Delegate remote_user_id mapping to the saml mapping provider (#6723)

Turns out that figuring out a remote user id for the SAML user isn't quite as obvious as it seems. Factor it out to the SamlMappingProvider so that it's easy to control.
Richard van der Hoff 2020-01-17 10:32:47 +00:00 committed by GitHub
parent a8a50f5b57
commit 2b6a77fcde
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 23 additions and 6 deletions

changelog.d/6723.misc Normal file

@ -0,0 +1 @@
Updates to the SAML mapping provider API.


@ -121,6 +121,7 @@ class SAML2Config(Config):
required_methods = [ required_methods = [
"get_saml_attributes", "get_saml_attributes",
"saml_response_to_user_attributes", "saml_response_to_user_attributes",
"get_remote_user_id",
] ]
missing_methods = [ missing_methods = [
method method
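Review bot: Adding `"get_remote_user_id"` to `required_methods` makes the new method mandatory for every custom mapping provider, so an existing deployment with a third-party provider will refuse to start until that provider is updated, and the changelog entry "Updates to the SAML mapping provider API." does not convey that. I would spell the new requirement out in the changelog or upgrade notes, or, if a transition period is wanted, fall back to the default implementation when a provider lacks the method and log a deprecation warning. Enforcing the check at config-load time rather than at first login is the right choice, so the placement itself is good. The enclosing method starts and ends outside this hunk.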


@ -135,14 +135,15 @@ class SamlHandler:
logger.info("SAML2 response: %s", saml2_auth.origxml) logger.info("SAML2 response: %s", saml2_auth.origxml)
logger.info("SAML2 mapped attributes: %s", saml2_auth.ava) logger.info("SAML2 mapped attributes: %s", saml2_auth.ava)
try:
remote_user_id = saml2_auth.ava["uid"][0]
except KeyError:
logger.warning("SAML2 response lacks a 'uid' attestation")
raise SynapseError(400, "'uid' not in SAML2 response")
self._outstanding_requests_dict.pop(saml2_auth.in_response_to, None) self._outstanding_requests_dict.pop(saml2_auth.in_response_to, None)
remote_user_id = self._user_mapping_provider.get_remote_user_id(
saml2_auth, client_redirect_url
)
if not remote_user_id:
raise Exception("Failed to extract remote user id from SAML response")
with (await self._mapping_lock.queue(self._auth_provider_id)): with (await self._mapping_lock.queue(self._auth_provider_id)):
# first of all, check if we already have a mapping for this user # first of all, check if we already have a mapping for this user
logger.info( logger.info(
@ -279,6 +280,20 @@ class DefaultSamlMappingProvider(object):
self._mxid_source_attribute = parsed_config.mxid_source_attribute self._mxid_source_attribute = parsed_config.mxid_source_attribute
self._mxid_mapper = parsed_config.mxid_mapper self._mxid_mapper = parsed_config.mxid_mapper
self._grandfathered_mxid_source_attribute = (
module_api._hs.config.saml2_grandfathered_mxid_source_attribute
)
def get_remote_user_id(
self, saml_response: saml2.response.AuthnResponse, client_redirect_url: str
):
"""Extracts the remote user id from the SAML response"""
try:
return saml_response.ava["uid"][0]
except KeyError:
logger.warning("SAML2 response lacks a 'uid' attestation")
raise SynapseError(400, "'uid' not in SAML2 response")
def saml_response_to_user_attributes( def saml_response_to_user_attributes(
self, self,
saml_response: saml2.response.AuthnResponse, saml_response: saml2.response.AuthnResponse,
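Review bot: The docstring added for `get_remote_user_id` ("Extracts the remote user id from the SAML response") does not state the contract the handler now depends on: the return value is the key used to look up or create the local account mapping (see "check if we already have a mapping for this user" in the first hunk), so it must be a non-empty identifier that is stable and unique per IdP user, since a provider that returns a non-unique attribute would let one IdP user resolve to another's account. Because every custom provider must now implement this method, I would expand the docstring to say that, name the return type, say that `client_redirect_url` is unused by the default implementation, and state that a `SynapseError(400, ...)` is the way to reject a response. Relatedly, the handler's guard `if not remote_user_id:` raises a bare `Exception` rather than a `SynapseError`, so an empty return from a provider surfaces as an internal error instead of a 400; if that is intentional for a misbehaving provider, a comment saying so would help. In the same hunk, reading `module_api._hs.config.saml2_grandfathered_mxid_source_attribute` reaches through a private attribute of the module API, which is worth a comment or a public accessor. The method modified in the first hunk starts and ends outside the hunk.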