1
|
try:
|
2
|
import lasso
|
3
|
except ImportError:
|
4
|
pass
|
5
|
|
6
|
from quixote import get_publisher
|
7
|
|
8
|
from wcs.roles import Role
|
9
|
|
10
|
from qommon import get_cfg, get_logger
|
11
|
import qommon.saml2
|
12
|
|
13
|
|
14
|
class Saml2Directory(qommon.saml2.Saml2Directory):
|
15
|
def extract_attributes(self, session, login):
|
16
|
'''Separate attributes as two dictionaries: one for last value, one for
|
17
|
the list of values.'''
|
18
|
lasso_session = lasso.Session.newFromDump(session.lasso_session_dump)
|
19
|
try:
|
20
|
assertion = lasso_session.getAssertions(None)[0]
|
21
|
except:
|
22
|
get_logger().warn('failed to lookup assertion')
|
23
|
return user
|
24
|
|
25
|
d = {}
|
26
|
m = {}
|
27
|
try:
|
28
|
for attribute in assertion.attributeStatement[0].attribute:
|
29
|
try:
|
30
|
d[attribute.name] = attribute.attributeValue[0].any[0].content
|
31
|
for attribute_value in attribute.attributeValue:
|
32
|
l = m.setdefault(attribute.name, [])
|
33
|
l.append(attribute_value.any[0].content)
|
34
|
except IndexError:
|
35
|
pass
|
36
|
except IndexError:
|
37
|
pass
|
38
|
return d, m
|
39
|
|
40
|
def legacy_fill_user_attributes(self, session, login, user):
|
41
|
'''Fill fields using a legacy attribute to field varname mapping'''
|
42
|
d, m = self.extract_attributes(session, login)
|
43
|
users_cfg = get_cfg('users', {}) or {}
|
44
|
get_logger().debug('using legacy attribute filling')
|
45
|
|
46
|
# standard attributes
|
47
|
user.name = d.get('cn')
|
48
|
user.email = d.get('mail')
|
49
|
|
50
|
# email field
|
51
|
field_email = users_cfg.get('field_email')
|
52
|
if field_email:
|
53
|
user.form_data[field_email] = d.get('mail') or d.get('email')
|
54
|
|
55
|
# name field, this only works if there's a single field for the name
|
56
|
field_name_values = users_cfg.get('field_name')
|
57
|
if field_name_values:
|
58
|
if type(field_name_values) is str: # it was a string in previous versions
|
59
|
field_name_values = [field_name_values]
|
60
|
if len(field_name_values) == 1:
|
61
|
user.form_data[field_name_values[0]] = d.get('cn')
|
62
|
|
63
|
# other fields, matching is done on known LDAP attribute names and
|
64
|
# common variable names
|
65
|
extra_field_mappings = [
|
66
|
('gn', ('firstname', 'prenom')),
|
67
|
('givenName', ('firstname', 'prenom')),
|
68
|
('surname', ('surname', 'name', 'nom',)),
|
69
|
('sn', ('surname', 'name', 'nom',)),
|
70
|
('personalTitle', ('personalTitle', 'civilite',)),
|
71
|
('l', ('location', 'commune', 'ville',)),
|
72
|
('streetAddress', ('streetAddress', 'address', 'adresse', 'street',)),
|
73
|
('street', ('streetAddress', 'address', 'adresse', 'street',)),
|
74
|
('postalCode', ('postalCode', 'codepostal', 'cp',)),
|
75
|
('telephoneNumber', ('telephoneNumber', 'telephonefixe', 'telephone',)),
|
76
|
('mobile', ('mobile', 'telephonemobile',)),
|
77
|
('faxNumber', ('faxNumber', 'fax')),
|
78
|
]
|
79
|
|
80
|
for attribute_key, field_varnames in extra_field_mappings:
|
81
|
if not attribute_key in d:
|
82
|
continue
|
83
|
for field in user.get_formdef().fields:
|
84
|
if field.varname in field_varnames:
|
85
|
user.form_data[field.id] = d.get(attribute_key)
|
86
|
|
87
|
def lookup_user(self, session, login = None, name_id = None):
|
88
|
user = qommon.saml2.Saml2Directory.lookup_user(self, session, login, name_id)
|
89
|
|
90
|
if not user:
|
91
|
user = get_publisher().user_class()
|
92
|
# already done by parent.lookup_user() for existing users
|
93
|
self.fill_user_attributes(session, login, user)
|
94
|
|
95
|
# apply legacy mapping when not configured
|
96
|
idp = qommon.saml2.get_remote_provider_cfg(login)
|
97
|
if not idp.get('attribute-mapping'):
|
98
|
self.legacy_fill_user_attributes(session, login, user)
|
99
|
|
100
|
if user.form_data:
|
101
|
user.set_attributes_from_formdata(user.form_data)
|
102
|
|
103
|
if not (user.name and user.email):
|
104
|
# we didn't get useful attributes, forget it.
|
105
|
get_logger().warn('failed to get useful attributes from the assertion')
|
106
|
return None
|
107
|
|
108
|
if not login.nameIdentifier.content in user.name_identifiers:
|
109
|
user.name_identifiers.append(login.nameIdentifier.content)
|
110
|
|
111
|
if login and login.identity:
|
112
|
user.lasso_dump = login.identity.dump()
|
113
|
|
114
|
user.store()
|
115
|
return user
|