authorSimo Sorce <simo@redhat.com>2015-02-16 14:04:49 -0500
committerPatrick Uiterwijk <puiterwijk@redhat.com>2015-02-24 16:37:38 +0100
commit771b8fd095f3bcb922f761d297c62f1a56a997d5 (patch)
treea0b588a1135f97abf6ddff141cb461b1fd389685
parentdd8a2ecf15a7f74e2fe3d8c5ea0ff5e2fed20927 (diff)
Prefix userdata hives with _ to avoid conflicts
The main userdata dict contains common attributes, but we add a special groups list and unmapped extras, as well as indicators like auth_type. All these additional attributes are now prefixed by a _ character so that conflicts with legitimate attributes are improbable. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
-rw-r--r--ipsilon/info/infoldap.py6
-rw-r--r--ipsilon/info/infosssd.py6
-rw-r--r--ipsilon/info/nss.py6
-rw-r--r--ipsilon/login/authfas.py11
-rw-r--r--ipsilon/login/authldap.py10
-rw-r--r--ipsilon/login/common.py33
-rw-r--r--ipsilon/providers/openid/extensions/cla.py2
-rw-r--r--ipsilon/providers/saml2/auth.py15
8 files changed, 41 insertions, 48 deletions
diff --git a/ipsilon/info/infoldap.py b/ipsilon/info/infoldap.py
index efdb649..0ec6dd1 100644
--- a/ipsilon/info/infoldap.py
+++ b/ipsilon/info/infoldap.py
@@ -129,9 +129,9 @@ Info plugin that uses LDAP to retrieve user data. """
ldapattrs = self._get_user_data(conn, dn)
userattrs, extras = self.mapper.map_attrs(ldapattrs)
groups = self._get_user_groups(conn, dn, ldapattrs)
- reply['userdata'] = userattrs
- reply['groups'] = groups
- reply['extras'] = {'ldap': extras}
+ reply = userattrs
+ reply['_groups'] = groups
+ reply['_extras'] = {'ldap': extras}
except Exception, e: # pylint: disable=broad-except
self.error(e)
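Review bot: `reply = userattrs` makes the mapper's output dict the reply itself, so the `_groups` and `_extras` assignments on the next two lines are the only thing separating bookkeeping keys from directory-sourced attributes; a mapping rule that emits any other `_`-prefixed key passes straight through into the session userdata, where `auth_successful` treats such keys as reserved. The commit message calls a collision improbable, but nothing in the plugins enforces it. I would state the reservation where the dict is built, `# keys starting with '_' (_groups, _extras, _auth_type) are reserved for ipsilon bookkeeping; the mapper must not emit them`, or strip them before the assignment with `userattrs = dict((k, v) for k, v in userattrs.items() if not k.startswith('_'))`. The infosssd.py and nss.py hunks follow the same pattern; the enclosing method starts before this hunk.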
diff --git a/ipsilon/info/infosssd.py b/ipsilon/info/infosssd.py
index b187567..63ffecc 100644
--- a/ipsilon/info/infosssd.py
+++ b/ipsilon/info/infosssd.py
@@ -72,9 +72,9 @@ class InfoProvider(InfoProviderBase):
try:
attrs, groups = self._get_user_data(user)
userattrs, extras = self.mapper.map_attrs(attrs)
- reply['userdata'] = userattrs
- reply['groups'] = groups
- reply['extras'] = {'sssd': extras}
+ reply = userattrs
+ reply['_groups'] = groups
+ reply['_extras'] = {'sssd': extras}
except KeyError:
pass
diff --git a/ipsilon/info/nss.py b/ipsilon/info/nss.py
index 1107387..2f4039a 100644
--- a/ipsilon/info/nss.py
+++ b/ipsilon/info/nss.py
@@ -61,9 +61,9 @@ class InfoProvider(InfoProviderBase):
userattrs, extras = self.mapper.map_attrs(posix_user)
groups = self._get_posix_groups(posix_user['username'],
posix_user['gidNumber'])
- reply['userdata'] = userattrs
- reply['groups'] = groups
- reply['extras'] = {'posix': extras}
+ reply = userattrs
+ reply['_groups'] = groups
+ reply['_extras'] = {'posix': extras}
except KeyError:
pass
diff --git a/ipsilon/login/authfas.py b/ipsilon/login/authfas.py
index 33d1ac5..3697c1a 100644
--- a/ipsilon/login/authfas.py
+++ b/ipsilon/login/authfas.py
@@ -82,18 +82,19 @@ class FAS(LoginFormBase):
userdata, fas_extra = self.mapper.map_attrs(fas_data)
# compute and store groups and cla groups
- userdata['groups'] = []
- userdata['extras'] = {'fas': fas_extra, 'cla': []}
+ userdata['_groups'] = []
+ userdata['_extras'] = {'fas': fas_extra, 'cla': []}
for group in fas_data.get('approved_memberships', {}):
if 'name' not in group:
continue
if group.get('group_type') == 'cla':
if group['name'] in CLA_GROUPS:
- userdata['extras']['cla'].append(CLA_GROUPS[group['name']])
+ group_name = CLA_GROUPS[group['name']]
else:
- userdata['extras']['cla'].append(group['name'])
+ group_name = group['name']
+ userdata['_extras']['cla'].append(group_name)
else:
- userdata['groups'].append(group['name'])
+ userdata['_groups'].append(group['name'])
return userdata
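Review bot: The default in `fas_data.get('approved_memberships', {})` is a dict, while the loop body treats each element as a membership dict with a `name` key; an empty dict iterates nothing so it is harmless today, but `[]` documents the expected shape of the FAS response, `for group in fas_data.get('approved_memberships', []):`. The `group_name` extraction reads more clearly than the two `append` calls it replaces. The enclosing method starts before this hunk.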
diff --git a/ipsilon/login/authldap.py b/ipsilon/login/authldap.py
index 5899ed2..8958410 100644
--- a/ipsilon/login/authldap.py
+++ b/ipsilon/login/authldap.py
@@ -62,15 +62,7 @@ class LDAP(LoginFormBase, Log):
if username and password:
try:
- userdata = self._authenticate(username, password)
- if userdata:
- userattrs = dict()
- for d, v in userdata.get('userdata', {}).items():
- userattrs[d] = v
- if 'groups' in userdata:
- userattrs['groups'] = userdata['groups']
- if 'extras' in userdata:
- userattrs['extras'] = userdata['extras']
+ userattrs = self._authenticate(username, password)
authed = True
except Exception, e: # pylint: disable=broad-except
errmsg = "Authentication failed"
diff --git a/ipsilon/login/common.py b/ipsilon/login/common.py
index 2dcdb67..3002d78 100644
--- a/ipsilon/login/common.py
+++ b/ipsilon/login/common.py
@@ -44,27 +44,34 @@ class LoginManagerBase(PluginConfig, PluginObject):
def auth_successful(self, trans, username, auth_type=None, userdata=None):
session = UserSession()
+ # merge attributes from login plugin and info plugin
if self.info:
- userattrs = self.info.get_user_attrs(username)
- if userdata:
- userdata.update(userattrs.get('userdata', {}))
- else:
- userdata = userattrs.get('userdata', {})
+ infoattrs = self.info.get_user_attrs(username)
+ else:
+ infoattrs = dict()
+
+ if userdata is None:
+ userdata = dict()
+
+ if '_groups' in infoattrs:
+ userdata['_groups'] = list(set(userdata.get('_groups', []) +
+ infoattrs['_groups']))
+ del infoattrs['_groups']
- # merge groups and extras from login plugin and info plugin
- userdata['groups'] = list(set(userdata.get('groups', []) +
- userattrs.get('groups', [])))
+ if '_extras' in infoattrs:
+ userdata['_extras'] = userdata.get('_extras', {})
+ userdata['_extras'].update(infoattrs['_extras'])
+ del infoattrs['_extras']
- userdata['extras'] = userdata.get('extras', {})
- userdata['extras'].update(userattrs.get('extras', {}))
+ userdata.update(infoattrs)
- self.debug("User %s attributes: %s" % (username, repr(userdata)))
+ self.debug("User %s attributes: %s" % (username, repr(userdata)))
if auth_type:
if userdata:
- userdata.update({'auth_type': auth_type})
+ userdata.update({'_auth_type': auth_type})
else:
- userdata = {'auth_type': auth_type}
+ userdata = {'_auth_type': auth_type}
# create session login including all the userdata just gathered
session.login(username, userdata)
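Review bot: `userdata['_extras']` and `userdata['_groups']` are now only created when the info plugin returned them, whereas the removed lines set `extras` and `groups` unconditionally; with no info plugin configured, or a login plugin whose result lacks `_extras`, a consumer that indexes the key directly — `userdata['_extras'].get('cla', [])` in this commit's cla.py hunk — raises KeyError. I would restore the invariant after `userdata.update(infoattrs)` with `userdata.setdefault('_groups', [])` and `userdata.setdefault('_extras', {})`, or have cla.py read `userdata.get('_extras', {})`. After the `userdata is None` guard the `if userdata:` / `else:` split around `_auth_type` only differs for an empty dict and both branches yield the same result, so `userdata['_auth_type'] = auth_type` can replace those four lines. The `del infoattrs[...]` calls mutate the dict returned by `self.info.get_user_attrs`; if an info plugin ever returns a cached object that is a side effect worth confirming. The method may continue past the hunk.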
diff --git a/ipsilon/providers/openid/extensions/cla.py b/ipsilon/providers/openid/extensions/cla.py
index e260f1d..830e3a3 100644
--- a/ipsilon/providers/openid/extensions/cla.py
+++ b/ipsilon/providers/openid/extensions/cla.py
@@ -19,7 +19,7 @@ class OpenidExtension(OpenidExtensionBase):
self.debug(req)
if req is None:
return {}
- data = userdata['extras'].get('cla', [])
+ data = userdata['_extras'].get('cla', [])
return cla.CLAResponse.extractResponse(req, data)
def _display(self, request, userdata):
diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py
index 44ed834..a65b52a 100644
--- a/ipsilon/providers/saml2/auth.py
+++ b/ipsilon/providers/saml2/auth.py
@@ -210,20 +210,13 @@ class AuthenticateRequest(ProviderPageBase):
if not attrstat.attribute:
attrstat.attribute = ()
- attributes = dict()
- userattrs = us.get_user_attrs()
- for key, value in userattrs.get('userdata', {}).iteritems():
- if type(value) is str:
- attributes[key] = value
- if 'groups' in userattrs:
- attributes['group'] = userattrs['groups']
- for _, info in userattrs.get('extras', {}).iteritems():
- for key, value in info.items():
- attributes[key] = value
+ attributes = us.get_user_attrs()
for key in attributes:
values = attributes[key]
- if type(values) is not list:
+ if isinstance(values, dict):
+ continue
+ if not isinstance(values, list):
values = [values]
for value in values:
attr = lasso.Saml2Attribute()
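Review bot: Iterating `us.get_user_attrs()` directly now turns every non-dict key of the session userdata into a SAML attribute, including the bookkeeping keys this commit introduces: `_groups` reaches the SP under that name where the removed lines emitted it as `group`, and, if the session holds the dict built by `auth_successful` in the common.py hunk, `_auth_type` is released to the SP as well. The removed code also emitted only string values from userdata and flattened the extras hives into attributes, while the new `isinstance(values, dict)` check drops the hives entirely, so unmapped attributes are no longer released; that may be intended but the commit message does not say so. If the SP-facing name `group` is meant to stay, I would skip `_`-prefixed keys and map `_groups` back explicitly, as below. The rest of the loop and the enclosing method continue past the hunk.

```python
        attributes = us.get_user_attrs()
        for key in attributes:
            values = attributes[key]
            if isinstance(values, dict):
                continue
            # '_'-prefixed keys are ipsilon bookkeeping, not user attributes
            if key.startswith('_'):
                if key != '_groups':
                    continue
                key = 'group'
            if not isinstance(values, list):
                values = [values]
            # … unchanged: Saml2Attribute construction per value …
```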