path: root/idp/extra/modules/saml2.py
authorFrederic Peters <fpeters@0d.be>2008-04-10 13:08:31 (GMT)
committerFrederic Peters <fpeters@0d.be>2008-04-10 13:08:31 (GMT)
commit23ec1c52c005e53ac3bd511d12b008f4e8b2a7de (patch)
tree57e9e3b6fa5b995d43fb7293749c9c85a28f1e88 /idp/extra/modules/saml2.py
parent0471aa89415932d05f3c6f8ad3800bf55d3e02c5 (diff)
look at authorization accesses to display services on homepage, and to forbid
SAML operations
Diffstat (limited to 'idp/extra/modules/saml2.py')
-rw-r--r--idp/extra/modules/saml2.py69
1 files changed, 69 insertions, 0 deletions
diff --git a/idp/extra/modules/saml2.py b/idp/extra/modules/saml2.py
new file mode 100644
index 0000000..c86fd6c
--- /dev/null
+++ b/idp/extra/modules/saml2.py
@@ -0,0 +1,69 @@
+from quixote import get_session
+
+from qommon import get_cfg
+from qommon import errors
+
+import liberty.saml2
+
+import misc
+
+import directory
+
+def check_access_authorizations(provider_key):
+ session = get_session()
+ if not session or session.user is None:
+ return False
+
+ user = get_session().get_user_object()
+
+ collectivity = user.get_collectivity()
+ service_instances = directory.get_service_instances(collectivity)
+
+ providers = get_cfg('providers', {})
+ accesses = user.get_as_agent().cdg59serviceAccesses or []
+
+ for service in service_instances:
+ if not service.cdg59siid in accesses:
+ continue
+ if not service.cdg59metadataURL:
+ continue
+
+ try:
+ klp = [x for x, y in providers.items() if \
+ service.cdg59metadataURL == y.get('metadata_url')] [0]
+ except IndexError:
+ continue
+
+ if provider_key == klp:
+ return True
+
+ return False
+
+
+
+class AccessControlSpUI(liberty.saml2.SpUI):
+ def _q_access(self):
+ authorized = check_access_authorizations(self.provider_key)
+ if not authorized:
+ if get_session():
+ raise errors.AccessForbiddenError()
+ else:
+ raise errors.AccessUnauthorizedError()
+
+ def login(self, encryption_mode = None, method = None, nid_format = None, relay_state = None):
+ return liberty.saml2.SpUI.login(self, encryption_mode, method, nid_format, 'backoffice')
+
+
+class AccessControlSpDir(liberty.saml2.SpDir):
+ def _q_lookup(self, component):
+ return AccessControlSpUI(component)
+
+
+class AlternateSaml2Directory(liberty.saml2.RootDirectory):
+ sp = AccessControlSpDir()
+
+ def check_access_authorizations(self, login):
+ provider_id = login.remoteProviderId
+ provider_key = misc.get_provider_key(provider_id)
+ return check_access_authorizations(provider_key)
+
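Review bot: The provider lookup in check_access_authorizations (the list comprehension followed by `[0]`) keeps only the first provider whose metadata_url equals the service's, so if two configured providers share a metadata URL the result depends on dict iteration order and one of them is denied regardless of the access list; the function already knows which provider it is being asked about, so compare that entry directly and drop the IndexError handling: `if (providers.get(provider_key) or {}).get('metadata_url') == service.cdg59metadataURL: return True`. This also stops rebuilding the provider list once per service. Separately, AccessControlSpUI._q_access raises AccessForbiddenError whenever get_session() is truthy, while the check itself treats a session whose user is None as unauthenticated, so if the framework hands anonymous visitors a session object they get 403 instead of the unauthorized path; `if get_session() and get_session().user:` keeps the two in step. The login override discards the caller's relay_state and always passes 'backoffice'; if that is deliberate (pinning the post-login destination rather than trusting a request-supplied RelayState), a one-line comment saying so would keep a later maintainer from "fixing" it.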