views: handle role requests

Allows an application to request specific roles from the idp, using "roles" query parameters.
2019-05-21 11:55:25 +02:00 · 2019-05-21 11:55:25 +02:00 · 0f26806791
parent e1fa70d28d
commit 0f26806791
1 changed files with 9 additions and 1 deletions
--- a/mellon/views.py
+++ b/mellon/views.py
@ -19,6 +19,7 @@ from django.utils import six
 from django.utils.encoding import force_text
 from django.contrib.auth import REDIRECT_FIELD_NAME
 from django.db import transaction
+from django.utils.six.moves.urllib.parse import urljoin
 from django.utils.translation import ugettext as _

 from . import app_settings, utils
@ -375,6 +376,7 @@ class LoginView(ProfileMixin, LogMixin, View):
                request, is_passive=request.GET.get('passive') == '1')

        next_url = check_next_url(self.request, request.GET.get(REDIRECT_FIELD_NAME))
+        requested_roles = request.GET.getlist('roles')
        idp = self.get_idp(request)
        if idp is None:
            return HttpResponseBadRequest('no idp found')
@ -394,7 +396,13 @@ class LoginView(ProfileMixin, LogMixin, View):
                authn_request.isPassive = True
            # configure requested AuthnClassRef
            authn_classref = utils.get_setting(idp, 'AUTHN_CLASSREF')
-            if authn_classref:
+            if requested_roles:
+                prefix = 'https://entrouvert.com/authn-class-ref/role-uuid/' # TODO add setting
+                authn_classref = tuple(str(urljoin(prefix, role)) for role in requested_roles)
+                req_authncontext = lasso.Samlp2RequestedAuthnContext()
+                authn_request.requestedAuthnContext = req_authncontext
+                req_authncontext.authnContextClassRef = authn_classref
+            elif authn_classref:
                authn_classref = tuple([str(x) for x in authn_classref])
                req_authncontext = lasso.Samlp2RequestedAuthnContext()
                authn_request.requestedAuthnContext = req_authncontext