0001-views-handle-authentication-level-increase-requests.patch
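--- a/README
+++ b/README
@@ -216,6 +216,19 @@
 must be obtained from your identity provider but SHOULD come from the
 SAML 2.0 specification.
 
+MELLON_AUTH_LEVELS_MAPPING
+--------------------------
+
+When working with an idp which provides authentication levels, this should be a
+mapping from the authentication class references the idp provides to their
+respective authentication level. Default is {}. Ex.::
+
+    MELLON_AUTH_LEVELS_MAPPING = {
+        'https://entrouvert.org/auth-level/1': 1,
+        'https://entrouvert.org/auth-level/2': 2,
+        'https://entrouvert.org/auth-level/3': 3,
+    }
+
 MELLON_GROUP_ATTRIBUTE
 ----------------------
 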
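--- a/mellon/app_settings.py
+++ b/mellon/app_settings.py
@@ -40,6 +40,7 @@
         'ARTIFACT_RESOLVE_TIMEOUT': 10.0,
         'LOGIN_HINTS': [],
         'SIGNATURE_METHOD': 'RSA-SHA256',
+        'AUTH_LEVELS_MAPPING': {},
     }
 
     @property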
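--- a/mellon/exceptions.py
+++ b/mellon/exceptions.py
@@ -0,0 +1,4 @@
+class RoleNotInSession(Exception):
+
+    def __init__(self, value):
+        self.value = value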
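Review bot: `RoleNotInSession.__init__` never calls the base `Exception.__init__`, so `exc.args` is empty and `str(exc)` is `''`; the authentication level the exception carries (utils.py raises it with `role.auth_level`) is therefore invisible in tracebacks and log lines, which is exactly where a failed step-up check needs to be visible. Chain to the base constructor before storing the attribute, `super(RoleNotInSession, self).__init__(value)` then `self.value = value`. A class docstring would also help, since `value` says nothing about its content: `"""Raised when the user's group requires a role whose uuid is not in the session; ``value`` is the authentication level needed to obtain it."""` — the second half is what the utils.py hunk suggests and should be confirmed against the role model.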
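--- a/mellon/utils.py
+++ b/mellon/utils.py
@@ -6,6 +6,7 @@
 from xml.parsers import expat
 
 from django.contrib import auth
+from django.contrib.auth.models import Group
 from django.core.urlresolvers import reverse
 from django.template.loader import render_to_string
 from django.utils.timezone import make_aware, now, make_naive, is_aware, get_default_timezone
@@ -14,6 +15,7 @@
 import lasso
 
 from . import app_settings
+from .exceptions import RoleNotInSession
 
 
 def create_metadata(request):
@@ -271,3 +273,16 @@
     if request.META.get('SCRIPT_NAME'):
         path = path[len(request.META['SCRIPT_NAME']):]
     return path
+
+
+def user_has_role(request, role_id):
+    try:
+        group = request.user.groups.get(id=role_id)
+    except Group.DoesNotExist:
+        return False
+    role = getattr(group, 'role')
+    if not role:
+        return True
+    if role.uuid in request.session['role_uuids']:
+        return True
+    raise RoleNotInSession(role.auth_level)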
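Review bot: `getattr(group, 'role')` in `user_has_role` has no default, so it is just `group.role`, and the `if not role` branch that grants access to a group without a role can only run if the attribute exists and is falsy; if `role` is a reverse one-to-one relation on `Group` (inferred, the model is not in this hunk) a group with no role raises instead of taking that branch — `role = getattr(group, 'role', None)`. Likewise `request.session['role_uuids']` raises `KeyError` for any session that never had the key set (a user authenticated by another backend, or a session created before this change), which turns a missing role into a server error rather than the `RoleNotInSession` step-up path the function is designed around; `if role.uuid in request.session.get('role_uuids', ()):` keeps the failure on the intended path. Worth a docstring too, stating that `False` means the user is not in the group at all, `True` means the group needs no role or the role is present in the session, and `RoleNotInSession` carries the authentication level required to obtain it.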
mellon/views.py | ||
---|---|---|
375 | 375 |
request, is_passive=request.GET.get('passive') == '1') |
376 | 376 | |
377 | 377 |
next_url = check_next_url(self.request, request.GET.get(REDIRECT_FIELD_NAME)) |
378 |
requested_auth_level = request.GET.get('auth_level') |
|
378 | 379 |
idp = self.get_idp(request) |
379 | 380 |
if idp is None: |
380 | 381 |
return HttpResponseBadRequest('no idp found') |
... | ... | |
394 | 395 |
authn_request.isPassive = True |
395 | 396 |
# configure requested AuthnClassRef |
396 | 397 |
authn_classref = utils.get_setting(idp, 'AUTHN_CLASSREF') |
397 |
if authn_classref: |
|
398 |
authn_classref_levels = utils.get_setting(idp, 'AUTH_LEVELS_MAPPING') |
|
399 |
if requested_auth_level and authn_classref_levels: |
|
400 |
authn_classref = tuple(cr for cr, lvl in authn_classref_levels.items() |
|
401 |
if lvl == int(requested_auth_level)) |
|
402 |
req_authncontext = lasso.Samlp2RequestedAuthnContext() |
|
403 |
authn_request.requestedAuthnContext = req_authncontext |
|
404 |
req_authncontext.authnContextClassRef = authn_classref |
|
405 |
elif authn_classref: |
|
398 | 406 |
authn_classref = tuple([str(x) for x in authn_classref]) |
399 | 407 |
req_authncontext = lasso.Samlp2RequestedAuthnContext() |
400 | 408 |
authn_request.requestedAuthnContext = req_authncontext |
401 |
- |