
username = user['userName']
email = user['emails'][0]['value']
if not user['active']:
logging.debug(
'Skipped X509 identity for User {} [not active]'.format(
username))
continue
# Rucio DB schema restriction
if len(username) > 25:
logging.debug(
'Skipped X509 identity for User {} [len(username) > 25]'.
format(username))
continue
if 'urn:indigo-dc:scim:schemas:IndigoUser' in user:
indigo_user = user['urn:indigo-dc:scim:schemas:IndigoUser']
if 'certificates' in indigo_user:
for certificate in indigo_user['certificates']:
if 'subjectDn' in certificate:
subjectDn = self.make_gridmap_compatible(
certificate['subjectDn'])
try:
internal_account = InternalAccount(username)
if not identity.exist_identity_account(
subjectDn, IdentityType.X509,
internal_account):
identity.add_account_identity(
subjectDn, IdentityType.X509,
internal_account, email)
logging.debug(
'Added X509 identity for User {}'.
format(username))
except Exception as e:
logging.debug(e)
