531 |
531 |
return sso_after_process_request(request, login, nid_format=nid_format)
|
532 |
532 |
|
533 |
533 |
|
534 |
|
def need_login(request, login, nid_format, service):
|
|
534 |
def need_login(request, login, nid_format, service, auth_level=None):
|
535 |
535 |
"""Redirect to the login page with a nonce parameter to verify later that
|
536 |
536 |
the login form was submitted
|
537 |
537 |
"""
|
538 |
538 |
nonce = login.request.id or get_nonce()
|
539 |
539 |
save_key_values(nonce, login.dump(), False, nid_format)
|
540 |
|
next_url = make_url(continue_sso, params={NONCE_FIELD_NAME: nonce})
|
|
540 |
params = {
|
|
541 |
NONCE_FIELD_NAME: nonce
|
|
542 |
}
|
|
543 |
next_url = make_url(continue_sso, params=params)
|
|
544 |
if auth_level:
|
|
545 |
params['auth_level'] = auth_level
|
541 |
546 |
logger.debug('redirect to login page with next url %s', next_url)
|
542 |
|
return login_require(request, next_url=next_url, params={NONCE_FIELD_NAME: nonce},
|
543 |
|
service=service)
|
|
547 |
return login_require(request, next_url=next_url, params=params, service=service)
|
544 |
548 |
|
545 |
549 |
|
546 |
550 |
def get_url_with_nonce(request, function, nonce):
|
... | ... | |
642 |
646 |
did_auth = find_authentication_event(request, nonce) is not None
|
643 |
647 |
force_authn = login.request.forceAuthn
|
644 |
648 |
passive = login.request.isPassive
|
|
649 |
requested_auth_level = False
|
|
650 |
if login.request.requestedAuthnContext:
|
|
651 |
authn_classref = login.request.requestedAuthnContext.authnContextClassRef
|
|
652 |
if authn_classref and app_settings.AUTH_LEVELS_MAPPING.get(authn_classref[0]):
|
|
653 |
requested_auth_level = app_settings.AUTH_LEVELS_MAPPING[authn_classref[0]]
|
645 |
654 |
|
646 |
655 |
logger.debug('NameIDFormat is %s', nid_format)
|
647 |
656 |
logger.debug('nonce is %s', nonce)
|
... | ... | |
650 |
659 |
service = LibertyServiceProvider.objects.get(
|
651 |
660 |
liberty_provider__entity_id=login.remoteProviderId).liberty_provider
|
652 |
661 |
|
|
662 |
current_auth_level = request.session.get('auth_level', 1)
|
|
663 |
if not user.is_anonymous() and requested_auth_level > current_auth_level:
|
|
664 |
requested_auth_level = current_auth_level + 1 # progressively increase auth level
|
|
665 |
return need_login(request, login, nid_format, service, requested_auth_level)
|
|
666 |
|
653 |
667 |
if not passive and \
|
654 |
668 |
(user.is_anonymous() or (force_authn and not did_auth)):
|
655 |
669 |
logger.debug('login required')
|
656 |
670 |
return need_login(request, login, nid_format, service)
|
657 |
671 |
|
658 |
|
# No user is authenticated and passive is True, deny request
|
659 |
|
if passive and user.is_anonymous():
|
|
672 |
# No user is authenticated or authentication level is too low and passive
|
|
673 |
# is True, deny request
|
|
674 |
if passive and (user.is_anonymous() or requested_auth_level > current_auth_level):
|
660 |
675 |
logger.debug('no user connected and passive request, returning NoPassive')
|
661 |
676 |
set_saml2_response_responder_status_code(login.response,
|
662 |
677 |
lasso.SAML2_STATUS_CODE_NO_PASSIVE)
|
663 |
|
-
|