Store project affiliation

61800b41 · Frank Sauerburger · 72ad7ecc · 61800b41 · 61800b41
Verified Commit 61800b41 authored 4 years ago by Frank Sauerburger
--- a/uhepp_org/uhepp_org/settings.py
+++ b/uhepp_org/uhepp_org/settings.py
@@ -43,6 +43,9 @@ OIDC_OP_USER_ENDPOINT = "https://auth.cern.ch/auth/realms/cern/protocol/openid-c
 LOGIN_REDIRECT_URL = "http://dev.uhepp.org:8000/accounts/"
 LOGOUT_REDIRECT_URL = "https://uhepp.org/"

+OIDC_RP_SCOPES = 'openid'
+OIDC_APP_NAME = "uhepp-dev"
+
 INSTALLED_APPS = [
    'uhepp_vault',
    'uhepp_api',

--- a/uhepp_org/uhepp_vault/auth.py
+++ b/uhepp_org/uhepp_vault/auth.py

+from django.conf import settings
 from django.contrib.auth.models import User
 from mozilla_django_oidc.auth import OIDCAuthenticationBackend
 from .models import Profile

 class UHeppOIDCAB(OIDCAuthenticationBackend):
+
+    PROJECTS = ["atlas"]
+
+    def get_userinfo(self, access_token, id_token, payload):
+        """Return user details dictionary. The user details are extracted from
+        the id_token's payload. The userinfo endpoint is not contacted"""
+        return payload
+
    def filter_users_by_claims(self, claims):
        upn = claims.get('cern_upn')
        if not upn:
@@ -16,17 +25,25 @@ class UHeppOIDCAB(OIDCAuthenticationBackend):
        except Profile.DoesNotExist:
            return self.UserModel.objects.none()

+    def _claims_to_project(self, claims):
+        app_name = settings.OIDC_APP_NAME
+        roles = claims.get("resource_access", {}).get(app_name, {}).get("roles", [])
+        projects = [project for project in self.PROJECTS if project in roles]
+        return ";".join(projects)
+
    def create_user(self, claims):
        username = "ch.cern." + claims["cern_upn"]
        user = User.objects.create(username=username,
                                   first_name=claims.get('given_name', ''),
                                   last_name=claims.get('family_name', ''),
                                   email=claims.get('email', ''))
+
        profile = Profile.objects.create(user=user,
-                                          cern_upn=claims['cern_upn'],
-                                          cern_uid=claims.get('cern_uid'),
-                                          cern_person_id=claims.get('cern_person_id'),
-                                          home_institute=claims.get('home_institute'))
+                                         project=self._claims_to_project(claims),
+                                         cern_upn=claims['cern_upn'],
+                                         cern_uid=claims.get('cern_uid'),
+                                         cern_person_id=claims.get('cern_person_id'),
+                                         home_institute=claims.get('home_institute'))
        return user

    def update_user(self, user, claims):
@@ -37,6 +54,7 @@ class UHeppOIDCAB(OIDCAuthenticationBackend):
        user.profile.uid = claims.get('cern_uid')
        user.profile.cern_person_id = claims.get('cern_person_id')
        user.profile.home_institute = claims.get('home_institute')
+        user.profile.project=self._claims_to_project(claims)
        user.profile.save()
        user.save()