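def _auth_saml_validate(self, provider_id, token):
    """Validate a SAML AuthnResponse and return the data identifying the user.

    Args:
        provider_id: id of the ``auth.saml.provider`` record the response
            belongs to.
        token: raw AuthnResponse message posted back by the identity provider.

    Returns:
        ``{'user_id': value}`` where ``value`` is the first value of the
        provider's matching attribute, or the assertion subject's NameID
        content when the provider matches on ``"subject.nameId"``.

    Raises:
        Exception: the response signature cannot be verified, the response
            status is not success, lasso rejects the assertion, or no
            non-empty matching value can be found.
    """
    p = self.env['auth.saml.provider'].browse(provider_id)
    # We are not logged in yet, so the current user cannot read the
    # provider's private fields without sudo.
    login = p.sudo()._get_lasso_for_provider()
    matching_attribute = p._get_matching_attr_for_provider()

    # Signature and status checks happen inside lasso here; a response that
    # fails them never reaches attribute extraction below.
    try:
        login.processAuthnResponseMsg(token)
    except (lasso.DsError, lasso.ProfileCannotVerifySignatureError):
        raise Exception('Lasso Profile cannot verify signature')
    except lasso.ProfileStatusNotSuccessError:
        raise Exception('Profile Status Not Success Error')
    except lasso.Error as e:
        raise Exception(repr(e))

    try:
        login.acceptSso()
    except lasso.Error as error:
        raise Exception(
            'Invalid assertion : %s' % lasso.strError(error[0]))

    # attrs maps (name, nameFormat[, friendlyName]) -> list of values.
    # lformat defaults to the BASIC format and is only replaced when the
    # attribute carries its own nameFormat, so the plain ``name`` key below
    # is only reached if that constant is falsy.
    attrs = {}
    for att_statement in login.assertion.attributeStatement:
        for attribute in att_statement.attribute:
            name = None
            lformat = lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC
            nickname = None
            try:
                name = attribute.name.decode('ascii')
            except Exception:
                _logger.warning(
                    'sso_after_response: error decoding name of attribute %s',
                    attribute.dump())
            else:
                try:
                    if attribute.nameFormat:
                        lformat = attribute.nameFormat.decode('ascii')
                    if attribute.friendlyName:
                        nickname = attribute.friendlyName
                except Exception as e:
                    _logger.warning(
                        'sso_after_response: name or format of an attribute '
                        'failed to decode as ascii: %s due to %s',
                        attribute.dump(), str(e))

            if not name:
                continue
            if lformat:
                key = (name, lformat, nickname) if nickname else (name, lformat)
            else:
                key = name

            # Each value is the XML serialisation of its child nodes.
            # NOTE(review): exportToXml() appears to return a byte string
            # here (the result is decoded as utf8) -- confirm on Python 3,
            # where ``str`` has no decode() and the attribute would be
            # dropped with a warning.
            try:
                attrs[key] = list()
                for value in attribute.attributeValue:
                    content = ''.join(a.exportToXml() for a in value.any)
                    attrs[key].append(content.decode('utf8'))
            except Exception as e:
                _logger.warning(
                    'sso_after_response: value of an attribute failed to '
                    'decode as ascii: %s due to %s',
                    attribute.dump(), str(e))

    # Match on the SAML attribute name only, whatever nameFormat the IdP
    # used; the first attribute with that name wins.
    matching_value = None
    for key, values in attrs.items():
        if isinstance(key, tuple) and key[0] == matching_attribute:
            # An attribute may be present with no values; treat that as
            # "not found" instead of raising IndexError.
            matching_value = values[0] if values else None
            break

    if not matching_value and matching_attribute == "subject.nameId":
        name_id = login.assertion.subject.nameId
        matching_value = name_id.content if name_id is not None else None

    # An empty identifier cannot select a user, so refuse it explicitly
    # rather than returning ``{'user_id': None}`` to the caller.
    if not matching_value:
        raise Exception(
            "Matching attribute %s not found in user attrs: %s" % (
                matching_attribute, attrs))

    return {'user_id': matching_value}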
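def _auth_saml_validate(self, cr, uid, provider, token, context=None):
    """Validate a SAML AuthnResponse and return the data identifying the user.

    Args:
        cr: database cursor.
        uid: id of the user performing the request.
        provider: id of the ``auth.saml.provider`` record the response
            belongs to.
        token: raw AuthnResponse message posted back by the identity provider.
        context: optional context dictionary passed through to the provider
            model.

    Returns:
        ``{'user_id': value}`` where ``value`` is the first value of the
        provider's matching attribute, or the assertion subject's NameID
        content when the provider matches on ``"subject.nameId"``.

    Raises:
        Exception: the response signature cannot be verified, lasso rejects
            the response or the assertion, or no non-empty matching value
            can be found.
    """
    p = self.pool.get('auth.saml.provider')
    login = p._get_lasso_for_provider(cr, uid, provider, context=context)
    matching_attribute = p._get_matching_attr_for_provider(
        cr, uid, provider, context=context)

    # Signature verification happens inside lasso here; a response that
    # fails it never reaches attribute extraction below.
    try:
        login.processAuthnResponseMsg(token)
    except (lasso.DsError, lasso.ProfileCannotVerifySignatureError):
        raise Exception('Lasso Profile cannot verify signature')
    except lasso.Error as e:
        raise Exception(repr(e))

    try:
        login.acceptSso()
    except lasso.Error as error:
        raise Exception(
            'Invalid assertion : %s' % lasso.strError(error[0])
        )

    # attrs maps (name, nameFormat[, friendlyName]) -> list of values.
    # lformat defaults to the BASIC format and is only replaced when the
    # attribute carries its own nameFormat, so the plain ``name`` key below
    # is only reached if that constant is falsy.
    attrs = {}
    for att_statement in login.assertion.attributeStatement:
        for attribute in att_statement.attribute:
            name = None
            lformat = lasso.SAML2_ATTRIBUTE_NAME_FORMAT_BASIC
            nickname = None
            try:
                name = attribute.name.decode('ascii')
            except Exception:
                _logger.warning(
                    'sso_after_response: error decoding name of attribute %s',
                    attribute.dump())
            else:
                try:
                    if attribute.nameFormat:
                        lformat = attribute.nameFormat.decode('ascii')
                    if attribute.friendlyName:
                        nickname = attribute.friendlyName
                except Exception as e:
                    _logger.warning(
                        'sso_after_response: name or format of an attribute '
                        'failed to decode as ascii: %s due to %s',
                        attribute.dump(), str(e))

            if not name:
                continue
            if lformat:
                key = (name, lformat, nickname) if nickname else (name, lformat)
            else:
                key = name

            # Each value is the XML serialisation of its child nodes.
            # NOTE(review): exportToXml() appears to return a byte string
            # here (the result is decoded as utf8) -- confirm on Python 3,
            # where ``str`` has no decode() and the attribute would be
            # dropped with a warning.
            try:
                attrs[key] = list()
                for value in attribute.attributeValue:
                    content = ''.join(a.exportToXml() for a in value.any)
                    attrs[key].append(content.decode('utf8'))
            except Exception as e:
                _logger.warning(
                    'sso_after_response: value of an attribute failed to '
                    'decode as ascii: %s due to %s',
                    attribute.dump(), str(e))

    # Match on the SAML attribute name only, whatever nameFormat the IdP
    # used; the first attribute with that name wins.
    matching_value = None
    for key, values in attrs.items():
        if isinstance(key, tuple) and key[0] == matching_attribute:
            # An attribute may be present with no values; treat that as
            # "not found" instead of raising IndexError.
            matching_value = values[0] if values else None
            break

    if not matching_value and matching_attribute == "subject.nameId":
        name_id = login.assertion.subject.nameId
        matching_value = name_id.content if name_id is not None else None

    # An empty identifier cannot select a user, so refuse it explicitly
    # rather than returning ``{'user_id': None}`` to the caller.
    if not matching_value:
        raise Exception(
            "Matching attribute %s not found in user attrs: %s" % (
                matching_attribute,
                attrs,
            )
        )

    return {'user_id': matching_value}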