⚙ Group settings propagate

Author: danyi1212

docs/source/installation/migration.rst

@@ -38,6 +38,11 @@ In case you would still want to **also** migrate all users now, you can do this
 >>> for user in LDAPUsers.objects.all():
 >>>     user.sync()
 
+To 1.4.0
+--------
+
+- (optional) Remove duplicated groups between ``SUPERUSER_GROUPS``, ``STAFF_GROUPS`` and ``ACTIVE_GROUPS`` ldap settings, or set ``PROPAGATE_GROUPS`` to ``False``.
+
 To 1.3.0
 --------
 

docs/source/reference/change_log.rst

@@ -2,6 +2,14 @@
 Change Log
 =============
 
+1.4.0
+-----
+
+Release date: coming soon
+
+- **ADDED**: LDAPUserManager for manually creating users from LDAP.
+- **IMPROVED**: LDAP Settings for Group Membership check propagate to one another.
+
 1.3.2
 -----
 

docs/source/reference/ldap_settings.rst

@@ -351,7 +351,7 @@ If the user is member in **one** of the listed LDAP groups, the ``is_superuser``
 The group membership is checked by comparing the **groups listed in this setting** to the **LDAP Group Attributes** listed in ``GROUP_ATTRS`` setting.
 
 STAFF_GROUPS
-~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~
 
 | Type ``tuple`` or ``str``; Default to ``Administrators``; Not Required.
 | LDAP Groups to check membership for setting Django User's "is_staff" flag.
@@ -365,7 +365,7 @@ If the user is member in **one** of the listed LDAP groups, the ``is_staff`` fla
 The group membership is checked by comparing the **groups listed in this setting** to the **LDAP Group Attributes** listed in ``GROUP_ATTRS`` setting.
 
 ACTIVE_GROUPS
-~~~~~~~~~~~~~~~~
+~~~~~~~~~~~~~
 
 | Type ``tuple`` or ``str``; Default to ``None``; Not Required.
 | LDAP Groups to check membership for setting Django User's "is_active" flag.
@@ -379,6 +379,16 @@ If the user is member in **one** of the listed LDAP groups, the ``is_active`` fl
 The group membership is checked by comparing the **groups listed in this setting** to the **LDAP Group Attributes** listed in ``GROUP_ATTRS`` setting.
 
