idp/extra/modules/saml2.py


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89

from quixote import get_session

from qommon import get_cfg
from qommon import errors
from qommon import template

import liberty.saml2

import misc

import directory

def check_access_authorizations(provider_key):
    session = get_session()
    if not session or session.user is None:
        return False

    user = get_session().get_user_object()
    if user.is_admin():
        return True

    collectivity = user.get_collectivity()
    service_instances = directory.get_service_instances(collectivity)

    providers = get_cfg('providers', {})
    accesses = user.get_as_agent().cdg59serviceAccesses or []

    for service in service_instances:
        if not service.cdg59siid in accesses:
            continue
        if not service.cdg59metadataURL:
            continue

        try:
            klp = [x for x, y in providers.items() if \
                  service.cdg59metadataURL == y.get('metadata_url')] [0]
        except IndexError:
            continue

        if provider_key == klp:
            return True

    return False
    

class AccessControlSpUI(liberty.saml2.SpUI):
    def _q_access(self):
        authorized = check_access_authorizations(self.provider_key)
        if not authorized:
            if get_session():
                raise errors.AccessForbiddenError()
            else:
                raise errors.AccessUnauthorizedError()

    def login(self, encryption_mode = None, method = None, nid_format = None, relay_state = None):
        return liberty.saml2.SpUI.login(self, encryption_mode, method, nid_format, 'backoffice')


class AccessControlSpDir(liberty.saml2.SpDir):
    def _q_lookup(self, component):
        return AccessControlSpUI(component)


class AlternateSaml2Directory(liberty.saml2.RootDirectory):
    sp = AccessControlSpDir()

    def check_access_authorizations(self, login):
        provider_id = login.remoteProviderId
        provider_key = misc.get_provider_key(provider_id)
        return check_access_authorizations(provider_key)

    def sso_after_authentication(self, login, user_authenticated, proxied = False):
        if user_authenticated:
            if not self.check_access_authorizations(login):
                provider_id = login.remoteProviderId
                provider_key = misc.get_provider_key(provider_id)
                try:
                    label = misc.get_provider_and_label(provider_key)[1]
                except KeyError:
                    return template.error_page(_('''\
You do not have required authorizations to access the service,
you should contact the administration of your collectivity.'''))

                return template.error_page(_('''\
You do not have required authorizations to access the "%s" service,
you should contact the administration of your collectivity.''') % label)
        return liberty.saml2.RootDirectory.sso_after_authentication(
                self, login, user_authenticated, proxied=proxied)