[shib] Add affiliation role map

2025-08-02 07:47:32 +00:00 · 2017-01-17 10:38:56 +08:00 · 2017-01-17 10:38:56 +08:00 · 1832b2b0c0
commit 1832b2b0c0
parent 19beb9a7c8
2 changed files with 62 additions and 1 deletions
--- a/tests/seahub/thirdpart/shibboleth/test_middleware.py
+++ b/tests/seahub/thirdpart/shibboleth/test_middleware.py
@ -1,9 +1,11 @@
 import os
 import pytest

+from mock import patch
 from django.conf import settings
-from django.test import RequestFactory
+from django.test import RequestFactory, override_settings

+from seahub.base.accounts import User
 from seahub.profile.models import Profile
 from seahub.test_utils import BaseTestCase
 from shibboleth import backends
@ -39,16 +41,56 @@ class ShibbolethRemoteUserMiddlewareTest(BaseTestCase):
        self.request.META['REMOTE_USER'] = 'sampledeveloper@school.edu'
        self.request.META['givenname'] = 'test_gname'
        self.request.META['surname'] = 'test_sname'
+        self.request.META['Shibboleth-displayName'] = 'Sample Developer'
+        self.request.META['Shibboleth-affiliation'] = 'employee@school.edu;member@school.edu;faculty@school.edu;staff@school.edu'

        # default settings
        assert getattr(settings, 'SHIB_ACTIVATE_AFTER_CREATION', True) is True

+    @patch('shibboleth.middleware.SHIB_ATTRIBUTE_MAP', {
+        "Shibboleth-eppn": (True, "username"),
+        "givenname": (False, "givenname"),
+        "surname": (False, "surname"),
+        "emailaddress": (False, "contact_email"),
+        "organization": (False, "institution"),
+        "Shibboleth-displayName": (False, "display_name"),
+    })
    def test_can_process(self):
        assert len(Profile.objects.all()) == 0

        self.middleware.process_request(self.request)
+        assert self.request.user.username == 'sampledeveloper@school.edu'
+
        assert len(Profile.objects.all()) == 1
        assert self.request.shib_login is True
+        assert Profile.objects.all()[0].user == 'sampledeveloper@school.edu'
+        assert Profile.objects.all()[0].nickname == 'Sample Developer'
+
+    @override_settings(SHIBBOLETH_AFFILIATION_ROLE_MAP={
+        'employee@school.edu': 'staff',
+        'member@school.edu': 'staff',
+        'student@school.edu': 'student',
+    })
+    @patch('shibboleth.middleware.SHIB_ATTRIBUTE_MAP', {
+        "Shibboleth-eppn": (True, "username"),
+        "givenname": (False, "givenname"),
+        "surname": (False, "surname"),
+        "emailaddress": (False, "contact_email"),
+        "organization": (False, "institution"),
+        "Shibboleth-affiliation": (False, "affiliation"),
+        "Shibboleth-displayName": (False, "display_name"),
+    })
+    def test_can_process_user_role(self):
+        assert len(Profile.objects.all()) == 0
+
+        self.middleware.process_request(self.request)
+        assert self.request.user.username == 'sampledeveloper@school.edu'
+
+        assert len(Profile.objects.all()) == 1
+        assert self.request.shib_login is True
+        assert Profile.objects.all()[0].user == 'sampledeveloper@school.edu'
+        assert Profile.objects.all()[0].nickname == 'Sample Developer'
+        assert User.objects.get(self.request.user.username).role == 'staff'

    @pytest.mark.skipif(TRAVIS, reason="TODO: this test can only be run seperately due to the url module init in django, we may need to reload url conf: https://gist.github.com/anentropic/9ac47f6518c88fa8d2b0")
    def test_process_inactive_user(self):
--- a/thirdpart/shibboleth/middleware.py
+++ b/thirdpart/shibboleth/middleware.py
@ -1,3 +1,4 @@
+from django.conf import settings
 from django.contrib.auth.middleware import RemoteUserMiddleware
 from django.core.exceptions import ImproperlyConfigured
 from django.core.urlresolvers import reverse
@ -6,6 +7,7 @@ from django.http import HttpResponseRedirect
 from shibboleth.app_settings import SHIB_ATTRIBUTE_MAP, LOGOUT_SESSION_KEY, SHIB_USER_HEADER

 from seahub import auth
+from seahub.base.accounts import User
 from seahub.base.sudo_mode import update_sudo_mode_ts
 from seahub.profile.models import Profile

@ -77,6 +79,7 @@ class ShibbolethRemoteUserMiddleware(RemoteUserMiddleware):
            user.save()
            # call make profile.
            self.make_profile(user, shib_meta)
+            self.update_user_role(user, shib_meta)
            #setup session.
            self.setup_session(request)
            request.shib_login = True
@ -142,6 +145,22 @@ class ShibbolethRemoteUserMiddleware(RemoteUserMiddleware):

        p.save()

+    def update_user_role(self, user, shib_meta):
+        affiliation = shib_meta.get('affiliation', '')
+        if not affiliation:
+            return
+
+        try:
+            role_map = settings.SHIBBOLETH_AFFILIATION_ROLE_MAP
+        except AttributeError:
+            return
+
+        for e in affiliation.split(';'):
+            role = role_map.get(e)
+            if role:
+                User.objects.update_role(user.email, role)
+                return
+
    def setup_session(self, request):
        """
        If you want to add custom code to setup user sessions, you