350 |
350 |
lasso.SAML2_AUTHN_CONTEXT_PASSWORD_PROTECTED_TRANSPORT
|
351 |
351 |
elif how == 'ssl':
|
352 |
352 |
authn_context = lasso.SAML2_AUTHN_CONTEXT_X509
|
|
353 |
elif event.get('auth_level'):
|
|
354 |
authn_context = app_settings.AUTHN_CLASSREF_LEVELS + event['auth_level']
|
353 |
355 |
else:
|
354 |
356 |
raise NotImplementedError('Unknown authentication method %s',
|
355 |
357 |
how)
|
... | ... | |
523 |
525 |
return sso_after_process_request(request, login, nid_format=nid_format)
|
524 |
526 |
|
525 |
527 |
|
526 |
|
def need_login(request, login, nid_format, service):
|
|
528 |
def need_login(request, login, nid_format, service, auth_level=None):
|
527 |
529 |
"""Redirect to the login page with a nonce parameter to verify later that
|
528 |
530 |
the login form was submitted
|
529 |
531 |
"""
|
530 |
532 |
nonce = login.request.id or get_nonce()
|
531 |
533 |
save_key_values(nonce, login.dump(), False, nid_format)
|
532 |
|
next_url = make_url(continue_sso, params={NONCE_FIELD_NAME: nonce})
|
|
534 |
params = {
|
|
535 |
NONCE_FIELD_NAME: nonce
|
|
536 |
}
|
|
537 |
next_url = make_url(continue_sso, params=params)
|
|
538 |
if auth_level:
|
|
539 |
params['auth_level'] = auth_level
|
533 |
540 |
logger.debug('redirect to login page with next url %s', next_url)
|
534 |
|
return login_require(request, next_url=next_url, params={NONCE_FIELD_NAME: nonce},
|
535 |
|
service=service)
|
|
541 |
return login_require(request, next_url=next_url, params=params, service=service)
|
536 |
542 |
|
537 |
543 |
|
538 |
544 |
def get_url_with_nonce(request, function, nonce):
|
... | ... | |
634 |
640 |
did_auth = find_authentication_event(request, nonce) is not None
|
635 |
641 |
force_authn = login.request.forceAuthn
|
636 |
642 |
passive = login.request.isPassive
|
|
643 |
requested_auth_level = False
|
|
644 |
if login.request.requestedAuthnContext:
|
|
645 |
authn_classref = login.request.requestedAuthnContext.authnContextClassRef
|
|
646 |
if authn_classref and authn_classref[0].startswith(app_settings.AUTHN_CLASSREF_LEVELS):
|
|
647 |
requested_auth_level = int(authn_classref[0].split('/')[-1])
|
637 |
648 |
|
638 |
649 |
logger.debug('NameIDFormat is %s', nid_format)
|
639 |
650 |
logger.debug('nonce is %s', nonce)
|
... | ... | |
642 |
653 |
service = LibertyServiceProvider.objects.get(
|
643 |
654 |
liberty_provider__entity_id=login.remoteProviderId).liberty_provider
|
644 |
655 |
|
|
656 |
current_auth_level = request.session.get('auth_level', 1)
|
|
657 |
if not user.is_anonymous() and requested_auth_level > current_auth_level:
|
|
658 |
requested_auth_level = current_auth_level + 1 # progressively increase auth level
|
|
659 |
return need_login(request, login, nid_format, service, requested_auth_level)
|
|
660 |
|
645 |
661 |
if not passive and \
|
646 |
662 |
(user.is_anonymous() or (force_authn and not did_auth)):
|
647 |
663 |
logger.debug('login required')
|
648 |
664 |
return need_login(request, login, nid_format, service)
|
649 |
665 |
|
650 |
|
# No user is authenticated and passive is True, deny request
|
651 |
|
if passive and user.is_anonymous():
|
|
666 |
# No user is authenticated or authentication level is too low and passive
|
|
667 |
# is True, deny request
|
|
668 |
if passive and (user.is_anonymous() or requested_auth_level > current_auth_level):
|
652 |
669 |
logger.debug('no user connected and passive request, returning NoPassive')
|
653 |
670 |
set_saml2_response_responder_status_code(login.response,
|
654 |
671 |
lasso.SAML2_STATUS_CODE_NO_PASSIVE)
|
655 |
|
-
|