91 |
91 |
code += ':' + response.status.statusCode.statusCode.value
|
92 |
92 |
return code
|
93 |
93 |
|
|
94 |
def get_remote_provider_cfg(profile):
|
|
95 |
'''Lookup the configuration for a remote provider given a profile'''
|
|
96 |
remote_provider_key = misc.get_provider_key(profile.remoteProviderId)
|
|
97 |
return get_cfg('idp', {}).get(remote_provider_key)
|
|
98 |
|
94 |
99 |
class Saml2Directory(Directory):
|
95 |
100 |
_q_exports = ['login',
|
96 |
101 |
'singleSignOnArtifact', 'singleSignOnPost', 'singleSignOnSOAP', 'singleSignOnRedirect',
|
... | ... | |
353 |
358 |
return error_page(_('Unknown error'))
|
354 |
359 |
return self.sso_after_response(login)
|
355 |
360 |
|
|
361 |
def fill_user_attributes(self, session, login, user):
|
|
362 |
'''Fill user fields from SAML2 assertion attributes'''
|
|
363 |
idp_cfg = get_remote_provider_cfg(login)
|
|
364 |
# lookup for attributes in assertion and automatically create identity
|
|
365 |
lasso_session = lasso.Session.newFromDump(session.lasso_session_dump)
|
|
366 |
try:
|
|
367 |
assertion = lasso_session.getAssertions(None)[0]
|
|
368 |
except:
|
|
369 |
get_logger().warn('failed to lookup assertion')
|
|
370 |
return user
|
|
371 |
|
|
372 |
d = {}
|
|
373 |
m = {}
|
|
374 |
try:
|
|
375 |
for attribute in assertion.attributeStatement[0].attribute:
|
|
376 |
try:
|
|
377 |
d[attribute.name] = attribute.attributeValue[0].any[0].content
|
|
378 |
for attribute_value in attribute.attributeValue:
|
|
379 |
l = m.setdefault(attribute.name, [])
|
|
380 |
l.append(attribute_value.any[0].content)
|
|
381 |
except IndexError:
|
|
382 |
pass
|
|
383 |
except IndexError:
|
|
384 |
pass
|
|
385 |
admin_regexp = idp.get('admin-regexp', {})
|
|
386 |
old_is_admin = user.is_admin
|
|
387 |
if admin_regexp:
|
|
388 |
is_admin = False
|
|
389 |
for key, regexp in admin_regexp.iteritems():
|
|
390 |
for value in m.get(key, []):
|
|
391 |
if re.match(regexp, value):
|
|
392 |
break
|
|
393 |
else:
|
|
394 |
break
|
|
395 |
else:
|
|
396 |
is_admin = True
|
|
397 |
if user.is_admin != is_admin:
|
|
398 |
user.is_admin = is_admin
|
|
399 |
save = True
|
|
400 |
attribute_mapping = idp.get('attribute-mapping', {})
|
|
401 |
for key, field_id in attribute_mapping.iteritems():
|
|
402 |
if key in d and user.form_data.get(field_id) != d[key]:
|
|
403 |
user.form_data[field_id] = d[key]
|
|
404 |
save = True
|
|
405 |
if save:
|
|
406 |
user.store()
|
|
407 |
|
356 |
408 |
def lookup_user(self, session, login = None, name_id = None):
|
357 |
409 |
if login:
|
358 |
410 |
ni = login.nameIdentifier.content
|
359 |
|
-
|