From 0f268067912fafe66203a09905d4a7b85637734e Mon Sep 17 00:00:00 2001
From: Valentin Deniaud
Date: Tue, 21 May 2019 11:55:25 +0200
Subject: [PATCH 1/5] views: handle role requests

Allows an application to request specific roles from the idp, using "roles" query parameters.
---
 mellon/views.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/mellon/views.py b/mellon/views.py
index 5a39adf..4a3da73 100644
--- a/mellon/views.py
+++ b/mellon/views.py
@@ -19,6 +19,7 @@ from django.utils import six
 from django.utils.encoding import force_text
 from django.contrib.auth import REDIRECT_FIELD_NAME
 from django.db import transaction
+from django.utils.six.moves.urllib.parse import urljoin
 from django.utils.translation import ugettext as _
 
 from . import app_settings, utils
@@ -375,6 +376,7 @@ class LoginView(ProfileMixin, LogMixin, View):
 request, is_passive=request.GET.get('passive') == '1')
 next_url = check_next_url(self.request, request.GET.get(REDIRECT_FIELD_NAME))
+requested_roles = request.GET.getlist('roles')
 idp = self.get_idp(request)
 if idp is None:
 return HttpResponseBadRequest('no idp found')
@@ -394,7 +396,13 @@ class LoginView(ProfileMixin, LogMixin, View):
 authn_request.isPassive = True
 # configure requested AuthnClassRef
 authn_classref = utils.get_setting(idp, 'AUTHN_CLASSREF')
-if authn_classref:
+if requested_roles:
+prefix = 'https://entrouvert.com/authn-class-ref/role-uuid/' # TODO add setting
+authn_classref = tuple(str(urljoin(prefix, role)) for role in requested_roles)
+req_authncontext = lasso.Samlp2RequestedAuthnContext()
+authn_request.requestedAuthnContext = req_authncontext
+req_authncontext.authnContextClassRef = authn_classref
+elif authn_classref:
 authn_classref = tuple([str(x) for x in authn_classref])
 req_authncontext = lasso.Samlp2RequestedAuthnContext()
 authn_request.requestedAuthnContext = req_authncontext
-- 
2.20.1
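Review bot: The `roles` values read by `requested_roles = request.GET.getlist('roles')` in the second hunk are never validated before the third hunk turns them into AuthnContextClassRef URIs with `urljoin(prefix, role)`; urljoin resolves the role as a relative reference against the prefix, so a value that is itself a URL or carries path or query components is not confined to the `role-uuid/` namespace and the request side ends up choosing the exact class references sent to the IdP, while the neighbouring `next_url` does go through `check_next_url`. Since the prefix names a UUID namespace, parse each value with the stdlib `uuid.UUID(role)` and build the tuple by plain concatenation, `authn_classref = tuple(prefix + str(uuid.UUID(role)) for role in requested_roles)`, inside a `try`/`except ValueError` that returns `HttpResponseBadRequest('invalid roles')` (an `import uuid` would join the first hunk); that also normalises the case and format of the identifier. A second point in the third hunk: when `requested_roles` is non-empty the configured `AUTHN_CLASSREF` is silently discarded rather than combined, which deserves a comment such as `# requested roles replace the AUTHN_CLASSREF setting` if that precedence is intended, and the `# TODO add setting` on the hard-coded prefix should name the setting it expects. The enclosing method of LoginView starts before the second hunk and its body continues past the end of the third.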