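def apply_mapping_filter(identity_provider, protocol, assertion,
                         assignment_api, federation_api, identity_api):
    """Evaluate the IdP/protocol mapping rules over a federated assertion.

    Looks up the mapping registered for ``identity_provider`` and
    ``protocol``, runs its JSON rules against ``assertion`` and returns the
    mapped properties with every group resolved to a backend group id.

    :param identity_provider: id of the IdP named in the auth payload. This
        value is caller-supplied, so the assertion is bound to it (below)
        before any mapping rule is applied.
    :param protocol: federation protocol id used to select the mapping.
    :param assertion: attribute dict extracted from the incoming assertion.
    :param assignment_api: passed through to group-name resolution.
    :param federation_api: provides ``get_idp`` and
        ``get_mapping_from_idp_and_protocol``.
    :param identity_api: used to check and resolve groups in the backend.
    :returns: the ``mapped_properties`` dict produced by the rule processor,
        with ``group_ids`` replaced by the de-duplicated union of the ids
        mapped directly and the ids resolved from ``group_names``.
    :raises: whatever ``utils.validate_idp`` and the group validators raise;
        nothing is caught here, so a failed check aborts the authentication.
    """
    # Bind the assertion to the IdP the caller selected before any rule runs.
    # ``identity_provider`` comes from the auth payload and chooses the
    # mapping rules; without this check nothing verifies that the assertion
    # was actually issued by that IdP. validate_idp is expected to perform
    # that check (presumably against the IdP's registered remote ids) --
    # confirm against its implementation in utils.
    idp = federation_api.get_idp(identity_provider)
    utils.validate_idp(idp, assertion)

    mapping = federation_api.get_mapping_from_idp_and_protocol(
        identity_provider, protocol)
    rules = jsonutils.loads(mapping['rules'])
    LOG.debug('using the following rules: %s', rules)
    rule_processor = utils.RuleProcessor(rules)
    mapped_properties = rule_processor.process(assertion)

    # NOTE(marek-denis): We update group_ids only here to avoid fetching
    # groups identified by name/domain twice.
    # NOTE(marek-denis): Groups are translated from name/domain to their
    # corresponding ids in the auth plugin, as we need information what
    # ``mapping_id`` was used as well as identity_api and assignment_api
    # objects.
    # Ids mapped directly must exist in the backend; name-based groups are
    # then resolved and appended to the same list (in place).
    group_ids = mapped_properties['group_ids']
    utils.validate_groups_in_backend(group_ids, mapping['id'], identity_api)
    group_ids.extend(
        utils.transform_to_group_ids(
            mapped_properties['group_names'], mapping['id'],
            identity_api, assignment_api))
    utils.validate_groups_cardinality(group_ids, mapping['id'])
    # A group mapped both by id and by name would otherwise appear twice;
    # note that set() does not preserve the original order.
    mapped_properties['group_ids'] = list(set(group_ids))
    return mapped_properties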
def apply_mapping_filter(identity_provider, protocol, assertion,
                         assignment_api, federation_api, identity_api):
    """Map a federated assertion to local user/group properties.

    The assertion is first tied to ``identity_provider`` via
    ``utils.validate_idp`` (``identity_provider`` comes from the auth
    payload, so it must not be trusted to select the mapping on its own).
    The mapping registered for that IdP and ``protocol`` is then evaluated
    and all groups are resolved to backend group ids.

    :param identity_provider: IdP id from the auth payload.
    :param protocol: federation protocol id selecting the mapping.
    :param assertion: attribute dict extracted from the assertion.
    :param assignment_api: forwarded to ``utils.transform_to_group_ids``.
    :param federation_api: source of the IdP and the mapping.
    :param identity_api: backend used to validate/resolve groups.
    :returns: the rule processor's ``mapped_properties`` dict, whose
        ``group_ids`` entry is replaced by the de-duplicated union of
        directly mapped ids and ids resolved from ``group_names``.
    :raises: any error from ``validate_idp`` or the group validators; none
        are caught here.

    NOTE(review): ``handle_unscoped_token`` in this module unpacks a
    ``(mapped_properties, mapping_id)`` pair from this call, whereas this
    definition returns only ``mapped_properties`` -- confirm which contract
    is current before relying on either.
    """
    idp_ref = federation_api.get_idp(identity_provider)
    utils.validate_idp(idp_ref, assertion)

    mapping_ref = federation_api.get_mapping_from_idp_and_protocol(
        identity_provider, protocol)
    mapping_id = mapping_ref['id']
    mapping_rules = jsonutils.loads(mapping_ref['rules'])
    LOG.debug('using the following rules: %s', mapping_rules)

    mapped_properties = utils.RuleProcessor(mapping_rules).process(assertion)

    # NOTE(marek-denis): We update group_ids only here to avoid fetching
    # groups identified by name/domain twice.
    # NOTE(marek-denis): Groups are translated from name/domain to their
    # corresponding ids in the auth plugin, as we need information what
    # ``mapping_id`` was used as well as identity_api and assignment_api
    # objects.
    # ``resolved_ids`` is the very list stored in mapped_properties, so the
    # extend below mutates it in place exactly as before.
    resolved_ids = mapped_properties['group_ids']
    utils.validate_groups_in_backend(resolved_ids, mapping_id, identity_api)
    ids_from_names = utils.transform_to_group_ids(
        mapped_properties['group_names'], mapping_id,
        identity_api, assignment_api)
    resolved_ids.extend(ids_from_names)
    utils.validate_groups_cardinality(resolved_ids, mapping_id)

    # Drop duplicates (set() discards ordering).
    mapped_properties['group_ids'] = list(set(resolved_ids))
    return mapped_properties
def handle_unscoped_token(context, auth_payload: dict, auth_context: dict,
                          resource_api, federation_api, identity_api) -> None:
    """Authenticate a federated user from an assertion (unscoped request).

    Extracts the assertion from ``context``, checks that the IdP named in
    ``auth_payload`` is enabled, runs the mapping and populates
    ``auth_context`` for the caller. A CADF audit notification is sent on
    both success and failure.

    :param context: request context the assertion is extracted from.
    :param auth_payload: dict carrying ``identity_provider`` and
        ``protocol``; both values are caller-controlled.
    :param auth_context: mutated in place: ``user_id`` is always set; for
        ephemeral users ``group_ids``, the IdP and the protocol are set too.
    :param resource_api: passed to ``apply_mapping_filter``.
    :param federation_api: used for the enabled-IdP check and the mapping.
    :param identity_api: passed to ``apply_mapping_filter``.
    :raises: re-raises any exception from the mapping/user setup after the
        failure notification has been sent.
    """

    def is_ephemeral_user(mapped_properties) -> bool:
        # Ephemeral users are not persisted identity users; they are
        # materialised by setup_username below.
        return mapped_properties['user']['type'] == utils.UserType.EPHEMERAL

    def build_ephemeral_user_context(auth_context, user, mapped_properties,
                                     identity_provider, protocol):
        # Everything the token needs for an ephemeral user comes from the
        # mapping result plus the IdP/protocol that produced it.
        auth_context['user_id'] = user['id']
        auth_context['group_ids'] = mapped_properties['group_ids']
        auth_context[federation_constants.IDENTITY_PROVIDER] = (
            identity_provider)
        auth_context[federation_constants.PROTOCOL] = protocol

    def build_local_user_context(auth_context, mapped_properties):
        # Local (non-ephemeral) users are resolved through the regular auth
        # plugin machinery; only user_id is recorded here.
        user_info = auth_plugins.UserAuthInfo.create(mapped_properties,
                                                     METHOD_NAME)
        auth_context['user_id'] = user_info.user_id

    assertion = extract_assertion_data(context)
    identity_provider = auth_payload['identity_provider']
    protocol = auth_payload['protocol']

    # Only the "enabled" state of the caller-named IdP is checked here.
    # Binding the assertion to that IdP (so an assertion from one IdP cannot
    # be run through another IdP's mapping) is left to apply_mapping_filter
    # and its validate_idp call -- confirm the version in use performs it.
    utils.assert_enabled_identity_provider(federation_api, identity_provider)

    group_ids = None
    # NOTE(topol): The user is coming in from an IdP with a SAML assertion
    # instead of from a token, so we set token_id to None
    token_id = None
    # NOTE(marek-denis): This variable is set to None and there is a
    # possibility that it will be used in the CADF notification. This means
    # operation will not be mapped to any user (even ephemeral).
    user_id = None

    try:
        # NOTE(review): this expects a (mapped_properties, mapping_id) pair
        # and passes resource_api in the position the apply_mapping_filter
        # definitions earlier in this module call assignment_api; those
        # definitions also return only mapped_properties. Confirm the two
        # are from the same revision -- unpacking a dict here would raise,
        # or silently bind two keys if it happened to have exactly two.
        mapped_properties, mapping_id = apply_mapping_filter(
            identity_provider, protocol, assertion, resource_api,
            federation_api, identity_api)

        if is_ephemeral_user(mapped_properties):
            user = setup_username(context, mapped_properties)
            # user_id is only ever set on this branch, so the success
            # audit event for a local user below reports user_id=None.
            user_id = user['id']
            group_ids = mapped_properties['group_ids']
            # Cardinality is re-checked here even though
            # apply_mapping_filter already validates it.
            utils.validate_groups_cardinality(group_ids, mapping_id)
            build_ephemeral_user_context(auth_context, user,
                                         mapped_properties,
                                         identity_provider, protocol)
        else:
            build_local_user_context(auth_context, mapped_properties)

    except Exception:
        # NOTE(topol): Diaper defense to catch any exception, so we can
        # send off failed authentication notification, raise the exception
        # after sending the notification
        # The re-raise is what keeps this from becoming an auth bypass: the
        # broad catch exists only so the audit trail records the failure,
        # with whatever user_id/group_ids had been resolved by that point.
        outcome = taxonomy.OUTCOME_FAILURE
        notifications.send_saml_audit_notification('authenticate', context,
                                                   user_id, group_ids,
                                                   identity_provider,
                                                   protocol, token_id,
                                                   outcome)
        raise
    else:
        outcome = taxonomy.OUTCOME_SUCCESS
        notifications.send_saml_audit_notification('authenticate', context,
                                                   user_id, group_ids,
                                                   identity_provider,
                                                   protocol, token_id,
                                                   outcome)