From 93d4e52712767fe955f3a44a60a6c6f0f909423b Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Tue, 5 May 2015 12:37:31 -0400
Subject: [PATCH] Pull the GSSAPI principal out of the userattrs

This was originally getting the principal from the user object itself which meant it was looking for it in the database. Look in the attributes instead which are stored in the user session.
Signed-off-by: Rob Crittenden
Reviewed-by: Simo Sorce
---
 ipsilon/providers/saml2/auth.py | 3 ++-
 tests/helpers/http.py | 5 +++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py
index b2c9549..8b84bc2 100644
--- a/ipsilon/providers/saml2/auth.py
+++ b/ipsilon/providers/saml2/auth.py
@@ -197,7 +197,8 @@ class AuthenticateRequest(ProviderPageBase):
 elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
 nameid = '_' + uuid.uuid4().hex
 elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
- nameid = us.get_data('user', 'gssapi_principal_name')
+ userattrs = us.get_user_attrs()
+ nameid = userattrs.get('gssapi_principal_name')
 elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL:
 nameid = us.get_user().email
 if not nameid:
diff --git a/tests/helpers/http.py b/tests/helpers/http.py
index 0da7ee2..97098c8 100755
--- a/tests/helpers/http.py
+++ b/tests/helpers/http.py
@@ -94,8 +94,9 @@ class HttpSessions(object):
 session = self.get_session(url)
 allow_redirects = False
 if krb:
- # In at least the test instance we don't get back a negotiate
- # blob to do mutual authentication against.
+ # python-requests-kerberos isn't too bright about doing mutual
+ # authentication and it tries to do it on any non-401 response
+ # which doesn't work in our case since we follow redirects.
 kerberos_auth = HTTPKerberosAuth(mutual_authentication=OPTIONAL)
 kwargs['auth'] = kerberos_auth
 allow_redirects = True
-- 
2.20.1
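Review bot: In the KERBEROS branch of ipsilon/providers/saml2/auth.py, `userattrs.get('gssapi_principal_name')` assumes `us.get_user_attrs()` always returns a dict; if it can return None for a session with no stored attributes (its definition is not visible here), the call raises AttributeError before the `if not nameid:` check below can reject the request cleanly. Writing `userattrs = us.get_user_attrs() or {}` would keep that failure on the existing error path. Because this value becomes the NameID that the service provider trusts as the user's identity, it would also help to add a comment such as `# gssapi_principal_name must only ever be set by the GSSAPI login plugin, never by attribute mapping or info plugins`, once that has been confirmed against the code that writes the session attributes. The enclosing method starts and ends outside the hunk.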