18 |
18 |
import urlparse
|
19 |
19 |
import time
|
20 |
20 |
import sys
|
|
21 |
import re
|
21 |
22 |
|
22 |
23 |
try:
|
23 |
24 |
import lasso
|
... | ... | |
91 |
92 |
code += ':' + response.status.statusCode.statusCode.value
|
92 |
93 |
return code
|
93 |
94 |
|
|
95 |
def get_remote_provider_cfg(profile):
|
|
96 |
'''Lookup the configuration for a remote provider given a profile'''
|
|
97 |
remote_provider_key = misc.get_provider_key(profile.remoteProviderId)
|
|
98 |
return get_cfg('idp', {}).get(remote_provider_key)
|
|
99 |
|
94 |
100 |
class Saml2Directory(Directory):
|
95 |
101 |
_q_exports = ['login',
|
96 |
102 |
'singleSignOnArtifact', 'singleSignOnPost', 'singleSignOnSOAP', 'singleSignOnRedirect',
|
... | ... | |
353 |
359 |
return error_page(_('Unknown error'))
|
354 |
360 |
return self.sso_after_response(login)
|
355 |
361 |
|
|
362 |
def fill_user_attributes(self, session, login, user):
|
|
363 |
'''Fill user fields from SAML2 assertion attributes'''
|
|
364 |
logger = get_logger()
|
|
365 |
|
|
366 |
save = False
|
|
367 |
idp = get_remote_provider_cfg(login)
|
|
368 |
# lookup for attributes in assertion and automatically create identity
|
|
369 |
lasso_session = lasso.Session.newFromDump(session.lasso_session_dump)
|
|
370 |
try:
|
|
371 |
assertion = lasso_session.getAssertions(None)[0]
|
|
372 |
except:
|
|
373 |
get_logger().warn('failed to lookup assertion')
|
|
374 |
return user
|
|
375 |
|
|
376 |
d = {}
|
|
377 |
m = {}
|
|
378 |
try:
|
|
379 |
for attribute in assertion.attributeStatement[0].attribute:
|
|
380 |
try:
|
|
381 |
d[attribute.name] = attribute.attributeValue[0].any[0].content
|
|
382 |
for attribute_value in attribute.attributeValue:
|
|
383 |
l = m.setdefault(attribute.name, [])
|
|
384 |
l.append(attribute_value.any[0].content)
|
|
385 |
except IndexError:
|
|
386 |
pass
|
|
387 |
except IndexError:
|
|
388 |
pass
|
|
389 |
logger.debug('fill_user_attributes: received attributes %r', m)
|
|
390 |
admin_attributes = idp.get('admin-attributes') or {}
|
|
391 |
if admin_attributes:
|
|
392 |
is_admin = False
|
|
393 |
for key, matching_value in admin_attributes.iteritems():
|
|
394 |
for value in m.get(key, []):
|
|
395 |
if value == matching_value:
|
|
396 |
is_admin = True
|
|
397 |
if user.is_admin != is_admin:
|
|
398 |
user.is_admin = is_admin
|
|
399 |
if user.is_admin:
|
|
400 |
logger.info('giving user %s the admin rights', user.id)
|
|
401 |
else:
|
|
402 |
logger.info('taking user %s the admin rights', user.id)
|
|
403 |
save = True
|
|
404 |
attribute_mapping = idp.get('attribute-mapping') or {}
|
|
405 |
for key, field_id in attribute_mapping.iteritems():
|
|
406 |
if key in d and user.form_data.get(field_id) != d[key]:
|
|
407 |
user.form_data[field_id] = d[key]
|
|
408 |
logger.info('setting field %s of user %s to value %r', field_id, user.id, d[key])
|
|
409 |
save = True
|
|
410 |
if save:
|
|
411 |
user.store()
|
|
412 |
|
356 |
413 |
def lookup_user(self, session, login = None, name_id = None):
|
357 |
414 |
if login:
|
358 |
415 |
ni = login.nameIdentifier.content
|
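Review bot: `fill_user_attributes` dereferences `idp` at `admin_attributes = idp.get('admin-attributes') or {}` without a `None` check, yet `get_remote_provider_cfg` returns `get_cfg('idp', {}).get(remote_provider_key)`, which is `None` for a provider that has no entry in the configuration, and since `lookup_user` now calls this right after `user.store()` an unconfigured provider would turn a successful login into an AttributeError. A guard directly after the lookup keeps the previous behaviour for those providers: `if idp is None:` / `logger.warning('no configuration for remote provider %r', login.remoteProviderId)` / `return user`. The bare `except:` around `lasso_session.getAssertions(None)[0]` also hides unrelated failures (KeyboardInterrupt, programming errors) and calls `get_logger().warn` although `logger` is already bound two lines above; `except IndexError:` with `logger.warning('failed to lookup assertion')` would match the two handlers further down. The function returns `user` on that early exit but nothing after the mapping loop — the caller ignores the result, so either drop the early return value or add a final `return user` for consistency. `lookup_user` continues past the end of this hunk.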
... | ... | |
380 |
437 |
user.lasso_dump = login.identity.dump()
|
381 |
438 |
user.store()
|
382 |
439 |
|
|
440 |
self.fill_user_attributes(session, login, user)
|
|
441 |
|
383 |
442 |
return user
|
384 |
443 |
|
385 |
444 |
def slo_sp(self, method = None):
|
386 |
|
-
|