-#!/usr/bin/python
-#
-# Copyright (C) 2014 Ipsilon project Contributors, for licensee see COPYING
+# Copyright (C) 2014 Ipsilon project Contributors, for license see COPYING
from ipsilon.providers.common import ProviderPageBase
from ipsilon.providers.common import AuthenticationError, InvalidRequest
from ipsilon.providers.openid.meta import XRDSHandler, UserXRDSHandler
from ipsilon.providers.openid.meta import IDHandler
+from ipsilon.util.policy import Policy
from ipsilon.util.trans import Transaction
from ipsilon.util.user import UserSession
try:
# generate a new id or get current one
self.trans = Transaction('openid', **kwargs)
- if self.trans.cookie.value != self.trans.provider:
+ if (self.trans.cookie and
+ self.trans.cookie.value != self.trans.provider):
self.debug('Invalid transaction, %s != %s' % (
self.trans.cookie.value, self.trans.provider))
except Exception, e: # pylint: disable=broad-except
if args is not None:
first = args[0] if len(args) > 0 else None
second = first[0] if len(first) > 0 else None
- if type(second) is dict:
+ if isinstance(second, dict):
form = second.get('form', None)
return form
raise cherrypy.HTTPError(e.code, e.msg)
return self._respond(request.answer(False))
+ # get attributes, and apply policy mapping and filtering
+ def _source_attributes(self, session):
+ policy = Policy(self.cfg.default_attribute_mapping,
+ self.cfg.default_allowed_attributes)
+ userattrs = session.get_user_attrs()
+ mappedattrs, _ = policy.map_attributes(userattrs)
+ attributes = policy.filter_attributes(mappedattrs)
+ self.debug('Filterd attributes: %s' % repr(attributes))
+ return attributes
+
def _parse_request(self, **kwargs):
request = None
try:
else:
return self._respond(self.cfg.server.handleRequest(request))
- # check if this is discovery or ned identity matching checks
+ # check if this is discovery or needs identity matching checks
if not request.idSelect():
idurl = self.cfg.identity_url_template % {'username': user.name}
if request.identity != idurl:
raise AuthenticationError("User ID mismatch!", 401)
- # check if the ralying party is trusted
+ # check if the relying party is trusted
if request.trust_root in self.cfg.untrusted_roots:
raise AuthenticationError("Untrusted Relying party", 401)
ad = {
"Trust Root": request.trust_root,
}
- userattrs = us.get_user_attrs()
+ userattrs = self._source_attributes(us)
for n, e in self.cfg.extensions.available().items():
data = e.get_display_data(request, userattrs)
self.debug('%s returned %s' % (n, repr(data)))
"authz_details": ad,
}
context.update(dict((self.trans.get_POST_tuple(),)))
- # pylint: disable=star-args
return self._template('openid/consent_form.html', **context)
def _response(self, request, session):
identity=identity_url,
claimed_id=identity_url
)
- userattrs = session.get_user_attrs()
+ userattrs = self._source_attributes(session)
for _, e in self.cfg.extensions.available().items():
resp = e.get_response(request, userattrs)
if resp is not None: