[Python-modules-commits] [python-social-auth] 05/15: Add an integration point for extra security layers like eduPersonEntitlement
Wolfgang Borgert
debacle at moszumanska.debian.org
Sat Dec 24 15:13:34 UTC 2016
This is an automated email from the git hooks/post-receive script.
debacle pushed a commit to tag v0.2.11
in repository python-social-auth.
commit de8152360b9f1c644fa3192bd601cf9452cd6a22
Author: Braden MacDonald <braden at opencraft.com>
Date: Wed May 20 23:47:46 2015 -0700
Add an integration point for extra security layers like eduPersonEntitlement
---
social/backends/saml.py | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/social/backends/saml.py b/social/backends/saml.py
index 0a50c96..703a886 100644
--- a/social/backends/saml.py
+++ b/social/backends/saml.py
@@ -14,6 +14,7 @@ from social.exceptions import AuthFailed
# Helpful constants:
OID_COMMON_NAME = "urn:oid:2.5.4.3"
OID_EDU_PERSON_PRINCIPAL_NAME = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
+OID_EDU_PERSON_ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
OID_GIVEN_NAME = "urn:oid:2.5.4.42"
OID_MAIL = "urn:oid:0.9.2342.19200300.100.1.3"
OID_SURNAME = "urn:oid:2.5.4.4"
@@ -210,11 +211,11 @@ class SAMLAuth(BaseAuth):
errors = saml_settings.validate_metadata(metadata)
return metadata, errors
- def _create_saml_auth(self, idp_name):
+ def _create_saml_auth(self, idp):
"""
Get an instance of OneLogin_Saml2_Auth
"""
- config = self.generate_saml_config(idp=self.get_idp(idp_name))
+ config = self.generate_saml_config(idp)
request_info = {
'https': 'on' if self.strategy.request_is_secure() else 'off',
'http_host': self.strategy.request_host(),
@@ -228,7 +229,7 @@ class SAMLAuth(BaseAuth):
def auth_url(self):
""" Get the URL to which we must redirect in order to authenticate the user """
idp_name = self.strategy.request_data()['idp']
- auth = self._create_saml_auth(idp_name)
+ auth = self._create_saml_auth(idp=self.get_idp(idp_name))
# Below, return_to sets the RelayState, which can contain arbitrary data.
# We use it to store the specific SAML IdP backend name, since we combine
# many backends to a single URL.
@@ -257,7 +258,8 @@ class SAMLAuth(BaseAuth):
everything checks out.
"""
idp_name = self.strategy.request_data()['RelayState']
- auth = self._create_saml_auth(idp_name)
+ idp = self.get_idp(idp_name)
+ auth = self._create_saml_auth(idp)
auth.process_response()
errors = auth.get_errors()
if errors or not auth.is_authenticated():
@@ -267,6 +269,8 @@ class SAMLAuth(BaseAuth):
attributes = auth.get_attributes()
attributes['name_id'] = auth.get_nameid()
+ self._check_entitlements(idp, attributes)
+
response = {
'idp_name': idp_name,
'attributes': attributes,
@@ -276,3 +280,15 @@ class SAMLAuth(BaseAuth):
kwargs.update({'response': response, 'backend': self})
return self.strategy.authenticate(*args, **kwargs)
+
+ def _check_entitlements(self, idp, attributes):
+ """
+ Additional verification of a SAML response before authenticating the user.
+
+ Subclasses can override this method if they need custom validation code,
+ such as requiring the presence of an eduPersonEntitlement.
+
+ raise social.exceptions.AuthForbidden if the user should not be authenticated,
+ or do nothing to allow the login pipeline to continue.
+ """
+ pass
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/python-modules/packages/python-social-auth.git
More information about the Python-modules-commits
mailing list