0001-views-handle-authentication-level-increase-requests.patch
| README | ||
|---|---|---|
| 216 | 216 |
must be obtained from your identity provider but SHOULD come from the |
| 217 | 217 |
SAML 2.0 specification. |
| 218 | 218 | |
| 219 |
MELLON_AUTH_LEVELS_MAPPING |
|
| 220 |
-------------------------- |
|
| 221 | ||
| 222 |
When working with an idp which provides authentication levels, this should be a |
|
| 223 |
mapping from the authentication class references the idp provides to their |
|
| 224 |
respective authentication level. Default is {}. Ex.::
|
|
| 225 | ||
| 226 |
MELLON_AUTH_LEVELS_MAPPING = {
|
|
| 227 |
'https://entrouvert.org/auth-level/1': 1, |
|
| 228 |
'https://entrouvert.org/auth-level/2': 2, |
|
| 229 |
'https://entrouvert.org/auth-level/3': 3, |
|
| 230 |
} |
|
| 231 | ||
| 219 | 232 |
MELLON_GROUP_ATTRIBUTE |
| 220 | 233 |
---------------------- |
| 221 | 234 | |
| mellon/app_settings.py | ||
|---|---|---|
| 40 | 40 |
'ARTIFACT_RESOLVE_TIMEOUT': 10.0, |
| 41 | 41 |
'LOGIN_HINTS': [], |
| 42 | 42 |
'SIGNATURE_METHOD': 'RSA-SHA256', |
| 43 |
'AUTH_LEVELS_MAPPING': {},
|
|
| 43 | 44 |
} |
| 44 | 45 | |
| 45 | 46 |
@property |
| mellon/exceptions.py | ||
|---|---|---|
| 1 |
class RoleNotInSession(Exception): |
|
| 2 | ||
| 3 |
def __init__(self, value): |
|
| 4 |
self.value = value |
|
| mellon/utils.py | ||
|---|---|---|
| 6 | 6 |
from xml.parsers import expat |
| 7 | 7 | |
| 8 | 8 |
from django.contrib import auth |
| 9 |
from django.contrib.auth.models import Group |
|
| 9 | 10 |
from django.core.urlresolvers import reverse |
| 10 | 11 |
from django.template.loader import render_to_string |
| 11 | 12 |
from django.utils.timezone import make_aware, now, make_naive, is_aware, get_default_timezone |
| ... | ... | |
| 14 | 15 |
import lasso |
| 15 | 16 | |
| 16 | 17 |
from . import app_settings |
| 18 |
from .exceptions import RoleNotInSession |
|
| 17 | 19 | |
| 18 | 20 | |
| 19 | 21 |
def create_metadata(request): |
| ... | ... | |
| 271 | 273 |
if request.META.get('SCRIPT_NAME'):
|
| 272 | 274 |
path = path[len(request.META['SCRIPT_NAME']):] |
| 273 | 275 |
return path |
| 276 | ||
| 277 | ||
| 278 |
def user_has_role(request, role_id): |
|
| 279 |
try: |
|
| 280 |
group = request.user.groups.get(id=role_id) |
|
| 281 |
except Group.DoesNotExist: |
|
| 282 |
return False |
|
| 283 |
role = getattr(group, 'role') |
|
| 284 |
if not role: |
|
| 285 |
return True |
|
| 286 |
if role.uuid in request.session['role_uuids']: |
|
| 287 |
return True |
|
| 288 |
raise RoleNotInSession(role.auth_level) |
|
| mellon/views.py | ||
|---|---|---|
| 375 | 375 |
request, is_passive=request.GET.get('passive') == '1')
|
| 376 | 376 | |
| 377 | 377 |
next_url = check_next_url(self.request, request.GET.get(REDIRECT_FIELD_NAME)) |
| 378 |
requested_auth_level = request.GET.get('auth_level')
|
|
| 378 | 379 |
idp = self.get_idp(request) |
| 379 | 380 |
if idp is None: |
| 380 | 381 |
return HttpResponseBadRequest('no idp found')
|
| ... | ... | |
| 394 | 395 |
authn_request.isPassive = True |
| 395 | 396 |
# configure requested AuthnClassRef |
| 396 | 397 |
authn_classref = utils.get_setting(idp, 'AUTHN_CLASSREF') |
| 397 |
if authn_classref: |
|
| 398 |
authn_classref_levels = utils.get_setting(idp, 'AUTH_LEVELS_MAPPING') |
|
| 399 |
if requested_auth_level and authn_classref_levels: |
|
| 400 |
authn_classref = tuple(cr for cr, lvl in authn_classref_levels.items() |
|
| 401 |
if lvl == int(requested_auth_level)) |
|
| 402 |
req_authncontext = lasso.Samlp2RequestedAuthnContext() |
|
| 403 |
authn_request.requestedAuthnContext = req_authncontext |
|
| 404 |
req_authncontext.authnContextClassRef = authn_classref |
|
| 405 |
elif authn_classref: |
|
| 398 | 406 |
authn_classref = tuple([str(x) for x in authn_classref]) |
| 399 | 407 |
req_authncontext = lasso.Samlp2RequestedAuthnContext() |
| 400 | 408 |
authn_request.requestedAuthnContext = req_authncontext |
| 401 |
- |
|