Add configuration setting for CAS protocol version (#15816)
parent
efdb87c898
commit
aeeca2a62e
|
@ -0,0 +1 @@
|
||||||
|
Add configuration setting for CAS protocol version. Contributed by Aurélien Grimpard.
|
|
@ -3420,6 +3420,7 @@ Has the following sub-options:
|
||||||
to style the login flow according to the identity provider in question.
|
to style the login flow according to the identity provider in question.
|
||||||
See the [spec](https://spec.matrix.org/latest/) for possible options here.
|
See the [spec](https://spec.matrix.org/latest/) for possible options here.
|
||||||
* `server_url`: The URL of the CAS authorization endpoint.
|
* `server_url`: The URL of the CAS authorization endpoint.
|
||||||
|
* `protocol_version`: The CAS protocol version, defaults to none (version 3 is required if you want to use "required_attributes").
|
||||||
* `displayname_attribute`: The attribute of the CAS response to use as the display name.
|
* `displayname_attribute`: The attribute of the CAS response to use as the display name.
|
||||||
If no name is given here, no displayname will be set.
|
If no name is given here, no displayname will be set.
|
||||||
* `required_attributes`: It is possible to configure Synapse to only allow logins if CAS attributes
|
* `required_attributes`: It is possible to configure Synapse to only allow logins if CAS attributes
|
||||||
|
@ -3433,6 +3434,7 @@ Example configuration:
|
||||||
cas_config:
|
cas_config:
|
||||||
enabled: true
|
enabled: true
|
||||||
server_url: "https://cas-server.com"
|
server_url: "https://cas-server.com"
|
||||||
|
protocol_version: 3
|
||||||
displayname_attribute: name
|
displayname_attribute: name
|
||||||
required_attributes:
|
required_attributes:
|
||||||
userGroup: "staff"
|
userGroup: "staff"
|
||||||
|
|
|
@ -18,7 +18,7 @@ from typing import Any, List
|
||||||
from synapse.config.sso import SsoAttributeRequirement
|
from synapse.config.sso import SsoAttributeRequirement
|
||||||
from synapse.types import JsonDict
|
from synapse.types import JsonDict
|
||||||
|
|
||||||
from ._base import Config
|
from ._base import Config, ConfigError
|
||||||
from ._util import validate_config
|
from ._util import validate_config
|
||||||
|
|
||||||
|
|
||||||
|
@ -41,6 +41,16 @@ class CasConfig(Config):
|
||||||
public_baseurl = self.root.server.public_baseurl
|
public_baseurl = self.root.server.public_baseurl
|
||||||
self.cas_service_url = public_baseurl + "_matrix/client/r0/login/cas/ticket"
|
self.cas_service_url = public_baseurl + "_matrix/client/r0/login/cas/ticket"
|
||||||
|
|
||||||
|
self.cas_protocol_version = cas_config.get("protocol_version")
|
||||||
|
if (
|
||||||
|
self.cas_protocol_version is not None
|
||||||
|
and self.cas_protocol_version not in [1, 2, 3]
|
||||||
|
):
|
||||||
|
raise ConfigError(
|
||||||
|
"Unsupported CAS protocol version %s (only versions 1, 2, 3 are supported)"
|
||||||
|
% (self.cas_protocol_version,),
|
||||||
|
("cas_config", "protocol_version"),
|
||||||
|
)
|
||||||
self.cas_displayname_attribute = cas_config.get("displayname_attribute")
|
self.cas_displayname_attribute = cas_config.get("displayname_attribute")
|
||||||
required_attributes = cas_config.get("required_attributes") or {}
|
required_attributes = cas_config.get("required_attributes") or {}
|
||||||
self.cas_required_attributes = _parsed_required_attributes_def(
|
self.cas_required_attributes = _parsed_required_attributes_def(
|
||||||
|
@ -54,6 +64,7 @@ class CasConfig(Config):
|
||||||
else:
|
else:
|
||||||
self.cas_server_url = None
|
self.cas_server_url = None
|
||||||
self.cas_service_url = None
|
self.cas_service_url = None
|
||||||
|
self.cas_protocol_version = None
|
||||||
self.cas_displayname_attribute = None
|
self.cas_displayname_attribute = None
|
||||||
self.cas_required_attributes = []
|
self.cas_required_attributes = []
|
||||||
|
|
||||||
|
|
|
@ -67,6 +67,7 @@ class CasHandler:
|
||||||
|
|
||||||
self._cas_server_url = hs.config.cas.cas_server_url
|
self._cas_server_url = hs.config.cas.cas_server_url
|
||||||
self._cas_service_url = hs.config.cas.cas_service_url
|
self._cas_service_url = hs.config.cas.cas_service_url
|
||||||
|
self._cas_protocol_version = hs.config.cas.cas_protocol_version
|
||||||
self._cas_displayname_attribute = hs.config.cas.cas_displayname_attribute
|
self._cas_displayname_attribute = hs.config.cas.cas_displayname_attribute
|
||||||
self._cas_required_attributes = hs.config.cas.cas_required_attributes
|
self._cas_required_attributes = hs.config.cas.cas_required_attributes
|
||||||
|
|
||||||
|
@ -121,7 +122,10 @@ class CasHandler:
|
||||||
Returns:
|
Returns:
|
||||||
The parsed CAS response.
|
The parsed CAS response.
|
||||||
"""
|
"""
|
||||||
uri = self._cas_server_url + "/proxyValidate"
|
if self._cas_protocol_version == 3:
|
||||||
|
uri = self._cas_server_url + "/p3/proxyValidate"
|
||||||
|
else:
|
||||||
|
uri = self._cas_server_url + "/proxyValidate"
|
||||||
args = {
|
args = {
|
||||||
"ticket": ticket,
|
"ticket": ticket,
|
||||||
"service": self._build_service_param(service_args),
|
"service": self._build_service_param(service_args),
|
||||||
|
|
Loading…
Reference in New Issue