0002-profile-add-csam-account-un-linking-capabilities-608.patch
| src/authentic2_auth_fedict/authenticators.py | ||
|---|---|---|
| 49 | 49 |
def profile(self, request, *args, **kwargs): |
| 50 | 50 |
context = kwargs.get('context', {}).copy()
|
| 51 | 51 |
user_saml_identifiers = request.user.saml_identifiers.all() |
| 52 |
if not user_saml_identifiers: |
|
| 53 |
return '' |
|
| 54 | 52 |
for user_saml_identifier in user_saml_identifiers: |
| 55 | 53 |
user_saml_identifier.idp = get_idp(user_saml_identifier.issuer) |
| 56 | 54 |
context['user_saml_identifiers'] = user_saml_identifiers |
| src/authentic2_auth_fedict/backends.py | ||
|---|---|---|
| 14 | 14 |
# You should have received a copy of the GNU Affero General Public License |
| 15 | 15 |
# along with this program. If not, see <http://www.gnu.org/licenses/>. |
| 16 | 16 | |
| 17 |
import logging |
|
| 18 | ||
| 17 | 19 |
import lasso |
| 20 |
from django.contrib import messages |
|
| 21 |
from django.utils.translation import ugettext_lazy as _ |
|
| 18 | 22 |
from mellon.backends import SAMLBackend |
| 23 |
from mellon.utils import get_adapters, get_idp |
|
| 24 | ||
| 25 |
logger = logging.getLogger(__name__) |
|
| 19 | 26 | |
| 20 | 27 | |
| 21 | 28 |
class FedictBackend(SAMLBackend): |
| ... | ... | |
| 28 | 35 |
# but we do not expose this detail to the service provider as all it |
| 29 | 36 |
# needs to know is "strong authentication". |
| 30 | 37 |
return lasso.SAML2_AUTHN_CONTEXT_SMARTCARD_PKI |
| 38 | ||
| 39 |
def authenticate(self, request=None, **credentials): |
|
| 40 |
saml_attributes = credentials.get('saml_attributes') or {}
|
|
| 41 |
if 'issuer' not in saml_attributes: |
|
| 42 |
logger.debug('no idp in saml_attributes')
|
|
| 43 |
return None |
|
| 44 |
idp = get_idp(saml_attributes['issuer']) |
|
| 45 |
if not idp: |
|
| 46 |
logger.debug('unknown idp %s', saml_attributes['issuer'])
|
|
| 47 |
return None |
|
| 48 |
adapters = get_adapters(idp, request=request) |
|
| 49 |
for adapter in adapters: |
|
| 50 |
if not hasattr(adapter, 'authorize'): |
|
| 51 |
continue |
|
| 52 |
if not adapter.authorize(idp, saml_attributes): |
|
| 53 |
return |
|
| 54 |
for adapter in adapters: |
|
| 55 |
if hasattr(adapter, 'lookup_by_attributes'): |
|
| 56 |
user = adapter.lookup_by_attributes(idp, saml_attributes) |
|
| 57 |
for adapter in adapters: |
|
| 58 |
if not hasattr(adapter, 'lookup_user'): |
|
| 59 |
continue |
|
| 60 |
user = adapter.lookup_user(idp, saml_attributes) |
|
| 61 |
if user: |
|
| 62 |
request_user = getattr(request, 'user', None) if request else None |
|
| 63 |
if request_user != user and request_user.is_authenticated: |
|
| 64 |
messages.warning(request, _('Your account is now linked to your eID card.'))
