saml: Extract logic for determining if subdomain is allowed by an attr.

This logic has some trickiness due to the need to handle root subdomain
aliases, so this is worth extracting into a helper for use in other
backends.
This commit is contained in:
Mateusz Mandera 2020-08-15 17:27:09 +02:00 committed by Tim Abbott
parent a0dea84edb
commit f078509105
1 changed files with 17 additions and 11 deletions

View File

@ -204,6 +204,22 @@ def common_get_active_user(email: str, realm: Realm,
return user_profile return user_profile
def is_subdomain_in_allowed_subdomains_list(subdomain: str, allowed_subdomains: List[str]) -> bool:
if subdomain in allowed_subdomains:
return True
# The root subdomain is a special case, as sending an
# empty string in the list of values of the attribute may
# not be viable. So, any of the ROOT_SUBDOMAIN_ALIASES can
# be used to signify the user is authorized for the root
# subdomain.
if (subdomain == Realm.SUBDOMAIN_FOR_ROOT_DOMAIN
and not settings.ROOT_DOMAIN_LANDING_PAGE
and any(alias in allowed_subdomains for alias in settings.ROOT_SUBDOMAIN_ALIASES)):
return True
return False
AuthFuncT = TypeVar('AuthFuncT', bound=Callable[..., Optional[UserProfile]]) AuthFuncT = TypeVar('AuthFuncT', bound=Callable[..., Optional[UserProfile]])
rate_limiting_rules = settings.RATE_LIMITING_RULES['authenticate_by_username'] rate_limiting_rules = settings.RATE_LIMITING_RULES['authenticate_by_username']
@ -1850,17 +1866,7 @@ class SAMLAuthBackend(SocialAuthMixin, SAMLAuth):
entitlements = [entitlements, ] entitlements = [entitlements, ]
assert isinstance(entitlements, list) assert isinstance(entitlements, list)
if subdomain in entitlements: if is_subdomain_in_allowed_subdomains_list(subdomain, entitlements):
return
# The root subdomain is a special case, as sending an
# empty string in the list of values of the attribute may
# not be viable. So, any of the ROOT_SUBDOMAIN_ALIASES can
# be used to signify the user is authorized for the root
# subdomain.
if (subdomain == Realm.SUBDOMAIN_FOR_ROOT_DOMAIN
and not settings.ROOT_DOMAIN_LANDING_PAGE
and any(alias in entitlements for alias in settings.ROOT_SUBDOMAIN_ALIASES)):
return return
error_msg = f"SAML user from IdP {idp.name} rejected due to missing entitlement " + \ error_msg = f"SAML user from IdP {idp.name} rejected due to missing entitlement " + \