Read localpart / displayName from attestations configured in config

Allow the attestations that we use for localpart & displayname to be configured in the config
2019-09-09 15:04:01 +01:00
parent 55d5b3af88
commit 7c0487b01f
2 changed files with 17 additions and 5 deletions
--- a/synapse/config/saml2_config.py
+++ b/synapse/config/saml2_config.py
@@ -48,6 +48,9 @@ class SAML2Config(Config):
            saml2_config.get("saml_session_lifetime", "5m")
        )

+        self.saml2_username_attestation = saml2_config.get("username_attestation", "uid")
+        self.saml2_displayname_attestation = saml2_config.get("displayname_attestation", "displayName")
+
    def _default_saml_config_dict(self):
        import saml2

@@ -135,6 +138,13 @@ class SAML2Config(Config):
        #  # The default is 5 minutes.
        #  #
        #  # saml_session_lifetime: 5m
+        #  #
+        #  # # The ID of the attestation that will be used for the localpart of the user's Matrix ID
+        #  # # Deafault: 'uid'
+        #  # username_attestation: "uid"
+        #  #
+        #  # # The ID of the attestation that will be used for the user's display name. Default: 'displayName'
+        #  # displayname_attestation: "displayName"
        """ % {
            "config_dir_path": config_dir_path
        }
--- a/synapse/handlers/saml_handler.py
+++ b/synapse/handlers/saml_handler.py
@@ -35,6 +35,8 @@ class SamlHandler:

        self._clock = hs.get_clock()
        self._saml2_session_lifetime = hs.config.saml2_session_lifetime
+        self.saml2_username_attestation = hs.config.saml2_username_attestation
+        self.saml2_displayname_attestation = hs.config.saml2_displayname_attestation

    def handle_redirect_request(self, client_redirect_url):
        """Handle an incoming request to /login/sso/redirect
@@ -91,14 +93,14 @@ class SamlHandler:
            logger.warning("SAML2 response was not signed")
            raise SynapseError(400, "SAML2 response was not signed")

-        if "uid" not in saml2_auth.ava:
-            logger.warning("SAML2 response lacks a 'uid' attestation")
-            raise SynapseError(400, "uid not in SAML2 response")
+        if self.saml2_username_attestation not in saml2_auth.ava:
+            logger.warning("SAML2 response lacks a '%s' attestation", self.saml2_username_attestation)
+            raise SynapseError(400, "username attestation not in SAML2 response")

        self._outstanding_requests_dict.pop(saml2_auth.in_response_to, None)

-        username = saml2_auth.ava["uid"][0]
-        displayName = saml2_auth.ava.get("displayName", [None])[0]
+        username = saml2_auth.ava[self.saml2_username_attestation][0]
+        displayName = saml2_auth.ava.get(self.saml2_displayname_attestation, [None])[0]

        return self._sso_auth_handler.on_successful_auth(
            username, request, relay_state, user_display_name=displayName