diff options
| author | Simo Sorce <simo@redhat.com> | 2015-02-16 11:13:29 -0500 |
|---|---|---|
| committer | Patrick Uiterwijk <puiterwijk@redhat.com> | 2015-02-24 16:37:48 +0100 |
| commit | edfd8d4b514a4089108d19026bc38c656f49bbee (patch) | |
| tree | bae1811ec9c571151155fb8d0c5ba274caa0af80 | |
| parent | 7aa8e0744f50e4f94a58b318fa4bfb43f4128a12 (diff) | |
| download | ipsilon-edfd8d4b514a4089108d19026bc38c656f49bbee.tar.gz ipsilon-edfd8d4b514a4089108d19026bc38c656f49bbee.tar.xz ipsilon-edfd8d4b514a4089108d19026bc38c656f49bbee.zip | |
Add support for attribute policies in samlidp
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
| -rw-r--r-- | ipsilon/providers/saml2/auth.py | 11 | ||||
| -rw-r--r-- | ipsilon/providers/saml2idp.py | 16 |
2 files changed, 25 insertions, 2 deletions
diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py index a65b52a..95751aa 100644 --- a/ipsilon/providers/saml2/auth.py +++ b/ipsilon/providers/saml2/auth.py @@ -21,6 +21,7 @@ from ipsilon.providers.saml2.provider import ServiceProvider from ipsilon.providers.saml2.provider import InvalidProviderId from ipsilon.providers.saml2.provider import NameIdNotAllowed from ipsilon.providers.saml2.sessions import SAMLSessionsContainer +from ipsilon.util.policy import Policy from ipsilon.util.user import UserSession from ipsilon.util.trans import Transaction import cherrypy @@ -201,7 +202,6 @@ class AuthenticateRequest(ProviderPageBase): raise AuthenticationError("Unavailable Name ID type", lasso.SAML2_STATUS_CODE_AUTHN_FAILED) - # TODO: filter user attributes as policy requires from 'usersession' if not login.assertion.attributeStatement: attrstat = lasso.Saml2AttributeStatement() login.assertion.attributeStatement = [attrstat] @@ -210,7 +210,14 @@ class AuthenticateRequest(ProviderPageBase): if not attrstat.attribute: attrstat.attribute = () - attributes = us.get_user_attrs() + # Check attribute policy and perform mapping and filtering + policy = Policy(self.cfg.default_attribute_mapping, + self.cfg.default_allowed_attributes) + userattrs = us.get_user_attrs() + mappedattrs, _ = policy.map_attributes(userattrs) + attributes = policy.filter_attributes(mappedattrs) + + self.debug("%s's attributes: %s" % (user.name, attributes)) for key in attributes: values = attributes[key] diff --git a/ipsilon/providers/saml2idp.py b/ipsilon/providers/saml2idp.py index 256fcf9..9fa2fd6 100644 --- a/ipsilon/providers/saml2idp.py +++ b/ipsilon/providers/saml2idp.py @@ -209,6 +209,14 @@ Provides SAML 2.0 authentication infrastructure. """ 'default email domain', 'Used for users missing the email property.', 'example.com'), + pconfig.MappingList( + 'default attribute mapping', + 'Defines how to map attributes before returning them to SPs', + [['*', '*']]), + pconfig.ComplexList( + 'default allowed attributes', + 'Defines a list of allowed attributes, applied after mapping', + ['*']), ) if cherrypy.config.get('debug', False): import logging @@ -253,6 +261,14 @@ Provides SAML 2.0 authentication infrastructure. """ def default_email_domain(self): return self.get_config_value('default email domain') + @property + def default_attribute_mapping(self): + return self.get_config_value('default attribute mapping') + + @property + def default_allowed_attributes(self): + return self.get_config_value('default allowed attributes') + def get_tree(self, site): self.idp = self.init_idp() self.page = SAML2(site, self) |