Cian-H/invenio-config-iform
1
0
Fork 0
mirror of https://github.com/Cian-H/invenio-config-iform.git synced 2025-12-22 21:11:57 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
52fb93cc43ce4d796444ad249b3dc26593c7e0f3
invenio-config-iform/invenio_config_tugraz/utils.py
Martin Obersteiner 52fb93cc43 utils: add invenio_saml-compatible account-setup
2024-07-08 10:03:01 +02:00

68 lines
2.3 KiB
Python
Raw Blame History

# -*- coding: utf-8 -*-
#
# Copyright (C) 2022 Graz University of Technology.
#
# invenio-config-tugraz is free software; you can redistribute it and/or
# modify it under the terms of the MIT License; see LICENSE file for more
# details.
"""Utils file."""
from flask_principal import Identity
from invenio_access import any_user
from invenio_access.utils import get_identity
from invenio_accounts import current_accounts
def get_identity_from_user_by_email(email: str = None) -> Identity:
"""Get the user specified via email or ID."""
if email is None:
raise ValueError("the email has to be set to get a identity")
user = current_accounts.datastore.get_user(email)
if user is None:
raise LookupError(f"user with {email} not found")
identity = get_identity(user)
# TODO: this is a temporary solution. this should be done with data from the db
identity.provides.add(any_user)
return identity
def tugraz_account_setup_extension(user, account_info): # noqa: W0613
"""Add tugraz_authenticated role to user after SAML-login was acknowledged.
To use, have `acs_handler_factory` call invenio_saml's `default_account_setup` first,
then this function second.
.. code-block:: python
# invenio.cfg
from invenio_saml.handlers import default_account_setup, acs_handler_factory
def tugraz_account_setup(user, account_info):
# links external `account_info` with our database's `user` for future logins
default_account_setup(user, account_info)
tugraz_account_setup_extension(user, account_info)
SSO_SAML_IDPS = {
"my-tugraz-idp": {
...
"acs_handler": acs_handler_factory(
"my-tugraz-idp", account_setup=tugraz_account_setup
)
}
}
For this to work, the role tugraz_authenticated must have been created
(e.g. via `invenio roles create tugraz_authenticated`).
"""
user_email = account_info["user"]["email"]
# NOTE: `datastore.commit`ing will be done by acs_handler that calls this func
# NOTE: this is a No-Op when user_email already has role tugraz_authenticated
current_accounts.datastore.add_role_to_user(user_email, "tugraz_authenticated")
Reference in New Issue View Git Blame Copy Permalink