CAS: Support group whitelisting

Allow the user to configure a group whitelist.
Any user not a member of the one or more of the
whitelisted groups will not allowed to
authenticate, if the social_auth.auth_allowed
is enabled.

Author: slyngshede

social_core/backends/cas.py

@@ -25,6 +25,7 @@ class CASOpenIdConnectAuth(OpenIdConnectAuth):
     SOCIAL_AUTH_CAS_OIDC_ENDPOINT = 'https://.....'  # endpoint without /.well-known/openid-configuration
     SOCIAL_AUTH_CAS_KEY = '<client_id>'
     SOCIAL_AUTH_CAS_SECRET = '<client_secret>'
+    SOCIAL_AUTH_CAS_ALLOW_GROUPS = []
     """
 
     name = "cas"
@@ -59,3 +60,17 @@ def get_user_details(self, response):
             "first_name": attributes.get("given_name"),
             "last_name": attributes.get("family_name"),
         }
+
+    def auth_allowed(self, response, details):
+        if not super().auth_allowed(response, details):
+            return False
+
+        allow_groups = self.setting("ALLOW_GROUPS", [])
+        if not allow_groups:
+            return True
+
+        groups = response.get('groups', [])
+        for group in groups:
+            if group in allow_groups:
+                return True
+        return False

social_core/tests/backends/test_cas.py

@@ -47,6 +47,8 @@ def extra_settings(self):
         settings.update(
             {
                 f"SOCIAL_AUTH_{self.name}_OIDC_ENDPOINT": f"{ROOT_URL}oidc",
+                f"SOCIAL_AUTH_{self.name}_ALLOW_GROUPS": ["users",],
+                f"SOCIAL_AUTH_{self.name}_WHITELISTED_DOMAINS": ["example.net",]
             }
         )
         return settings