From 062c18efa0580dbca2b548c3092b6271324e7934 Mon Sep 17 00:00:00 2001 From: Antony PERIGAULT Date: Thu, 15 Mar 2018 17:37:32 +0100 Subject: [PATCH] Map users in organizations based on saml groups --- awx/sso/pipeline.py | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/awx/sso/pipeline.py b/awx/sso/pipeline.py index 23d603275f..8c89d629a0 100644 --- a/awx/sso/pipeline.py +++ b/awx/sso/pipeline.py @@ -54,7 +54,7 @@ def prevent_inactive_login(backend, details, user=None, *args, **kwargs): raise AuthInactive(backend) -def _update_m2m_from_expression(user, rel, expr, remove=True): +def _update_m2m_from_expression(user, rel, expr, remove=True, saml_team_names=False): ''' Helper function to update m2m relationship based on user matching one or more expressions. @@ -70,6 +70,9 @@ def _update_m2m_from_expression(user, rel, expr, remove=True): if isinstance(expr, (six.string_types, type(re.compile('')))): expr = [expr] for ex in expr: + if saml_team_names: + if ex in saml_team_names: + should_add = True if isinstance(ex, six.string_types): if user.username == ex or user.email == ex: should_add = True 
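Review bot: The new `saml_team_names` parameter is not described in the docstring that follows the changed signature, and `False` is an odd default for a value the callers pass as a set of strings. Suggest `saml_team_names=None` and a docstring line such as `saml_team_names: set of group names taken from the IdP's team attribute; a plain-string expression equal to one of them also counts as a match.` The docstring and body of `_update_m2m_from_expression` continue outside this hunk.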
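Review bot: The added `ex in saml_team_names` test matches the org's `admins`/`users` expressions, which until now described the authenticated user's own username or email, against group names asserted by the IdP, so any group whose name equals a configured admin username or email string now grants that org role; the two name spaces should not share one list. A compiled-regex expression is never found in a set of strings either, so regex entries silently get no group matching at all. Consider a dedicated key (e.g. `admins_saml_groups`) for group-based mapping, or at minimum make the intent explicit and documented with `if saml_team_names and isinstance(ex, six.string_types) and ex in saml_team_names:`. The `for ex in expr` loop continues past this hunk.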
@@ -104,16 +107,24 @@ def update_user_orgs(backend, details, user=None, *args, **kwargs): except IndexError: continue + team_map = backend.setting('SOCIAL_AUTH_SAML_TEAM_ATTR') or {} + saml_team_names = False + if team_map.get('saml_attr'): + saml_team_names = set(kwargs + .get('response', {}) + .get('attributes', {}) + .get(team_map['saml_attr'], [])) + # Update org admins from expression(s). remove = bool(org_opts.get('remove', True)) admins_expr = org_opts.get('admins', None) remove_admins = bool(org_opts.get('remove_admins', remove)) - _update_m2m_from_expression(user, org.admin_role.members, admins_expr, remove_admins) + _update_m2m_from_expression(user, org.admin_role.members, admins_expr, remove_admins, saml_team_names) # Update org users from expression(s). users_expr = org_opts.get('users', None) remove_users = bool(org_opts.get('remove_users', remove)) - _update_m2m_from_expression(user, org.member_role.members, users_expr, remove_users) + _update_m2m_from_expression(user, org.member_role.members, users_expr, remove_users, saml_team_names) def update_user_teams(backend, details, user=None, *args, **kwargs):
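Review bot: The `team_map`/`saml_team_names` lookup is evaluated once per organization inside the surrounding loop (the `except IndexError: continue` above it belongs to that loop, whose header is outside the hunk) although it depends only on `backend` and the response, so it belongs before the loop. The value comes straight from the IdP response: if the configured attribute arrives as a single string rather than a list, `set(...)` would split it into characters and `ex in saml_team_names` would match one-character expressions, so normalising with `if isinstance(names, six.string_types): names = [names]` before building the set is worth adding, assuming a scalar is possible for this backend. The team attribute (`SOCIAL_AUTH_SAML_TEAM_ATTR`) is also being reused to drive organization membership; a comment stating that this reuse is intentional would help the next reader. `update_user_orgs` begins outside the hunk.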