authorSimo Sorce <simo@redhat.com>2015-02-16 13:47:33 -0500
committerPatrick Uiterwijk <puiterwijk@redhat.com>2015-02-24 16:58:20 +0100
commitdb88788fe906f315733b6ae67929f62cfc307d24 (patch)
tree6d23f1c8a315068eeb4cecefd65cfe04336af679
parentedfd8d4b514a4089108d19026bc38c656f49bbee (diff)
Add support for attribute policies in openidp
Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
-rw-r--r--ipsilon/providers/openid/auth.py15
-rw-r--r--ipsilon/providers/openid/extensions/cla.py2
-rw-r--r--ipsilon/providers/openidp.py16
3 files changed, 30 insertions, 3 deletions
diff --git a/ipsilon/providers/openid/auth.py b/ipsilon/providers/openid/auth.py
index 824f4f8..2510ff4 100644
--- a/ipsilon/providers/openid/auth.py
+++ b/ipsilon/providers/openid/auth.py
@@ -4,6 +4,7 @@ from ipsilon.providers.common import ProviderPageBase
from ipsilon.providers.common import AuthenticationError, InvalidRequest
from ipsilon.providers.openid.meta import XRDSHandler, UserXRDSHandler
from ipsilon.providers.openid.meta import IDHandler
+from ipsilon.util.policy import Policy
from ipsilon.util.trans import Transaction
from ipsilon.util.user import UserSession
@@ -60,6 +61,16 @@ class AuthenticateRequest(ProviderPageBase):
raise cherrypy.HTTPError(e.code, e.msg)
return self._respond(request.answer(False))
+ # get attributes, and apply policy mapping and filtering
+ def _source_attributes(self, session):
+ policy = Policy(self.cfg.default_attribute_mapping,
+ self.cfg.default_allowed_attributes)
+ userattrs = session.get_user_attrs()
+ mappedattrs, _ = policy.map_attributes(userattrs)
+ attributes = policy.filter_attributes(mappedattrs)
+ self.debug('Filterd attributes: %s' % repr(attributes))
+ return attributes
+
def _parse_request(self, **kwargs):
request = None
try:
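Review bot: The debug line `self.debug('Filterd attributes: %s' % repr(attributes))` in the new `_source_attributes` writes the complete mapped user attribute set to the log, so whatever personal data passes the policy is copied into debug output; logging only the attribute names, e.g. `self.debug('Filtered attributes: %s' % sorted(attributes))` (assuming `filter_attributes` returns a dict, which this hunk does not show), avoids that and fixes the "Filterd" typo at the same time. The leading `# get attributes, and apply policy mapping and filtering` comment would serve better as the method's docstring, stating that it builds a Policy from `default_attribute_mapping` and `default_allowed_attributes` and returns the mapped-then-filtered attributes, and that with the shipped `*` defaults this is presumably a pass-through. The same helper is called from both the display path (hunk at -165) and the response path (hunk at -191), so the Policy is rebuilt from config twice per authentication; that is harmless but worth a comment if it is deliberate.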
@@ -165,7 +176,7 @@ class AuthenticateRequest(ProviderPageBase):
ad = {
"Trust Root": request.trust_root,
}
- userattrs = us.get_user_attrs()
+ userattrs = self._source_attributes(us)
for n, e in self.cfg.extensions.available().items():
data = e.get_display_data(request, userattrs)
self.debug('%s returned %s' % (n, repr(data)))
@@ -191,7 +202,7 @@ class AuthenticateRequest(ProviderPageBase):
identity=identity_url,
claimed_id=identity_url
)
- userattrs = session.get_user_attrs()
+ userattrs = self._source_attributes(session)
for _, e in self.cfg.extensions.available().items():
resp = e.get_response(request, userattrs)
if resp is not None:
diff --git a/ipsilon/providers/openid/extensions/cla.py b/ipsilon/providers/openid/extensions/cla.py
index 830e3a3..d021afa 100644
--- a/ipsilon/providers/openid/extensions/cla.py
+++ b/ipsilon/providers/openid/extensions/cla.py
@@ -19,7 +19,7 @@ class OpenidExtension(OpenidExtensionBase):
self.debug(req)
if req is None:
return {}
- data = userdata['_extras'].get('cla', [])
+ data = userdata.get('_extras', {}).get('cla', [])
return cla.CLAResponse.extractResponse(req, data)
def _display(self, request, userdata):
diff --git a/ipsilon/providers/openidp.py b/ipsilon/providers/openidp.py
index 13f6819..6bdf557 100644
--- a/ipsilon/providers/openidp.py
+++ b/ipsilon/providers/openidp.py
@@ -53,6 +53,14 @@ Provides OpenID 2.0 authentication infrastructure. """
'enabled extensions',
'Choose the extensions to enable',
self.extensions.available().keys()),
+ pconfig.MappingList(
+ 'default attribute mapping',
+ 'Defines how to map attributes before calling extensions',
+ [['*', '*']]),
+ pconfig.ComplexList(
+ 'default allowed attributes',
+ 'Defines a list of allowed attributes, applied after mapping',
+ ['*']),
)
@property
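Review bot: The help strings for the two new options do not say that the defaults (`[['*', '*']]` and `['*']`) are fully permissive, so an admin reading the configuration page cannot tell that nothing is renamed or dropped until the lists are narrowed; suggest `'Defines how to map attributes before calling extensions (default passes all attributes through unchanged)'` and `'Defines a list of allowed attributes, applied after mapping (default allows all)'`. The two properties added in the second hunk, `default_attribute_mapping` and `default_allowed_attributes`, have no docstrings; a one-line docstring on each noting that the value comes from the option of the same name and feeds the Policy applied before extensions run would help the next reader. Whether `MappingList` and `ComplexList` validate the shape of admin-entered values before the Policy consumes them is not visible from this section.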
@@ -87,6 +95,14 @@ Provides OpenID 2.0 authentication infrastructure. """
def enabled_extensions(self):
return self.get_config_value('enabled extensions')
+ @property
+ def default_attribute_mapping(self):
+ return self.get_config_value('default attribute mapping')
+
+ @property
+ def default_allowed_attributes(self):
+ return self.get_config_value('default allowed attributes')
+
def get_tree(self, site):
self.init_idp()
self.page = OpenID(site, self)