Combine the SSO Redirect Servlets (#9015)

* Implement CasHandler.handle_redirect_request ... to make it match OidcHandler and SamlHandler * Clean up interface for OidcHandler.handle_redirect_request Make it accept `client_redirect_url=None`. * Clean up interface for `SamlHandler.handle_redirect_request` ... bring it into line with CAS and OIDC by making it take a Request parameter, move the magic for `client_redirect_url` for UIA into the handler, and fix the return type to be a `str` rather than a `bytes`. * Define a common protocol for SSO auth provider impls * Give SsoIdentityProvider an ID and register them * Combine the SSO Redirect servlets Now that the SsoHandler knows about the identity providers, we can combine the various *RedirectServlets into a single implementation which delegates to the right IdP. * changelog
2025-05-07 15:04:58 -04:00 · 2021-01-04 18:13:49 +00:00 · 2021-01-04 18:13:49 +00:00 · d2c616a413
commit d2c616a413
parent 31b1905e13
8 changed files with 174 additions and 113 deletions
--- a/synapse/handlers/cas_handler.py
+++ b/synapse/handlers/cas_handler.py
@ -75,10 +75,12 @@ class CasHandler:
        self._http_client = hs.get_proxied_http_client()

        # identifier for the external_ids table
-        self._auth_provider_id = "cas"
+        self.idp_id = "cas"

        self._sso_handler = hs.get_sso_handler()

+        self._sso_handler.register_identity_provider(self)
+
    def _build_service_param(self, args: Dict[str, str]) -> str:
        """
        Generates a value to use as the "service" parameter when redirecting or
@ -105,7 +107,7 @@ class CasHandler:
        Args:
            ticket: The CAS ticket from the client.
            service_args: Additional arguments to include in the service URL.
-                Should be the same as those passed to `get_redirect_url`.
+                Should be the same as those passed to `handle_redirect_request`.

        Raises:
            CasError: If there's an error parsing the CAS response.
@ -184,16 +186,31 @@ class CasHandler:

        return CasResponse(user, attributes)

-    def get_redirect_url(self, service_args: Dict[str, str]) -> str:
-        """
-        Generates a URL for the CAS server where the client should be redirected.
+    async def handle_redirect_request(
+        self,
+        request: SynapseRequest,
+        client_redirect_url: Optional[bytes],
+        ui_auth_session_id: Optional[str] = None,
+    ) -> str:
+        """Generates a URL for the CAS server where the client should be redirected.

        Args:
-            service_args: Additional arguments to include in the final redirect URL.
+            request: the incoming HTTP request
+            client_redirect_url: the URL that we should redirect the
+                client to after login (or None for UI Auth).
+            ui_auth_session_id: The session ID of the ongoing UI Auth (or
+                None if this is a login).

        Returns:
-            The URL to redirect the client to.
+            URL to redirect to
        """
+
+        if ui_auth_session_id:
+            service_args = {"session": ui_auth_session_id}
+        else:
+            assert client_redirect_url
+            service_args = {"redirectUrl": client_redirect_url.decode("utf8")}
+
        args = urllib.parse.urlencode(
            {"service": self._build_service_param(service_args)}
        )
@ -275,7 +292,7 @@ class CasHandler:
        # first check if we're doing a UIA
        if session:
            return await self._sso_handler.complete_sso_ui_auth_request(
-                self._auth_provider_id, cas_response.username, session, request,
+                self.idp_id, cas_response.username, session, request,
            )

        # otherwise, we're handling a login request.
@ -375,7 +392,7 @@ class CasHandler:
            return None

        await self._sso_handler.complete_sso_login_request(
-            self._auth_provider_id,
+            self.idp_id,
            cas_response.username,
            request,
            client_redirect_url,