from mozilla_django_oidc.auth import OIDCAuthenticationBackend
import logging
from lofar.sas.tmss.tmss.tmssapp.models import ProjectRole
from django.contrib.auth.models import Group
logger = logging.getLogger(__name__)
class TMSSOIDCAuthenticationBackend(OIDCAuthenticationBackend):
"""
A custom OIDCAuthenticationBackend, that allows us to perform extra actions when a user gets authenticated,
most importantly we can assign the user's system and project roles according to the claims that we get from the
identity provider.
"""
def _set_user_project_roles_from_claims(self, user, claims):
project_roles = []
project_role_prefix = 'urn:mace:astron.nl:science:group:lofar:project:'
project_role_map = {'contact': 'contact_author'}
for entitlement in claims.get('eduperson_entitlement', []):
try:
if entitlement.startswith(project_role_prefix):
project_entitlement = entitlement.replace(project_role_prefix, '')
if 'role' in project_entitlement:
project_name, role_name = project_entitlement.split(':role=')
if role_name in project_role_map:
role_name = project_role_map[role_name]
if ProjectRole.objects.filter(value=role_name).count() > 0:
project_roles.append({'project': project_name, 'role': role_name})
else:
logger.error('could not handle entitlement=%s because no project role exists that matches the entitlement role=%s' % (entitlement, role_name))
else:
# we only care about explicit roles, 'general' membership of a project is not relevant to TMSS
pass
except Exception as e:
logger.error('could not handle entitlement=%s because of exception=%s' % (entitlement, e))
user.project_roles = project_roles
logger.info("### assigned project_roles=%s to user=%s" % (project_roles, user))
user.save()
def _set_user_system_roles_from_claims(self, user, claims):
groups = []
system_role_prefix = 'urn:mace:astron.nl:science:group:lofar:role='
system_role_map = {'expert scientist': Group.objects.get(name='Scientist (Expert)')} # usually, we can use the entitlement name as group name, but some groups have weird names and need to be translated
for entitlement in claims.get('eduperson_entitlement', []):
try:
if entitlement.startswith(system_role_prefix):
role_name = entitlement.replace(system_role_prefix, '')
if role_name in system_role_map:
groups.append(system_role_map[role_name])
else:
role_name = role_name.replace('_', ' ')
if Group.objects.filter(name__iexact=role_name).count() > 0:
groups.append(Group.objects.filter(name__iexact=role_name).first())
else:
logger.error('could not handle entitlement=%s because no system role / group exists that matches the entitlement role=%s' % (entitlement, role_name))
except Exception as e:
logger.error('could not handle entitlement=%s because of exception=%s' % (entitlement, e))
logger.info("### assigned groups=%s to user=%s" % (groups, user))
user.groups.set(groups)
user.save()
def create_user(self, claims):
user = super(TMSSOIDCAuthenticationBackend, self).create_user(claims)
logger.info('### create user=%s claims=%s' % (user, claims))
self._set_user_project_roles_from_claims(user, claims)
self._set_user_system_roles_from_claims(user, claims)
return user
def update_user(self, user, claims):
logger.info('### update user=%s claims=%s' % (user, claims))
self._set_user_project_roles_from_claims(user, claims)
self._set_user_system_roles_from_claims(user, claims)
return user