Merge remote-tracking branch 'upstream/develop' into feature/django_upgrade

Author: cslzchen

addons/bitbucket/api.py

@@ -3,14 +3,14 @@
 from addons.bitbucket import settings
 
 from framework.exceptions import HTTPError
-
+from osf.utils.fields import ensure_str
 from website.util.client import BaseClient
 
 
 class BitbucketClient(BaseClient):
 
     def __init__(self, access_token=None):
-        self.access_token = access_token
+        self.access_token = ensure_str(access_token)
 
     @property
     def _default_headers(self):

api/institutions/authentication.py

@@ -17,46 +17,38 @@
 
 from osf import features
 from osf.models import Institution
+from osf.models.institution import SharedSsoAffiliationFilterCriteriaAction
 
 from website.mails import send_mail, WELCOME_OSF4I
 from website.settings import OSF_SUPPORT_EMAIL, DOMAIN
 
 logger = logging.getLogger(__name__)
 
-# This map defines how to find the secondary institution IdP which uses the shared SSO of a primary
-# IdP. Each map entry has the following format.
+# This map defines how to find the secondary institution which uses SSO of a primary one. Each map
+# entry has the following format.
 #
 #    '<ID of the primary institution A>': {
-#        'criteria': 'attribute',
-#        'attribute': '<the attribute name for identifying secondary institutions>',
-#        'institutions': {
-#            '<attribute value for identifying institution A1>': '<ID of secondary institution A1>',
-#            '<attribute value for identifying institution A2>': '<ID of secondary institution A2>',
-#            ...
-#        },
-#        ...
-#    }
-#
-# Currently, the only active criteria is "attribute", which the primary institution IdP releases to
-# OSF for us to identify the secondary institution. Another option is "emailDomain". For example:
-#
-#    '<ID of the primary institution B>': {
-#        'criteria': 'emailDomain',
-#        'institutions': {
-#            '<the email domain for identifying institution B1>': '<ID of secondary institution B1',
-#            '<the email domain for identifying institution B2>': '<ID of secondary institution B2',
-#            ...
-#        }
-#        ...
+#        'attribute_name': '<the attribute name for identifying secondary institutions>',
+#        'criteria_action': '<the action to perform between the attribute value and criteria value',
+#        'criteria_value': '<the value that>
+#        'institution_id': 'the ID of the secondary institution',
 #    }
+# For now, this map is temporarily defined here but will be moved to settings or be re-implemented
+# in model via relationships later. In addition, we should be able to make the attribute name fixed
+# since CAS can normalize them into "sharedSsoFilter" ahead of time.
 #
 INSTITUTION_SHARED_SSO_MAP = {
     'brown': {
-        'criteria': 'attribute',
-        'attribute': 'isMemberOf',
-        'institutions': {
-            'thepolicylab': 'thepolicylab',
-        },
+        'attribute_name': 'isMemberOf',
+        'criteria_action': SharedSsoAffiliationFilterCriteriaAction.EQUALS_TO.value,
+        'criteria_value': 'thepolicylab',
+        'institution_id': 'thepolicylab',
+    },
+    'fsu': {
+        'attribute_name': 'userRoles',
+        'criteria_action': SharedSsoAffiliationFilterCriteriaAction.CONTAINS.value,
+        'criteria_value': 'FSU_OSF_MAGLAB',
+        'institution_id': 'nationalmaglab',
     },
 }
 
@@ -158,34 +150,42 @@ def authenticate(self, request):
         secondary_institution = None
         if provider['id'] in INSTITUTION_SHARED_SSO_MAP:
             switch_map = INSTITUTION_SHARED_SSO_MAP[provider['id']]
-            criteria_type = switch_map.get('criteria')
-            if criteria_type == 'attribute':
-                attribute_name = switch_map.get('attribute')
-                attribute_value = provider['user'].get(attribute_name)
-                if attribute_value:
-                    secondary_institution_id = switch_map.get(
-                        'institutions',
-                        {},
-                    ).get(attribute_value)
-                    logger.info('Institution SSO: primary=[{}], secondary=[{}], '
-                                'username=[{}]'.format(provider['id'], secondary_institution_id, username))
-                    secondary_institution = Institution.load(secondary_institution_id)
-                    if not secondary_institution:
-                        # Log errors and inform Sentry but do not raise an exception if OSF fails
-                        # to load the secondary institution from database
-                        message = 'Institution SSO Error: invalid secondary institution [{}]; ' \
-                                  'primary=[{}], username=[{}]'.format(attribute_value, provider['id'], username)
-                        logger.error(message)
-                        sentry.log_message(message)
-                else:
-                    # SSO from primary institution only
-                    logger.info('Institution SSO: primary=[{}], secondary=[None], '
-                                'username=[{}]'.format(provider['id'], username))
+            attribute_name = switch_map.get('attribute_name')
+            criteria_action = switch_map.get('criteria_action')
+            criteria_value = switch_map.get('criteria_value')
+            attribute_value = provider['user'].get(attribute_name)
+            # Check affiliation filter criteria and retrieve the secondary institution ID
+            secondary_institution_id = None
+            if criteria_action == SharedSsoAffiliationFilterCriteriaAction.EQUALS_TO.value:
+                secondary_institution_id = switch_map.get('institution_id') if criteria_value == attribute_value else None
+            elif criteria_action == SharedSsoAffiliationFilterCriteriaAction.CONTAINS.value:
+                secondary_institution_id = switch_map.get('institution_id') if criteria_value in attribute_value else None
             else:
-                message = 'Institution SSO Error: invalid criteria [{}]; ' \
-                          'primary=[{}], username=[{}]'.format(criteria_type, provider['id'], username)
+                message = 'Institution Shared SSO Error: invalid affiliation filter criteria action [{}]; ' \
+                          'primary=[{}], username=[{}]'.format(criteria_action, provider['id'], username)
                 logger.error(message)
                 sentry.log_message(message)
+            # Attempt to load the secondary institution by ID
+            if secondary_institution_id:
+                logger.info(
+                    'Institution Shared SSO Eligible: primary=[{}], secondary=[{}], '
+                    'filter=[{}: {} {} {}], username=[{}]'.format(
+                        provider['id'], secondary_institution_id, attribute_name,
+                        attribute_value, criteria_action, criteria_value, username,
+                    ),
+                )
+                secondary_institution = Institution.load(secondary_institution_id)
+                if not secondary_institution:
+                    # Log errors and inform Sentry but do not raise an exception if OSF fails
+                    # to load the secondary institution from database
+                    message = 'Institution Shared SSO Warning: invalid secondary institution [{}], primary=[{}], ' \
+                              'username=[{}]'.format(secondary_institution_id, provider['id'], username)
+                    logger.error(message)
+                    sentry.log_message(message)
+            else:
+                # SSO from primary institution only
+                logger.info('Institution SSO: primary=[{}], secondary=[None], '
+                            'username=[{}]'.format(provider['id'], username))
 
         # Use given name and family name to build full name if it is not provided
         if given_name and family_name and not fullname: