def _subject_from_member(self, member, sp, format, ok_create=False):
    """Build a ``Subject`` that identifies *member* towards the service provider *sp*.

    *format* is the requested name-id format.  It is normalized first and,
    unless the ``INameidFormatSupport`` adapter for this authority lists it
    in ``supported``, the string ``"InvalidNameIDPolicy"`` is returned.
    *ok_create* is handed to the adapter's ``make_id`` and says whether a
    new identifier may be created for *member* (the default adapter in this
    module ignores it).

    Returns a ``Subject`` whose ``NameID`` carries this authority's entity id
    as ``NameQualifier`` (never the requester's), or an error string when
    the adapter produced no identifier.
    """
    wanted = normalize_nameid_format(format)
    support = INameidFormatSupport(self)
    if wanted not in support.supported:
        return "InvalidNameIDPolicy"
    # the qualifier always names this authority
    name_id = NameID(
        NameQualifier=self._get_authority().entity_id,
        Format=wanted,
    )
    result = Subject(name_id)
    identifier = support.make_id(member, sp, ok_create, name_id)
    if identifier is None:
        # the adapter could not (or was not allowed to) produce an id;
        # "InvalidNameIDPolicy" may not be the adequate status for that
        return "InvalidNameIDPolicy"
    name_id._resetContent()
    name_id.append(identifier)
    return result
def _subject_from_member(self, member, sp, format, ok_create=False):
    """Return a ``Subject`` for *member*, or an error string.

    The ``NameID`` inside the subject uses this authority's entity id as
    ``NameQualifier`` and the normalized *format* as ``Format``.  The format
    must be one the ``INameidFormatSupport`` adapter supports; the actual
    identifier comes from the adapter's ``make_id`` (which receives *sp*,
    *ok_create* and the ``NameID`` being filled).

    Both an unsupported format and an adapter that yields ``None`` are
    reported as ``"InvalidNameIDPolicy"``.
    """
    normalized = normalize_nameid_format(format)
    adapter = INameidFormatSupport(self)
    if normalized not in adapter.supported:
        return "InvalidNameIDPolicy"
    qualifier = self._get_authority().entity_id
    name_id = NameID(NameQualifier=qualifier, Format=normalized)
    subject = Subject(name_id)
    value = adapter.make_id(member, sp, ok_create, name_id)
    if value is None:
        # no identifier available -- "InvalidNameIDPolicy" may not be adequate
        return "InvalidNameIDPolicy"
    # replace whatever content the NameID carried with the new identifier
    name_id._resetContent()
    name_id.append(value)
    return subject
def subject_from_member(self, member, target, req):
    """Construct a subject description for *member*.

    The description is tailored for *target* (the requesting entity) and
    *req* (the request being answered).  In case of a problem, error
    information -- currently a string such as ``"AuthnFailed"`` or
    ``"InvalidNameIDPolicy"``, or ``self.SUBJECT_MISMATCH`` -- is returned
    instead of a ``Subject``.
    """
    if member is None:
        return "AuthnFailed"
    our_id = self._get_authority().entity_id
    target_id = target.eid
    if target_id is None:
        target_id = target.eid = req.Issuer.value()

    # A request-supplied ``Subject`` must name the authenticated *member*:
    # otherwise the requester could ask us to assert somebody else.
    if req.Subject:
        # only `NameID` is supported (anything else raises)
        requested = req.Subject.NameID
        # a qualifier, when given, must be ours; an absent one is accepted
        if requested.NameQualifier and requested.NameQualifier != our_id:
            return self.SUBJECT_MISMATCH
        # default ``ok_create=False``: verification never creates an id
        ours = self._subject_from_member(
            member, requested.SPNameQualifier, requested.Format)
        if not isinstance(ours, SubjectType):
            return ours
        if requested.value() != ours.NameID.value():
            return self.SUBJECT_MISMATCH

    # Note: the policy handling below makes assumptions which might only
    # hold for `AuthnRequest`.
    unspecified = normalize_nameid_format("unspecified")
    fmt, sp, ok_create = None, target_id, True
    policy = req.NameIDPolicy
    if policy:
        fmt, sp, ok_create = policy.Format, policy.SPNameQualifier, policy.AllowCreate
    if fmt in (None, unspecified):
        # pick a format supported by both us and the requester
        descriptor = target.get_role_descriptor(self._get_authority())
        supported = INameidFormatSupport(self).supported
        offered = descriptor.NameIDFormat
        common = next((f for f in offered if f in supported), None)
        if common is not None:
            fmt = common
        elif not offered or unspecified in offered:
            # the requester does not care: use our preferred format
            fmt = supported[0]
        else:
            return "InvalidNameIDPolicy"
    if sp is None:
        sp = target_id
    return self._subject_from_member(member, sp, fmt, ok_create)
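class NameidFormatSupport(object):
    """Default name id format support.

    Adapts an authority (*context*) to ``INameidFormatSupport``:
    ``supported`` lists the name-id formats this adapter can produce and
    ``make_id`` maps a member to an identifier in the format of a given
    ``NameID``.  Only the "unspecified" format is handled here; it simply
    uses the member's own id.
    """

    def __init__(self, context):
        self.context = context

    def make_id(self, member, sp, ok_create, nid):
        """Return an identifier for *member* in the format of *nid*.

        *sp* (the service provider) and *ok_create* are passed on to the
        format-specific handler; the "unspecified" handler ignores them.
        Callers are expected to check ``nid.Format`` against ``supported``
        first -- an unsupported format raises ``KeyError``.  A ``None``
        result is treated as "no identifier available" by the caller.
        """
        return self._dispatcher[nid.Format](self, member, sp, ok_create, nid)

    def _unspecified(self, member, *unused):
        """Handler for the "unspecified" format: the member's own id."""
        return member.getId()

    # format -> handler; handlers are plain functions and receive the
    # adapter instance as their first argument
    _dispatcher = {
        normalize_nameid_format("unspecified"): _unspecified,
    }
    # a real sequence rather than a dict view: callers index it (e.g. pick
    # ``supported[0]`` as the preferred format), which ``dict.keys()`` does
    # not allow on Python 3
    supported = list(_dispatcher)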
def subject_from_member(self, member, target, req):
    """Construct a subject description for *member*.

    The description is tailored for *target* and *req*.  In case of a
    problem, error information (currently in the form of a string, or
    ``self.SUBJECT_MISMATCH``) is returned instead of a ``Subject``.
    """
    if member is None:
        return "AuthnFailed"
    authority = self._get_authority()
    our_id = authority.entity_id
    requester_id = target.eid
    if requester_id is None:
        requester_id = target.eid = req.Issuer.value()

    # when *req* names a subject, it must be *member* (as identified by us)
    if req.Subject:
        name_id = req.Subject.NameID  # only `NameID` is supported
        if name_id.NameQualifier and name_id.NameQualifier != our_id:
            # the request points at a subject of another authority
            return self.SUBJECT_MISMATCH
        # default ``ok_create=False``: verification does not create ids
        verified = self._subject_from_member(
            member, name_id.SPNameQualifier, name_id.Format)
        if not isinstance(verified, SubjectType):
            return verified
        if name_id.value() != verified.NameID.value():
            return self.SUBJECT_MISMATCH

    # Note: we make assumptions below which might only hold for
    # `AuthnRequest`.
    unspecified = normalize_nameid_format("unspecified")
    wanted_format = None
    sp = requester_id
    ok_create = True
    if req.NameIDPolicy:
        policy = req.NameIDPolicy
        wanted_format = policy.Format
        sp = policy.SPNameQualifier
        ok_create = policy.AllowCreate
    if wanted_format in (None, unspecified):
        # determine a format supported by us and the requester
        descriptor = target.get_role_descriptor(self._get_authority())
        ours = INameidFormatSupport(self).supported
        theirs = descriptor.NameIDFormat
        for candidate in theirs:
            if candidate in ours:
                wanted_format = candidate
                break
        else:
            if theirs and unspecified not in theirs:
                return "InvalidNameIDPolicy"
            # the requester leaves the choice to us
            wanted_format = ours[0]
    if sp is None:
        sp = requester_id
    return self._subject_from_member(member, sp, wanted_format, ok_create)