Update Copyright header point to COPYING file

[cascardo/ipsilon.git] / ipsilon / providers / openid / auth.py

diff --git a/ipsilon/providers/openid/auth.py b/ipsilon/providers/openid/auth.py
old mode 100755 (executable)
new mode 100644 (file)
index fba8d10..64245f5
--- a/ipsilon/providers/openid/auth.py
+++ b/ipsilon/providers/openid/auth.py
@@ -1,11 +1,10 @@
-#!/usr/bin/python
-#
-# Copyright (C) 2014  Ipsilon project Contributors, for licensee see COPYING
+# Copyright (C) 2014 Ipsilon project Contributors, for license see COPYING
 
 from ipsilon.providers.common import ProviderPageBase
 from ipsilon.providers.common import AuthenticationError, InvalidRequest
 from ipsilon.providers.openid.meta import XRDSHandler, UserXRDSHandler
 from ipsilon.providers.openid.meta import IDHandler
+from ipsilon.util.policy import Policy
 from ipsilon.util.trans import Transaction
 from ipsilon.util.user import UserSession
 
@@ -45,7 +44,7 @@ class AuthenticateRequest(ProviderPageBase):
         if args is not None:
             first = args[0] if len(args) > 0 else None
             second = first[0] if len(first) > 0 else None
-            if type(second) is dict:
+            if isinstance(second, dict):
                 form = second.get('form', None)
         return form
 
@@ -62,6 +61,16 @@ class AuthenticateRequest(ProviderPageBase):
                 raise cherrypy.HTTPError(e.code, e.msg)
             return self._respond(request.answer(False))
 
+    # get attributes, and apply policy mapping and filtering
+    def _source_attributes(self, session):
+        policy = Policy(self.cfg.default_attribute_mapping,
+                        self.cfg.default_allowed_attributes)
+        userattrs = session.get_user_attrs()
+        mappedattrs, _ = policy.map_attributes(userattrs)
+        attributes = policy.filter_attributes(mappedattrs)
+        self.debug('Filterd attributes: %s' % repr(attributes))
+        return attributes
+
     def _parse_request(self, **kwargs):
         request = None
         try:
@@ -110,13 +119,13 @@ class AuthenticateRequest(ProviderPageBase):
         else:
             return self._respond(self.cfg.server.handleRequest(request))
 
-        # check if this is discovery or ned identity matching checks
+        # check if this is discovery or needs identity matching checks
         if not request.idSelect():
             idurl = self.cfg.identity_url_template % {'username': user.name}
             if request.identity != idurl:
                 raise AuthenticationError("User ID mismatch!", 401)
 
-        # check if the ralying party is trusted
+        # check if the relying party is trusted
         if request.trust_root in self.cfg.untrusted_roots:
             raise AuthenticationError("Untrusted Relying party", 401)
 
@@ -167,7 +176,7 @@ class AuthenticateRequest(ProviderPageBase):
             ad = {
                 "Trust Root": request.trust_root,
             }
-            userattrs = us.get_user_attrs()
+            userattrs = self._source_attributes(us)
             for n, e in self.cfg.extensions.available().items():
                 data = e.get_display_data(request, userattrs)
                 self.debug('%s returned %s' % (n, repr(data)))
@@ -182,7 +191,6 @@ class AuthenticateRequest(ProviderPageBase):
                 "authz_details": ad,
             }
             context.update(dict((self.trans.get_POST_tuple(),)))
-            # pylint: disable=star-args
             return self._template('openid/consent_form.html', **context)
 
     def _response(self, request, session):
@@ -193,7 +201,7 @@ class AuthenticateRequest(ProviderPageBase):
             identity=identity_url,
             claimed_id=identity_url
         )
-        userattrs = session.get_user_attrs()
+        userattrs = self._source_attributes(session)
         for _, e in self.cfg.extensions.available().items():
             resp = e.get_response(request, userattrs)
             if resp is not None: