Update backends.py

.github/workflows/pod_dev.yml

@@ -92,7 +92,7 @@ jobs:
       - name: cat env
         run: cat .env.dev
 
-      - name: make Build container
+      - name: Build containers
         run: |
           sudo rm -rf ./pod/log
           sudo rm -rf ./pod/static
@@ -105,29 +105,29 @@ jobs:
         with:
           time: '60s'
 
-      - name: show running container
+      - name: Show running containers
         run: |
           docker ps
           echo "🍏 Docker is UP ${{ job.status }}."
           docker exec pod-back-with-volumes ps auxf
           docker exec pod-back-with-volumes python manage.py loaddata pod/video/fixtures/sample_videos.json
 
-      - name: run test in docker
+      - name: Run test_remote_encode_transcode in docker
         run: docker exec pod-back-with-volumes coverage run --append manage.py test -v 3 --keepdb pod.video_encode_transcript.tests.test_remote_encode_transcode
 
-      - name: Run pa11y-ci full
+      - name: Run pa11y-ci
         run: docker exec pa11y-ci pa11y-ci -c /usr/src/app/dockerfile-dev-with-volumes/pa11y-ci/config.json
 
       - name: Run pa11y-ci mobile
         run: docker exec pa11y-ci pa11y-ci -c /usr/src/app/dockerfile-dev-with-volumes/pa11y-ci/config_mobile.json
 
-      - name: show pa11y results
+      - name: Show pa11y results
         run: cat pa11y-results.json
 
       - name: Stop containers
         if: always()
         run: docker compose -f ./docker-compose-full-dev-with-volumes-test.yml down
-      - name: delete unused file and change owner
+      - name: Delete unused file and change owner
         run: |
           sudo rm -f pod/custom/settings_local.py
           sudo chown -R runner:runner .

CONFIGURATION_EN.md

@@ -498,6 +498,9 @@ Set `USE_AI_ENHANCEMENT` to True to activate this application.<br>
 * `OIDC_DEFAULT_AFFILIATION`
   > default value: ``
   >>
+* `OIDC_DEFAULT_AFFILIATION`
+  > valeur par défaut : ``
+  >> Affiliation par défaut d’un utilisateur authentifié par OIDC.<br>
 * `OIDC_NAME`
   > default value: ``
   >>

CONFIGURATION_FR.md

@@ -857,6 +857,10 @@ Mettre `USE_AI_ENHANCEMENT` à True pour activer cette application.<br>
   > valeur par défaut : `preferred_username`
   >> Noms des Claim permettant de récupérer<br>
   >> l’attribut login mais dépendant de l’attribut du client dans l’IDP.<br>
+* `OIDC_CLAIM_AFFILIATION`
+  > valeur par défaut : `affiliations`
+  >> Noms des Claim permettant de récupérer<br>
+  >> l’attribut affiliations.<br>
 * `OIDC_CLAIM_GIVEN_NAME`
   > valeur par défaut : `given_name`
   >> Noms des Claim permettant de récupérer les attributs nom, prénom, email<br>

Makefile

@@ -54,10 +54,15 @@ lang:
 	echo "Processing javascript files..."
 	python3 manage.py makemessages -d djangojs -l fr -l nl -i "*.min.js" -i "pod/static/*" -i "opencast-studio/*" -i "*/node_modules/*"  -i "node_modules/*" -i "pod/custom/*" --add-location=file
 
-#compilation des fichiers de langue
+# Compilation des fichiers de langue
 compilelang:
 	python3 manage.py compilemessages -l fr -l nl
 
+# Suppression des sessions inutilisées
+clearsessions:
+	python3 manage.py clearsessions
+	python3 manage.py django_cas_ng_clean_sessions
+
 # Look for changes to apply in DB
 updatedb:
 	python3 manage.py makemigrations

pod/authentication/apps.py

@@ -7,6 +7,7 @@
 
 
 def create_groupsite_if_not_exists(g) -> None:
+    """Create a GroupSite if it does not exist."""
     from pod.authentication.models import GroupSite
 
     try:
@@ -16,6 +17,7 @@ def create_groupsite_if_not_exists(g) -> None:
 
 
 def set_default_site(sender, **kwargs) -> None:
+    """Set the default site for all groups and owners."""
     from pod.authentication.models import Owner
     from django.contrib.sites.models import Site
     from django.contrib.auth.models import Group
@@ -34,9 +36,12 @@ def set_default_site(sender, **kwargs) -> None:
 
 
 class AuthConfig(AppConfig):
+    """Authentication configuration."""
+
     name = "pod.authentication"
     default_auto_field = "django.db.models.BigAutoField"
     verbose_name = _("Authentication")
 
     def ready(self) -> None:
+        """Called after the Django app registry is ready."""
         post_migrate.connect(set_default_site, sender=self)

pod/authentication/backends.py

@@ -7,9 +7,11 @@
 from django.contrib.auth import get_user_model
 from django.contrib.auth.models import Group
 from django.core.exceptions import ObjectDoesNotExist
-
+import logging
 from pod.authentication.models import AccessGroup, DEFAULT_AFFILIATION, AFFILIATION_STAFF
+from django.contrib.sites.models import Site
 
