TMSS-719: handle system roles coming from Keycloak

fbce182a · Jörn Künsemöller · b6f83742 · fbce182a
Commit fbce182a authored 3 years ago by Jörn Künsemöller
--- a/SAS/TMSS/backend/src/tmss/authentication_backends.py
+++ b/SAS/TMSS/backend/src/tmss/authentication_backends.py
 from mozilla_django_oidc.auth import OIDCAuthenticationBackend
 import logging
 from lofar.sas.tmss.tmss.tmssapp.models import ProjectRole
+from django.contrib.auth.models import Group

 logger = logging.getLogger(__name__)

@@ -13,29 +14,59 @@ class TMSSOIDCAuthenticationBackend(OIDCAuthenticationBackend):

    def _set_user_project_roles_from_claims(self, user, claims):
        project_roles = []
-        prefix = 'urn:mace:astron.nl:science:group:lofar:project:'
+        project_role_prefix = 'urn:mace:astron.nl:science:group:lofar:project:'
+        system_role_prefix = 'urn:mace:astron.nl:science:group:community:'
+        system_role_map = {'expert scientist': Group.objects.get(name='Scientist (Expert)')}   # usually, we can use the entitlement name as group name, but some groups have weird names and need to be translated
        for entitlement in claims.get('eduperson_entitlement', []):
            try:
-                if entitlement.startswith(prefix):
-                    project, role = entitlement.replace(prefix, '').split(':')
-                    role = role.replace('role=', '')
-                    if ProjectRole.objects.filter(value=role).count() > 0:
-                        project_roles.append({'project': project, 'role': role})
+                if entitlement.startswith(project_role_prefix):
+                    project_entitlement = entitlement.replace(project_role_prefix, '')
+                    if 'role' in project_entitlement:
+                        project_name, role_name = project_entitlement.split(':role=')
+                        if ProjectRole.objects.filter(value=role_name).count() > 0:
+                            project_roles.append({'project': project_name, 'role': role_name})
+                        else:
+                            logger.error('could not handle entitlement=%s because no project role exists that matches the entitlement role=%s' % (entitlement, role_name))
                    else:
-                        logger.error('could not parse entitlement=%s because no project role exists that matches the entitlement role=%s' % (entitlement, role))
+                        # we only care about explicit roles, 'general' membership of a project is not relevant to TMSS
+                        pass
            except Exception as e:
-                logger.error('could not parse entitlement=%s because of exception=%s' % (entitlement, e))
+                logger.error('could not handle entitlement=%s because of exception=%s' % (entitlement, e))
        user.project_roles = project_roles
        logger.info("### assigned project_roles=%s to user=%s" % (project_roles, user))
        user.save()

+    def _set_user_system_roles_from_claims(self, user, claims):
+        groups = []
+        system_role_prefix = 'urn:mace:astron.nl:science:group:community:role='
+        system_role_map = {'expert scientist': Group.objects.get(name='Scientist (Expert)')}   # usually, we can use the entitlement name as group name, but some groups have weird names and need to be translated
+        for entitlement in claims.get('eduperson_entitlement', []):
+            try:
+                if entitlement.startswith(system_role_prefix):
+                    role_name = entitlement.replace(system_role_prefix, '')
+                    if role_name in system_role_map:
+                        groups.append(system_role_map[role_name])
+                    else:
+                        role_name = role_name.replace('_', ' ')
+                        if Group.objects.filter(name__iexact=role_name).count() > 0:
+                            groups.append(Group.objects.filter(name__iexact=role_name).first())
+                        else:
+                            logger.error('could not handle entitlement=%s because no system role / group exists that matches the entitlement role=%s' % (entitlement, role_name))
+            except Exception as e:
+                logger.error('could not handle entitlement=%s because of exception=%s' % (entitlement, e))
+        logger.info("### assigned groups=%s to user=%s" % (groups, user))
+        user.groups.add(*groups)
+        user.save()
+
    def create_user(self, claims):
        user = super(TMSSOIDCAuthenticationBackend, self).create_user(claims)
        logger.info('### create user=%s claims=%s' % (user, claims))
        self._set_user_project_roles_from_claims(user, claims)
+        self._set_user_system_roles_from_claims(user, claims)
        return user

    def update_user(self, user, claims):
        logger.info('### update user=%s claims=%s' % (user, claims))
        self._set_user_project_roles_from_claims(user, claims)
+        self._set_user_system_roles_from_claims(user, claims)
        return user
\ No newline at end of file