X-Git-Url: http://git.cascardo.info/?p=cascardo%2Fipsilon.git;a=blobdiff_plain;f=ipsilon%2Fproviders%2Fopenid%2Fauth.py;h=1ecbe439e93af3e9a23126df49a96156469e2a6d;hp=fba8d10285f3c3e6080764c5cd71366c11f7b66b;hb=0efe98eece9af222009fb90bed7c81aa380de0e3;hpb=83da2bf3963db3e4427bced3b4c0681e751e54da
diff --git a/ipsilon/providers/openid/auth.py b/ipsilon/providers/openid/auth.py
old mode 100755
new mode 100644
index fba8d10..1ecbe43
--- a/ipsilon/providers/openid/auth.py
+++ b/ipsilon/providers/openid/auth.py
@@ -1,11 +1,10 @@
-#!/usr/bin/python
-#
-# Copyright (C) 2014 Ipsilon project Contributors, for licensee see COPYING
+# Copyright (C) 2014 Ipsilon project Contributors, for license see COPYING
 from ipsilon.providers.common import ProviderPageBase
 from ipsilon.providers.common import AuthenticationError, InvalidRequest
 from ipsilon.providers.openid.meta import XRDSHandler, UserXRDSHandler
 from ipsilon.providers.openid.meta import IDHandler
+from ipsilon.util.policy import Policy
 from ipsilon.util.trans import Transaction
 from ipsilon.util.user import UserSession
@@ -27,7 +26,8 @@ class AuthenticateRequest(ProviderPageBase):
 try:
 # generate a new id or get current one
 self.trans = Transaction('openid', **kwargs)
- if self.trans.cookie.value != self.trans.provider:
+ if (self.trans.cookie and
+ self.trans.cookie.value != self.trans.provider):
 self.debug('Invalid transaction, %s != %s' % (
 self.trans.cookie.value, self.trans.provider))
 except Exception, e: # pylint: disable=broad-except
@@ -45,7 +45,7 @@ class AuthenticateRequest(ProviderPageBase):
 if args is not None:
 first = args[0] if len(args) > 0 else None
 second = first[0] if len(first) > 0 else None
- if type(second) is dict:
+ if isinstance(second, dict):
 form = second.get('form', None)
 return form
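Review bot: The new `self.trans.cookie and` guard in the @@ -27 hunk makes a request that carries no transaction cookie pass through this check with no log line at all, whereas before the attribute access on the missing cookie raised and was at least recorded by the broad except below. If the transaction cookie is what binds this request to the started OpenID transaction, a missing cookie is as worth recording as a mismatched one; a split such as `if not self.trans.cookie:` / `self.debug('No transaction cookie for %s' % self.trans.provider)` / `elif self.trans.cookie.value != self.trans.provider:` keeps the new behaviour and logs the absent case. On the visible lines a mismatch only produces a debug message and processing continues; whether the transaction is rejected later cannot be told from here, since the method continues outside the hunk.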
@@ -62,6 +62,16 @@ class AuthenticateRequest(ProviderPageBase):
 raise cherrypy.HTTPError(e.code, e.msg)
 return self._respond(request.answer(False))
+ # get attributes, and apply policy mapping and filtering
+ def _source_attributes(self, session):
+ policy = Policy(self.cfg.default_attribute_mapping,
+ self.cfg.default_allowed_attributes)
+ userattrs = session.get_user_attrs()
+ mappedattrs, _ = policy.map_attributes(userattrs)
+ attributes = policy.filter_attributes(mappedattrs)
+ self.debug('Filterd attributes: %s' % repr(attributes))
+ return attributes
+
 def _parse_request(self, **kwargs):
 request = None
 try:
@@ -110,13 +120,13 @@ class AuthenticateRequest(ProviderPageBase):
 else:
 return self._respond(self.cfg.server.handleRequest(request))
- # check if this is discovery or ned identity matching checks
+ # check if this is discovery or needs identity matching checks
 if not request.idSelect():
 idurl = self.cfg.identity_url_template % {'username': user.name}
 if request.identity != idurl:
 raise AuthenticationError("User ID mismatch!", 401)
- # check if the ralying party is trusted
+ # check if the relying party is trusted
 if request.trust_root in self.cfg.untrusted_roots:
 raise AuthenticationError("Untrusted Relying party", 401)
@@ -167,7 +177,7 @@ class AuthenticateRequest(ProviderPageBase):
 ad = {
 "Trust Root": request.trust_root,
 }
- userattrs = us.get_user_attrs()
+ userattrs = self._source_attributes(us)
 for n, e in self.cfg.extensions.available().items():
 data = e.get_display_data(request, userattrs)
 self.debug('%s returned %s' % (n, repr(data)))
@@ -182,7 +192,6 @@ class AuthenticateRequest(ProviderPageBase):
 "authz_details": ad,
 }
 context.update(dict((self.trans.get_POST_tuple(),)))
- # pylint: disable=star-args
 return self._template('openid/consent_form.html', **context)
 def _response(self, request, session):
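Review bot: The new `_source_attributes` method in the @@ -62 hunk has no docstring, and its debug message misspells the word: `self.debug('Filtered attributes: %s' % repr(attributes))`. A docstring of the form `"""Return the session's user attributes after applying the configured attribute mapping and allowed-attribute filter."""` would state the contract that both the consent form (@@ -167) and `_response` (@@ -193) now rely on. That debug line also writes the whole filtered attribute dictionary to the log; since these are per-user attributes released to a relying party, it is worth confirming that dumping them at debug level is intended. The second value returned by `policy.map_attributes` is discarded with `_`; if it carries the attributes that did not map, a one-line comment saying so would help, as its meaning cannot be told from this hunk.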
@@ -193,7 +202,7 @@ class AuthenticateRequest(ProviderPageBase):
 identity=identity_url,
 claimed_id=identity_url
 )
- userattrs = session.get_user_attrs()
+ userattrs = self._source_attributes(session)
 for _, e in self.cfg.extensions.available().items():
 resp = e.get_response(request, userattrs)
 if resp is not None: