
from django.conf import settings
from django.contrib.auth.models import Permission
from django.db import transaction
from mozilla_django_oidc.auth import \
OIDCAuthenticationBackend as BaseOIDCAuthenticationBackend
from .models import OIDCUser
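def get_permissions(claims):
    """Map the roles the token grants this client to Django ``Permission`` rows.

    Args:
        claims: Decoded OIDC claims. Roles are read from
            ``claims["resource_access"][settings.OIDC_RP_CLIENT_ID]["roles"]``.

    Returns:
        A ``Permission`` queryset whose ``codename`` is in the token's role list.
        When the claim path is absent or malformed the result is an empty
        queryset instead of the ``TypeError``/``KeyError`` the unguarded
        subscript chain raised.
    """
    resource_access = claims.get("resource_access") or {}
    client_access = resource_access.get(settings.OIDC_RP_CLIENT_ID) or {}
    roles = client_access.get("roles") or []
    if isinstance(roles, str):
        # A bare string would otherwise be iterated character by character.
        roles = [roles]
    # NOTE(review): Permission.codename is unique only together with
    # content_type, so one role name can match same-named permissions in
    # several apps; narrow by content_type if role names are not global.
    return Permission.objects.filter(codename__in=roles)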
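class OIDCAuthenticationBackend(BaseOIDCAuthenticationBackend):
    """OIDC backend that keys users on the ``sub`` claim and syncs permissions from token roles."""

    @transaction.atomic
    def create_user(self, claims):
        """Create a Django user and its ``OIDCUser`` link from verified claims.

        Runs in a single transaction so a failure creating the ``OIDCUser`` row
        does not leave an orphaned, permission-bearing user behind.

        Args:
            claims: Decoded OIDC claims (``preferred_username``, ``email``,
                ``given_name``, ``family_name``, ``sub`` are read).

        Returns:
            The newly created user instance.
        """
        user = self.UserModel.objects.create_user(
            claims.get("preferred_username"), claims.get("email")
        )
        # Name claims are optional; the name columns are NOT NULL, so store ""
        # rather than None when they are missing.
        user.first_name = claims.get("given_name") or ""
        user.last_name = claims.get("family_name") or ""
        user.user_permissions.set(get_permissions(claims))
        user.save()
        OIDCUser.objects.create(uuid=claims.get("sub"), user=user)
        return user

    def update_user(self, user, claims):
        """Re-sync the user's permissions from the token on each login.

        ``set()`` replaces the whole permission set, so roles revoked at the
        identity provider are revoked here as well.

        Args:
            user: The existing user matched by ``filter_users_by_claims``.
            claims: Decoded OIDC claims.

        Returns:
            The updated user instance.
        """
        user.user_permissions.set(get_permissions(claims))
        user.save()
        return user

    def filter_users_by_claims(self, claims):
        """Look up the local user linked to the token's ``sub`` claim.

        Args:
            claims: Decoded OIDC claims.

        Returns:
            A user queryset with at most one row; empty when ``sub`` is missing
            or no ``OIDCUser`` is linked to it.
        """
        uuid = claims.get("sub")
        if not uuid:
            return self.UserModel.objects.none()
        try:
            # Was ``OIDCUser.object`` (no "s"), which raises AttributeError on
            # every lookup unless a manager by that name exists.
            oidc_user = OIDCUser.objects.get(uuid=uuid)
        except OIDCUser.DoesNotExist:
            return self.UserModel.objects.none()
        # Return a queryset, matching the empty-case return type; the base
        # class only needs len() and indexing on the result.
        return self.UserModel.objects.filter(pk=oidc_user.user_id)

    def verify_claims(self, claims):
        """Accept the token only if it carries a ``resource_access`` entry for this client.

        A token without a ``resource_access`` claim is rejected instead of
        raising ``TypeError`` on ``in None``.

        Args:
            claims: Decoded OIDC claims.

        Returns:
            True when ``settings.OIDC_RP_CLIENT_ID`` is a key of ``resource_access``.
        """
        resource_access = claims.get("resource_access") or {}
        # NOTE(review): as before, the base class's verify_claims is not
        # chained here; consider ``super().verify_claims(claims) and ...``
        # since create_user reads the "email" claim.
        return settings.OIDC_RP_CLIENT_ID in resource_access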