from quixote import get_session
from qommon import get_cfg
from qommon import errors
from qommon import template
import liberty.saml2
import misc
import directory
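def check_access_authorizations(provider_key):
    """Return True if the current session's user may use SAML provider *provider_key*.

    Fails closed: no session, no user, or no service/provider mapping all
    yield False.  Admin users are always allowed.  Any other user is allowed
    only when one service instance of their collectivity (a) has its
    ``cdg59siid`` listed in the agent's ``cdg59serviceAccesses`` and (b) has a
    ``cdg59metadataURL`` equal to the ``metadata_url`` of the provider stored
    under *provider_key* in the ``providers`` configuration.

    :param provider_key: key into the ``providers`` mapping from
        ``get_cfg('providers')``.
    :return: bool
    """
    session = get_session()
    if not session or session.user is None:
        # Anonymous request: deny rather than raise; callers decide the error.
        return False
    user = session.get_user_object()
    if user.is_admin():
        return True

    collectivity = user.get_collectivity()
    service_instances = directory.get_service_instances(collectivity)
    providers = get_cfg('providers', {})
    # NOTE(review): cdg59serviceAccesses looks like a list of service ids
    # (compared with cdg59siid below) — confirm against the directory schema.
    accesses = user.get_as_agent().cdg59serviceAccesses or []

    no_match = object()  # sentinel so a provider keyed None cannot masquerade as "not found"
    for service in service_instances:
        if service.cdg59siid not in accesses:
            continue
        if not service.cdg59metadataURL:
            # Keep an unset service URL from matching a provider entry whose own
            # 'metadata_url' is also unset; without this guard None == None would grant.
            continue
        # First provider whose metadata_url matches wins; a second provider
        # sharing the same URL is never considered (same as the original [0]).
        matched_key = next(
            (key for key, cfg in providers.items()
             if cfg.get('metadata_url') == service.cdg59metadataURL),
            no_match)
        if matched_key is not no_match and matched_key == provider_key:
            return True
    return False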
class AccessControlSpUI(liberty.saml2.SpUI):
    """SP UI that refuses to serve a provider the current user is not entitled to.

    The decision is made by the module-level ``check_access_authorizations``
    against ``self.provider_key`` (set by the parent ``SpUI``; not visible here).
    """

    def _q_access(self):
        # Quixote traversal hook: raising here refuses the whole subtree.
        if check_access_authorizations(self.provider_key):
            return
        # A request with a session is "forbidden" (known user, not entitled);
        # one without a session is "unauthorized" (presumably to trigger a login).
        if get_session():
            raise errors.AccessForbiddenError()
        raise errors.AccessUnauthorizedError()

    def login(self, encryption_mode = None, method = None, nid_format = None, relay_state = None):
        # relay_state is accepted for signature compatibility but never
        # forwarded: this entry point always relays to 'backoffice'.
        target = 'backoffice'
        return liberty.saml2.SpUI.login(self, encryption_mode, method, nid_format, target)
class AccessControlSpDir(liberty.saml2.SpDir):
    """SP directory whose children are access-checked ``AccessControlSpUI`` objects."""

    def _q_lookup(self, component):
        # Every path component maps to an access-controlled SP UI; the actual
        # authorization check runs in AccessControlSpUI._q_access on traversal.
        ui = AccessControlSpUI(component)
        return ui
class AlternateSaml2Directory(liberty.saml2.RootDirectory):
    """SAML root directory that adds per-provider access control after SSO.

    ``sp`` is one class-level ``AccessControlSpDir`` shared by every instance
    of this directory.
    """
    sp = AccessControlSpDir()

    def check_access_authorizations(self, login):
        """Return True if the session user may use the provider that issued *login*."""
        # The bare name below resolves to the module-level function, not to
        # this method (class scope is not an enclosing scope), so no recursion.
        key = misc.get_provider_key(login.remoteProviderId)
        return check_access_authorizations(key)

    def sso_after_authentication(self, login, user_authenticated, proxied = False):
        """Finish SSO, or show an error page when the user is not authorized.

        When the user authenticated but fails the access check, the parent's
        SSO completion is NOT called; an error page is returned instead, naming
        the provider's label when one is configured.  ``_`` (gettext) is
        presumably installed into builtins by the framework — it is not
        imported in this file.
        """
        denied = user_authenticated and not self.check_access_authorizations(login)
        if denied:
            key = misc.get_provider_key(login.remoteProviderId)
            try:
                label = misc.get_provider_and_label(key)[1]
            except KeyError:
                # No label known for this provider: generic message.
                return template.error_page(_('''\
You do not have required authorizations to access the service,
you should contact the administration of your collectivity.'''))
            return template.error_page(_('''\
You do not have required authorizations to access the "%s" service,
you should contact the administration of your collectivity.''') % label)
        return liberty.saml2.RootDirectory.sso_after_authentication(
            self, login, user_authenticated, proxied=proxied)