# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-from ipsilon.providers.common import ProviderPageBase
+from ipsilon.providers.common import ProviderPageBase, ProviderException
from ipsilon.providers.saml2.provider import ServiceProvider
from ipsilon.providers.saml2.provider import InvalidProviderId
from ipsilon.providers.saml2.provider import NameIdNotAllowed
import lasso
-class AuthenticationError(Exception):
+class AuthenticationError(ProviderException):
def __init__(self, message, code):
super(AuthenticationError, self).__init__(message)
- self.message = message
self.code = code
+ self._debug('%s [%s]' % (message, code))
- def __str__(self):
- return repr(self.message)
-
-class InvalidRequest(Exception):
+class InvalidRequest(ProviderException):
def __init__(self, message):
super(InvalidRequest, self).__init__(message)
- self.message = message
+ self._debug(message)
+
+
+class UnknownProvider(ProviderException):
- def __str__(self):
- return repr(self.message)
+ def __init__(self, message):
+ super(UnknownProvider, self).__init__(message)
+ self._debug(message)
class AuthenticateRequest(ProviderPageBase):
def _parse_request(self, message):
- login = lasso.Login(self.cfg.idp)
+ login = self.cfg.idp.get_login_handler()
try:
login.processAuthnRequestMsg(message)
msg = 'Invalid SP [%s] (%r [%r])' % (login.remoteProviderId,
e, message)
- raise InvalidRequest(msg)
+ raise UnknownProvider(msg)
self._debug('SP %s requested authentication' % login.remoteProviderId)
except InvalidRequest, e:
self._debug(str(e))
raise cherrypy.HTTPError(400, 'Invalid SAML request token')
+ except UnknownProvider, e:
+ self._debug(str(e))
+ raise cherrypy.HTTPError(400, 'Unknown Service Provider')
except Exception, e: # pylint: disable=broad-except
self._debug(str(e))
raise cherrypy.HTTPError(500)
nameid = None
if nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT:
- nameid = user.name ## TODO map to something else ?
+ # TODO map to something else ?
+ nameid = provider.normalize_username(user.name)
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
- nameid = user.name ## TODO map to something else ?
+ # TODO map to something else ?
+ nameid = provider.normalize_username(user.name)
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
nameid = us.get_data('user', 'krb_principal_name')
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL:
raise AuthenticationError("Unavailable Name ID type",
lasso.SAML2_STATUS_CODE_AUTHN_FAILED)
- # TODO: add user attributes as policy requires taking from 'usersession'
+ # TODO: add user attributes as policy requires from 'usersession'
def saml2error(self, login, code, message):
status = lasso.Samlp2Status()