From f85788748679e6379537d6dc3c7c32449458c309 Mon Sep 17 00:00:00 2001
From: Valentin Deniaud
Date: Tue, 16 Apr 2019 17:51:22 +0200
Subject: [PATCH] use a mapping instead of hard-coded string
---
 README | 16 ++++++++++------
 mellon/app_settings.py | 2 +-
 mellon/views.py | 11 ++++++-----
 3 files changed, 17 insertions(+), 12 deletions(-)
diff --git a/README b/README
index 9afb0f2..43227f0 100644
--- a/README
+++ b/README
@@ -216,14 +216,18 @@ value means everything is authorized. Authentication class reference must be obtained from your identity provider but SHOULD come from the SAML 2.0 specification.
-MELLON_AUTHN_CLASSREF_LEVELS
-----------------------------
+MELLON_AUTH_LEVELS_MAPPING
+--------------------------
-When working with an idp which provides authentication levels, this
-should be the URI it is expecting as a class reference, to which
-will be appended the authentication level passed as a GET parameter
-to LOGIN_URL.
+When working with an idp which provides authentication levels, this should be a
+mapping from the authentication class references the idp provides to their
+respective authentication level. Default is {}. Ex.::
+ MELLON_AUTH_LEVELS_MAPPING = {
+ 'https://entrouvert.org/auth-level/1': 1,
+ 'https://entrouvert.org/auth-level/2': 2,
+ 'https://entrouvert.org/auth-level/3': 3,
+ }
 MELLON_GROUP_ATTRIBUTE
 ----------------------
diff --git a/mellon/app_settings.py b/mellon/app_settings.py
index d15aa21..0ebb52a 100644
--- a/mellon/app_settings.py
+++ b/mellon/app_settings.py
@@ -39,7 +39,7 @@ class AppSettings(object):
 'LOGOUT_URL': 'mellon_logout',
 'ARTIFACT_RESOLVE_TIMEOUT': 10.0,
 'LOGIN_HINTS': [],
- 'AUTHN_CLASSREF_LEVELS': 'https://entrouvert.org/auth-level/',
+ 'AUTH_LEVELS_MAPPING': {},
 }
 @property
diff --git a/mellon/views.py b/mellon/views.py
index 7a4764a..2e6702d 100644
--- a/mellon/views.py
+++ b/mellon/views.py
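Review bot: The new default `'AUTH_LEVELS_MAPPING': {}` replaces the `AUTHN_CLASSREF_LEVELS` key without any compatibility path, so a deployment that still sets `MELLON_AUTHN_CLASSREF_LEVELS` silently stops recording any auth level — nothing in this hunk reads or warns about the old name (assuming `utils.get_setting` only resolves keys present in this defaults dict, which is not visible here). The value type is also undocumented at the point of definition, while the views.py hunk in this patch compares mapping values with `int(requested_auth_level)`, so string levels would never match. A comment next to the new key would capture both points: `# replaces the AUTHN_CLASSREF_LEVELS prefix string: maps class-ref URI -> integer auth level`, and emitting a warning at startup when the legacy name is still configured would make the migration visible. The defaults dict continues outside the hunk.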
@@ -219,9 +219,9 @@ class LoginView(ProfileMixin, LogMixin, View):
 utils.login(request, user)
 class_ref = attributes['authn_context_class_ref']
 idp = self.get_idp(request)
- authn_classref_levels = utils.get_setting(idp, 'AUTHN_CLASSREF_LEVELS')
- if authn_classref_levels and class_ref.startswith(authn_classref_levels):
- request.session['auth_level'] = int(class_ref.split('/')[-1])
+ authn_classref_levels = utils.get_setting(idp, 'AUTH_LEVELS_MAPPING')
+ if class_ref in authn_classref_levels:
+ request.session['auth_level'] = authn_classref_levels[class_ref]
 self.log.info('user %s (NameID is %r) logged in using SAML', user, attributes['name_id_content'])
 request.session['mellon_session'] = utils.flatten_datetime(attributes)
@@ -400,9 +400,10 @@ class LoginView(ProfileMixin, LogMixin, View):
 authn_request.isPassive = True
 # configure requested AuthnClassRef
 authn_classref = utils.get_setting(idp, 'AUTHN_CLASSREF')
- authn_classref_levels = utils.get_setting(idp, 'AUTHN_CLASSREF_LEVELS')
+ authn_classref_levels = utils.get_setting(idp, 'AUTH_LEVELS_MAPPING')
 if requested_auth_level and authn_classref_levels:
- authn_classref = (authn_classref_levels + str(requested_auth_level),)
+ authn_classref = tuple(cr for cr, lvl in authn_classref_levels.items()
+ if lvl == int(requested_auth_level))
 req_authncontext = lasso.Samlp2RequestedAuthnContext()
 authn_request.requestedAuthnContext = req_authncontext
 req_authncontext.authnContextClassRef = authn_classref
--
2.20.1
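Review bot: When the asserted `class_ref` is not in the mapping, the new `if class_ref in authn_classref_levels:` branch leaves whatever `auth_level` an earlier login stored in the same session untouched, so re-authenticating at an unmapped (possibly weaker) context keeps the previous, higher level; the old prefix check had the same gap, but the explicit mapping makes it easy to close. Pair the `if` with `else: request.session.pop('auth_level', None)` so the stored level always reflects the assertion just consumed (whether `utils.login` preserves session data across logins is not visible here — confirm before relying on it). The guard `if authn_classref_levels and ...` was also dropped; if a per-IdP override can set the mapping to `None`, `class_ref in authn_classref_levels` now raises `TypeError` where the old code skipped quietly. The enclosing method of `LoginView` starts and ends outside the hunk.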
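Review bot: `int(requested_auth_level)` on the last added line of the second hunk raises `ValueError` for a non-numeric value, and the README in this patch describes the level as a GET parameter to LOGIN_URL, so a malformed query string now ends in an unhandled exception instead of being ignored as `str(...)` was before. When no entry maps to the requested level the comprehension yields `()`, which overwrites the configured `AUTHN_CLASSREF` and — if lasso sends an empty `authnContextClassRef` as "no constraint", which is not visible here — silently lifts the level requirement rather than enforcing it; rejecting the request is arguably the safer outcome, but at minimum the configured value should be kept and the situation logged. Parse the level once and fall back explicitly; the enclosing method continues outside the hunk.
```python
        authn_classref_levels = utils.get_setting(idp, 'AUTH_LEVELS_MAPPING')
        if requested_auth_level and authn_classref_levels:
            try:
                wanted_level = int(requested_auth_level)
            except (TypeError, ValueError):
                wanted_level = None
            mapped = tuple(cr for cr, lvl in authn_classref_levels.items()
                           if lvl == wanted_level)
            if mapped:
                authn_classref = mapped
            else:
                # keep the configured AUTHN_CLASSREF instead of sending an empty
                # RequestedAuthnContext, which would lift the constraint entirely
                self.log.warning('no class ref mapped to requested auth level %r',
                                 requested_auth_level)
        # … unchanged: RequestedAuthnContext setup …
```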