X-Git-Url: http://git.cascardo.info/?p=cascardo%2Fipsilon.git;a=blobdiff_plain;f=ipsilon%2Fproviders%2Fsaml2%2Fauth.py;h=bac73a54d9608beac7515400849b0f268ac0cb92;hp=9d796c5fb27d3e5d5b1179889ca7cd7c9e3595fa;hb=ed5ed179806c921036cf811e1890408aac072bef;hpb=3983bef596613acf4576957cfeea34dc7be421c4
diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py
index 9d796c5..bac73a5 100755
--- a/ipsilon/providers/saml2/auth.py
+++ b/ipsilon/providers/saml2/auth.py
@@ -17,7 +17,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
-from ipsilon.providers.common import ProviderPageBase
+from ipsilon.providers.common import ProviderPageBase, ProviderException
 from ipsilon.providers.saml2.provider import ServiceProvider
 from ipsilon.providers.saml2.provider import InvalidProviderId
 from ipsilon.providers.saml2.provider import NameIdNotAllowed
@@ -27,25 +27,19 @@ import datetime
 import lasso
-class AuthenticationError(Exception):
+class AuthenticationError(ProviderException):
 def __init__(self, message, code):
 super(AuthenticationError, self).__init__(message)
- self.message = message
 self.code = code
+ self._debug('%s [%s]' % (message, code))
- def __str__(self):
- return repr(self.message)
-
-class InvalidRequest(Exception):
+class InvalidRequest(ProviderException):
 def __init__(self, message):
 super(InvalidRequest, self).__init__(message)
- self.message = message
-
- def __str__(self):
- return repr(self.message)
+ self._debug(message)
 class AuthenticateRequest(ProviderPageBase):
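Review bot: `self.message = message` is dropped from AuthenticationError while `auth()` in the next hunk still passes `e.message` to `saml2error`; unless ProviderException (not shown in this diff) sets a `message` attribute, that name now resolves to the deprecated `BaseException.message`, so the error text reaching the SP depends on base-class behaviour rather than on this class. Either keep the attribute or make the caller independent of it, e.g. `self.saml2error(login, e.code, str(e))`. The `_debug` call likewise assumes ProviderException provides it; a one-line class docstring such as `"""Raised when an AuthnRequest cannot be honoured; code is the SAML2 status code sent back to the SP."""` would make the contract explicit for both exception classes.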
@@ -55,19 +49,17 @@ class AuthenticateRequest(ProviderPageBase):
 self.STAGE_INIT = 0
 self.STAGE_AUTH = 1
 self.stage = self.STAGE_INIT
- self.nameidfmt = None
 def auth(self, login):
 try:
 self.saml2checks(login)
- self.saml2assertion(login)
 except AuthenticationError, e:
 self.saml2error(login, e.code, e.message)
 return self.reply(login)
 def _parse_request(self, message):
- login = lasso.Login(self.cfg.idp)
+ login = self.cfg.idp.get_login_handler()
 try:
 login.processAuthnRequestMsg(message)
@@ -138,7 +130,7 @@ class AuthenticateRequest(ProviderPageBase):
 try:
 provider = ServiceProvider(self.cfg, login.remoteProviderId)
- nameid = provider.get_valid_nameid(login.request.nameIdPolicy)
+ nameidfmt = provider.get_valid_nameid(login.request.nameIdPolicy)
 except NameIdNotAllowed, e:
 raise AuthenticationError(
 str(e), lasso.SAML2_STATUS_CODE_INVALID_NAME_ID_POLICY)
@@ -146,20 +138,17 @@ class AuthenticateRequest(ProviderPageBase):
 raise AuthenticationError(
 str(e), lasso.SAML2_STATUS_CODE_AUTHN_FAILED)
- self.nameidfmt = nameid
-
 # TODO: check login.request.forceAuthn
 login.validateRequestMsg(not user.is_anonymous, consent)
- def saml2assertion(self, login):
-
 authtime = datetime.datetime.utcnow()
 skew = datetime.timedelta(0, 60)
 authtime_notbefore = authtime - skew
 authtime_notafter = authtime + skew
- user = UserSession().get_user()
+ us = UserSession()
+ user = us.get_user()
 # TODO: get authentication type fnd name format from session
 # need to save which login manager authenticated and map it to a
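Review bot: In the `@@ -146,20 +138,17 @@` hunk `login.validateRequestMsg(not user.is_anonymous, consent)` reads `user` before the `user = us.get_user()` assignment a few lines below it, so saml2checks must already hold a `user` from earlier in its body (outside this hunk); if that earlier lookup also constructs a `UserSession()`, the new `us = UserSession()` is a second session object and the one already in hand should be reused instead, with `us = UserSession()` / `user = us.get_user()` done once near the top of the method. Folding saml2assertion into saml2checks also leaves the method without a docstring saying that it both validates the AuthnRequest and populates `login.assertion`; a one-line docstring noting that the assertion is filled only after `validateRequestMsg` succeeds would help the next reader. The enclosing method starts and ends outside the hunk.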
@@ -174,19 +163,27 @@ class AuthenticateRequest(ProviderPageBase):
 authtime_notafter.strftime(timeformat))
 nameid = None
- if self.nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT:
- nameid = user.name ## TODO map to something else ?
- elif self.nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
- nameid = user.name ## TODO map to something else ?
+ if nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT:
+ ## TODO map to something else ?
+ nameid = provider.normalize_username(user.name)
+ elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
+ ## TODO map to something else ?
+ nameid = provider.normalize_username(user.name)
+ elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
+ nameid = us.get_data('user', 'krb_principal_name')
+ elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL:
+ nameid = us.get_user().email
+ if not nameid:
+ nameid = '%s@%s' % (user.name, self.cfg.default_email_domain)
 if nameid:
- login.assertion.subject.nameId.format = self.nameidfmt
+ login.assertion.subject.nameId.format = nameidfmt
 login.assertion.subject.nameId.content = nameid
 else:
 raise AuthenticationError("Unavailable Name ID type", lasso.SAML2_STATUS_CODE_AUTHN_FAILED)
- # TODO: add user attributes as policy requires taking from 'usersession'
+ # TODO: add user attributes as policy requires from 'usersession'
 def saml2error(self, login, code, message):
 status = lasso.Samlp2Status()
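Review bot: The EMAIL branch falls back to `'%s@%s' % (user.name, self.cfg.default_email_domain)` when the session user has no email, so the SP receives an email-format NameID the IdP has never verified belongs to that user, and the address is built even when `default_email_domain` is unset; an SP that keys accounts on the email NameID would link the account to that invented address. Gate the fallback on the domain being configured and say why in a comment, e.g. `if not nameid and self.cfg.default_email_domain:` followed by `# synthesized, unverified address; only when the deployment opts in`. The TRANSIENT branch still emits `provider.normalize_username(user.name)`, a stable value under a format that promises an opaque short-lived identifier; the existing TODO covers it, but the comment should state that linkability across sessions is the consequence. `us.get_user().email` can simply be `user.email`, since `user` is already bound in this method, and the PERSISTENT and TRANSIENT branches now run identical code and could share one membership test. The enclosing method starts before this hunk.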