def handle_scoped_token(context, auth_payload, auth_context, token_ref,
federation_api, identity_api, token_provider_api):
utils.validate_expiration(token_ref)
token_audit_id = token_ref.audit_id
identity_provider = token_ref.federation_idp_id
protocol = token_ref.federation_protocol_id
user_id = token_ref.user_id
group_ids = token_ref.federation_group_ids
send_notification = functools.partial(
notifications.send_saml_audit_notification, 'authenticate', context,
user_id, group_ids, identity_provider, protocol, token_audit_id)
utils.assert_enabled_identity_provider(federation_api, identity_provider)
try:
mapping = federation_api.get_mapping_from_idp_and_protocol(
identity_provider, protocol)
utils.validate_groups(group_ids, mapping['id'], identity_api)
except Exception:
# NOTE(topol): Diaper defense to catch any exception, so we can
# send off failed authentication notification, raise the exception
# after sending the notification
send_notification(taxonomy.OUTCOME_FAILURE)
raise
else:
send_notification(taxonomy.OUTCOME_SUCCESS)
auth_context['user_id'] = user_id
auth_context['group_ids'] = group_ids
auth_context[federation_constants.IDENTITY_PROVIDER] = identity_provider
auth_context[federation_constants.PROTOCOL] = protocol
def handle_scoped_token(context, auth_payload, auth_context, token_ref,
federation_api, identity_api, token_provider_api):
utils.validate_expiration(token_ref)
token_audit_id = token_ref.audit_id
identity_provider = token_ref.federation_idp_id
protocol = token_ref.federation_protocol_id
user_id = token_ref.user_id
group_ids = token_ref.federation_group_ids
send_notification = functools.partial(
notifications.send_saml_audit_notification, 'authenticate',
context, user_id, group_ids, identity_provider, protocol,
token_audit_id)
utils.assert_enabled_identity_provider(federation_api, identity_provider)
try:
mapping = federation_api.get_mapping_from_idp_and_protocol(
identity_provider, protocol)
utils.validate_groups(group_ids, mapping['id'], identity_api)
except Exception:
# NOTE(topol): Diaper defense to catch any exception, so we can
# send off failed authentication notification, raise the exception
# after sending the notification
send_notification(taxonomy.OUTCOME_FAILURE)
raise
else:
send_notification(taxonomy.OUTCOME_SUCCESS)
auth_context['user_id'] = user_id
auth_context['group_ids'] = group_ids
auth_context[federation_constants.IDENTITY_PROVIDER] = identity_provider
auth_context[federation_constants.PROTOCOL] = protocol
def handle_unscoped_token(context, auth_payload, auth_context,
assignment_api, federation_api, identity_api):
assertion = extract_assertion_data(context)
identity_provider = auth_payload['identity_provider']
protocol = auth_payload['protocol']
utils.assert_enabled_identity_provider(federation_api, identity_provider)
group_ids = None
# NOTE(topol): The user is coming in from an IdP with a SAML assertion
# instead of from a token, so we set token_id to None
token_id = None
# NOTE(marek-denis): This variable is set to None and there is a
# possibility that it will be used in the CADF notification. This means
# operation will not be mapped to any user (even ephemeral).
user_id = None
try:
mapped_properties = apply_mapping_filter(identity_provider, protocol,
assertion, assignment_api,
federation_api, identity_api)
user_id = setup_username(context, mapped_properties)
group_ids = mapped_properties['group_ids']
except Exception:
# NOTE(topol): Diaper defense to catch any exception, so we can
# send off failed authentication notification, raise the exception
# after sending the notification
outcome = taxonomy.OUTCOME_FAILURE
notifications.send_saml_audit_notification('authenticate', context,
user_id, group_ids,
identity_provider,
protocol, token_id,
outcome)
raise
else:
outcome = taxonomy.OUTCOME_SUCCESS
notifications.send_saml_audit_notification('authenticate', context,
user_id, group_ids,
identity_provider,
protocol, token_id,
outcome)
auth_context['user_id'] = user_id
auth_context['group_ids'] = group_ids
auth_context[federation.IDENTITY_PROVIDER] = identity_provider
auth_context[federation.PROTOCOL] = protocol
def handle_unscoped_token(context, auth_payload, auth_context, assignment_api,
federation_api, identity_api):
assertion = extract_assertion_data(context)
identity_provider = auth_payload['identity_provider']
protocol = auth_payload['protocol']
utils.assert_enabled_identity_provider(federation_api, identity_provider)
