projects / cascardo / ipsilon.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Add ability to strip domain/realm per provider
[cascardo/ipsilon.git] / ipsilon / providers / saml2 / auth.py
diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py
index 4adb959..7f92d77 100755 (executable)
--- a/ipsilon/providers/saml2/auth.py
+++ b/ipsilon/providers/saml2/auth.py
@@ -18,6 +18,9 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 from ipsilon.providers.common import ProviderPageBase
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 from ipsilon.providers.common import ProviderPageBase
+from ipsilon.providers.saml2.provider import ServiceProvider
+from ipsilon.providers.saml2.provider import InvalidProviderId
+from ipsilon.providers.saml2.provider import NameIdNotAllowed
 from ipsilon.util.user import UserSession
 import cherrypy
 import datetime
 from ipsilon.util.user import UserSession
 import cherrypy
 import datetime
@@ -56,7 +59,6 @@ class AuthenticateRequest(ProviderPageBase):
     def auth(self, login):
         try:
             self.saml2checks(login)
     def auth(self, login):
         try:
             self.saml2checks(login)
-            self.saml2assertion(login)
         except AuthenticationError, e:
             self.saml2error(login, e.code, e.message)
         return self.reply(login)
         except AuthenticationError, e:
             self.saml2error(login, e.code, e.message)
         return self.reply(login)
@@ -130,20 +132,29 @@ class AuthenticateRequest(ProviderPageBase):
         # record it
         consent = True
 
         # record it
         consent = True
 
-        # TODO: check Name-ID Policy
+        # TODO: check destination
+
+        try:
+            provider = ServiceProvider(self.cfg, login.remoteProviderId)
+            nameidfmt = provider.get_valid_nameid(login.request.nameIdPolicy)
+        except NameIdNotAllowed, e:
+            raise AuthenticationError(
+                str(e), lasso.SAML2_STATUS_CODE_INVALID_NAME_ID_POLICY)
+        except InvalidProviderId, e:
+            raise AuthenticationError(
+                str(e), lasso.SAML2_STATUS_CODE_AUTHN_FAILED)
 
         # TODO: check login.request.forceAuthn
 
         login.validateRequestMsg(not user.is_anonymous, consent)
 
 
         # TODO: check login.request.forceAuthn
 
         login.validateRequestMsg(not user.is_anonymous, consent)
 
-    def saml2assertion(self, login):
-
         authtime = datetime.datetime.utcnow()
         skew = datetime.timedelta(0, 60)
         authtime_notbefore = authtime - skew
         authtime_notafter = authtime + skew
 
         authtime = datetime.datetime.utcnow()
         skew = datetime.timedelta(0, 60)
         authtime_notbefore = authtime - skew
         authtime_notafter = authtime + skew
 
-        user = UserSession().get_user()
+        us = UserSession()
+        user = us.get_user()
 
         # TODO: get authentication type fnd name format from session
         # need to save which login manager authenticated and map it to a
 
         # TODO: get authentication type fnd name format from session
         # need to save which login manager authenticated and map it to a
@@ -156,11 +167,29 @@ class AuthenticateRequest(ProviderPageBase):
                              None,
                              authtime_notbefore.strftime(timeformat),
                              authtime_notafter.strftime(timeformat))
                              None,
                              authtime_notbefore.strftime(timeformat),
                              authtime_notafter.strftime(timeformat))
-        login.assertion.subject.nameId.format = \
-            lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT
-        login.assertion.subject.nameId.content = user.name
 
 
-        # TODO: add user attributes as policy requires taking from 'user'
+        nameid = None
+        if nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT:
+            ## TODO map to something else ?
+            nameid = provider.normalize_username(user.name)
+        elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
+            ## TODO map to something else ?
+            nameid = provider.normalize_username(user.name)
+        elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
+            nameid = us.get_data('user', 'krb_principal_name')
+        elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL:
+            nameid = us.get_user().email
+            if not nameid:
+                nameid = '%s@%s' % (user.name, self.cfg.default_email_domain)
+
+        if nameid:
+            login.assertion.subject.nameId.format = nameidfmt
+            login.assertion.subject.nameId.content = nameid
+        else:
+            raise AuthenticationError("Unavailable Name ID type",
+                                      lasso.SAML2_STATUS_CODE_AUTHN_FAILED)
+
+        # TODO: add user attributes as policy requires taking from 'usersession'
 
     def saml2error(self, login, code, message):
         status = lasso.Samlp2Status()
 
     def saml2error(self, login, code, message):
         status = lasso.Samlp2Status()
Unnamed repository; edit this file 'description' to name the repository.