-rw-r--r--idp/extra/modules/root.ptl10
-rw-r--r--idp/extra/modules/saml2.py69
-rw-r--r--idp/extra/modules/store.py28
3 files changed, 102 insertions, 5 deletions
diff --git a/idp/extra/modules/root.ptl b/idp/extra/modules/root.ptl
index a38dbf8..54c0822 100644
--- a/idp/extra/modules/root.ptl
+++ b/idp/extra/modules/root.ptl
@@ -1,6 +1,6 @@
import lasso
-from quixote import redirect
+from quixote import redirect, get_session
from qommon import get_cfg, get_logger
from qommon.form import *
from qommon import template
@@ -15,11 +15,16 @@ import admin
OldRootDirectory = authentic.root.RootDirectory
+from saml2 import AlternateSaml2Directory
+
+
class AlternateRootDirectory(OldRootDirectory):
backoffice = None
admin = admin.AdminRootDirectory()
+ saml = AlternateSaml2Directory()
+
def __init__(self):
OldRootDirectory.__init__(self)
self._q_exports = OldRootDirectory._q_exports + ['backoffice']
@@ -41,8 +46,11 @@ class AlternateRootDirectory(OldRootDirectory):
service_instances = directory.get_service_instances(collectivity)
providers = get_cfg('providers', {})
+ accesses = user.get_as_agent().cdg59serviceAccesses or []
'<ul>'
for service in service_instances:
+ if not service.cdg59siid in accesses:
+ continue
service_type = directory.get_service(service.cdg59serviceType)
service_label = service_type.cn
service_description = service_type.description
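Review bot: The per-service access filter is now written twice with the same `cdg59serviceAccesses` / `cdg59siid` test, here in the backoffice listing and in the new saml2.check_access_authorizations, so the two gates can drift apart; a shared helper such as `accessible_services(user, collectivity)` returning the already filtered instances would keep the listing and the SAML access check in step. The membership test reads better as `if service.cdg59siid not in accesses:`. The enclosing method starts and ends outside the hunk, so where `user` is bound is not visible here.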
diff --git a/idp/extra/modules/saml2.py b/idp/extra/modules/saml2.py
new file mode 100644
index 0000000..c86fd6c
--- /dev/null
+++ b/idp/extra/modules/saml2.py
@@ -0,0 +1,69 @@
+from quixote import get_session
+
+from qommon import get_cfg
+from qommon import errors
+
+import liberty.saml2
+
+import misc
+
+import directory
+
+def check_access_authorizations(provider_key):
+ session = get_session()
+ if not session or session.user is None:
+ return False
+
+ user = get_session().get_user_object()
+
+ collectivity = user.get_collectivity()
+ service_instances = directory.get_service_instances(collectivity)
+
+ providers = get_cfg('providers', {})
+ accesses = user.get_as_agent().cdg59serviceAccesses or []
+
+ for service in service_instances:
+ if not service.cdg59siid in accesses:
+ continue
+ if not service.cdg59metadataURL:
+ continue
+
+ try:
+ klp = [x for x, y in providers.items() if \
+ service.cdg59metadataURL == y.get('metadata_url')] [0]
+ except IndexError:
+ continue
+
+ if provider_key == klp:
+ return True
+
+ return False
+
+
+
+class AccessControlSpUI(liberty.saml2.SpUI):
+ def _q_access(self):
+ authorized = check_access_authorizations(self.provider_key)
+ if not authorized:
+ if get_session():
+ raise errors.AccessForbiddenError()
+ else:
+ raise errors.AccessUnauthorizedError()
+
+ def login(self, encryption_mode = None, method = None, nid_format = None, relay_state = None):
+ return liberty.saml2.SpUI.login(self, encryption_mode, method, nid_format, 'backoffice')
+
+
+class AccessControlSpDir(liberty.saml2.SpDir):
+ def _q_lookup(self, component):
+ return AccessControlSpUI(component)
+
+
+class AlternateSaml2Directory(liberty.saml2.RootDirectory):
+ sp = AccessControlSpDir()
+
+ def check_access_authorizations(self, login):
+ provider_id = login.remoteProviderId
+ provider_key = misc.get_provider_key(provider_id)
+ return check_access_authorizations(provider_key)
+
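Review bot: In `_q_access` a session that exists but carries no user (`session.user is None`, which makes check_access_authorizations return False) is answered with AccessForbiddenError because `get_session()` is truthy, whereas that case presumably should raise AccessUnauthorizedError so the caller is sent to log in; the session/user test belongs in `_q_access` itself, ahead of the authorization check, as sketched below. Two smaller points: the `[...][0]` provider lookup considers only the first provider whose `metadata_url` matches, so a second provider configured with the same URL can never be authorized (`provider_key in [x for x, y in providers.items() if ...]` avoids the early pick), and `login` silently discards its `relay_state` argument in favour of the literal `'backoffice'`, which deserves a comment such as `# relay_state is forced to 'backoffice' so the SP always lands in the backoffice after login`. The module-level check_access_authorizations also calls `get_session()` a second time where `session` is already bound.
```python
    def _q_access(self):
        session = get_session()
        if not session or session.user is None:
            raise errors.AccessUnauthorizedError()
        if not check_access_authorizations(self.provider_key):
            raise errors.AccessForbiddenError()
```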
diff --git a/idp/extra/modules/store.py b/idp/extra/modules/store.py
index 1adac77..c2dc654 100644
--- a/idp/extra/modules/store.py
+++ b/idp/extra/modules/store.py
@@ -152,10 +152,7 @@ class MiniIdentityPratic(StorableObject):
return directory.get_collectivity(collectivity_ou)
def get_attributes(self):
- store = directory.get_store()
- ldap_conn = ldap.initialize(store.pratic_ldap_url)
- record = ldap_conn.search_s(self.id, ldap.SCOPE_BASE)[0]
- agent = directory.Agent(record)
+ agent = self.get_as_agent()
attributes = {}
for k in ('username', 'cn', 'mail'):
v = getattr(agent, k)
@@ -171,5 +168,28 @@ class MiniIdentityPratic(StorableObject):
return attributes
attributes = property(get_attributes)
+ _agent = None
+ def get_as_agent(self):
+ if self._agent:
+ return self._agent
+ store = directory.get_store()
+ ldap_conn = ldap.initialize(store.pratic_ldap_url)
+ record = ldap_conn.search_s(self.id, ldap.SCOPE_BASE)[0]
+ print 'record:', record
+ self._agent = directory.Agent(record)
+ return self._agent
+
+ # don't pickle _agent cache
+ def __getstate__(self):
+ odict = self.__dict__
+ if odict.has_key('_agent'):
+ del odict['_agent']
+ return odict
+
+ def __setstate__(self, dict):
+ self.__dict__ = dict
+ self._agent = None
+
+
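Review bot: `__getstate__` works on `self.__dict__` itself rather than a copy, so `del odict['_agent']` strips the cache from the live instance every time it is pickled, not only from the pickled state; `odict = self.__dict__.copy()` (with `odict.pop('_agent', None)` in place of the `has_key` test) keeps the cache on the object. The `print 'record:', record` in `get_as_agent` writes the raw LDAP entry, i.e. the agent's directory attributes, to stdout on every cache miss and looks like leftover debugging; it should be dropped, or routed through the module's logger at debug level if it is wanted at all. `if self._agent:` relies on the truthiness of a directory.Agent, which is not visible here; `is not None` states the intent. The `dict` parameter of `__setstate__` shadows the builtin, and the enclosing class MiniIdentityPratic starts before the hunk.
```python
    def get_as_agent(self):
        if self._agent is not None:
            return self._agent
        store = directory.get_store()
        ldap_conn = ldap.initialize(store.pratic_ldap_url)
        record = ldap_conn.search_s(self.id, ldap.SCOPE_BASE)[0]
        self._agent = directory.Agent(record)
        return self._agent

    # don't pickle _agent cache; copy so the live instance keeps it
    def __getstate__(self):
        odict = self.__dict__.copy()
        odict.pop('_agent', None)
        return odict

    # … unchanged: __setstate__ …
```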
identities.stores['pratic'] = IdentitiesStorePratic