Jörn Künsemöller
committed
from mozilla_django_oidc.auth import OIDCAuthenticationBackend
import logging
from lofar.sas.tmss.tmss.tmssapp.models import ProjectRole
# Module logger; the authentication backend below reports parsed/rejected entitlements through it.
logger = logging.getLogger(__name__)
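class TMSSOIDCAuthenticationBackend(OIDCAuthenticationBackend):
    """
    A custom OIDCAuthenticationBackend that lets us perform extra actions when a user gets authenticated.
    Most importantly, the user's project roles are assigned according to the claims we get from the
    identity provider (see _set_user_project_roles_from_claims).
    """

    # Only entitlements starting with this prefix are interpreted as LOFAR project roles; every other value in the
    # 'eduperson_entitlement' claim is ignored.
    PROJECT_ENTITLEMENT_PREFIX = 'urn:mace:astron.nl:science:group:lofar:project:'

    # Marker in front of the role name inside an entitlement, e.g. '<prefix><project>:role=<role>'.
    ROLE_MARKER = 'role='

    def _set_user_project_roles_from_claims(self, user, claims):
        """
        Derive the user's project roles from the 'eduperson_entitlement' claim and persist them on the user.

        Each entitlement of the form '<prefix><project>:role=<role>' becomes a {'project': ..., 'role': ...}
        entry, but only when a ProjectRole with that value exists in the database. Malformed entitlements and
        unknown roles are logged and skipped; they never abort authentication. The resulting list replaces
        whatever project roles the user had before.

        :param user: the user instance whose 'project_roles' attribute is (re)assigned and then saved
        :param claims: dict of claims as delivered by the identity provider; treated as untrusted input
        """
        project_roles = []
        prefix = self.PROJECT_ENTITLEMENT_PREFIX
        # '.get(key, [])' still yields None when the claim is present but null; 'or []' keeps the loop safe.
        entitlements = claims.get('eduperson_entitlement') or []
        for entitlement in entitlements:
            try:
                if not entitlement.startswith(prefix):
                    continue
                # Strip only the leading prefix (str.replace would also rewrite later occurrences in the value).
                # Unpacking into exactly two parts makes any extra ':' raise, which is caught and logged below.
                project, role = entitlement[len(prefix):].split(':')
                if role.startswith(self.ROLE_MARKER):
                    role = role[len(self.ROLE_MARKER):]
                # The role must be known to TMSS; an unknown value is never assigned, so a claim cannot introduce
                # roles that do not exist in the database.
                if ProjectRole.objects.filter(value=role).exists():
                    project_roles.append({'project': project, 'role': role})
                else:
                    logger.error('could not parse entitlement=%s because no project role exists that matches the entitlement role=%s', entitlement, role)
            except Exception as e:
                # Best effort: one bad entitlement must not block the login; report it and continue with the rest.
                logger.error('could not parse entitlement=%s because of exception=%s', entitlement, e)
        user.project_roles = project_roles
        logger.info("### assigned project_roles=%s to user=%s", project_roles, user)
        user.save()

    def create_user(self, claims):
        """
        Create the user via the parent backend and assign its project roles from the claims.

        :param claims: dict of claims as delivered by the identity provider
        :return: the newly created user instance
        """
        user = super().create_user(claims)
        # NOTE(review): this logs the complete claims dict, which typically holds personal data (name, email,
        # entitlements); consider restricting this to the claim keys if the log is not access-controlled.
        logger.info('### create user=%s claims=%s', user, claims)
        self._set_user_project_roles_from_claims(user, claims)
        return user

    def update_user(self, user, claims):
        """
        Re-derive the project roles of an existing user from the claims on every login.

        :param user: the existing user instance
        :param claims: dict of claims as delivered by the identity provider
        :return: the same user instance, with its project roles updated
        """
        # NOTE(review): as in create_user, the full claims dict ends up in the log.
        logger.info('### update user=%s claims=%s', user, claims)
        self._set_user_project_roles_from_claims(user, claims)
        return user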