diff options
| author | Simo Sorce <simo@redhat.com> | 2014-03-02 18:29:15 -0500 |
|---|---|---|
| committer | Simo Sorce <simo@redhat.com> | 2014-03-02 18:35:39 -0500 |
| commit | 2cf4bcfe804aaa01e4587388e0870274c20ca428 (patch) | |
| tree | 5393a06591d553227d430a8f9ea305cf36192fd5 /ipsilon/providers/saml2 | |
| parent | ad6e5efc6347639f4edfba94375151ccdbc5f7a8 (diff) | |
| download | ipsilon-2cf4bcfe804aaa01e4587388e0870274c20ca428.tar.gz ipsilon-2cf4bcfe804aaa01e4587388e0870274c20ca428.tar.xz ipsilon-2cf4bcfe804aaa01e4587388e0870274c20ca428.zip | |
Unsplit checking functions
Easier to deal with stuff if they are a single validation function.
Signed-off-by: Simo Sorce <simo@redhat.com>
Diffstat (limited to 'ipsilon/providers/saml2')
| -rwxr-xr-x | ipsilon/providers/saml2/auth.py | 18 |
1 files changed, 6 insertions, 12 deletions
diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py index 3d63deb..64d9835 100755 --- a/ipsilon/providers/saml2/auth.py +++ b/ipsilon/providers/saml2/auth.py @@ -55,12 +55,10 @@ class AuthenticateRequest(ProviderPageBase): self.STAGE_INIT = 0 self.STAGE_AUTH = 1 self.stage = self.STAGE_INIT - self.nameidfmt = None def auth(self, login): try: self.saml2checks(login) - self.saml2assertion(login) except AuthenticationError, e: self.saml2error(login, e.code, e.message) return self.reply(login) @@ -138,7 +136,7 @@ class AuthenticateRequest(ProviderPageBase): try: provider = ServiceProvider(self.cfg, login.remoteProviderId) - nameid = provider.get_valid_nameid(login.request.nameIdPolicy) + nameidfmt = provider.get_valid_nameid(login.request.nameIdPolicy) except NameIdNotAllowed, e: raise AuthenticationError( str(e), lasso.SAML2_STATUS_CODE_INVALID_NAME_ID_POLICY) @@ -146,14 +144,10 @@ class AuthenticateRequest(ProviderPageBase): raise AuthenticationError( str(e), lasso.SAML2_STATUS_CODE_AUTHN_FAILED) - self.nameidfmt = nameid - # TODO: check login.request.forceAuthn login.validateRequestMsg(not user.is_anonymous, consent) - def saml2assertion(self, login): - authtime = datetime.datetime.utcnow() skew = datetime.timedelta(0, 60) authtime_notbefore = authtime - skew @@ -175,19 +169,19 @@ class AuthenticateRequest(ProviderPageBase): authtime_notafter.strftime(timeformat)) nameid = None - if self.nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT: + if nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT: nameid = user.name ## TODO map to something else ? - elif self.nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT: + elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT: nameid = user.name ## TODO map to something else ? - elif self.nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS: + elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS: nameid = us.get_data('user', 'krb_principal_name') - elif self.nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL: + elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL: nameid = us.get_user().email if not nameid: nameid = '%s@%s' % (user.name, self.cfg.default_email_domain) if nameid: - login.assertion.subject.nameId.format = self.nameidfmt + login.assertion.subject.nameId.format = nameidfmt login.assertion.subject.nameId.content = nameid else: raise AuthenticationError("Unavailable Name ID type", |