author | Simo Sorce <simo@redhat.com> | 2015-02-16 11:13:29 -0500 |
---|---|---|
committer | Patrick Uiterwijk <puiterwijk@redhat.com> | 2015-02-24 16:37:48 +0100 |
commit | edfd8d4b514a4089108d19026bc38c656f49bbee (patch) | |
tree | bae1811ec9c571151155fb8d0c5ba274caa0af80 /ipsilon/providers/saml2/auth.py | |
parent | 7aa8e0744f50e4f94a58b318fa4bfb43f4128a12 (diff) | |
Add support for attribute policies in samlidp
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Diffstat (limited to 'ipsilon/providers/saml2/auth.py')
-rw-r--r-- | ipsilon/providers/saml2/auth.py | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py
index a65b52a..95751aa 100644
--- a/ipsilon/providers/saml2/auth.py
+++ b/ipsilon/providers/saml2/auth.py
@@ -21,6 +21,7 @@ from ipsilon.providers.saml2.provider import ServiceProvider
 from ipsilon.providers.saml2.provider import InvalidProviderId
 from ipsilon.providers.saml2.provider import NameIdNotAllowed
 from ipsilon.providers.saml2.sessions import SAMLSessionsContainer
+from ipsilon.util.policy import Policy
 from ipsilon.util.user import UserSession
 from ipsilon.util.trans import Transaction
 import cherrypy
@@ -201,7 +202,6 @@ class AuthenticateRequest(ProviderPageBase):
             raise AuthenticationError("Unavailable Name ID type",
                                       lasso.SAML2_STATUS_CODE_AUTHN_FAILED)
-        # TODO: filter user attributes as policy requires from 'usersession'
         if not login.assertion.attributeStatement:
             attrstat = lasso.Saml2AttributeStatement()
             login.assertion.attributeStatement = [attrstat]
@@ -210,7 +210,14 @@ class AuthenticateRequest(ProviderPageBase):
         if not attrstat.attribute:
             attrstat.attribute = ()
-        attributes = us.get_user_attrs()
+        # Check attribute policy and perform mapping and filtering
+        policy = Policy(self.cfg.default_attribute_mapping,
+                        self.cfg.default_allowed_attributes)
+        userattrs = us.get_user_attrs()
+        mappedattrs, _ = policy.map_attributes(userattrs)
+        attributes = policy.filter_attributes(mappedattrs)
+
+        self.debug("%s's attributes: %s" % (user.name, attributes))
         for key in attributes:
             values = attributes[key]
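Review bot: The new `self.debug("%s's attributes: %s" % (user.name, attributes))` line writes every released attribute value to the IdP log, and those values are typically personal data (mail, display name, group membership), so at debug level the log becomes a second copy of the assertion contents; logging only the attribute names, `self.debug("%s's attributes: %s" % (user.name, sorted(attributes)))`, keeps the diagnostic value without the leak. The policy is built from `self.cfg.default_attribute_mapping` and `self.cfg.default_allowed_attributes` alone, so as far as this hunk shows the same allow-list applies to every service provider rather than per SP; if a per-provider override is intended it should land alongside, otherwise a comment such as `# site-wide defaults; no per-SP attribute policy yet` would set expectations. The second value returned by `policy.map_attributes()` is discarded without explanation; if it is the set of unmapped attributes, a short comment saying they are intentionally dropped would help, and it is worth confirming that `filter_attributes()` releases nothing, not everything, when the allow-list is empty. The enclosing method of `AuthenticateRequest` starts and ends outside the hunk, as does the definition of `user` and `us`.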