group_ids = None
# NOTE(topol): The user is coming in from an IdP with a SAML assertion
# instead of from a token, so we set token_id to None
token_id = None
# NOTE(marek-denis): This variable is set to None and there is a
# possibility that it will be used in the CADF notification. This means
# operation will not be mapped to any user (even ephemeral).
user_id = None
try:
mapped_properties = apply_mapping_filter(identity_provider, protocol,
assertion, assignment_api,
federation_api, identity_api)
user_id = setup_username(context, mapped_properties)
group_ids = mapped_properties['group_ids']
except Exception:
# NOTE(topol): Diaper defense to catch any exception, so we can
# send off failed authentication notification, raise the exception
# after sending the notification
outcome = taxonomy.OUTCOME_FAILURE
notifications.send_saml_audit_notification('authenticate', context,
user_id, group_ids,
identity_provider, protocol,
token_id, outcome)
raise
else:
outcome = taxonomy.OUTCOME_SUCCESS
notifications.send_saml_audit_notification('authenticate', context,
user_id, group_ids,
identity_provider, protocol,
token_id, outcome)
auth_context['user_id'] = user_id
auth_context['group_ids'] = group_ids
auth_context[federation.IDENTITY_PROVIDER] = identity_provider
auth_context[federation.PROTOCOL] = protocol
def handle_unscoped_token(context, auth_payload, auth_context, resource_api,
federation_api, identity_api):
def is_ephemeral_user(mapped_properties):
return mapped_properties['user']['type'] == utils.UserType.EPHEMERAL
def build_ephemeral_user_context(auth_context, user, mapped_properties,
identity_provider, protocol):
auth_context['user_id'] = user['id']
auth_context['group_ids'] = mapped_properties['group_ids']
auth_context[federation_constants.IDENTITY_PROVIDER] = (
identity_provider)
auth_context[federation_constants.PROTOCOL] = protocol
def build_local_user_context(auth_context, mapped_properties):
user_info = auth_plugins.UserAuthInfo.create(mapped_properties,
METHOD_NAME)
auth_context['user_id'] = user_info.user_id
assertion = extract_assertion_data(context)
identity_provider = auth_payload['identity_provider']
protocol = auth_payload['protocol']
utils.assert_enabled_identity_provider(federation_api, identity_provider)
group_ids = None
# NOTE(topol): The user is coming in from an IdP with a SAML assertion
# instead of from a token, so we set token_id to None
token_id = None
# NOTE(marek-denis): This variable is set to None and there is a
# possibility that it will be used in the CADF notification. This means
# operation will not be mapped to any user (even ephemeral).
user_id = None
try:
mapped_properties, mapping_id = apply_mapping_filter(
identity_provider, protocol, assertion, resource_api,
federation_api, identity_api)
if is_ephemeral_user(mapped_properties):
user = setup_username(context, mapped_properties)
user_id = user['id']
group_ids = mapped_properties['group_ids']
utils.validate_groups_cardinality(group_ids, mapping_id)
build_ephemeral_user_context(auth_context, user, mapped_properties,
identity_provider, protocol)
else:
build_local_user_context(auth_context, mapped_properties)
except Exception:
# NOTE(topol): Diaper defense to catch any exception, so we can
# send off failed authentication notification, raise the exception
# after sending the notification
outcome = taxonomy.OUTCOME_FAILURE
notifications.send_saml_audit_notification('authenticate', context,
user_id, group_ids,
identity_provider, protocol,
token_id, outcome)
raise
else:
outcome = taxonomy.OUTCOME_SUCCESS
notifications.send_saml_audit_notification('authenticate', context,
user_id, group_ids,
identity_provider, protocol,
token_id, outcome)
def handle_unscoped_token(context, auth_payload, auth_context,
resource_api, federation_api, identity_api):
def is_ephemeral_user(mapped_properties):
return mapped_properties['user']['type'] == utils.UserType.EPHEMERAL
def build_ephemeral_user_context(auth_context, user, mapped_properties,
identity_provider, protocol):
auth_context['user_id'] = user['id']
auth_context['group_ids'] = mapped_properties['group_ids']
auth_context[federation_constants.IDENTITY_PROVIDER] = (
identity_provider)
auth_context[federation_constants.PROTOCOL] = protocol
def build_local_user_context(auth_context, mapped_properties):
user_info = auth_plugins.UserAuthInfo.create(mapped_properties,
METHOD_NAME)
auth_context['user_id'] = user_info.user_id
assertion = extract_assertion_data(context)
identity_provider = auth_payload['identity_provider']
protocol = auth_payload['protocol']
utils.assert_enabled_identity_provider(federation_api, identity_provider)
group_ids = None
# NOTE(topol): The user is coming in from an IdP with a SAML assertion
# instead of from a token, so we set token_id to None
token_id = None
# NOTE(marek-denis): This variable is set to None and there is a
# possibility that it will be used in the CADF notification. This means
# operation will not be mapped to any user (even ephemeral).
user_id = None
try:
mapped_properties, mapping_id = apply_mapping_filter(
identity_provider, protocol, assertion, resource_api,
federation_api, identity_api)
if is_ephemeral_user(mapped_properties):
user = setup_username(context, mapped_properties)
user_id = user['id']
group_ids = mapped_properties['group_ids']
utils.validate_groups_cardinality(group_ids, mapping_id)
build_ephemeral_user_context(auth_context, user,
mapped_properties,
identity_provider, protocol)
else:
build_local_user_context(auth_context, mapped_properties)
except Exception:
# NOTE(topol): Diaper defense to catch any exception, so we can
# send off failed authentication notification, raise the exception
# after sending the notification
outcome = taxonomy.OUTCOME_FAILURE
notifications.send_saml_audit_notification('authenticate', context,
user_id, group_ids,
identity_provider,
protocol, token_id,
outcome)
raise
else:
outcome = taxonomy.OUTCOME_SUCCESS
notifications.send_saml_audit_notification('authenticate', context,
user_id, group_ids,
identity_provider,
protocol, token_id,
outcome)
