Add configuration setting for CAS protocol version (#15816)

pull/16180/head
Aurélien Grimpard 2023-08-24 22:11:23 +02:00 committed by GitHub
parent efdb87c898
commit aeeca2a62e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 20 additions and 2 deletions

View File

@ -0,0 +1 @@
Add configuration setting for CAS protocol version. Contributed by Aurélien Grimpard.

View File

@ -3420,6 +3420,7 @@ Has the following sub-options:
to style the login flow according to the identity provider in question. to style the login flow according to the identity provider in question.
See the [spec](https://spec.matrix.org/latest/) for possible options here. See the [spec](https://spec.matrix.org/latest/) for possible options here.
* `server_url`: The URL of the CAS authorization endpoint. * `server_url`: The URL of the CAS authorization endpoint.
* `protocol_version`: The CAS protocol version, defaults to none (version 3 is required if you want to use "required_attributes").
* `displayname_attribute`: The attribute of the CAS response to use as the display name. * `displayname_attribute`: The attribute of the CAS response to use as the display name.
If no name is given here, no displayname will be set. If no name is given here, no displayname will be set.
* `required_attributes`: It is possible to configure Synapse to only allow logins if CAS attributes * `required_attributes`: It is possible to configure Synapse to only allow logins if CAS attributes
@ -3433,6 +3434,7 @@ Example configuration:
cas_config: cas_config:
enabled: true enabled: true
server_url: "https://cas-server.com" server_url: "https://cas-server.com"
protocol_version: 3
displayname_attribute: name displayname_attribute: name
required_attributes: required_attributes:
userGroup: "staff" userGroup: "staff"

View File

@ -18,7 +18,7 @@ from typing import Any, List
from synapse.config.sso import SsoAttributeRequirement from synapse.config.sso import SsoAttributeRequirement
from synapse.types import JsonDict from synapse.types import JsonDict
from ._base import Config from ._base import Config, ConfigError
from ._util import validate_config from ._util import validate_config
@ -41,6 +41,16 @@ class CasConfig(Config):
public_baseurl = self.root.server.public_baseurl public_baseurl = self.root.server.public_baseurl
self.cas_service_url = public_baseurl + "_matrix/client/r0/login/cas/ticket" self.cas_service_url = public_baseurl + "_matrix/client/r0/login/cas/ticket"
self.cas_protocol_version = cas_config.get("protocol_version")
if (
self.cas_protocol_version is not None
and self.cas_protocol_version not in [1, 2, 3]
):
raise ConfigError(
"Unsupported CAS protocol version %s (only versions 1, 2, 3 are supported)"
% (self.cas_protocol_version,),
("cas_config", "protocol_version"),
)
self.cas_displayname_attribute = cas_config.get("displayname_attribute") self.cas_displayname_attribute = cas_config.get("displayname_attribute")
required_attributes = cas_config.get("required_attributes") or {} required_attributes = cas_config.get("required_attributes") or {}
self.cas_required_attributes = _parsed_required_attributes_def( self.cas_required_attributes = _parsed_required_attributes_def(
@ -54,6 +64,7 @@ class CasConfig(Config):
else: else:
self.cas_server_url = None self.cas_server_url = None
self.cas_service_url = None self.cas_service_url = None
self.cas_protocol_version = None
self.cas_displayname_attribute = None self.cas_displayname_attribute = None
self.cas_required_attributes = [] self.cas_required_attributes = []

View File

@ -67,6 +67,7 @@ class CasHandler:
self._cas_server_url = hs.config.cas.cas_server_url self._cas_server_url = hs.config.cas.cas_server_url
self._cas_service_url = hs.config.cas.cas_service_url self._cas_service_url = hs.config.cas.cas_service_url
self._cas_protocol_version = hs.config.cas.cas_protocol_version
self._cas_displayname_attribute = hs.config.cas.cas_displayname_attribute self._cas_displayname_attribute = hs.config.cas.cas_displayname_attribute
self._cas_required_attributes = hs.config.cas.cas_required_attributes self._cas_required_attributes = hs.config.cas.cas_required_attributes
@ -121,7 +122,10 @@ class CasHandler:
Returns: Returns:
The parsed CAS response. The parsed CAS response.
""" """
uri = self._cas_server_url + "/proxyValidate" if self._cas_protocol_version == 3:
uri = self._cas_server_url + "/p3/proxyValidate"
else:
uri = self._cas_server_url + "/proxyValidate"
args = { args = {
"ticket": ticket, "ticket": ticket,
"service": self._build_service_param(service_args), "service": self._build_service_param(service_args),