Add support for autoregistering identities

qwc-services · Sep 19, 2024 · 3d21e7b · 3d21e7b
1 parent b1b73e0
commit 3d21e7b
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 3 deletions.
diff --git a/schemas/sogis-mysoch-auth.json b/schemas/sogis-mysoch-auth.json
@@ -67,6 +67,14 @@
           "description": "Query which verifies whether the userid exist. Must contain the :id placeholder",
           "type": "string"
         },
+        "autoregistration_allowed_query": {
+          "description": "Query which checks whether autoregistration is allowed. Can reference claim parameters in placeholders, with dashes replaced by _ (i.e. :x_igov_login_email )",
+          "type": "string"
+        },
+        "autoregistration_query": {
+          "description": "Query which performs autoregistration. Can reference claim parameters in placeholders, with dashes replaced by _ (i.e. :x_igov_login_email ), and :id as the user id.",
+          "type": "string"
+        },
         "tenant_header_name": {
           "description": "Name of tenant header to set when redirecting on successfull mysoch-auth",
           "type": "string"

diff --git a/src/server.py b/src/server.py
@@ -167,9 +167,31 @@ def login():
     user_exists = False
     with db.connect() as connection:
 
-        sql = sql_text(config.get("userid_verify_sql", ""))
-        result = connection.execute(sql, {"id": userid})
-        user_exists = result.first() is not None
+        sql = sql_text(config.get("userid_verify_sql", "SELECT"))
+        result = connection.execute(sql, {"id": userid}).first()
+        user_exists = result is not None
+
+    # Check if user can be automatically registered
+    if not user_exists:
+        claim_params = dict([(key.replace("-", "_"), claims[key]) for key in claims])
+        claim_params["id"] = userid
+        registration_allowed = False
+        with db.connect() as connection:
+            sql = sql_text(config.get("autoregistration_allowed_query", "SELECT FALSE"))
+            result = connection.execute(sql, claim_params).first()
+            registration_allowed = result and result[0] == True
+        app.logger.debug("userid %s verification failed, autoregistration allowed: %d" % (userid, registration_allowed))
+
+        if registration_allowed:
+            with db.connect() as connection:
+                sql = sql_text(config.get("autoregistration_query", "SELECT"))
+                try:
+                    connection.execute(sql, claim_params)
+                    connection.commit()
+                    user_exists = True
+                    app.logger.debug("autoregistration succeeded")
+                except Exception as e:
+                    app.logger.debug("autoregistration failed: %s" % str(e))
 
     parts = urlparse(target_url)
     target_query = dict(parse_qsl(parts.query))