allow auth backends to provide user emails

Uses the email as a SAML attribute.

allow auth backends to provide user emails
Uses the email as a SAML attribute.
fcb7aaee · ale · 14c4c555 · fcb7aaee · fcb7aaee · fcb7aaee
Commit fcb7aaee authored Oct 15, 2016 by ale
5 changed files
--- a/src/sso_server/sso_server/auth/__init__.py
+++ b/src/sso_server/sso_server/auth/__init__.py
@@ -33,3 +33,6 @@ class AuthBase(object):

    def match_groups(self, username, groups):
        return set()
+
+    def get_user_email(self, username):
+        return None
--- a/src/sso_server/sso_server/auth/auth_machdb.py
+++ b/src/sso_server/sso_server/auth/auth_machdb.py
@@ -17,11 +17,12 @@ class _CredentialsCache(dict):
        self._lock = threading.Lock()
        self._data = {'pwcache': {}, 'otpcache': {}, 'grpcache': {}}

-    def update(self, pwcache, otpcache, grpcache):
+    def update(self, pwcache, otpcache, grpcache, mailcache):
        with self._lock:
            self._data['pwcache'] = pwcache
            self._data['otpcache'] = otpcache
            self._data['grpcache'] = grpcache
+            self._data['mailcache'] = mailcache

    def get(self, tag):
        with self._lock:
@@ -44,7 +45,7 @@ class Updater(threading.Thread):
            time.sleep(600)

    def update_auth_cache(self):
-        pwcache, otpcache, grpcache = {}, {}, {}
+        pwcache, otpcache, grpcache, mailcache = {}, {}, {}, {}
        for user in mdb.User.find():
            if not user.enabled:
                continue
@@ -52,7 +53,9 @@ class Updater(threading.Thread):
            if user.totp_key:
                otpcache[user.name] = user.totp_key
            grpcache[user.name] = set(x.name for x in user.groups)
-        self.auth_cache.update(pwcache, otpcache, grpcache)
+            if user.email:
+                mailcache[user.name] = user.email
+        self.auth_cache.update(pwcache, otpcache, grpcache, mailcache)


 class Auth(AuthBase):
@@ -87,3 +90,7 @@ class Auth(AuthBase):
        user_groups.intersection_update(groups)
        return user_groups

+    def get_user_email(self, username):
+        mailcache = self.auth_cache.get('mailcache')
+        return mailcache.get(username)
+
--- a/src/sso_server/sso_server/auth/auth_test.py
+++ b/src/sso_server/sso_server/auth/auth_test.py
@@ -43,3 +43,6 @@ class Auth(AuthBase):
        allowed_groups = set(["group1", "group2"])
        allowed_groups.intersection_update(groups)
        return allowed_groups
+
+    def get_user_email(self, u):
+        return u + '@example.com'
--- a/src/sso_server/sso_server/saml/flask_views.py
+++ b/src/sso_server/sso_server/saml/flask_views.py
@@ -55,6 +55,10 @@ def login_required(fn):
                raise NoCookieError('no cookie')
            current_app.logger.info('retrieved cookie: %s', cookie)
            g.sso_ticket = saml_app.sso_verifier.verify(str(cookie))
+            # Cheat by looking up the email using the LoginService
+            # private to the main app.
+            g.user_email = current_app.login_service.auth.get_user_email(
+                g.sso_ticket.user())
            return fn(*args, **kwargs)
        except (NoCookieError, TypeError, sso.Error) as e:
            current_app.logger.error('auth failed: %s', str(e))

--- a/src/sso_server/sso_server/saml/registry.py
+++ b/src/sso_server/sso_server/saml/registry.py
@@ -8,6 +8,7 @@ import logging
 import warnings
 import zlib

+from flask import g
 from importlib import import_module

 from . import base
@@ -37,6 +38,7 @@ class SSOProcessor(base.Processor):
        # Add attributes that gitlab needs (?).
        self._assertion_params['ATTRIBUTES'] = {
            'name': self._subject,
+            'email': g.user_email,
        }
        self._assertion_xml = xml_render.get_assertion_salesforce_xml(self._assertion_params, signed=True)