|
|
| 65 |
saml_identifier = user.saml_identifier |
|
| 66 |
saml_identifier.user = request_user |
|
| 67 |
saml_identifier.save(update_fields=['user']) |
|
| 68 |
user.mark_as_inactive(reason='fedict link to manually-created account') |
|
| 69 |
user = request_user |
|
| 70 |
user.saml_identifier = saml_identifier |
|
| 71 |
break |
|
| 72 |
else: # no user found |
|
| 73 |
return |
|
| 74 |
for adapter in adapters: |
|
| 75 |
if not hasattr(adapter, 'provision'): |
|
| 76 |
continue |
|
| 77 |
adapter.provision(user, idp, saml_attributes) |
|
| 78 |
return user |
|
| src/authentic2_auth_fedict/templates/authentic2_auth_fedict/profile.html | ||
|---|---|---|
| 1 |
<p> |
|
| 2 |
Ce compte est relié à votre carte d'identité électronique. |
|
| 3 |
</p> |
|
| 1 |
{% load i18n static %}
|
|
| 2 |
<div> |
|
| 3 |
<img src="{% static "authentic2_auth_fedict/img/beid_image_mini.png" %}" alt="">
|
|
| 4 |
{% if user_saml_identifiers %}
|
|
| 5 |
<p>{% blocktrans %}This account is linked to your eID card.{% endblocktrans %}</p>
|
|
| 6 |
<p> |
|
| 7 |
{% blocktrans %}
|
|
| 8 |
You may want to unlink your account, although you will not be able to |
|
| 9 |
connect to your account using your eID card (without re-doing the linking |
|
| 10 |
procedure). |
|
| 11 |
{% endblocktrans %}
|
|
| 12 |
</p> |
|
| 13 |
<p><a class="button" href="{% url "fedict-unlink" %}">{% trans "Unlink my account" %}</a></p>
|
|
| 14 |
{% else %}
|
|
| 15 |
<p> |
|
| 16 |
{% blocktrans %}
|
|
| 17 |
You may want to link your existing Publik account to your eID. In order to |
|
| 18 |
do so, you will either need your eID card and its card reader |
|
| 19 |
or your list of personal tokens. |
|
| 20 |
{% endblocktrans %}
|
|
| 21 |
</p> |
|
| 22 |
<p><a class="button" href="{% url "fedict-login" %}?next=/accounts/">{% trans "Link my account to my eID card" %}</a></p>
|
|
| 23 |
{% endif %}
|
|
| 24 |
</div> |
|
| src/authentic2_auth_fedict/urls.py | ||
|---|---|---|
| 21 | 21 |
urlpatterns = [ |
| 22 | 22 |
url(r'^accounts/saml/', include('mellon.urls')),
|
| 23 | 23 |
url(r'^accounts/fedict/login/$', views.login, name='fedict-login'), |
| 24 |
url(r'^accounts/fedict/unlink/$', views.unlink, name='fedict-unlink'), |
|
| 24 | 25 |
] |
| src/authentic2_auth_fedict/views.py | ||
|---|---|---|
| 18 | 18 |
import urllib.parse |
| 19 | 19 | |
| 20 | 20 |
from django.conf import settings |
| 21 |
from django.contrib import messages |
|
| 21 | 22 |
from django.core import signing |
| 22 | 23 |
from django.db import transaction |
| 23 | 24 |
from django.http import HttpResponseRedirect |
| 24 |
from django.shortcuts import resolve_url |
|
| 25 |
from django.shortcuts import redirect, resolve_url
|
|
| 25 | 26 |
from django.urls import reverse |
| 27 |
from django.utils.translation import ugettext_lazy as _ |
|
| 26 | 28 |
from django.views.decorators.csrf import csrf_exempt |
| 27 | 29 |
from django.views.generic import View |
| 28 | 30 | |
| ... | ... | |
| 69 | 71 | |
| 70 | 72 | |
| 71 | 73 |
login = transaction.non_atomic_requests(csrf_exempt(LoginView.as_view())) |
| 74 | ||
| 75 | ||
| 76 |
def unlink(request): |
|
| 77 |
if not hasattr(request, 'user') or not hasattr(request.user, 'saml_identifiers'): |
|
| 78 |
return |
|
| 79 |
unlink_performed = False |
|
| 80 |
for saml_identifier in request.user.saml_identifiers.all(): |
|
| 81 |
saml_identifier.delete() |
|
| 82 |
unlink_performed = True |
|
| 83 |
if unlink_performed: |
|
| 84 |
messages.success(request, message=_('Unlinking complete.'))
|
|
| 85 |
return redirect('account_management')
|
|
| 72 |
- |
|