saml2: use new w.c.s method for filling user fields from assertion attributes
Old method is kept as legacy and is only active if the new method is not configured. fixes #3854
This commit is contained in:
parent
77733384a5
commit
e80f903b36
|
@ -12,11 +12,9 @@ import qommon.saml2
|
|||
|
||||
|
||||
class Saml2Directory(qommon.saml2.Saml2Directory):
|
||||
|
||||
def lookup_user(self, session, login = None, name_id = None):
|
||||
user = qommon.saml2.Saml2Directory.lookup_user(self, session, login, name_id)
|
||||
|
||||
# lookup for attributes in assertion and automatically create identity
|
||||
def extract_attributes(self, session, login):
|
||||
'''Separate attributes as two dictionaries: one for last value, one for
|
||||
the list of values.'''
|
||||
lasso_session = lasso.Session.newFromDump(session.lasso_session_dump)
|
||||
try:
|
||||
assertion = lasso_session.getAssertions(None)[0]
|
||||
|
@ -37,17 +35,18 @@ class Saml2Directory(qommon.saml2.Saml2Directory):
|
|||
pass
|
||||
except IndexError:
|
||||
pass
|
||||
return d, m
|
||||
|
||||
if not user:
|
||||
user = get_publisher().user_class()
|
||||
|
||||
def legacy_fill_user_attributes(self, session, login, user):
|
||||
'''Fill fields using a legacy attribute to field varname mapping'''
|
||||
d, m = self.extract_attributes(session, login)
|
||||
users_cfg = get_cfg('users', {}) or {}
|
||||
get_logger().debug('using legacy attribute filling')
|
||||
|
||||
# standard attributes
|
||||
user.name = d.get('cn')
|
||||
user.email = d.get('mail')
|
||||
|
||||
formdata = {}
|
||||
# email field
|
||||
field_email = users_cfg.get('field_email')
|
||||
if field_email:
|
||||
|
@ -85,25 +84,32 @@ class Saml2Directory(qommon.saml2.Saml2Directory):
|
|||
if field.varname in field_varnames:
|
||||
formdata[field.id] = d.get(attribute_key)
|
||||
|
||||
if formdata:
|
||||
user.set_attributes_from_formdata(formdata)
|
||||
user.form_data = formdata
|
||||
def lookup_user(self, session, login = None, name_id = None):
|
||||
user = qommon.saml2.Saml2Directory.lookup_user(self, session, login, name_id)
|
||||
|
||||
if not user:
|
||||
user = get_publisher().user_class()
|
||||
# already done by parent.lookup_user() for existing users
|
||||
self.fill_user_attributes(session, login, user)
|
||||
|
||||
# apply legacy mapping when not configured
|
||||
idp = qommon.saml2.get_remote_provider_cfg(login)
|
||||
if not idp.get('attribute-mapping'):
|
||||
self.legacy_fill_user_attributes(session, login, user)
|
||||
|
||||
if user.form_data:
|
||||
user.set_attributes_from_formdata(user.form_data)
|
||||
|
||||
if not (user.name and user.email):
|
||||
# we didn't get useful attributes, forget it.
|
||||
get_logger().warn('failed to get useful attributes from the assertion')
|
||||
get_logger().debug('received attributes: %s', repr(d))
|
||||
return None
|
||||
|
||||
if d.get('local-admin') == 'true':
|
||||
user.is_admin = True
|
||||
|
||||
if not login.nameIdentifier.content in user.name_identifiers:
|
||||
user.name_identifiers.append(login.nameIdentifier.content)
|
||||
user.store()
|
||||
|
||||
if login:
|
||||
user.lasso_dump = login.identity.dump()
|
||||
user.store()
|
||||
|
||||
user.store()
|
||||
return user
|
||||
|
|
Reference in New Issue