0001-use-a-mapping-instead-of-hard-coded-string.patch
README | ||
216 | 216 |
must be obtained from your identity provider but SHOULD come from the |
217 | 217 |
SAML 2.0 specification. |
218 | 218 | |
219 |
MELLON_AUTHN_CLASSREF_LEVELS
|
|
220 |
----------------------------
|
|
219 |
MELLON_AUTH_LEVELS_MAPPING
|
|
220 |
-------------------------- |
|
221 | 221 | |
222 |
When working with an idp which provides authentication levels, this |
|
223 |
should be the URI it is expecting as a class reference, to which |
|
224 |
will be appended the authentication level passed as a GET parameter |
|
225 |
to LOGIN_URL. |
|
222 |
When working with an idp which provides authentication levels, this should be a |
|
223 |
mapping from the authentication class references the idp provides to their |
|
224 |
respective authentication level. Default is {}. Ex.:: |
|
226 | 225 | |
226 |
MELLON_AUTH_LEVELS_MAPPING = { |
|
227 |
'https://entrouvert.org/auth-level/1': 1, |
|
228 |
'https://entrouvert.org/auth-level/2': 2, |
|
229 |
'https://entrouvert.org/auth-level/3': 3, |
|
230 |
} |
|
227 | 231 | |
228 | 232 |
MELLON_GROUP_ATTRIBUTE |
229 | 233 |
---------------------- |
mellon/app_settings.py | ||
39 | 39 |
'LOGOUT_URL': 'mellon_logout', |
40 | 40 |
'ARTIFACT_RESOLVE_TIMEOUT': 10.0, |
41 | 41 |
'LOGIN_HINTS': [], |
42 |
'AUTHN_CLASSREF_LEVELS': 'https://entrouvert.org/auth-level/',
|
|
42 |
'AUTH_LEVELS_MAPPING': {},
|
|
43 | 43 |
} |
44 | 44 | |
45 | 45 |
@property |
mellon/views.py | ||
219 | 219 |
utils.login(request, user) |
220 | 220 |
class_ref = attributes['authn_context_class_ref'] |
221 | 221 |
idp = self.get_idp(request) |
222 |
authn_classref_levels = utils.get_setting(idp, 'AUTHN_CLASSREF_LEVELS')
|
|
223 |
if authn_classref_levels and class_ref.startswith(authn_classref_levels):
|
|
224 |
request.session['auth_level'] = int(class_ref.split('/')[-1])
|
|
222 |
authn_classref_levels = utils.get_setting(idp, 'AUTH_LEVELS_MAPPING')
|
|
223 |
if class_ref in authn_classref_levels:
|
|
224 |
request.session['auth_level'] = authn_classref_levels[class_ref]
|
|
225 | 225 |
self.log.info('user %s (NameID is %r) logged in using SAML', user, |
226 | 226 |
attributes['name_id_content']) |
227 | 227 |
request.session['mellon_session'] = utils.flatten_datetime(attributes) |
... | ... | |
400 | 400 |
authn_request.isPassive = True |
401 | 401 |
# configure requested AuthnClassRef |
402 | 402 |
authn_classref = utils.get_setting(idp, 'AUTHN_CLASSREF') |
403 |
authn_classref_levels = utils.get_setting(idp, 'AUTHN_CLASSREF_LEVELS')
|
|
403 |
authn_classref_levels = utils.get_setting(idp, 'AUTH_LEVELS_MAPPING')
|
|
404 | 404 |
if requested_auth_level and authn_classref_levels: |
405 |
authn_classref = (authn_classref_levels + str(requested_auth_level),) |
|
405 |
authn_classref = tuple(cr for cr, lvl in authn_classref_levels.items() |
|
406 |
if lvl == int(requested_auth_level)) |
|
406 | 407 |
req_authncontext = lasso.Samlp2RequestedAuthnContext() |
407 | 408 |
authn_request.requestedAuthnContext = req_authncontext |
408 | 409 |
req_authncontext.authnContextClassRef = authn_classref |
409 |
- |
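Review bot: `int(requested_auth_level)` on new line 406 raises ValueError on a non-numeric value, and since the README describes the level as a GET parameter to LOGIN_URL, a malformed query string now becomes an unhandled exception where the old `str(requested_auth_level)` concatenation could not fail. The new tuple is also empty when no mapping value equals the requested level, so the configured `AUTHN_CLASSREF` read on line 402 is silently replaced by `()` instead of being kept. The enclosing function and the definition of `requested_auth_level` are outside the hunk, so the parse may already be guarded there; if it is not, parse once and only override `authn_classref` when a match exists (or reject an unknown level with a 400 if that is the intended policy). In the first hunk (new lines 222–224) the variable `authn_classref_levels` now holds a mapping and would read more honestly as `auth_levels_mapping`.
```python
authn_classref_levels = utils.get_setting(idp, 'AUTH_LEVELS_MAPPING')
if requested_auth_level and authn_classref_levels:
    try:
        wanted_level = int(requested_auth_level)
    except (TypeError, ValueError):
        wanted_level = None  # malformed level: keep the configured AUTHN_CLASSREF
    matching = tuple(cr for cr, lvl in authn_classref_levels.items()
                     if lvl == wanted_level)
    if matching:
        authn_classref = matching
# … unchanged: RequestedAuthnContext setup …
```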