
Read localpart / displayName from attestations configured in config

Allow the attestations that we use for localpart & displayname to
be configured in the config
This commit is contained in:
David Baker
2019-09-09 15:04:01 +01:00
parent 55d5b3af88
commit 7c0487b01f
2 changed files with 17 additions and 5 deletions


@@ -48,6 +48,9 @@ class SAML2Config(Config):
saml2_config.get("saml_session_lifetime", "5m")
)
self.saml2_username_attestation = saml2_config.get("username_attestation", "uid")
self.saml2_displayname_attestation = saml2_config.get("displayname_attestation", "displayName")
def _default_saml_config_dict(self):
import saml2
@@ -135,6 +138,13 @@ class SAML2Config(Config):
# # The default is 5 minutes.
# #
# # saml_session_lifetime: 5m
# #
# # # The ID of the attestation that will be used for the localpart of the user's Matrix ID
# # # Deafault: 'uid'
# # username_attestation: "uid"
# #
# # # The ID of the attestation that will be used for the user's display name. Default: 'displayName'
# # displayname_attestation: "displayName"
""" % {
"config_dir_path": config_dir_path
}
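Review bot: The sample config added in the second hunk misspells the default ("Deafault") and documents the two defaults in different layouts (one on its own line, one inline); since this block is what operators paste into their homeserver config it should read `# # # The ID of the attestation that will be used for the localpart of the user's Matrix ID. Default: 'uid'` to match the displayname entry. The new keys are named `*_attestation`, but the values are looked up in `saml2_auth.ava`, which in pysaml2 is the attribute dictionary from the assertion, so `username_attribute` / `displayname_attribute` would match the vocabulary operators see in their IdP's attribute mapping — worth settling before the option ships, since renaming a config key later is a compatibility break. The `saml2_config.get(...)` calls in the first hunk also accept any YAML type; a non-string value is not rejected at startup and only shows up at login time as the misleading "username attestation not in SAML2 response" 400, so a `str` check with a `ConfigError` here would fail earlier and more clearly.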


@@ -35,6 +35,8 @@ class SamlHandler:
self._clock = hs.get_clock()
self._saml2_session_lifetime = hs.config.saml2_session_lifetime
self.saml2_username_attestation = hs.config.saml2_username_attestation
self.saml2_displayname_attestation = hs.config.saml2_displayname_attestation
def handle_redirect_request(self, client_redirect_url):
"""Handle an incoming request to /login/sso/redirect
@@ -91,14 +93,14 @@ class SamlHandler:
logger.warning("SAML2 response was not signed")
raise SynapseError(400, "SAML2 response was not signed")
if "uid" not in saml2_auth.ava:
logger.warning("SAML2 response lacks a 'uid' attestation")
raise SynapseError(400, "uid not in SAML2 response")
if self.saml2_username_attestation not in saml2_auth.ava:
logger.warning("SAML2 response lacks a '%s' attestation", self.saml2_username_attestation)
raise SynapseError(400, "username attestation not in SAML2 response")
self._outstanding_requests_dict.pop(saml2_auth.in_response_to, None)
username = saml2_auth.ava["uid"][0]
displayName = saml2_auth.ava.get("displayName", [None])[0]
username = saml2_auth.ava[self.saml2_username_attestation][0]
displayName = saml2_auth.ava.get(self.saml2_displayname_attestation, [None])[0]
return self._sso_auth_handler.on_successful_auth(
username, request, relay_state, user_display_name=displayName
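Review bot: The new lookups still index `[0]` on whatever list the IdP returned, so an attribute that is present but carries no values (legal in a SAML assertion) raises IndexError and surfaces as a 500 instead of the 400 the guard just above is meant to produce, because that guard only checks key membership. Checking the value instead of the key closes the gap: `if not saml2_auth.ava.get(self.saml2_username_attestation):`, and for the display name `displayName = (saml2_auth.ava.get(self.saml2_displayname_attestation) or [None])[0]`; the warning would then be more accurate as `"SAML2 response lacks a non-empty '%s' attestation"`. The chosen value is handed to on_successful_auth as the localpart with no validation visible in this hunk; whether that helper rejects values that are not a valid Matrix localpart is outside the hunk, so it is worth confirming now that the source attribute is operator-configurable. The enclosing method starts before this hunk and its return statement continues past it.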