added feature to grant access permissions via SSO groups

2024-09-16 13:20:19 +02:00 · 2024-09-16 13:20:19 +02:00 · b5fbe28146
commit b5fbe28146
parent 09b2375d79
5 changed files with 102 additions and 0 deletions
--- a/src/c3nav/mapdata/migrations/0109_accesspermissionssogrant_accesspermission_sso_grant.py
+++ b/src/c3nav/mapdata/migrations/0109_accesspermissionssogrant_accesspermission_sso_grant.py
@ -0,0 +1,42 @@
+# Generated by Django 5.0.8 on 2024-09-12 21:22
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('mapdata', '0108_in_legend'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='AccessPermissionSSOGrant',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('provider', models.CharField(max_length=32, verbose_name='SSO Backend')),
+                ('group', models.CharField(max_length=64, verbose_name='SSO Group')),
+                ('access_restriction', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, to='mapdata.accessrestriction')),
+                ('access_restriction_group', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, to='mapdata.accessrestrictiongroup')),
+            ],
+            options={
+                'verbose_name': 'Access Permission SSO Grant',
+                'verbose_name_plural': 'Access Permission SSO Grants',
+                'default_related_name': 'accesspermission_sso_grants',
+            },
+        ),
+        migrations.AddField(
+            model_name='accesspermission',
+            name='sso_grant',
+            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, to='mapdata.accesspermissionssogrant', verbose_name='Access Permission SSO Grant'),
+        ),
+        migrations.AddConstraint(
+            model_name='accesspermissionssogrant',
+            constraint=models.CheckConstraint(check=models.Q(models.Q(('access_restriction__isnull', True), ('access_restriction_group__isnull', True), _negated=True), models.Q(('access_restriction__isnull', False), ('access_restriction_group__isnull', False), _negated=True)), name='sso_permission_grant_needs_restriction_or_restriction_group'),
+        ),
+        migrations.AlterUniqueTogether(
+            name='accesspermissionssogrant',
+            unique_together={('provider', 'group', 'access_restriction', 'access_restriction_group')},
+        ),
+    ]
--- a/src/c3nav/mapdata/models/access.py
+++ b/src/c3nav/mapdata/models/access.py
@ -187,6 +187,28 @@ class AccessPermissionToken(models.Model):
        return ngettext_lazy('Area successfully unlocked.', 'Areas successfully unlocked.', len(self.restrictions))


+class AccessPermissionSSOGrant(models.Model):
+
+    provider = models.CharField(max_length=32, verbose_name=_('SSO Backend'))
+    group = models.CharField(max_length=64, verbose_name=_('SSO Group'))
+    access_restriction = models.ForeignKey(AccessRestriction, on_delete=models.CASCADE, null=True, blank=True)
+    access_restriction_group = models.ForeignKey(AccessRestrictionGroup, on_delete=models.CASCADE, null=True,
+                                                 blank=True)
+
+    class Meta:
+        verbose_name = _('Access Permission SSO Grant')
+        verbose_name_plural = _('Access Permission SSO Grants')
+        default_related_name = 'accesspermission_sso_grants'
+        unique_together = (
+            ('provider', 'group', 'access_restriction', 'access_restriction_group')
+        )
+        constraints = (
+            CheckConstraint(check=(~Q(access_restriction__isnull=True, access_restriction_group__isnull=True) &
+                                   ~Q(access_restriction__isnull=False, access_restriction_group__isnull=False)),
+                            name="sso_permission_grant_needs_restriction_or_restriction_group"),
+        )
+
+
 class AccessPermission(models.Model):
    user = models.ForeignKey(settings.AUTH_USER_MODEL, null=True, on_delete=models.CASCADE)
    session_token = models.UUIDField(null=True, editable=False)
@ -199,6 +221,8 @@ class AccessPermission(models.Model):
    unique_key = models.CharField(max_length=32, null=True, verbose_name=_('unique key'))
    token = models.ForeignKey(AccessPermissionToken, null=True, on_delete=models.CASCADE,
                              verbose_name=_('Access permission token'))
+    sso_grant = models.ForeignKey(AccessPermissionSSOGrant, null=True, on_delete=models.CASCADE,
+                                  verbose_name=_('Access Permission SSO Grant'))

    class Meta:
        verbose_name = _('Access Permission')