Change OIDC engine to not be federated

We don't need linking, just the ability to perform lookup
2017-06-09 17:21:37 -04:00 · 2017-06-09 17:21:37 -04:00 · ed897c7cb0
commit ed897c7cb0
parent bc82edb2d1
8 changed files with 78 additions and 25 deletions
--- a/data/users/oidc.py
+++ b/data/users/oidc.py
@ -1,6 +1,6 @@
 import logging

-from data.users.federated import FederatedUsers, UserInformation
+from data import model
 from oauth.loginmanager import OAuthLoginManager
 from oauth.oidc import PublicKeyLoadException
 from util.security.jwtutil import InvalidTokenError
@ -13,29 +13,29 @@ class UnknownServiceException(Exception):
  pass


-class OIDCInternalAuth(FederatedUsers):
+class OIDCInternalAuth(object):
  """ Handles authentication by delegating authentication to a signed OIDC JWT produced by the
      configured OIDC service.
  """
  def __init__(self, config, login_service_id, requires_email):
-    super(OIDCInternalAuth, self).__init__('oidc', requires_email)
    login_manager = OAuthLoginManager(config)
+
+    self.login_service_id = login_service_id
    self.login_service = login_manager.get_service(login_service_id)
    if self.login_service is None:
      raise UnknownServiceException('Unknown OIDC login service %s' % login_service_id)

+  @property
+  def federated_service(self):
+    return None
+
  @property
  def supports_encrypted_credentials(self):
    # Since the "password" is already a signed JWT.
    return False

-  def get_user(self, username_or_email):
-    return (None, 'Cannot retrieve users for OIDC')
-
-  def query_users(self, query, limit=20):
-    return (None, 'Cannot query users for OIDC')
-
  def verify_credentials(self, username_or_email, id_token):
+    # Parse the ID token.
    try:
      payload = self.login_service.decode_user_jwt(id_token)
    except InvalidTokenError as ite:
@ -45,5 +45,39 @@ class OIDCInternalAuth(FederatedUsers):
      logger.exception('Could not load public key during OIDC decode: %s', pke.message)
      return (None, 'Could not validate OIDC token')

-    user_info = UserInformation(username=payload['sub'], id=payload['sub'], email=None)
-    return (user_info, None)
+    # Find the user ID.
+    user_id = payload['sub']
+
+    # Lookup the federated login and user record with that matching ID and service.
+    user_found = model.user.verify_federated_login(self.login_service_id, user_id)
+    if user_found is None:
+      return (None, 'User does not exist')
+
+    if not user_found.enabled:
+      return (None, 'User account is disabled. Please contact your administrator.')
+
+    return (user_found, None)
+
+  def verify_and_link_user(self, username_or_email, password):
+    return self.verify_credentials(username_or_email, password)
+
+  def confirm_existing_user(self, username, password):
+    return self.verify_credentials(username, password)
+
+  def link_user(self, username_or_email):
+    return (None, 'Unsupported for this authentication system')
+
+  def get_and_link_federated_user_info(self, user_info):
+    return (None, 'Unsupported for this authentication system')
+
+  def query_users(self, query, limit):
+    return (None, '', '')
+
+  def check_group_lookup_args(self, group_lookup_args):
+    return (False, 'Not supported')
+
+  def iterate_group_members(self, group_lookup_args, page_size=None, disable_pagination=False):
+    return (None, 'Not supported')
+
+  def service_metadata(self):
+    return {}