nigzak commented on issue #19510:
URL: https://github.com/apache/superset/issues/19510#issuecomment-1195459638
Found a solution for this: overriding `auth_user_oauth` in custom_sso_security_manager.py
is required.
In addition, this code modifies the call to add_user (a user is only added
if ANY relevant entitlement is present).
In this example code the user must have ANY role that contains "MY_ROLE"
(see the matcher variable) in order to be added:
user is known => sync user details (+email + username)
user is not known:
a) has a relevant entitlement => add them
b) has no relevant entitlement => do not add them
```
def auth_user_oauth(self, userinfo):
logging.debug('calling auth_user_oauth')
try:
# CLONED ORIGIN FROM
https://flask-appbuilder.readthedocs.io/en/latest/_modules/flask_appbuilder/security/manager.html
if "username" in userinfo:
username = userinfo["username"]
elif "email" in userinfo:
username = userinfo["email"]
else:
log.error(
"OAUTH userinfo does not have
username or email {0}".format(userinfo)
)
return None
# If username is empty, go away
if (username is None) or username == "":
return None
# Search the DB for this user
user = self.find_user(username=username)
log.debug(user)
# If user is not active, go away
if user and (not user.is_active):
return None
# If user is not registered, and not self-registration,
go away
if (not user) and (not self.auth_user_registration):
return None
# Sync the user's roles
if user and self.auth_roles_sync_at_login:
user.roles =
self._oauth_calculate_user_roles(userinfo)
log.debug(
"Calculated new roles for
user='{0}' as: {1}".format(
username, user.roles
)
)
rolecheck = userinfo.get("role_keys")
matcher = "MY_ROLE"
# If the user is new, register them
if (not user) and self.auth_user_registration:
## MANUAL ADDED: add
user only if relevant entitlement_group
if (rolecheck is None):
return # no role
addAllowed = False
for r in rolecheck:
if matcher in r:
addAllowed = True
log.debug("adding allowed
because of %s", r)
log.debug(addAllowed)
if (addAllowed):
user = self.add_user(
username=username,
first_name=userinfo.get("first_name", ""),
last_name=userinfo.get("last_name", ""),
email=userinfo.get("email", "") or f"{username}@email.notfound",
role=self._oauth_calculate_user_roles(userinfo),
)
log.debug("New user registered:
{0}".format(user))
# If user registration failed, go away
if not user:
log.error("Error
creating a new OAuth user {0}".format(username))
return None
else:
## MANUAL ADDED: sync data if already registered
logging.debug("SYNCING USER")
user.first_name = userinfo.get("first_name")
## MANUAL ADDED: sync data
user.last_name = userinfo.get("last_name")
## MANUAL ADDED: sync data
user.email = userinfo.get("email")
## MANUAL ADDED: sync data
# LOGIN SUCCESS (only if user is now registered)
if user:
self.update_user_auth_stat(user)
return user
else:
return None
except ValueError as err:
logging.debug("ERROR CSOM")
logging.debug(err)
logging.debug(err.args)
raise
```