haiwen/seahub
1
0
Fork 0
mirror of https://github.com/haiwen/seahub.git synced 2025-08-20 07:55:06 +00:00
Code Issues Releases Wiki Activity

[shib] Add affiliation role map

Browse Source
This commit is contained in:
zhengxie 2017-01-17 10:38:56 +08:00
parent 19beb9a7c8
commit 1832b2b0c0
2 changed files with 62 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
tests/seahub/thirdpart/shibboleth/test_middleware.py
View File

@ -1,9 +1,11 @@
import os import os
import pytest import pytest
from mock import patch
from django.conf import settings from django.conf import settings
from django.test import RequestFactory from django.test import RequestFactory, override_settings
from seahub.base.accounts import User
from seahub.profile.models import Profile from seahub.profile.models import Profile
from seahub.test_utils import BaseTestCase from seahub.test_utils import BaseTestCase
from shibboleth import backends from shibboleth import backends
@ -39,16 +41,56 @@ class ShibbolethRemoteUserMiddlewareTest(BaseTestCase):
self.request.META['REMOTE_USER'] = 'sampledeveloper@school.edu' self.request.META['REMOTE_USER'] = 'sampledeveloper@school.edu'
self.request.META['givenname'] = 'test_gname' self.request.META['givenname'] = 'test_gname'
self.request.META['surname'] = 'test_sname' self.request.META['surname'] = 'test_sname'
self.request.META['Shibboleth-displayName'] = 'Sample Developer'
self.request.META['Shibboleth-affiliation'] = 'employee@school.edu;member@school.edu;faculty@school.edu;staff@school.edu'
# default settings # default settings
assert getattr(settings, 'SHIB_ACTIVATE_AFTER_CREATION', True) is True assert getattr(settings, 'SHIB_ACTIVATE_AFTER_CREATION', True) is True
@patch('shibboleth.middleware.SHIB_ATTRIBUTE_MAP', {
"Shibboleth-eppn": (True, "username"),
"givenname": (False, "givenname"),
"surname": (False, "surname"),
"emailaddress": (False, "contact_email"),
"organization": (False, "institution"),
"Shibboleth-displayName": (False, "display_name"),
})
def test_can_process(self): def test_can_process(self):
assert len(Profile.objects.all()) == 0 assert len(Profile.objects.all()) == 0
self.middleware.process_request(self.request) self.middleware.process_request(self.request)
assert self.request.user.username == 'sampledeveloper@school.edu'
assert len(Profile.objects.all()) == 1 assert len(Profile.objects.all()) == 1
assert self.request.shib_login is True assert self.request.shib_login is True
assert Profile.objects.all()[0].user == 'sampledeveloper@school.edu'
assert Profile.objects.all()[0].nickname == 'Sample Developer'
@override_settings(SHIBBOLETH_AFFILIATION_ROLE_MAP={
'employee@school.edu': 'staff',
'member@school.edu': 'staff',
'student@school.edu': 'student',
})
@patch('shibboleth.middleware.SHIB_ATTRIBUTE_MAP', {
"Shibboleth-eppn": (True, "username"),
"givenname": (False, "givenname"),
"surname": (False, "surname"),
"emailaddress": (False, "contact_email"),
"organization": (False, "institution"),
"Shibboleth-affiliation": (False, "affiliation"),
"Shibboleth-displayName": (False, "display_name"),
})
def test_can_process_user_role(self):
assert len(Profile.objects.all()) == 0
self.middleware.process_request(self.request)
assert self.request.user.username == 'sampledeveloper@school.edu'
assert len(Profile.objects.all()) == 1
assert self.request.shib_login is True
assert Profile.objects.all()[0].user == 'sampledeveloper@school.edu'
assert Profile.objects.all()[0].nickname == 'Sample Developer'
assert User.objects.get(self.request.user.username).role == 'staff'
@pytest.mark.skipif(TRAVIS, reason="TODO: this test can only be run seperately due to the url module init in django, we may need to reload url conf: https://gist.github.com/anentropic/9ac47f6518c88fa8d2b0") @pytest.mark.skipif(TRAVIS, reason="TODO: this test can only be run seperately due to the url module init in django, we may need to reload url conf: https://gist.github.com/anentropic/9ac47f6518c88fa8d2b0")
def test_process_inactive_user(self): def test_process_inactive_user(self):

19
thirdpart/shibboleth/middleware.py
View File

@ -1,3 +1,4 @@
from django.conf import settings
from django.contrib.auth.middleware import RemoteUserMiddleware from django.contrib.auth.middleware import RemoteUserMiddleware
from django.core.exceptions import ImproperlyConfigured from django.core.exceptions import ImproperlyConfigured
from django.core.urlresolvers import reverse from django.core.urlresolvers import reverse
@ -6,6 +7,7 @@ from django.http import HttpResponseRedirect
from shibboleth.app_settings import SHIB_ATTRIBUTE_MAP, LOGOUT_SESSION_KEY, SHIB_USER_HEADER from shibboleth.app_settings import SHIB_ATTRIBUTE_MAP, LOGOUT_SESSION_KEY, SHIB_USER_HEADER
from seahub import auth from seahub import auth
from seahub.base.accounts import User
from seahub.base.sudo_mode import update_sudo_mode_ts from seahub.base.sudo_mode import update_sudo_mode_ts
from seahub.profile.models import Profile from seahub.profile.models import Profile
@ -77,6 +79,7 @@ class ShibbolethRemoteUserMiddleware(RemoteUserMiddleware):
user.save() user.save()
# call make profile. # call make profile.
self.make_profile(user, shib_meta) self.make_profile(user, shib_meta)
self.update_user_role(user, shib_meta)
#setup session. #setup session.
self.setup_session(request) self.setup_session(request)
request.shib_login = True request.shib_login = True
@ -142,6 +145,22 @@ class ShibbolethRemoteUserMiddleware(RemoteUserMiddleware):
p.save() p.save()
def update_user_role(self, user, shib_meta):
affiliation = shib_meta.get('affiliation', '')
if not affiliation:
return
try:
role_map = settings.SHIBBOLETH_AFFILIATION_ROLE_MAP
except AttributeError:
return
for e in affiliation.split(';'):
role = role_map.get(e)
if role:
User.objects.update_role(user.email, role)
return
def setup_session(self, request): def setup_session(self, request):
""" """
If you want to add custom code to setup user sessions, you If you want to add custom code to setup user sessions, you