Allow mapping org auditors where we map org admins.

2026-01-11 10:00:01 -03:30 · 2019-07-18 15:06:21 -04:00 · 2019-07-18 15:06:21 -04:00 · bbf28f50bd
commit bbf28f50bd
parent 0cc9199f23
5 changed files with 18 additions and 1 deletions
--- a/awx/sso/backends.py
+++ b/awx/sso/backends.py
@ -369,6 +369,10 @@ def on_populate_user(sender, **kwargs):
        remove_admins = bool(org_opts.get('remove_admins', remove))
        _update_m2m_from_groups(user, ldap_user, org.admin_role.members, admins_opts,
                                remove_admins)
+        auditors_opts = org_opts.get('auditors', None)
+        remove_auditors = bool(org_opts.get('remove_auditors', remove))
+        _update_m2m_from_groups(user, ldap_user, org.auditor_role.members, auditors_opts,
+                                remove_auditors)
        users_opts = org_opts.get('users', None)
        remove_users = bool(org_opts.get('remove_users', remove))
        _update_m2m_from_groups(user, ldap_user, org.member_role.members, users_opts,
--- a/awx/sso/conf.py
+++ b/awx/sso/conf.py
@ -53,6 +53,7 @@ SOCIAL_AUTH_ORGANIZATION_MAP_PLACEHOLDER = collections.OrderedDict([
    ])),
    ('Test Org', collections.OrderedDict([
        ('admins', ['admin@example.com']),
+        ('auditors', ['auditor@example.com']),
        ('users', True),
    ])),
    ('Test Org 2', collections.OrderedDict([
@ -379,6 +380,7 @@ def _register_ldap(append=None):
        placeholder=collections.OrderedDict([
            ('Test Org', collections.OrderedDict([
                ('admins', 'CN=Domain Admins,CN=Users,DC=example,DC=com'),
+                ('auditors', 'CN=Domain Auditors,CN=Users,DC=example,DC=com'),
                ('users', ['CN=Domain Users,CN=Users,DC=example,DC=com']),
                ('remove_users', True),
                ('remove_admins', True),
@ -1170,8 +1172,10 @@ register(
    placeholder=collections.OrderedDict([
        ('saml_attr', 'organization'),
        ('saml_admin_attr', 'organization_admin'),
+        ('saml_auditor_attr', 'organization_auditor'),
        ('remove', True),
        ('remove_admins', True),
+        ('remove_auditors', True),
    ]),
 )

--- a/awx/sso/fields.py
+++ b/awx/sso/fields.py
@ -532,8 +532,10 @@ class LDAPSingleOrganizationMapField(HybridDictField):

    admins = LDAPDNMapField(allow_null=True, required=False)
    users = LDAPDNMapField(allow_null=True, required=False)
+    auditors = LDAPDNMapField(allow_null=True, required=False)
    remove_admins = fields.BooleanField(required=False)
    remove_users = fields.BooleanField(required=False)
+    remove_auditors = fields.BooleanField(required=False)

    child = _Forbidden()

@ -729,6 +731,8 @@ class SAMLOrgAttrField(HybridDictField):
    saml_attr = fields.CharField(required=False, allow_null=True)
    remove_admins = fields.BooleanField(required=False)
    saml_admin_attr = fields.CharField(required=False, allow_null=True)
+    remove_auditors = fields.BooleanField(required=False)
+    saml_auditor_attr = fields.CharField(required=False, allow_null=True)

    child = _Forbidden()

--- a/awx/sso/pipeline.py
+++ b/awx/sso/pipeline.py
@ -151,17 +151,20 @@ def update_user_orgs_by_saml_attr(backend, details, user=None, *args, **kwargs):
        return
    from django.conf import settings
    org_map = settings.SOCIAL_AUTH_SAML_ORGANIZATION_ATTR
-    if org_map.get('saml_attr') is None and org_map.get('saml_admin_attr') is None:
+    if org_map.get('saml_attr') is None and org_map.get('saml_admin_attr') is None and org_map.get('saml_auditor_attr') is None:
        return

    remove = bool(org_map.get('remove', True))
    remove_admins = bool(org_map.get('remove_admins', True))
+    remove_auditors = bool(org_map.get('remove_auditors', True))

    attr_values = kwargs.get('response', {}).get('attributes', {}).get(org_map['saml_attr'], [])
    attr_admin_values = kwargs.get('response', {}).get('attributes', {}).get(org_map['saml_admin_attr'], [])
+    attr_auditor_values = kwargs.get('response', {}).get('attributes', {}).get(org_map['saml_auditor_attr'], [])

    _update_org_from_attr(user, "member_role", attr_values, remove, False)
    _update_org_from_attr(user, "admin_role", attr_admin_values, False, remove_admins)
+    _update_org_from_attr(user, "auditor_role", attr_auditor_values, False, remove_auditors)


 def update_user_teams_by_saml_attr(backend, details, user=None, *args, **kwargs):
--- a/awx/sso/tests/functional/test_pipeline.py
+++ b/awx/sso/tests/functional/test_pipeline.py
@ -150,6 +150,7 @@ class TestSAMLAttr():
                'attributes': {
                    'memberOf': ['Default1', 'Default2'],
                    'admins': ['Default3'],
+                    'auditors': ['Default4'],
                    'groups': ['Blue', 'Red'],
                    'User.email': ['cmeyers@redhat.com'],
                    'User.LastName': ['Meyers'],
@ -178,6 +179,7 @@ class TestSAMLAttr():
            SOCIAL_AUTH_SAML_ORGANIZATION_ATTR = {
                'saml_attr': 'memberOf',
                'saml_admin_attr': 'admins',
+                'saml_auditor_attr': 'auditors',
                'remove': True,
                'remove_admins': True,
            }