Support CAS in UI Auth flows. (#7186)

2025-11-13 20:10:46 -05:00 · 2020-04-03 15:35:05 -04:00 · 2020-04-03 15:35:05 -04:00 · 694d8bed0e
commit 694d8bed0e
parent b0db928c63
5 changed files with 137 additions and 89 deletions
--- a/synapse/rest/client/v1/login.py
+++ b/synapse/rest/client/v1/login.py
@ -425,7 +425,9 @@ class CasRedirectServlet(BaseSSORedirectServlet):
        self._cas_handler = hs.get_cas_handler()

    def get_sso_url(self, client_redirect_url: bytes) -> bytes:
-        return self._cas_handler.handle_redirect_request(client_redirect_url)
+        return self._cas_handler.get_redirect_url(
+            {"redirectUrl": client_redirect_url}
+        ).encode("ascii")


 class CasTicketServlet(RestServlet):
@ -436,10 +438,20 @@ class CasTicketServlet(RestServlet):
        self._cas_handler = hs.get_cas_handler()

    async def on_GET(self, request: SynapseRequest) -> None:
-        client_redirect_url = parse_string(request, "redirectUrl", required=True)
+        client_redirect_url = parse_string(request, "redirectUrl")
        ticket = parse_string(request, "ticket", required=True)
-        await self._cas_handler.handle_ticket_request(
-            request, client_redirect_url, ticket
+
+        # Maybe get a session ID (if this ticket is from user interactive
+        # authentication).
+        session = parse_string(request, "session")
+
+        # Either client_redirect_url or session must be provided.
+        if not client_redirect_url and not session:
+            message = "Missing string query parameter redirectUrl or session"
+            raise SynapseError(400, message, errcode=Codes.MISSING_PARAM)
+
+        await self._cas_handler.handle_ticket(
+            request, ticket, client_redirect_url, session
        )


--- a/synapse/rest/client/v2_alpha/auth.py
+++ b/synapse/rest/client/v2_alpha/auth.py
@ -111,6 +111,11 @@ class AuthRestServlet(RestServlet):
        self._saml_enabled = hs.config.saml2_enabled
        if self._saml_enabled:
            self._saml_handler = hs.get_saml_handler()
+        self._cas_enabled = hs.config.cas_enabled
+        if self._cas_enabled:
+            self._cas_handler = hs.get_cas_handler()
+            self._cas_server_url = hs.config.cas_server_url
+            self._cas_service_url = hs.config.cas_service_url

    def on_GET(self, request, stagetype):
        session = parse_string(request, "session")
@ -133,14 +138,27 @@ class AuthRestServlet(RestServlet):
                % (CLIENT_API_PREFIX, LoginType.TERMS),
            }

-        elif stagetype == LoginType.SSO and self._saml_enabled:
+        elif stagetype == LoginType.SSO:
            # Display a confirmation page which prompts the user to
            # re-authenticate with their SSO provider.
-            client_redirect_url = ""
-            sso_redirect_url = self._saml_handler.handle_redirect_request(
-                client_redirect_url, session
-            )
+            if self._cas_enabled:
+                # Generate a request to CAS that redirects back to an endpoint
+                # to verify the successful authentication.
+                sso_redirect_url = self._cas_handler.get_redirect_url(
+                    {"session": session},
+                )
+
+            elif self._saml_enabled:
+                client_redirect_url = ""
+                sso_redirect_url = self._saml_handler.handle_redirect_request(
+                    client_redirect_url, session
+                )
+
+            else:
+                raise SynapseError(400, "Homeserver not configured for SSO.")
+
            html = self.auth_handler.start_sso_ui_auth(sso_redirect_url, session)
+
        else:
            raise SynapseError(404, "Unknown auth stage type")