0001-use-a-mapping-instead-of-hard-coded-string.patch
| README | ||
|---|---|---|
| 216 | 216 |
must be obtained from your identity provider but SHOULD come from the |
| 217 | 217 |
SAML 2.0 specification. |
| 218 | 218 | |
| 219 |
MELLON_AUTHN_CLASSREF_LEVELS
|
|
| 220 |
----------------------------
|
|
| 219 |
MELLON_AUTH_LEVELS_MAPPING
|
|
| 220 |
-------------------------- |
|
| 221 | 221 | |
| 222 |
When working with an idp which provides authentication levels, this |
|
| 223 |
should be the URI it is expecting as a class reference, to which |
|
| 224 |
will be appended the authentication level passed as a GET parameter |
|
| 225 |
to LOGIN_URL. |
|
| 222 |
When working with an idp which provides authentication levels, this should be a |
|
| 223 |
mapping from the authentication class references the idp provides to their |
|
| 224 |
respective authentication level. Default is {}. Ex.::
|
|
| 226 | 225 | |
| 226 |
MELLON_AUTH_LEVELS_MAPPING = {
|
|
| 227 |
'https://entrouvert.org/auth-level/1': 1, |
|
| 228 |
'https://entrouvert.org/auth-level/2': 2, |
|
| 229 |
'https://entrouvert.org/auth-level/3': 3, |
|
| 230 |
} |
|
| 227 | 231 | |
| 228 | 232 |
MELLON_GROUP_ATTRIBUTE |
| 229 | 233 |
---------------------- |
| mellon/app_settings.py | ||
|---|---|---|
| 39 | 39 |
'LOGOUT_URL': 'mellon_logout', |
| 40 | 40 |
'ARTIFACT_RESOLVE_TIMEOUT': 10.0, |
| 41 | 41 |
'LOGIN_HINTS': [], |
| 42 |
'AUTHN_CLASSREF_LEVELS': 'https://entrouvert.org/auth-level/',
|
|
| 42 |
'AUTH_LEVELS_MAPPING': {},
|
|
| 43 | 43 |
} |
| 44 | 44 | |
| 45 | 45 |
@property |
| mellon/views.py | ||
|---|---|---|
| 219 | 219 |
utils.login(request, user) |
| 220 | 220 |
class_ref = attributes['authn_context_class_ref'] |
| 221 | 221 |
idp = self.get_idp(request) |
| 222 |
authn_classref_levels = utils.get_setting(idp, 'AUTHN_CLASSREF_LEVELS')
|
|
| 223 |
if authn_classref_levels and class_ref.startswith(authn_classref_levels):
|
|
| 224 |
request.session['auth_level'] = int(class_ref.split('/')[-1])
|
|
| 222 |
authn_classref_levels = utils.get_setting(idp, 'AUTH_LEVELS_MAPPING')
|
|
| 223 |
if class_ref in authn_classref_levels:
|
|
| 224 |
request.session['auth_level'] = authn_classref_levels[class_ref]
|
|
| 225 | 225 |
self.log.info('user %s (NameID is %r) logged in using SAML', user,
|
| 226 | 226 |
attributes['name_id_content']) |
| 227 | 227 |
request.session['mellon_session'] = utils.flatten_datetime(attributes) |
| ... | ... | |
| 400 | 400 |
authn_request.isPassive = True |
| 401 | 401 |
# configure requested AuthnClassRef |
| 402 | 402 |
authn_classref = utils.get_setting(idp, 'AUTHN_CLASSREF') |
| 403 |
authn_classref_levels = utils.get_setting(idp, 'AUTHN_CLASSREF_LEVELS')
|
|
| 403 |
authn_classref_levels = utils.get_setting(idp, 'AUTH_LEVELS_MAPPING')
|
|
| 404 | 404 |
if requested_auth_level and authn_classref_levels: |
| 405 |
authn_classref = (authn_classref_levels + str(requested_auth_level),) |
|
| 405 |
authn_classref = tuple(cr for cr, lvl in authn_classref_levels.items() |
|
| 406 |
if lvl == int(requested_auth_level)) |
|
| 406 | 407 |
req_authncontext = lasso.Samlp2RequestedAuthnContext() |
| 407 | 408 |
authn_request.requestedAuthnContext = req_authncontext |
| 408 | 409 |
req_authncontext.authnContextClassRef = authn_classref |
| 409 |
- |
|