Add support for attribute policies in openidp

author Simo Sorce <simo@redhat.com>

Mon, 16 Feb 2015 18:47:33 +0000 (13:47 -0500)

committer Patrick Uiterwijk <puiterwijk@redhat.com>

Tue, 24 Feb 2015 15:58:20 +0000 (16:58 +0100)
author Simo Sorce <simo@redhat.com>
Mon, 16 Feb 2015 18:47:33 +0000 (13:47 -0500)
committer Patrick Uiterwijk <puiterwijk@redhat.com>
Tue, 24 Feb 2015 15:58:20 +0000 (16:58 +0100)
diff --git a/ipsilon/providers/openid/auth.py b/ipsilon/providers/openid/auth.py

index 824f4f8..2510ff4 100644 (file)
--- a/ipsilon/providers/openid/auth.py
+++ b/ipsilon/providers/openid/auth.py
@@ -4,6 +4,7 @@ from ipsilon.providers.common import ProviderPageBase
  from ipsilon.providers.common import AuthenticationError, InvalidRequest
  from ipsilon.providers.openid.meta import XRDSHandler, UserXRDSHandler
  from ipsilon.providers.openid.meta import IDHandler
+from ipsilon.util.policy import Policy
  from ipsilon.util.trans import Transaction
  from ipsilon.util.user import UserSession
  
@@ -60,6 +61,16 @@ class AuthenticateRequest(ProviderPageBase):
                  raise cherrypy.HTTPError(e.code, e.msg)
              return self._respond(request.answer(False))
  
+    # get attributes, and apply policy mapping and filtering
+    def _source_attributes(self, session):
+        policy = Policy(self.cfg.default_attribute_mapping,
+                        self.cfg.default_allowed_attributes)
+        userattrs = session.get_user_attrs()
+        mappedattrs, _ = policy.map_attributes(userattrs)
+        attributes = policy.filter_attributes(mappedattrs)
+        self.debug('Filterd attributes: %s' % repr(attributes))
+        return attributes
+
      def _parse_request(self, **kwargs):
          request = None
          try:
@@ -165,7 +176,7 @@ class AuthenticateRequest(ProviderPageBase):
              ad = {
                  "Trust Root": request.trust_root,
              }
-            userattrs = us.get_user_attrs()
+            userattrs = self._source_attributes(us)
              for n, e in self.cfg.extensions.available().items():
                  data = e.get_display_data(request, userattrs)
                  self.debug('%s returned %s' % (n, repr(data)))
@@ -191,7 +202,7 @@ class AuthenticateRequest(ProviderPageBase):
              identity=identity_url,
              claimed_id=identity_url
          )
-        userattrs = session.get_user_attrs()
+        userattrs = self._source_attributes(session)
          for _, e in self.cfg.extensions.available().items():
              resp = e.get_response(request, userattrs)
              if resp is not None:
diff --git a/ipsilon/providers/openid/extensions/cla.py b/ipsilon/providers/openid/extensions/cla.py

index 830e3a3..d021afa 100644 (file)
--- a/ipsilon/providers/openid/extensions/cla.py
+++ b/ipsilon/providers/openid/extensions/cla.py
@@ -19,7 +19,7 @@ class OpenidExtension(OpenidExtensionBase):
          self.debug(req)
          if req is None:
              return {}
-        data = userdata['_extras'].get('cla', [])
+        data = userdata.get('_extras', {}).get('cla', [])
          return cla.CLAResponse.extractResponse(req, data)
  
      def _display(self, request, userdata):
diff --git a/ipsilon/providers/openidp.py b/ipsilon/providers/openidp.py

index 13f6819..6bdf557 100644 (file)
--- a/ipsilon/providers/openidp.py
+++ b/ipsilon/providers/openidp.py
@@ -53,6 +53,14 @@ Provides OpenID 2.0 authentication infrastructure. """
                  'enabled extensions',
                  'Choose the extensions to enable',
                  self.extensions.available().keys()),
+            pconfig.MappingList(
+                'default attribute mapping',
+                'Defines how to map attributes before calling extensions',
+                [['*', '*']]),
+            pconfig.ComplexList(
+                'default allowed attributes',
+                'Defines a list of allowed attributes, applied after mapping',
+                ['*']),
          )
  
      @property
@@ -87,6 +95,14 @@ Provides OpenID 2.0 authentication infrastructure. """
      def enabled_extensions(self):
          return self.get_config_value('enabled extensions')
  
+    @property
+    def default_attribute_mapping(self):
+        return self.get_config_value('default attribute mapping')
+
+    @property
+    def default_allowed_attributes(self):
+        return self.get_config_value('default allowed attributes')
+
      def get_tree(self, site):
          self.init_idp()
          self.page = OpenID(site, self)
author	Simo Sorce <simo@redhat.com>
	Mon, 16 Feb 2015 18:47:33 +0000 (13:47 -0500)
committer	Patrick Uiterwijk <puiterwijk@redhat.com>
	Tue, 24 Feb 2015 15:58:20 +0000 (16:58 +0100)
ipsilon/providers/openid/auth.py		patch \| blob \| history
ipsilon/providers/openid/extensions/cla.py		patch \| blob \| history
ipsilon/providers/openidp.py		patch \| blob \| history