 
+PROPAGATE_GROUPS
+~~~~~~~~~~~~~~~~
+
+| Type ``bool``; Default to ``True``; Not Required.
+| Propagate groups in order Superusers > Staff > Active.
+
+When set to ``True``, all groups configured in ``SUPERUSER_GROUPS`` will be added to ``STAFF_GROUPS``
+and ``ACTIVE_GROUPS``, and groups configured in ``STAFF_GROUPS`` with be added to ``ACTIVE_GROUPS``.
+
+
 GROUP_MAP
 ~~~~~~~~~
 
@@ -397,3 +407,21 @@ Groups that are **not listed** in this setting will **not be affected** by this.
 
 .. warning::
     When a group that is configured in this setting is missing, it will be **created automatically**.
+
+FLAG_MAP
+~~~~~~~~
+
+| Type ``dict``; Default is ``{}``; Not Required.
+| Map User object boolean fields to one or more LDAP Groups membership check.
+
+Used to synchronize boolean fields from the User object as a group membership check.
+If the user is member in **one** of the listed LDAP groups, the respective boolean field will be set to ``True``,
+otherwise it is set to ``False``.
+
+| Configuring this setting to ``None`` will not modify the field.
+| Configuring this setting to a **string** is equal to a **single length tuple**.
+
+The group membership is checked by comparing the **groups listed in this setting** to the **LDAP Group Attributes** listed in ``GROUP_ATTRS`` setting.
+
+User's ``is_superuser``, ``is_staff`` and ``is_active`` are added automatically from settings ``SUPERUSER_GROUPS``,
+``STAFF_GROUPS`` and ``ACTIVE_GROUPS`` respectively.

testproj/demo/tests.py

@@ -1,3 +1,52 @@
-from django.test import TestCase
+from django.test import TestCase, override_settings
 
-# Create your tests here.
+from windows_auth.models import LDAPUser
+from windows_auth.settings import LDAPSettings
+
+
+class ModelTestCase(TestCase):
+
+    def test_create_user(self):
+        user = LDAPUser.objects.create_user("EXAMPLE\\Administrator")
+        self.assertEqual(user.ldap.domain, "EXAMPLE")
+
+
+class SettingsTestCase(TestCase):
+
+    def test_flag_settings(self):
+        settings = LDAPSettings(
+            SERVER="example.local",
+            SEARCH_BASE="DC=example,DC=local",
+            USERNAME="EXAMPLE\\django_sync",
+            PASSWORD="Aa123456!",
+            SUPERUSER_GROUPS=None,
+            STAFF_GROUPS=["List"],
+            ACTIVE_GROUPS=["Explicit"],
+            FLAG_MAP={
+                "extra": "Hello world!",
+            },
+        )
+        # check propagation
+        self.assertEqual(settings.get_flag_map(), {
+            "is_superuser": [],
+            "is_staff": ["List"],
+            "is_active": ["Explicit", "List"],
+            "extra": ["Hello world!"],
+        })
+        # check without propagation
+        settings.PROPAGATE_GROUPS = False
+        self.assertEqual(settings.get_flag_map(), {
+            "is_superuser": [],
+            "is_staff": ["List"],
+            "is_active": ["Explicit"],
+            "extra": ["Hello world!"],
+        })
+        # check unique
+        settings.PROPAGATE_GROUPS = True
+        settings.ACTIVE_GROUPS = ["Explicit", "List"]
+        self.assertEqual(settings.get_flag_map(), {
+            "is_superuser": [],
+            "is_staff": ["List"],
+            "is_active": ["Explicit", "List"],
+            "extra": ["Hello world!"],
+        })

windows_auth/models.py

@@ -164,17 +164,9 @@ def sync(self) -> None:
         }
 
         # check user flags
-        flags = []
-        if manager.settings.SUPERUSER_GROUPS:
-            flags.append(("is_superuser", manager.settings.SUPERUSER_GROUPS, False))
-        if manager.settings.STAFF_GROUPS:
-            flags.append(("is_staff", manager.settings.STAFF_GROUPS, False))
-        if manager.settings.ACTIVE_GROUPS:
-            flags.append(("is_active", manager.settings.ACTIVE_GROUPS, True))
-
-        # update user flags
-        for flag, groups, default in flags:
-            updated_fields[flag] = _match_groups(group_reader, groups, manager.settings.GROUP_ATTRS, default=default)
+        for flag, groups in manager.settings.get_flag_map().items():
+            if groups:
+                updated_fields[flag] = _match_groups(group_reader, groups, manager.settings.GROUP_ATTRS)
 
         # check group membership
         group_membership: Dict[Group, bool] = {}

windows_auth/settings.py

@@ -1,12 +1,21 @@
 from dataclasses import dataclass, field, asdict, MISSING, fields
-from typing import Dict, Any, Optional, Iterable, Union, Tuple
+from typing import Dict, Any, Optional, Iterable, Union, Tuple, List
 
 from django.core.exceptions import ImproperlyConfigured
 
 # domain name to use as a fallback setting for domain missing from WAUTH_DOMAINS
 DEFAULT_DOMAIN_SETTING = "__default__"
 
 
+def _get_group_list(value) -> List[str]:
+    if value is None:
+        return []
+    elif isinstance(value, str):
+        return [value]
+    else:
+        return value
+
+
 @dataclass()
 class LDAPSettings:
     # connection settings
@@ -39,7 +48,9 @@ class LDAPSettings:
     SUPERUSER_GROUPS: Optional[Union[str, Iterable[str]]] = "Domain Admins"
     STAFF_GROUPS: Optional[Union[str, Iterable[str]]] = "Administrators"
     ACTIVE_GROUPS: Optional[Union[str, Iterable[str]]] = None
-    GROUP_MAP: Dict[str, str] = field(default_factory=dict)
+    PROPAGATE_GROUPS: bool = True
+    GROUP_MAP: Dict[str, Union[str, Iterable[str]]] = field(default_factory=dict)
+    FLAG_MAP: Dict[str, Union[str, Iterable[str]]] = field(default_factory=dict)
 
     @classmethod
     def for_domain(cls, domain: str):
@@ -72,3 +83,30 @@ def for_domain(cls, domain: str):
            for setting, value in merged_settings.items()
            if setting in cls_fields
         })
+
+    def get_superuser_groups(self):
+        return _get_group_list(self.SUPERUSER_GROUPS)
+
+    def get_staff_groups(self):
+        if self.PROPAGATE_GROUPS:
+            return list({*_get_group_list(self.STAFF_GROUPS), *self.get_superuser_groups()})
+        else:
+            return _get_group_list(self.STAFF_GROUPS)
+
+    def get_active_groups(self):
+        if self.PROPAGATE_GROUPS:
+            return list({*_get_group_list(self.ACTIVE_GROUPS), *self.get_staff_groups()})
+        else:
+            return _get_group_list(self.ACTIVE_GROUPS)
+
+    def get_flag_map(self):
+        return {
+            "is_superuser": self.get_superuser_groups(),
+            "is_staff": self.get_staff_groups(),
+            "is_active": self.get_active_groups(),
+            **{
+                k: _get_group_list(v)
+                for k, v in self.FLAG_MAP.items()
+            }
+        }
+