+logger = logging.getLogger(__name__)
 User = get_user_model()
 
 CREATE_GROUP_FROM_AFFILIATION = getattr(settings, "CREATE_GROUP_FROM_AFFILIATION", False)
@@ -76,9 +78,8 @@ def update_owner_params(user, params) -> None:
 OIDC_DEFAULT_AFFILIATION = getattr(
     settings, "OIDC_DEFAULT_AFFILIATION", DEFAULT_AFFILIATION
 )
-OIDC_DEFAULT_ACCESS_GROUP_CODE_NAMES = getattr(
-    settings, "OIDC_DEFAULT_ACCESS_GROUP_CODE_NAMES", []
-)
+
+OIDC_CLAIM_AFFILIATION = getattr(settings, "OIDC_CLAIM_AFFILIATION", "affiliations")
 
 
 class OIDCBackend(OIDCAuthenticationBackend):
@@ -87,32 +88,68 @@ class OIDCBackend(OIDCAuthenticationBackend):
     def create_user(self, claims):
         """Create user connectd by OIDC."""
         user = super(OIDCBackend, self).create_user(claims)
-
-        user.first_name = claims.get(OIDC_CLAIM_GIVEN_NAME, "")
-        user.last_name = claims.get(OIDC_CLAIM_FAMILY_NAME, "")
-        user.username = claims.get(OIDC_CLAIM_PREFERRED_USERNAME, "")
-        user.owner.affiliation = OIDC_DEFAULT_AFFILIATION
-        for code_name in OIDC_DEFAULT_ACCESS_GROUP_CODE_NAMES:
-            try:
-                user.owner.accessgroup_set.add(
-                    AccessGroup.objects.get(code_name=code_name)
-                )
-            except ObjectDoesNotExist:
-                pass
-        user.is_staff = is_staff_affiliation(affiliation=user.owner.affiliation)
+        self._initialize_user(user, claims)
+        user.is_staff = is_staff_affiliation(user.owner.affiliation)
         user.owner.save()
         user.save()
-
         return user
 
     def update_user(self, user, claims):
         """Update OIDC user."""
         user.first_name = claims.get(OIDC_CLAIM_GIVEN_NAME, "")
         user.last_name = claims.get(OIDC_CLAIM_FAMILY_NAME, "")
         user.username = claims.get(OIDC_CLAIM_PREFERRED_USERNAME, "")
+        user.owner.accessgroup_set.clear()
+        self._assign_affiliations(user, claims)
+        user.is_staff = is_staff_affiliation(user.owner.affiliation)
+
         user.save()
 
         user.owner.auth_type = "OIDC"
         user.owner.save()
 
         return user
+
+    def _initialize_user(self, user, claims):
+        """Initialize user object from OIDC claims."""
+        user.first_name = claims.get(OIDC_CLAIM_GIVEN_NAME, "")
+        user.last_name = claims.get(OIDC_CLAIM_FAMILY_NAME, "")
+        user.username = claims.get(OIDC_CLAIM_PREFERRED_USERNAME, "")
+        self._assign_affiliations(user, claims)
+        return user
+
+    def _assign_affiliations(self, user, claims) -> None:
+        """Assign affiliations and access groups to user."""
+        affiliations = claims.get(OIDC_CLAIM_AFFILIATION, [OIDC_DEFAULT_AFFILIATION])
+
+        for affiliation in affiliations:
+            self._add_access_group(user, affiliation)
+
+        OIDC_DEFAULT_ACCESS_GROUP_CODE_NAMES = getattr(
+            settings, "OIDC_DEFAULT_ACCESS_GROUP_CODE_NAMES", []
+        )
+
+        # Add default access groups
+        for code_name in OIDC_DEFAULT_ACCESS_GROUP_CODE_NAMES:
+            self._safe_assign_access_group(user, code_name)
+
+        user.owner.affiliation = (
+            affiliations[0] if affiliations else OIDC_DEFAULT_AFFILIATION
+        )
+
+    def _add_access_group(self, user, affiliation) -> None:
+        """Create or retrieve access group and assign to user."""
+        accessgroup, created = AccessGroup.objects.get_or_create(code_name=affiliation)
+        if created:
+            accessgroup.display_name = affiliation
+            accessgroup.auto_sync = True
+            accessgroup.sites.add(Site.objects.get_current())
+            accessgroup.save()
+        user.owner.accessgroup_set.add(accessgroup)
+
+    def _safe_assign_access_group(self, user, code_name) -> None:
+        """Safely add an access group if it exists."""
+        try:
+            user.owner.accessgroup_set.add(AccessGroup.objects.get(code_name=code_name))
+        except ObjectDoesNotExist:
+            pass