From d5bdefa0f90033cd18f10da4ad2f98af8205a5da Mon Sep 17 00:00:00 2001
From: Valentin Deniaud
Date: Tue, 16 Apr 2019 10:12:55 +0200
Subject: [PATCH 5/7] idp_saml: send authentication level in SAML assertion
---
 src/authentic2/idp/saml/app_settings.py | 5 ++++
 src/authentic2/idp/saml/saml2_endpoints.py | 28 +++++++++++++++-------
 2 files changed, 25 insertions(+), 8 deletions(-)
diff --git a/src/authentic2/idp/saml/app_settings.py b/src/authentic2/idp/saml/app_settings.py
index f32c3947..1570606c 100644
--- a/src/authentic2/idp/saml/app_settings.py
+++ b/src/authentic2/idp/saml/app_settings.py
@@ -52,6 +52,11 @@ TKX6tp6oI+7MIJE6ySZ0cBqOiydAkBePZhu57j6ToBkTa0dbHjn1WA==
 -----END RSA PRIVATE KEY-----''',
 ADD_CERTIFICATE_TO_KEY_INFO=True,
 SIGNATURE_METHOD='RSA-SHA256',
+ AUTH_LEVELS_MAPPING = {
+ 'https://entrouvert.org/auth-level/1': 1,
+ 'https://entrouvert.org/auth-level/2': 2,
+ 'https://entrouvert.org/auth-level/3': 3,
+ },
 )
 
 def __init__(self, prefix):
diff --git a/src/authentic2/idp/saml/saml2_endpoints.py b/src/authentic2/idp/saml/saml2_endpoints.py
index c8f28270..1274dad4 100644
--- a/src/authentic2/idp/saml/saml2_endpoints.py
+++ b/src/authentic2/idp/saml/saml2_endpoints.py
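Review bot: `AUTH_LEVELS_MAPPING = {` is a keyword argument of the enclosing call (the one closed by `)` two lines below) and should be written `AUTH_LEVELS_MAPPING={` like the neighbouring `SIGNATURE_METHOD='RSA-SHA256',` (PEP 8: no spaces around `=` in keyword arguments). The setting is consumed in saml2_endpoints.py by a reverse lookup (level → URI), so the contract a deployment override must keep deserves a comment, e.g. `# URI -> level; saml2_endpoints looks levels up in reverse, so every level a session can carry needs exactly one URI here`. The enclosing call starts before the hunk.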
@@ -325,15 +325,22 @@ def build_assertion(request, login, nid_format='transient'):
 notOnOrAfter = now + datetime.timedelta(0, app_settings.SECONDS_TOLERANCE)
 ssl = 'HTTPS' in request.environ
 if app_settings.AUTHN_CONTEXT_FROM_SESSION:
- backend = request.session[BACKEND_SESSION_KEY]
- logger.debug('authentication from session with backend %s', backend)
- backend = load_backend(backend)
- if hasattr(backend, 'get_saml2_authn_context'):
- authn_context = backend.get_saml2_authn_context()
+ auth_level = request.session.get('auth_level', 1)
+ if auth_level > 1:
+ authn_context = next(
+ uri for uri, lvl in app_settings.AUTH_LEVELS_MAPPING.items()
+ if lvl == auth_level
+ )
 else:
- raise Exception('backend unsupported: ' + backend)
- if authn_context == lasso.SAML2_AUTHN_CONTEXT_PASSWORD and ssl:
- authn_context = lasso.SAML2_AUTHN_CONTEXT_PASSWORD_PROTECTED_TRANSPORT
+ backend = request.session[BACKEND_SESSION_KEY]
+ logger.debug('authentication from session with backend %s', backend)
+ backend = load_backend(backend)
+ if hasattr(backend, 'get_saml2_authn_context'):
+ authn_context = backend.get_saml2_authn_context()
+ else:
+ raise Exception('backend unsupported: ' + backend)
+ if authn_context == lasso.SAML2_AUTHN_CONTEXT_PASSWORD and ssl:
+ authn_context = lasso.SAML2_AUTHN_CONTEXT_PASSWORD_PROTECTED_TRANSPORT
 else:
 try:
 event = find_authentication_event(request, login.request.id)
@@ -346,6 +353,11 @@ def build_assertion(request, login, nid_format='transient'):
 lasso.SAML2_AUTHN_CONTEXT_PASSWORD_PROTECTED_TRANSPORT
 elif how == 'ssl':
 authn_context = lasso.SAML2_AUTHN_CONTEXT_X509
+ elif event.get('auth_level'):
+ authn_context = next(
+ uri for uri, lvl in app_settings.AUTH_LEVELS_MAPPING.items()
+ if lvl == event['auth_level']
+ )
 else:
 raise NotImplementedError('Unknown authentication method %s', how)
--
2.20.1
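Review bot: `next(uri for uri, lvl in app_settings.AUTH_LEVELS_MAPPING.items() if lvl == auth_level)` raises a bare `StopIteration` whenever the session's `auth_level` has no URI in the mapping (a level above 3, or a deployment that overrides `AUTH_LEVELS_MAPPING` with fewer entries), which surfaces as an unexplained server error instead of a diagnosable one; the second hunk repeats the same pattern for `event['auth_level']`. Give `next()` a default and fail explicitly: `authn_context = next((uri for uri, lvl in app_settings.AUTH_LEVELS_MAPPING.items() if lvl == auth_level), None)` followed by `if authn_context is None: raise Exception('no authn context for auth level %r' % auth_level)`. The moved `raise Exception('backend unsupported: ' + backend)` also runs after `backend = load_backend(backend)` has rebound the name to a backend object, so the concatenation raises `TypeError` and hides the intended message; `'backend unsupported: %r' % backend` keeps it readable. build_assertion starts and ends outside this hunk.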
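Review bot: The new `elif event.get('auth_level'):` sits after `elif how == 'ssl':` and the branch whose tail `lasso.SAML2_AUTHN_CONTEXT_PASSWORD_PROTECTED_TRANSPORT` opens the hunk, so an authentication event that records both a recognised `how` and an `auth_level` keeps the method-specific context and the level URI is never emitted, whereas the first hunk's session path lets a level above 1 override the backend's context. If the level is meant to win in both paths, the `auth_level` check should precede the `how` comparisons; if the current order is intended, a comment such as `# level URI only for methods without a dedicated SAML authn context` would record that. The thresholds also differ: the session path requires `auth_level > 1`, while here any truthy level, including 1, selects the mapping URI. The if/elif chain starts before the hunk, so I cannot see how `how` is derived.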