authentik/passbook/sources/saml/utils.py

84 lines
2.8 KiB
Python
Raw Normal View History

2019-11-07 16:02:56 +00:00
"""saml sp helpers"""
from django.http import HttpRequest
from django.shortcuts import reverse
from passbook.core.models import User
from passbook.sources.saml.models import SAMLSource
def get_entity_id(request: HttpRequest, source: SAMLSource):
"""Get Source's entity ID, falling back to our Metadata URL if none is set"""
entity_id = source.entity_id
if entity_id is None:
2019-12-31 11:51:16 +00:00
return build_full_url("metadata", request, source)
2019-11-07 16:02:56 +00:00
return entity_id
def build_full_url(view: str, request: HttpRequest, source: SAMLSource) -> str:
"""Build Full ACS URL to be used in IDP"""
return request.build_absolute_uri(
2019-12-31 11:51:16 +00:00
reverse(f"passbook_sources_saml:{view}", kwargs={"source": source.slug})
)
2019-11-07 16:02:56 +00:00
def _get_email_from_response(root):
"""
Returns the email out of the response.
At present, response must pass the email address as the Subject, eg.:
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email"
SPNameQualifier=""
>email@example.com</saml:NameID>
"""
assertion = root.find("{urn:oasis:names:tc:SAML:2.0:assertion}Assertion")
subject = assertion.find("{urn:oasis:names:tc:SAML:2.0:assertion}Subject")
name_id = subject.find("{urn:oasis:names:tc:SAML:2.0:assertion}NameID")
return name_id.text
def _get_attributes_from_response(root):
"""
Returns the SAML Attributes (if any) that are present in the response.
NOTE: Technically, attribute values could be any XML structure.
But for now, just assume a single string value.
"""
flat_attributes = {}
assertion = root.find("{urn:oasis:names:tc:SAML:2.0:assertion}Assertion")
2019-12-31 11:51:16 +00:00
attributes = assertion.find(
"{urn:oasis:names:tc:SAML:2.0:assertion}AttributeStatement"
)
2019-11-07 16:02:56 +00:00
for attribute in attributes.getchildren():
2019-12-31 11:51:16 +00:00
name = attribute.attrib.get("Name")
2019-11-07 16:02:56 +00:00
children = attribute.getchildren()
if not children:
# Ignore empty-valued attributes. (I think these are not allowed.)
continue
if len(children) == 1:
2019-12-31 11:51:16 +00:00
# See NOTE:
2019-11-07 16:02:56 +00:00
flat_attributes[name] = children[0].text
else:
# It has multiple values.
for child in children:
2019-12-31 11:51:16 +00:00
# See NOTE:
2019-11-07 16:02:56 +00:00
flat_attributes.setdefault(name, []).append(child.text)
return flat_attributes
def _get_user_from_response(root):
"""
Gets info out of the response and locally logs in this user.
May create a local user account first.
Returns the user object that was created.
"""
email = _get_email_from_response(root)
try:
user = User.objects.get(email=email)
except User.DoesNotExist:
2019-12-31 11:51:16 +00:00
user = User.objects.create_user(username=email, email=email)
2019-11-07 16:02:56 +00:00
user.set_unusable_password()
user.save()
return user