Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
from ipsilon.providers.saml2.provider import InvalidProviderId
from ipsilon.providers.saml2.provider import NameIdNotAllowed
from ipsilon.providers.saml2.sessions import SAMLSessionsContainer
from ipsilon.providers.saml2.provider import InvalidProviderId
from ipsilon.providers.saml2.provider import NameIdNotAllowed
from ipsilon.providers.saml2.sessions import SAMLSessionsContainer
+from ipsilon.util.policy import Policy
from ipsilon.util.user import UserSession
from ipsilon.util.trans import Transaction
import cherrypy
from ipsilon.util.user import UserSession
from ipsilon.util.trans import Transaction
import cherrypy
raise AuthenticationError("Unavailable Name ID type",
lasso.SAML2_STATUS_CODE_AUTHN_FAILED)
raise AuthenticationError("Unavailable Name ID type",
lasso.SAML2_STATUS_CODE_AUTHN_FAILED)
- # TODO: filter user attributes as policy requires from 'usersession'
if not login.assertion.attributeStatement:
attrstat = lasso.Saml2AttributeStatement()
login.assertion.attributeStatement = [attrstat]
if not login.assertion.attributeStatement:
attrstat = lasso.Saml2AttributeStatement()
login.assertion.attributeStatement = [attrstat]
if not attrstat.attribute:
attrstat.attribute = ()
if not attrstat.attribute:
attrstat.attribute = ()
- attributes = us.get_user_attrs()
+ # Check attribute policy and perform mapping and filtering
+ policy = Policy(self.cfg.default_attribute_mapping,
+ self.cfg.default_allowed_attributes)
+ userattrs = us.get_user_attrs()
+ mappedattrs, _ = policy.map_attributes(userattrs)
+ attributes = policy.filter_attributes(mappedattrs)
+
+ self.debug("%s's attributes: %s" % (user.name, attributes))
for key in attributes:
values = attributes[key]
for key in attributes:
values = attributes[key]
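Review bot: The `self.debug(...)` line added at the end of the hunk writes the full post-filter attribute dictionary, values included, to the log; if `'*'` in the `['*']` default from the config hunk below is a wildcard as it appears to be, that is every attribute the user session holds, so anything sensitive in the directory record lands in debug logs. Logging only the attribute names keeps the diagnostic useful while bounding what ends up on disk, e.g. `self.debug("%s's attributes: %s" % (user.name, list(attributes)))`. The second value returned by `policy.map_attributes` is discarded as `_`; if it carries the attributes that matched no mapping rule, a comment such as `# attributes that match no mapping rule are intentionally dropped` would make that explicit, since Policy's return contract is not visible here. The enclosing function starts and ends outside the hunk.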
'default email domain',
'Used for users missing the email property.',
'example.com'),
'default email domain',
'Used for users missing the email property.',
'example.com'),
+ pconfig.MappingList(
+ 'default attribute mapping',
+ 'Defines how to map attributes before returning them to SPs',
+ [['*', '*']]),
+ pconfig.ComplexList(
+ 'default allowed attributes',
+ 'Defines a list of allowed attributes, applied after mapping',
+ ['*']),
)
if cherrypy.config.get('debug', False):
import logging
)
if cherrypy.config.get('debug', False):
import logging
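Review bot: The help strings added for 'default attribute mapping' and 'default allowed attributes' do not say what the shipped defaults `[['*', '*']]` and `['*']` mean, so an administrator reading the config page cannot tell that, presumably, every attribute is mapped through unchanged and released to every SP unless the list is narrowed. Stating the wildcard semantics and the release-everything default in the description would help, e.g. `'Defines a list of allowed attributes, applied after mapping; "*" releases every mapped attribute'` and a matching sentence on the mapping entry. Whether a per-SP override of these defaults exists is not visible in this hunk; if these are the only controls, the descriptions should also say they apply to all service providers. The surrounding config tuple starts outside the hunk.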
def default_email_domain(self):
return self.get_config_value('default email domain')
def default_email_domain(self):
return self.get_config_value('default email domain')
+ @property
+ def default_attribute_mapping(self):
+ return self.get_config_value('default attribute mapping')
+
+ @property
+ def default_allowed_attributes(self):
+ return self.get_config_value('default allowed attributes')
+
def get_tree(self, site):
self.idp = self.init_idp()
self.page = SAML2(site, self)
def get_tree(self, site):
self.idp = self.init_idp()
self.page = SAML2(site, self)