 def _subject_from_member(self, member, sp, format, ok_create=False):
     """Build a ``Subject`` naming *member* in NameID *format* for the SP *sp*.

     The NameID is qualified with our own entity id (``NameQualifier``) and
     carries the normalized *format*.  *sp* and *ok_create* (the request's
     AllowCreate) are only handed on to the format adapter's ``make_id``,
     which decides whether an identifier exists or may be created.

     Returns the ``Subject`` on success.  Returns the status string
     ``"InvalidNameIDPolicy"`` when *format* is not among the adapter's
     supported formats (checked before anything is dispatched on it) or
     when the adapter yields no identifier; callers must therefore test the
     type of the result before using it.

     NOTE(review): ``SPNameQualifier`` is not set on the NameID element
     here, it is only passed to ``make_id`` -- confirm the adapter sets it
     when a policy supplies one.
     """
     wanted = normalize_nameid_format(format)
     support = INameidFormatSupport(self)
     # never dispatch on a format we do not know
     if wanted not in support.supported:
         return "InvalidNameIDPolicy"
     authority_id = self._get_authority().entity_id
     name_id = NameID(NameQualifier=authority_id, Format=wanted)
     subject = Subject(name_id)
     ident = support.make_id(member, sp, ok_create, name_id)
     # The status below is what SAML prescribes when no identifier exists
     # and AllowCreate is false; other reasons for ``None`` are reported
     # under the same code, which may not be adequate.
     if ident is None:
         return "InvalidNameIDPolicy"
     # clear any existing element content, then set the identifier value
     name_id._resetContent()
     name_id.append(ident)
     return subject
 def _subject_from_member(self, member, sp, format, ok_create=False):
    """Return a ``Subject`` for *member* in NameID *format*, or an error status.

    The NameID gets our entity id as ``NameQualifier``; *sp* and
    *ok_create* are forwarded untouched to the format adapter's
    ``make_id``.  The requested *format* is checked against the adapter's
    supported formats before any dispatch happens.

    On failure (unsupported format, or no identifier from the adapter) the
    string ``"InvalidNameIDPolicy"`` is returned instead of a ``Subject``,
    so callers have to inspect the type of the result.  Note that the same
    status is used for every adapter failure, which may not always be the
    adequate code.

    NOTE(review): ``SPNameQualifier`` is never set on the NameID element
    in this method -- confirm the adapter does so when required.
    """
    fmt = normalize_nameid_format(format)
    adapter = INameidFormatSupport(self)
    if fmt in adapter.supported:
        authority_id = self._get_authority().entity_id
        name_id = NameID(NameQualifier=authority_id, Format=fmt)
        result = Subject(name_id)
        value = adapter.make_id(member, sp, ok_create, name_id)
        if value is not None:
            # drop any pre-existing content before storing the identifier
            name_id._resetContent()
            name_id.append(value)
            return result
    return "InvalidNameIDPolicy"
    def subject_from_member(self, member, target, req):
        """Construct a ``Subject`` describing the authenticated *member*.

        The description is tailored for the requesting entity *target* and
        the request *req* (the assumptions made below are written for an
        ``AuthnRequest``).

        Security-relevant checks performed here:

        * if *req* names a ``Subject``, its ``NameQualifier`` (when present)
          must be our own entity id, and its ``NameID`` value must equal the
          value we derive for *member* in the same format; otherwise
          ``self.SUBJECT_MISMATCH`` is returned and nothing is issued;
        * the NameID format comes from ``req.NameIDPolicy`` or, when that is
          absent/unspecified, is negotiated against the formats listed in
          *target*'s role descriptor and the ones we support.

        Returns a ``SubjectType`` on success.  On a problem a status string
        is returned instead (``"AuthnFailed"``, ``"InvalidNameIDPolicy"`` or
        ``self.SUBJECT_MISMATCH``), so callers must test the type of the
        result.  Side effect: ``target.eid`` is filled in from the request's
        ``Issuer`` when it is unset.
        """
        # nobody is authenticated: there is no subject to assert
        if member is None: return "AuthnFailed"
        auth = self._get_authority()
        us = auth.entity_id
        teid = target.eid
        # NOTE(review): falls back to the request's self-declared ``Issuer``
        # when *target* has no entity id yet; acceptable only if *target* was
        # already resolved from that issuer -- confirm against the caller.
        if teid is None: teid = target.eid = req.Issuer.value()
        subject = None
        # if *req* contains a subject, ensure it identifies *member*
        if req.Subject:
            # we only support `NameID` (and get an exception for something else)
            sn = req.Subject.NameID
            # ensure the subject specifies one of our subjects: a qualifier
            # naming another authority is rejected, an absent one is accepted
            if sn.NameQualifier and sn.NameQualifier != us:
                return self.SUBJECT_MISMATCH
            # derive the NameID we would issue for *member* in the requested
            # format and demand an exact value match; this binds the
            # requested subject to the logged-in user.
            # NOTE(review): ``sn.SPNameQualifier`` is passed through as-is
            # (possibly ``None``), whereas the policy path below defaults the
            # qualifier to *teid* -- confirm format adapters treat both alike.
            subject = self._subject_from_member(member, sn.SPNameQualifier,
                                                sn.Format)
            # a string result is an error status; propagate it unchanged
            if not isinstance(subject, SubjectType): return subject
            if sn.value() != subject.NameID.value():
                return self.SUBJECT_MISMATCH
        # Note: we make assumptions below which might only hold for
        #  `AuthnRequest`.
        # determine the required name id policy
        unspecified = normalize_nameid_format("unspecified")
        # defaults for a request without ``NameIDPolicy``.
        # NOTE(review): ``ok_create`` defaults to ``True`` here, while SAML's
        # ``AllowCreate`` defaults to false when absent -- confirm this is
        # intended.  With a policy present, ``nip.AllowCreate`` may itself be
        # ``None`` (attribute absent), which ``make_id`` will see as falsy.
        format, sp, ok_create = None, teid, True
        if req.NameIDPolicy:
            nip = req.NameIDPolicy
            format, sp, ok_create = nip.Format, nip.SPNameQualifier, nip.AllowCreate
        if format in (None, unspecified):
            # find a format supported by us and the requester
            rd = target.get_role_descriptor(self._get_authority())
            supported = INameidFormatSupport(self).supported
            # first format the requester advertises that we support as well
            for nif in rd.NameIDFormat:
                if nif in supported:
                    format = nif
                    break
            else:
                if not rd.NameIDFormat or unspecified in rd.NameIDFormat:
                    # we can choose the format; assumes ``supported`` is
                    # indexable (a list) and non-empty
                    format = supported[0]
                else:
                    return "InvalidNameIDPolicy"
        # no SP qualifier requested: qualify the identifier for the requester
        if sp is None: sp = teid
        return self._subject_from_member(member, sp, format, ok_create)
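class NameidFormatSupport(object):
    """Default name id format support.

    Adapter mapping a NameID ``Format`` URI to a handler that produces the
    identifier value for a member.  Only the ``unspecified`` format is
    registered here.  ``supported`` lists the registered formats so that
    callers can reject a requested format before dispatching on it.
    """
    def __init__(self, context):
        self.context = context

    def make_id(self, member, sp, ok_create, nid):
        """Return the identifier for *member* in ``nid.Format``, or ``None``.

        *sp* (the SP name qualifier) and *ok_create* (the request's
        AllowCreate) are forwarded to the format handler.  Raises
        ``KeyError`` for a format not listed in ``supported``; callers are
        expected to check ``supported`` first.
        """
        return self._dispatcher[nid.Format](self, member, sp, ok_create, nid)

    def _unspecified(self, member, *unused):
        # The "unspecified" format hands out the member's raw id.  *sp* and
        # *ok_create* are ignored, so every SP receives the same value and
        # can correlate the user with other relying parties; register a
        # different handler where that is not acceptable.
        return member.getId()

    _dispatcher = {
        normalize_nameid_format("unspecified"): _unspecified,
    }

    # A real list rather than a ``dict.keys()`` view: ``subject_from_member``
    # indexes ``supported[0]`` when it is free to choose the format, which a
    # view does not allow under Python 3 (under Python 2 both are lists).
    supported = list(_dispatcher.keys())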
  def subject_from_member(self, member, target, req):
    """Construct a ``Subject`` describing the authenticated *member*.

    The description is tailored for the requesting entity *target* and the
    request *req* (the assumptions made below are written for an
    ``AuthnRequest``).

    Security-relevant checks performed here:

    * if *req* names a ``Subject``, its ``NameQualifier`` (when present)
      must be our own entity id, and its ``NameID`` value must equal the
      value we derive for *member* in the same format; otherwise
      ``self.SUBJECT_MISMATCH`` is returned and nothing is issued;
    * the NameID format comes from ``req.NameIDPolicy`` or, when that is
      absent/unspecified, is negotiated against the formats listed in
      *target*'s role descriptor and the ones we support.

    Returns a ``SubjectType`` on success.  On a problem a status string is
    returned instead (``"AuthnFailed"``, ``"InvalidNameIDPolicy"`` or
    ``self.SUBJECT_MISMATCH``), so callers must test the type of the
    result.  Side effect: ``target.eid`` is filled in from the request's
    ``Issuer`` when it is unset.
    """
    # nobody is authenticated: there is no subject to assert
    if member is None: return "AuthnFailed"
    auth = self._get_authority(); us = auth.entity_id
    teid = target.eid
    # NOTE(review): falls back to the request's self-declared ``Issuer`` when
    # *target* has no entity id yet; acceptable only if *target* was already
    # resolved from that issuer -- confirm against the caller.
    if teid is None: teid = target.eid = req.Issuer.value()
    subject = None
    # if *req* contains a subject, ensure it identifies *member*
    if req.Subject:
      # we only support `NameID` (and get an exception for something else)
      sn = req.Subject.NameID
      # ensure the subject specifies one of our subjects: a qualifier naming
      # another authority is rejected, an absent one is accepted
      if sn.NameQualifier and sn.NameQualifier != us:
        return self.SUBJECT_MISMATCH
      # derive the NameID we would issue for *member* in the requested format
      # and demand an exact value match; this binds the requested subject to
      # the logged-in user.
      # NOTE(review): ``sn.SPNameQualifier`` is passed through as-is (possibly
      # ``None``), whereas the policy path below defaults the qualifier to
      # *teid* -- confirm format adapters treat both alike.
      subject = self._subject_from_member(member, sn.SPNameQualifier, sn.Format)
      # a string result is an error status; propagate it unchanged
      if not isinstance(subject, SubjectType): return subject
      if sn.value() != subject.NameID.value(): return self.SUBJECT_MISMATCH
    # Note: we make assumptions below which might only hold for
    #  `AuthnRequest`.
    # determine the required name id policy
    unspecified = normalize_nameid_format("unspecified")
    # defaults for a request without ``NameIDPolicy``.
    # NOTE(review): ``ok_create`` defaults to ``True`` here, while SAML's
    # ``AllowCreate`` defaults to false when absent -- confirm this is
    # intended.  With a policy present, ``nip.AllowCreate`` may itself be
    # ``None`` (attribute absent), which ``make_id`` will see as falsy.
    format, sp, ok_create = None, teid, True
    if req.NameIDPolicy:
      nip = req.NameIDPolicy
      format, sp, ok_create = nip.Format, nip.SPNameQualifier, nip.AllowCreate
    if format in (None, unspecified):
      # find a format supported by us and the requester
      rd = target.get_role_descriptor(self._get_authority())
      supported = INameidFormatSupport(self).supported
      # first format the requester advertises that we support as well
      for nif in rd.NameIDFormat:
        if nif in supported: format = nif; break
      else:
        if not rd.NameIDFormat or unspecified in rd.NameIDFormat:
          # we can choose the format; assumes ``supported`` is indexable (a
          # list) and non-empty
          format = supported[0]
        else: return "InvalidNameIDPolicy"
    # no SP qualifier requested: qualify the identifier for the requester
    if sp is None: sp = teid
    return self._subject_from_member(member, sp, format, ok_create)