From: Simo Sorce
Date: Mon, 16 Feb 2015 18:47:33 +0000 (-0500)
Subject: Add support for attribute policies in openidp
X-Git-Tag: v0.4.0~17
X-Git-Url: http://git.cascardo.info/?p=cascardo%2Fipsilon.git;a=commitdiff_plain;h=db88788fe906f315733b6ae67929f62cfc307d24

Add support for attribute policies in openidp

Signed-off-by: Simo Sorce
Reviewed-by: Patrick Uiterwijk
---
diff --git a/ipsilon/providers/openid/auth.py b/ipsilon/providers/openid/auth.py
index 824f4f8..2510ff4 100644
--- a/ipsilon/providers/openid/auth.py
+++ b/ipsilon/providers/openid/auth.py
@@ -4,6 +4,7 @@ from ipsilon.providers.common import ProviderPageBase
 from ipsilon.providers.common import AuthenticationError, InvalidRequest
 from ipsilon.providers.openid.meta import XRDSHandler, UserXRDSHandler
 from ipsilon.providers.openid.meta import IDHandler
+from ipsilon.util.policy import Policy
 from ipsilon.util.trans import Transaction
 from ipsilon.util.user import UserSession
 
@@ -60,6 +61,16 @@ class AuthenticateRequest(ProviderPageBase):
             raise cherrypy.HTTPError(e.code, e.msg)
         return self._respond(request.answer(False))
 
+    # get attributes, and apply policy mapping and filtering
+    def _source_attributes(self, session):
+        policy = Policy(self.cfg.default_attribute_mapping,
+                        self.cfg.default_allowed_attributes)
+        userattrs = session.get_user_attrs()
+        mappedattrs, _ = policy.map_attributes(userattrs)
+        attributes = policy.filter_attributes(mappedattrs)
+        self.debug('Filterd attributes: %s' % repr(attributes))
+        return attributes
+
     def _parse_request(self, **kwargs):
         request = None
         try:
@@ -165,7 +176,7 @@ class AuthenticateRequest(ProviderPageBase):
             ad = {
                 "Trust Root": request.trust_root,
             }
-            userattrs = us.get_user_attrs()
+            userattrs = self._source_attributes(us)
             for n, e in self.cfg.extensions.available().items():
                 data = e.get_display_data(request, userattrs)
                 self.debug('%s returned %s' % (n, repr(data)))
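Review bot: The debug line in the new `_source_attributes` writes the complete post-policy attribute set into the log via `repr(attributes)`; for an identity provider these values are normally personal data (names, e-mail addresses), so the debug log becomes a second copy of them. Logging only the attribute names is enough to check that the policy did what was configured, e.g. `self.debug('Filtered attributes: %s' % repr(list(attributes)))`, which also corrects the 'Filterd' typo in the message; this assumes `filter_attributes` returns a dict, which the hunk does not show. The second value returned by `map_attributes` is discarded without explanation, so a short comment naming what it holds would help the next reader.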
@@ -191,7 +202,7 @@ class AuthenticateRequest(ProviderPageBase):
             identity=identity_url,
             claimed_id=identity_url
         )
-        userattrs = session.get_user_attrs()
+        userattrs = self._source_attributes(session)
         for _, e in self.cfg.extensions.available().items():
             resp = e.get_response(request, userattrs)
             if resp is not None:
diff --git a/ipsilon/providers/openid/extensions/cla.py b/ipsilon/providers/openid/extensions/cla.py
index 830e3a3..d021afa 100644
--- a/ipsilon/providers/openid/extensions/cla.py
+++ b/ipsilon/providers/openid/extensions/cla.py
@@ -19,7 +19,7 @@ class OpenidExtension(OpenidExtensionBase):
         self.debug(req)
         if req is None:
             return {}
-        data = userdata['_extras'].get('cla', [])
+        data = userdata.get('_extras', {}).get('cla', [])
         return cla.CLAResponse.extractResponse(req, data)
 
     def _display(self, request, userdata):
diff --git a/ipsilon/providers/openidp.py b/ipsilon/providers/openidp.py
index 13f6819..6bdf557 100644
--- a/ipsilon/providers/openidp.py
+++ b/ipsilon/providers/openidp.py
@@ -53,6 +53,14 @@ Provides OpenID 2.0 authentication infrastructure. """
                 'enabled extensions',
                 'Choose the extensions to enable',
                 self.extensions.available().keys()),
+            pconfig.MappingList(
+                'default attribute mapping',
+                'Defines how to map attributes before calling extensions',
+                [['*', '*']]),
+            pconfig.ComplexList(
+                'default allowed attributes',
+                'Defines a list of allowed attributes, applied after mapping',
+                ['*']),
         )
 
     @property
@@ -87,6 +95,14 @@ Provides OpenID 2.0 authentication infrastructure. """
     def enabled_extensions(self):
         return self.get_config_value('enabled extensions')
 
+    @property
+    def default_attribute_mapping(self):
+        return self.get_config_value('default attribute mapping')
+
+    @property
+    def default_allowed_attributes(self):
+        return self.get_config_value('default allowed attributes')
+
     def get_tree(self, site):
         self.init_idp()
         self.page = OpenID(site, self)
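Review bot: The new `userdata.get('_extras', {})` in cla.py quietly treats a missing `_extras` key as "no CLA data", which is the right outcome once the allowed-attributes policy can strip it, but nothing in the code says why the lookup became tolerant, so it is liable to be reverted as over-defensive. A one-line comment above it would fix that: `# '_extras' may be removed by the attribute policy; absence means no CLA data`. Any other extension that still indexes `userdata['_extras']` directly would raise KeyError under a restrictive policy — none are visible in this diff, so that is an inference worth checking. The enclosing method's header lies outside the hunk.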
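Review bot: The defaults `[['*', '*']]` for 'default attribute mapping' and `['*']` for 'default allowed attributes' in openidp.py make the new policy a pass-through, so every attribute the session holds still reaches the extensions until an administrator narrows the list, and the description strings do not tell the administrator that '*' means everything. Suggest `'Defines a list of allowed attributes, applied after mapping (* allows all)'` and the matching wording for the mapping entry so the admin UI conveys what the default actually does. The two property getters in the following hunk only read these values back and need no change.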