From 2cf4bcfe804aaa01e4587388e0870274c20ca428 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Sun, 2 Mar 2014 18:29:15 -0500
Subject: [PATCH] Unsplit checking functions

Easier to deal with stuff if they are a single validation function.

Signed-off-by: Simo Sorce
---
 ipsilon/providers/saml2/auth.py | 18 ++++++------------
 1 file changed, 6 insertions(+), 12 deletions(-)

diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py
index 3d63deb..64d9835 100755
--- a/ipsilon/providers/saml2/auth.py
+++ b/ipsilon/providers/saml2/auth.py
@@ -55,12 +55,10 @@ class AuthenticateRequest(ProviderPageBase):
 self.STAGE_INIT = 0
 self.STAGE_AUTH = 1
 self.stage = self.STAGE_INIT
- self.nameidfmt = None
 
 def auth(self, login):
 try:
 self.saml2checks(login)
- self.saml2assertion(login)
 except AuthenticationError, e:
 self.saml2error(login, e.code, e.message)
 return self.reply(login)
@@ -138,7 +136,7 @@ class AuthenticateRequest(ProviderPageBase):
 
 try:
 provider = ServiceProvider(self.cfg, login.remoteProviderId)
- nameid = provider.get_valid_nameid(login.request.nameIdPolicy)
+ nameidfmt = provider.get_valid_nameid(login.request.nameIdPolicy)
 except NameIdNotAllowed, e:
 raise AuthenticationError(
 str(e), lasso.SAML2_STATUS_CODE_INVALID_NAME_ID_POLICY)
@@ -146,14 +144,10 @@ class AuthenticateRequest(ProviderPageBase):
 raise AuthenticationError(
 str(e), lasso.SAML2_STATUS_CODE_AUTHN_FAILED)
 
- self.nameidfmt = nameid
-
 # TODO: check login.request.forceAuthn
 login.validateRequestMsg(not user.is_anonymous, consent)
 
- def saml2assertion(self, login):
-
 authtime = datetime.datetime.utcnow()
 skew = datetime.timedelta(0, 60)
 authtime_notbefore = authtime - skew
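Review bot: `authtime = datetime.datetime.utcnow()` now sits inside saml2checks directly after the still-open `# TODO: check login.request.forceAuthn`, so the time stamped from it is the moment the response is built, not the moment the user's session was actually authenticated, and an SP that sets ForceAuthn gets a fresh-looking time on a possibly stale session. What authtime_notbefore and authtime_notafter end up populating is outside this hunk, but if they feed AuthnInstant or SessionNotOnOrAfter the IdP should record the real login time in the user session and use it here, and re-prompt when forceAuthn is set and that time is older than the SP will accept. At minimum the TODO should say so, e.g. `# TODO: honor login.request.forceAuthn; use the session's real auth time, not utcnow()`. The 60-second skew is applied around a naive utcnow(), so a comment that these values are UTC would stop a later reader from comparing them with a tz-aware datetime. saml2checks starts before this hunk and continues past it.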
@@ -175,19 +169,19 @@ class AuthenticateRequest(ProviderPageBase):
 authtime_notafter.strftime(timeformat))
 
 nameid = None
- if self.nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT:
+ if nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT:
 nameid = user.name ## TODO map to something else ?
- elif self.nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
+ elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
 nameid = user.name ## TODO map to something else ?
- elif self.nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
+ elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
 nameid = us.get_data('user', 'krb_principal_name')
- elif self.nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL:
+ elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL:
 nameid = us.get_user().email
 if not nameid:
 nameid = '%s@%s' % (user.name, self.cfg.default_email_domain)
 
 if nameid:
- login.assertion.subject.nameId.format = self.nameidfmt
+ login.assertion.subject.nameId.format = nameidfmt
 login.assertion.subject.nameId.content = nameid
 else:
 raise AuthenticationError("Unavailable Name ID type",
-- 
2.20.1
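Review bot: The TRANSIENT branch, `nameid = user.name ## TODO map to something else ?`, emits the same stable username as the PERSISTENT branch, so an SP that asked for a transient NameID (per SAML 2.0 core an opaque, per-session value that must not let the SP identify or correlate the user) still receives the login name. Generate a random opaque token instead, e.g. `nameid = '_' + binascii.hexlify(os.urandom(16))` (both stdlib; whether os and binascii are already imported is outside the hunk), and keep any mapping to the real user server-side if logout needs it. The EMAIL fallback `nameid = '%s@%s' % (user.name, self.cfg.default_email_domain)` likewise asserts an address the IdP has never verified for that user; consider failing with the same "Unavailable Name ID type" error rather than fabricating one, or at least documenting that the SP must treat it as unverified. The enclosing function begins before this hunk (`user`, `us` and `nameidfmt` are bound there) and its final raise continues past it.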