| 531 |
531 |
return sso_after_process_request(request, login, nid_format=nid_format)
|
| 532 |
532 |
|
| 533 |
533 |
|
| 534 |
|
def need_login(request, login, nid_format, service):
|
|
534 |
def need_login(request, login, nid_format, service, auth_level=None):
|
| 535 |
535 |
"""Redirect to the login page with a nonce parameter to verify later that
|
| 536 |
536 |
the login form was submitted
|
| 537 |
537 |
"""
|
| 538 |
538 |
nonce = login.request.id or get_nonce()
|
| 539 |
539 |
save_key_values(nonce, login.dump(), False, nid_format)
|
| 540 |
|
next_url = make_url(continue_sso, params={NONCE_FIELD_NAME: nonce})
|
|
540 |
params = {
|
|
541 |
NONCE_FIELD_NAME: nonce
|
|
542 |
}
|
|
543 |
next_url = make_url(continue_sso, params=params)
|
|
544 |
if auth_level:
|
|
545 |
params['auth_level'] = auth_level
|
| 541 |
546 |
logger.debug('redirect to login page with next url %s', next_url)
|
| 542 |
|
return login_require(request, next_url=next_url, params={NONCE_FIELD_NAME: nonce},
|
| 543 |
|
service=service)
|
|
547 |
return login_require(request, next_url=next_url, params=params, service=service)
|
| 544 |
548 |
|
| 545 |
549 |
|
| 546 |
550 |
def get_url_with_nonce(request, function, nonce):
|
| ... | ... | |
| 642 |
646 |
did_auth = find_authentication_event(request, nonce) is not None
|
| 643 |
647 |
force_authn = login.request.forceAuthn
|
| 644 |
648 |
passive = login.request.isPassive
|
|
649 |
requested_auth_level = False
|
|
650 |
if login.request.requestedAuthnContext:
|
|
651 |
authn_classref = login.request.requestedAuthnContext.authnContextClassRef
|
|
652 |
if authn_classref and app_settings.AUTH_LEVELS_MAPPING.get(authn_classref[0]):
|
|
653 |
requested_auth_level = app_settings.AUTH_LEVELS_MAPPING[authn_classref[0]]
|
| 645 |
654 |
|
| 646 |
655 |
logger.debug('NameIDFormat is %s', nid_format)
|
| 647 |
656 |
logger.debug('nonce is %s', nonce)
|
| ... | ... | |
| 650 |
659 |
service = LibertyServiceProvider.objects.get(
|
| 651 |
660 |
liberty_provider__entity_id=login.remoteProviderId).liberty_provider
|
| 652 |
661 |
|
|
662 |
current_auth_level = request.session.get('auth_level', 1)
|
|
663 |
if not user.is_anonymous() and requested_auth_level > current_auth_level:
|
|
664 |
requested_auth_level = current_auth_level + 1 # progressively increase auth level
|
|
665 |
return need_login(request, login, nid_format, service, requested_auth_level)
|
|
666 |
|
| 653 |
667 |
if not passive and \
|
| 654 |
668 |
(user.is_anonymous() or (force_authn and not did_auth)):
|
| 655 |
669 |
logger.debug('login required')
|
| 656 |
670 |
return need_login(request, login, nid_format, service)
|
| 657 |
671 |
|
| 658 |
|
# No user is authenticated and passive is True, deny request
|
| 659 |
|
if passive and user.is_anonymous():
|
|
672 |
# No user is authenticated or authentication level is too low and passive
|
|
673 |
# is True, deny request
|
|
674 |
if passive and (user.is_anonymous() or requested_auth_level > current_auth_level):
|
| 660 |
675 |
logger.debug('no user connected and passive request, returning NoPassive')
|
| 661 |
676 |
set_saml2_response_responder_status_code(login.response,
|
| 662 |
677 |
lasso.SAML2_STATUS_CODE_NO_PASSIVE)
|
| 663 |
|
-
|