Commit fcb7aaee authored by ale's avatar ale

allow auth backends to provide user emails

Uses the email as a SAML attribute.
parent 14c4c555
......@@ -33,3 +33,6 @@ class AuthBase(object):
def match_groups(self, username, groups):
return set()
def get_user_email(self, username):
return None
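Review bot: The new default `get_user_email` carries no docstring, so the contract a backend must honour (what to return when no address is known) is only implied by the `return None`. A one-line docstring would pin it: `"""Return the email address for *username*, or None if the backend has none."""`. Since this is the base-class default that every backend inherits, that sentence also tells the caller in login_required that a None result is expected and must be handled. The enclosing AuthBase class starts outside the hunk.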
......@@ -17,11 +17,12 @@ class _CredentialsCache(dict):
self._lock = threading.Lock()
self._data = {'pwcache': {}, 'otpcache': {}, 'grpcache': {}}
def update(self, pwcache, otpcache, grpcache):
def update(self, pwcache, otpcache, grpcache, mailcache):
with self._lock:
self._data['pwcache'] = pwcache
self._data['otpcache'] = otpcache
self._data['grpcache'] = grpcache
self._data['mailcache'] = mailcache
def get(self, tag):
with self._lock:
......@@ -44,7 +45,7 @@ class Updater(threading.Thread):
time.sleep(600)
def update_auth_cache(self):
pwcache, otpcache, grpcache = {}, {}, {}
pwcache, otpcache, grpcache, mailcache = {}, {}, {}, {}
for user in mdb.User.find():
if not user.enabled:
continue
......@@ -52,7 +53,9 @@ class Updater(threading.Thread):
if user.totp_key:
otpcache[user.name] = user.totp_key
grpcache[user.name] = set(x.name for x in user.groups)
self.auth_cache.update(pwcache, otpcache, grpcache)
if user.email:
mailcache[user.name] = user.email
self.auth_cache.update(pwcache, otpcache, grpcache, mailcache)
class Auth(AuthBase):
......@@ -87,3 +90,7 @@ class Auth(AuthBase):
user_groups.intersection_update(groups)
return user_groups
def get_user_email(self, username):
mailcache = self.auth_cache.get('mailcache')
return mailcache.get(username)
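Review bot: `self.auth_cache.get('mailcache')` on the line above is read from a `_CredentialsCache` whose initial `_data` dict (the context line `self._data = {'pwcache': {}, 'otpcache': {}, 'grpcache': {}}` in the first hunk of this file) is not updated to hold a `'mailcache'` entry, so until the Updater thread's first `update_auth_cache` has run the lookup either raises KeyError or yields None and `.get(username)` then fails — the body of `_CredentialsCache.get` is outside the hunk, so which of the two happens cannot be told from here. The one-line fix is to seed the key alongside the others: `self._data = {'pwcache': {}, 'otpcache': {}, 'grpcache': {}, 'mailcache': {}}`. A defensive `return (mailcache or {}).get(username)` here would additionally keep the SSO path working if the cache is ever reset. Note that `update_auth_cache` only records addresses for enabled users, so a disabled account correctly resolves to None.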
......@@ -43,3 +43,6 @@ class Auth(AuthBase):
allowed_groups = set(["group1", "group2"])
allowed_groups.intersection_update(groups)
return allowed_groups
def get_user_email(self, u):
return u + '@example.com'
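Review bot: The parameter is named `u` here while `AuthBase.get_user_email` and the other override in this commit name it `username`; a caller passing it by keyword would break on this backend, and the base and override signatures should read the same: `def get_user_email(self, username):` / `return username + '@example.com'`. This appears to be a test or example backend (the fixed `allowed_groups` above suggests so), so synthesising an address for any username is presumably intentional, but a short comment saying it is a stub, e.g. `# Test backend: every user gets a synthetic example.com address.`, would stop it being mistaken for the real contract (the base returns None when no address is known).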
......@@ -55,6 +55,10 @@ def login_required(fn):
raise NoCookieError('no cookie')
current_app.logger.info('retrieved cookie: %s', cookie)
g.sso_ticket = saml_app.sso_verifier.verify(str(cookie))
# Cheat by looking up the email using the LoginService
# private to the main app.
g.user_email = current_app.login_service.auth.get_user_email(
g.sso_ticket.user())
return fn(*args, **kwargs)
except (NoCookieError, TypeError, sso.Error) as e:
current_app.logger.error('auth failed: %s', str(e))
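Review bot: The new `get_user_email` call sits inside the `try`, but the `except` clause only catches `NoCookieError`, `TypeError` and `sso.Error`; a backend failure in the email lookup (for instance the credentials cache not having been populated yet) therefore escapes the decorator as an unhandled exception instead of being logged as `auth failed`, and the enclosing `login_required` wrapper continues past this hunk. Looking up the address by `g.sso_ticket.user()` after the ticket has been verified is the right order, since the email then comes from the server-side cache rather than anything client-controlled. I would make the lookup best-effort, `g.user_email = None` before the `try` and a narrow `except Exception` around just the lookup that logs and leaves it None, or at least extend the comment: `# Cheat by looking up the email using the LoginService private to the main app; a backend may return None, which callers must tolerate.`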
......
......@@ -8,6 +8,7 @@ import logging
import warnings
import zlib
from flask import g
from importlib import import_module
from . import base
......@@ -37,6 +38,7 @@ class SSOProcessor(base.Processor):
# Add attributes that gitlab needs (?).
self._assertion_params['ATTRIBUTES'] = {
'name': self._subject,
'email': g.user_email,
}
self._assertion_xml = xml_render.get_assertion_salesforce_xml(self._assertion_params, signed=True)
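Review bot: `'email': g.user_email` is emitted unconditionally, yet the AuthBase default added in this commit returns None when a backend has no address, so the SAML attribute may be built from None; whether `xml_render.get_assertion_salesforce_xml` drops it, fails, or serialises the literal string "None" cannot be told from this hunk, and the last outcome would hand the relying party a bogus attribute value. Only adding the attribute when an address is known avoids the question, and the assertion is signed below so the value is fixed once emitted. The `from flask import g` added to the import block also makes this processor depend on the request-global set by `login_required`; a short comment at the assignment noting that `g.user_email` is populated by that decorator would make the coupling visible. The enclosing method starts outside the hunk.
```python
        # Add attributes that gitlab needs (?).
        # g.user_email is set by login_required; a backend may return None.
        attrs = {'name': self._subject}
        if g.user_email:
            attrs['email'] = g.user_email
        self._assertion_params['ATTRIBUTES'] = attrs
        # … unchanged: assertion rendering …
```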
......