Delegate remote_user_id mapping to the saml mapping provider (#6723)

Turns out that figuring out a remote user id for the SAML user isn't quite as obvious as it seems. Factor it out to the SamlMappingProvider so that it's easy to control.
2020-01-17 10:32:47 +00:00 · 2020-01-17 10:32:47 +00:00 · 2b6a77fcde
parent a8a50f5b57
commit 2b6a77fcde
3 changed files with 23 additions and 6 deletions
--- a/changelog.d/6723.misc
+++ b/changelog.d/6723.misc
@ -0,0 +1 @@
+Updates to the SAML mapping provider API.
--- a/synapse/config/saml2_config.py
+++ b/synapse/config/saml2_config.py
@ -121,6 +121,7 @@ class SAML2Config(Config):
        required_methods = [
            "get_saml_attributes",
            "saml_response_to_user_attributes",
+            "get_remote_user_id",
        ]
        missing_methods = [
            method
--- a/synapse/handlers/saml_handler.py
+++ b/synapse/handlers/saml_handler.py
@ -135,14 +135,15 @@ class SamlHandler:
        logger.info("SAML2 response: %s", saml2_auth.origxml)
        logger.info("SAML2 mapped attributes: %s", saml2_auth.ava)

-        try:
-            remote_user_id = saml2_auth.ava["uid"][0]
-        except KeyError:
-            logger.warning("SAML2 response lacks a 'uid' attestation")
-            raise SynapseError(400, "'uid' not in SAML2 response")
-
        self._outstanding_requests_dict.pop(saml2_auth.in_response_to, None)

+        remote_user_id = self._user_mapping_provider.get_remote_user_id(
+            saml2_auth, client_redirect_url
+        )
+
+        if not remote_user_id:
+            raise Exception("Failed to extract remote user id from SAML response")
+
        with (await self._mapping_lock.queue(self._auth_provider_id)):
            # first of all, check if we already have a mapping for this user
            logger.info(
@ -279,6 +280,20 @@ class DefaultSamlMappingProvider(object):
        self._mxid_source_attribute = parsed_config.mxid_source_attribute
        self._mxid_mapper = parsed_config.mxid_mapper

+        self._grandfathered_mxid_source_attribute = (
+            module_api._hs.config.saml2_grandfathered_mxid_source_attribute
+        )
+
+    def get_remote_user_id(
+        self, saml_response: saml2.response.AuthnResponse, client_redirect_url: str
+    ):
+        """Extracts the remote user id from the SAML response"""
+        try:
+            return saml_response.ava["uid"][0]
+        except KeyError:
+            logger.warning("SAML2 response lacks a 'uid' attestation")
+            raise SynapseError(400, "'uid' not in SAML2 response")
+
    def saml_response_to_user_attributes(
        self,
        saml_response: saml2.response.AuthnResponse,