o &zh@s^ddlmZddlmZddlmZddlmZmZGdddeZ GdddeZ e gZ d S) )HttpResponseRedirect)reverse) urlencode)ProviderProviderAccountc@s eZdZdS) SAMLAccountN)__name__ __module__ __qualname__r r h/var/www/html/kangema/venv/lib/python3.10/site-packages/allauth/socialaccount/providers/saml/provider.pyrsrcseZdZdZdZdZeZdgddgdgdd gd gd gd Zfd dZ ddZ ddZ ddZ ddZ ddZdddZZS) SAMLProvidersamlSAMLTz,urn:oasis:names:tc:SAML:attribute:subject-idz!urn:oid:0.9.2342.19200300.100.1.3zBhttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressz'http://schemas.auth0.com/email_verifiedz?http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givennamezurn:oid:2.5.4.42zurn:oid:2.5.4.4z!http://schemas.auth0.com/nickname)uidemailemail_verified first_name last_nameusernamecs.tj|i||jjp|jjp|j|_dSN)super__init__appname client_id)selfargskwargs __class__r r r(szSAMLProvider.__init__cKs,tdd|jjid}|r|dt|}|S)N saml_loginorganization_slug)r?)rrrr)rrequestrurlr r r get_login_url,szSAMLProvider.get_login_urlcCs|Sr)get_attributes)rdatar r r extract_extra_data2szSAMLProvider.extract_extra_datacCs$||d}|dur|}|S)uhttp://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/csprd01/saml-subject-id-attr-v1.0-csprd01.html Quotes: "While the Attributes defined in this profile have as a goal the explicit replacement of the element as a means of subject identification, it is certainly possible to compose them with existing NameID usage provided the same subject is being identified. This can also serve as a migration strategy for existing applications." "SAML does not define an identifier that meets all of these requirements well. It does standardize a kind of NameID termed “persistent” that meets some of them in the particular case of so-called “pairwise” identification, where an identifier varies by relying party. It has seen minimal adoption outside of a few contexts, and fails at the “compact” and “simple to handle” criteria above, on top of the disadvantages inherent with all NameID usage." Overall, our strategy is to prefer a uid resulting from explicit attribute mappings, and only if there is no such uid fallback to the NameID. rN)_extractget get_nameid)rr(rr r r extract_uid5szSAMLProvider.extract_uidcCs||}|dd|S)Nr)r*pop)rr(retr r r extract_common_fieldsRs  z"SAMLProvider.extract_common_fieldsc Cs|jj}|}i}|d|j}|D])\}}t|tr!|g}|D]}||d} | dur=t| dkr=| d||<nq#q|d} | rP| dv} | |d<|dsg| dksa|ddrg| |d<|S) Nattribute_mappingrr)true1tyyesrz6urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddressuse_nameid_for_emailF) rsettingsr'r+default_attribute_mappingitems isinstancestrlenlowerget_nameid_formatr,) rr(provider_configraw_attributes attributesr1key provider_keys provider_keyattribute_listrr r r r*Ws6        zSAMLProvider._extractNc KsJddlm}|||}|jdd}|j||||fd|i|t|S)Nr) build_auth) return_tostate_id)*allauth.socialaccount.providers.saml.utilsrGloginstash_redirect_stateget_last_request_idr) rr$processnext_urlr(rrGauthredirectr r r rRws   zSAMLProvider.redirect)NN)rr r idrsupports_redirectr account_classr9rr&r)r-r0r*rR __classcell__r r rr r s6  r N) django.httpr django.urlsrdjango.utils.httpr$allauth.socialaccount.providers.baserrrr provider_classesr r r r s   }