Automatically link the superuser account to federated service for auth

When the user commits the configuration, if they have chosen a non-DB auth system, we now auto-link the superuser account to that auth system, to ensure they can login again after restart.
2015-07-20 13:18:07 -04:00 · 2015-07-20 13:18:07 -04:00 · 38a6b3621c
commit 38a6b3621c
parent 33b54218cc
5 changed files with 37 additions and 5 deletions
--- a/data/model/user.py
+++ b/data/model/user.py
@ -295,6 +295,15 @@ def list_entity_robot_permission_teams(entity_name, include_permissions=False):
  return TupleSelector(query, fields)


+def confirm_attached_federated_login(user, service_name):
+  """ Verifies that the given user has a federated service identity for the specified service.
+      If none found, a row is added for that service and user.
+  """
+  with db_transaction():
+    if not lookup_federated_login(user, service_name):
+      attach_federated_login(user, service_name, user.username)
+
+
 def create_federated_user(username, email, service_name, service_id,
                          set_password_notification, metadata={}):
  if not is_create_user_allowed():
--- a/data/users/init.py
+++ b/data/users/init.py
@ -15,6 +15,19 @@ from util.aes import AESCipher

 logger = logging.getLogger(__name__)

+def get_federated_service_name(authentication_type):
+  if authentication_type == 'LDAP':
+    return 'ldap'
+
+  if authentication_type == 'JWT':
+    return 'jwtauthn'
+
+  if authentication_type == 'Keystone':
+    return 'keystone'
+
+  raise Exception('Unknown auth type: %s' % authentication_type)
+
+
 class UserAuthentication(object):
  def __init__(self, app=None, override_config_dir=None):
    self.app_secret_key = None
@ -45,8 +58,8 @@ class UserAuthentication(object):
      verify_url = app.config.get('JWT_VERIFY_ENDPOINT')
      issuer = app.config.get('JWT_AUTH_ISSUER')
      max_fresh_s = app.config.get('JWT_AUTH_MAX_FRESH_S', 300)
-      users = ExternalJWTAuthN(verify_url, issuer, override_config_dir, max_fresh_s,
-                               app.config['HTTPCLIENT'])
+      users = ExternalJWTAuthN(verify_url, issuer, override_config_dir,
+                               app.config['HTTPCLIENT'], max_fresh_s)
    elif authentication_type == 'Keystone':
      auth_url = app.config.get('KEYSTONE_AUTH_URL')
      keystone_admin_username = app.config.get('KEYSTONE_ADMIN_USERNAME')