3 |
3 |
except ImportError:
|
4 |
4 |
pass
|
5 |
5 |
|
6 |
|
from quixote import get_publisher
|
7 |
|
|
8 |
|
from wcs.roles import Role
|
9 |
|
|
10 |
6 |
from qommon import get_cfg, get_logger
|
11 |
7 |
import qommon.saml2
|
12 |
8 |
|
... | ... | |
15 |
11 |
def extract_attributes(self, session, login):
|
16 |
12 |
'''Separate attributes as two dictionaries: one for last value, one for
|
17 |
13 |
the list of values.'''
|
|
14 |
d = {}
|
|
15 |
m = {}
|
|
16 |
|
18 |
17 |
lasso_session = lasso.Session.newFromDump(session.lasso_session_dump)
|
19 |
18 |
try:
|
20 |
19 |
assertion = lasso_session.getAssertions(None)[0]
|
21 |
20 |
except:
|
22 |
21 |
get_logger().warn('failed to lookup assertion')
|
23 |
|
return user
|
|
22 |
return d, m
|
24 |
23 |
|
25 |
|
d = {}
|
26 |
|
m = {}
|
27 |
24 |
try:
|
28 |
25 |
for attribute in assertion.attributeStatement[0].attribute:
|
29 |
26 |
try:
|
... | ... | |
37 |
34 |
pass
|
38 |
35 |
return d, m
|
39 |
36 |
|
|
37 |
def fill_user_attributes(self, session, login, user):
|
|
38 |
qommon.saml2.Saml2Directory.fill_user_attributes(self, session, login, user)
|
|
39 |
|
|
40 |
idp = qommon.saml2.get_remote_provider_cfg(login)
|
|
41 |
if not idp.get('attribute-mapping'):
|
|
42 |
self.legacy_fill_user_attributes(session, login, user)
|
|
43 |
|
40 |
44 |
def legacy_fill_user_attributes(self, session, login, user):
|
41 |
45 |
'''Fill fields using a legacy attribute to field varname mapping'''
|
42 |
46 |
d, m = self.extract_attributes(session, login)
|
... | ... | |
83 |
87 |
for field in user.get_formdef().fields:
|
84 |
88 |
if field.varname in field_varnames:
|
85 |
89 |
user.form_data[field.id] = d.get(attribute_key)
|
86 |
|
|
87 |
|
def lookup_user(self, session, login = None, name_id = None):
|
88 |
|
user = qommon.saml2.Saml2Directory.lookup_user(self, session, login, name_id)
|
89 |
|
|
90 |
|
if not user:
|
91 |
|
user = get_publisher().user_class()
|
92 |
|
# already done by parent.lookup_user() for existing users
|
93 |
|
self.fill_user_attributes(session, login, user)
|
94 |
|
|
95 |
|
# apply legacy mapping when not configured
|
96 |
|
idp = qommon.saml2.get_remote_provider_cfg(login)
|
97 |
|
if not idp.get('attribute-mapping'):
|
98 |
|
self.legacy_fill_user_attributes(session, login, user)
|
99 |
|
|
100 |
|
if user.form_data:
|
101 |
|
user.set_attributes_from_formdata(user.form_data)
|
102 |
|
|
103 |
|
if not (user.name and user.email):
|
104 |
|
# we didn't get useful attributes, forget it.
|
105 |
|
get_logger().warn('failed to get useful attributes from the assertion')
|
106 |
|
return None
|
107 |
|
|
108 |
|
if not login.nameIdentifier.content in user.name_identifiers:
|
109 |
|
user.name_identifiers.append(login.nameIdentifier.content)
|
110 |
|
|
111 |
|
if login and login.identity:
|
112 |
|
user.lasso_dump = login.identity.dump()
|
113 |
|
|
114 |
|
lasso_session = lasso.Session.newFromDump(session.lasso_session_dump)
|
115 |
|
assertion = lasso_session.getAssertions(None)[0]
|
116 |
|
for attribute in assertion.attributeStatement[0].attribute:
|
117 |
|
if attribute.name == 'verified_attributes':
|
118 |
|
verified_attributes = [x.any[0].content for x in attribute.attributeValue]
|
119 |
|
if verified_attributes:
|
120 |
|
# XXX: if there are any verified attributes we consider
|
121 |
|
# first and last names are also verified. This is to work
|
122 |
|
# around the fact that those attributes are handled
|
123 |
|
# differently in authentic and cannot be marked as
|
124 |
|
# verified.
|
125 |
|
verified_attributes.extend(['first_name', 'last_name'])
|
126 |
|
verified_fields = []
|
127 |
|
if user.get_formdef() and user.get_formdef().fields:
|
128 |
|
for field in user.get_formdef().fields:
|
129 |
|
if field.varname in verified_attributes:
|
130 |
|
verified_fields.append(field.id)
|
131 |
|
user.verified_fields = verified_fields
|
132 |
|
break
|
133 |
|
|
134 |
|
user.store()
|
135 |
|
return user
|
136 |
|
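Review bot: The new `return d, m` in the except branch of extract_attributes (new line 22, replacing a `return user` whose name is not bound in that function) turns a failed assertion lookup from an error into two empty dicts, and legacy_fill_user_attributes (new lines 44-89, its body cut by the hunk separator) then runs `user.form_data[field.id] = d.get(attribute_key)` for every mapped field, writing None over whatever the user record already held. A guard right after the extraction, `if not d and not m: return`, would keep the no-assertion case a no-op, and the bare `except:` at new line 20 is worth narrowing (it also swallows KeyboardInterrupt/SystemExit and hides the IndexError that `getAssertions(None)[0]` presumably raises on an empty list); `get_logger().warn` there is the deprecated alias of `warning`. Separately, removing lookup_user drops the code that copied the assertion's `verified_attributes` into `user.verified_fields` (old lines 114-132): unless Saml2Directory.lookup_user in qommon.saml2 now does this, fields the IdP marked as verified lose that marking after this commit, which I cannot confirm from the hunk.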
-
|