Despagettify hsh app compat and make it more straightforward

README.md

@@ -28,7 +28,6 @@ If you are not sure whether you need it: you don't need it.
 Use this only if you want an actual SSO with SAML2. For extra details see the default settings in `ssoauth.app_settings.defaults`. You might also need SSL, try using `nginx` for it.
 
 ```python
-""" settings/dev.py """
 import os, socket
 from django import urls
 

ssoauth/app_settings/defaults.py

@@ -31,8 +31,6 @@ SSO_REQUIRED_OUTSIDE_MANAGE_PY = True  # enabled to ensure that production (that
 SP_SLS_ENABLED = False  # single log out creates too many problems, so it is disabled for now
 SP_SLS_X_FRAME_OPTIONS = None  # in case you encounter problems with SLS view not allowed inside of an iframe, e.g. "ALLOW-FROM idp-test.it.hs-hannover.de idp.hs-hannover.de"
 
-GROUP_RESOLVER = "ssoauth.auth_utils.groups_from_group_names"  # in case you want to override how groups are resolved for users
-
 LOGIN_PERM_CODENAME = None  # None or str; value "can_log_in" will require this permission for users to log in
 
 PREDEFINED_GROUPS = {
@@ -80,6 +78,7 @@ ATTRIBUTE_SURNAME = "urn:oid:2.5.4.4"  # "sn"
 ATTRIBUTE_ACCOUNT_UUID = "UUID"  # custom stuff, this one has no OID
 ATTRIBUTE_GROUPS = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"  # "isMemberOf"
 
+GROUP_RESOLVER = None  # deprecated
 
 """
 This information will be published in this SP metadata...

ssoauth/auth_utils.py

+from uuid import UUID
 from django.db import transaction
 from django.contrib.auth import get_user_model
 from django.contrib.auth.models import Group
-from uuid import UUID
 from . import models
 from . import logger
 from . import app_settings
 from . import SUPERUSER_PERM_CODENAME, STAFF_PERM_CODENAME
-import importlib
+from .extras import hsh_compat
 
 
 def _validate_username(username):
@@ -96,20 +96,24 @@ def update_user_data(user, surname=None, forename=None, email=None):
     user.save()
 
 
-def set_user_groups(user, raw_values):
-    """ Updates groups for the user. """
-    # get the group resolver method
-    try:
-        resolver_path = app_settings.GROUP_RESOLVER.split(".")
-        assert len(resolver_path) >= 2, "need full path of the resolver method"
-        resolver_module_name = ".".join(resolver_path[:-1])
-        resolver_method_name = resolver_path[-1]
-        resolver_module = importlib.import_module(resolver_module_name)
-        resolver_method = getattr(resolver_module, resolver_method_name)
-    except Exception as e:
-        raise ImportError("Could not import {r}. {e.__class__.__name__}: {e}".format(r=app_settings.GROUP_RESOLVER, e=e))
-    # resolve the groups
-    groups = set(resolver_method(user, raw_values))
+def _groups_from_group_names(group_names):
+    """ This default group resolver returns list of Group objects based on group names """
+    groups = set(Group.objects.filter(name__in=group_names))
+    # log missing groups, might help to understand what is going on
+    found_group_names = {g.name for g in groups}
+    missing_group_names = set(group_names) - found_group_names
+    if missing_group_names:
+        n = len(missing_group_names)
+        logger.info("Received {n} names of nonexistent groups: {missing_group_names}".format(**locals()))
+    # done
+    return groups
+
+
+def set_user_groups(user, group_names):
+    if hsh_compat.HSH_APP_COMPAT_POSSIBLE:
+        logger.info("Resolving groups names for {user} directly from hsh app.".format(user=user))
+        group_names = hsh_compat.get_group_names_for_user(user)
+    groups = set(_groups_from_group_names(group_names))
     # update user groups
     if set(user.groups.all()) != groups:
         user.groups.set(groups)
@@ -119,17 +123,6 @@ def set_user_groups(user, raw_values):
     logger.info("User {user} is member of: {groups}".format(user=user, groups=[str(g) for g in groups]))
 
 
-def groups_from_group_names(user, saml2_raw_values):
-    """ This default group resolver returns list of Group objects based on group names as raw_values """
-    groups = set(Group.objects.filter(name__in=saml2_raw_values))
-    # perform some sanity checks
-    group_names_redundant = set(saml2_raw_values) - {g.name for g in groups}
-    if group_names_redundant:
-        logger.warning("Received redundant group names (clean up the configs): {0}".format(group_names_redundant))
-    # done
-    return groups
-
-
 def cleanup_direct_permissions(user):
     if user.user_permissions.exists():
         logger.critical("Who attached permissions directly to {user} ?!?!".format(**locals()))

ssoauth/checks.py

@@ -136,3 +136,14 @@ def production_entity_id(app_configs, **kwargs):
         ))
     return errors
 
+
+@register(Tags.compatibility)
+def group_resolver_deprecated(app_configs, **kwargs):
+    errors = list()
+    if app_settings.GROUP_RESOLVER is not None:
+        errors.append(Warning(
+            "GROUP_RESOLVER is deprecated. If hsh app is present, groups are resolved from it automatically instead of the received SAML group names.",
+            obj=conf.settings,
+        ))
+    return errors
+

ssoauth/extras/hsh_compat.py

+"""
+Compatibility features with the `hsh` app.
+"""
+
+from .. import logger
+
+
+try:
+    from hsh.models import Account
+    HSH_APP_COMPAT_POSSIBLE = True
+except ImportError:
+    HSH_APP_COMPAT_POSSIBLE = False
+
+
+ALLOWED_AUTH_PROVIDERS = ["fh-h.de"]
+GROUP_NAME_LOOKUP = dict(name__istartswith="WEB_")
+
+
+def get_group_names_for_user(user):
+    """
+    Resolve group names for the user directly from hsh app.
+    It's better to get groups directly from the database, instead of trusting AD data received via SAML2.
+    """
+    try:
+        hsh_account = Account.objects.get(username=user.username, auth_provider__in=ALLOWED_AUTH_PROVIDERS)
+    except (Account.DoesNotExist, Account.MultipleObjectsReturned,) as e:
+        logger.error("hsh.Account not found for {user}. {e.__class__.__name__}: {e}".format(user=user, e=e))
+        return set()
+    hsh_groups = {hsh_account.auth_groups.filter(**GROUP_NAME_LOOKUP)}
+    return {g.name for g in hsh_groups}
+

ssoauth/urls.py

@@ -15,5 +15,5 @@ urlpatterns = (
 if conf.settings.DEBUG:
     # add the dev view
     urlpatterns += (
-        url(r"^dev/?$", views.DevView.as_view(), name="sso-dev"),
+        url(r"^sso-dev/?$", views.DevView.as_view(), name="sso-dev"),
     )

ssoauth/views.py

@@ -204,7 +204,7 @@ class ACSAuthNView(SAMLMixin, View):
         )
         auth_utils.set_user_groups(
             user=user,
-            raw_values=get_attr(app_settings.ATTRIBUTE_GROUPS, nullable=True, multivalued=True) or list()
+            group_names=get_attr(app_settings.ATTRIBUTE_GROUPS, nullable=True, multivalued=True) or list()
         )
         # other necessary steps
         auth_utils.cleanup_direct_permissions(user=user)  # in case somebody was acting funny