Delegate remote_user_id mapping to the saml mapping provider (#6723)
Turns out that figuring out a remote user id for the SAML user isn't quite as obvious as it seems. Factor it out to the SamlMappingProvider so that it's easy to control.
This commit is contained in:
parent
a8a50f5b57
commit
2b6a77fcde
@ -0,0 +1 @@
Updates to the SAML mapping provider API.
@ -121,6 +121,7 @@ class SAML2Config(Config):
required_methods = [
required_methods = [
"get_saml_attributes",
"get_saml_attributes",
"saml_response_to_user_attributes",
"saml_response_to_user_attributes",
"get_remote_user_id",
]
]
missing_methods = [
missing_methods = [
method
method
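Review bot: Adding `"get_remote_user_id"` to `required_methods` means the `missing_methods` check below it will presumably reject at startup any existing custom mapping provider written before this method existed, so the change is breaking for deployments that ship their own provider. If the project keeps upgrade notes or provider-author documentation listing the required methods, they should be updated in the same change; the changelog entry here only says the API was updated. A short comment on the new entry, such as `# added in #6723: the provider, not the handler, decides which attribute identifies the remote user`, would tell a reader why the method became mandatory. The enclosing class continues outside the hunk.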
@ -135,14 +135,15 @@ class SamlHandler:
logger.info("SAML2 response: %s", saml2_auth.origxml)
logger.info("SAML2 response: %s", saml2_auth.origxml)
logger.info("SAML2 mapped attributes: %s", saml2_auth.ava)
logger.info("SAML2 mapped attributes: %s", saml2_auth.ava)
try:
remote_user_id = saml2_auth.ava["uid"][0]
except KeyError:
logger.warning("SAML2 response lacks a 'uid' attestation")
raise SynapseError(400, "'uid' not in SAML2 response")
self._outstanding_requests_dict.pop(saml2_auth.in_response_to, None)
self._outstanding_requests_dict.pop(saml2_auth.in_response_to, None)
remote_user_id = self._user_mapping_provider.get_remote_user_id(
saml2_auth, client_redirect_url
)
if not remote_user_id:
raise Exception("Failed to extract remote user id from SAML response")
with (await self._mapping_lock.queue(self._auth_provider_id)):
with (await self._mapping_lock.queue(self._auth_provider_id)):
# first of all, check if we already have a mapping for this user
# first of all, check if we already have a mapping for this user
logger.info(
logger.info(
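Review bot: The new `raise Exception("Failed to extract remote user id from SAML response")` replaces the removed `SynapseError(400, ...)` with a bare `Exception`, so a SAML response the provider cannot map will now surface to the client as a 500 with a server-side traceback instead of the clean 400 the old code produced. `SynapseError` is evidently already imported in this file, and the default provider keeps raising it for the missing-`uid` case, so the handler's fallback should match: `raise SynapseError(400, "Failed to extract remote user id from SAML response")`. The value the provider returns is what the lock-protected lookup below keys the user mapping on, and the handler only checks that it is truthy, so it is worth a comment on the `if not remote_user_id:` line stating that a falsy return is the provider's documented way of signalling "no usable id". The enclosing method starts and ends outside the hunk.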
@ -279,6 +280,20 @@ class DefaultSamlMappingProvider(object):
self._mxid_source_attribute = parsed_config.mxid_source_attribute
self._mxid_source_attribute = parsed_config.mxid_source_attribute
self._mxid_mapper = parsed_config.mxid_mapper
self._mxid_mapper = parsed_config.mxid_mapper
self._grandfathered_mxid_source_attribute = (
module_api._hs.config.saml2_grandfathered_mxid_source_attribute
)
def get_remote_user_id(
self, saml_response: saml2.response.AuthnResponse, client_redirect_url: str
):
"""Extracts the remote user id from the SAML response"""
try:
return saml_response.ava["uid"][0]
except KeyError:
logger.warning("SAML2 response lacks a 'uid' attestation")
raise SynapseError(400, "'uid' not in SAML2 response")
def saml_response_to_user_attributes(
def saml_response_to_user_attributes(
self,
self,
saml_response: saml2.response.AuthnResponse,
saml_response: saml2.response.AuthnResponse,
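Review bot: `saml_response.ava["uid"][0]` in the new `get_remote_user_id` only catches `KeyError`, so an assertion that carries a `uid` attribute with an empty value list — if pysaml2 can hand one back in `ava` — raises `IndexError` and escapes as a 500 instead of the intended 400; `except (KeyError, IndexError):` closes that gap without changing the happy path. The one-line docstring should also spell out the contract the handler relies on: the return value is the id the handler uses to look up an existing user mapping and must be non-empty, `client_redirect_url` is accepted for API symmetry and unused by this default implementation, and `SynapseError(400)` is raised when no usable id is present. The new `self._grandfathered_mxid_source_attribute` line reaches into `module_api._hs`, a private attribute of the module API rather than a public accessor; a `# NOTE: relies on the private _hs handle of ModuleApi` comment would at least make that coupling visible to whoever next changes ModuleApi. This hunk cuts into `__init__` before the new method, and `saml_response_to_user_attributes` continues past its end.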