treat missing groups as an empty list (#40)

Comments in code, but compare... User who does not have any groups (expect empty groups claim, but get missing claim): ```xml <AttributeStatement> <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"> <AttributeValue>John.Doe@example.com</AttributeValue> </Attribute> <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"> <AttributeValue>John</AttributeValue> </Attribute> <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"> <AttributeValue>Doe</AttributeValue> </Attribute> </AttributeStatement> ``` User who _does_ have groups: ```xml <AttributeStatement> <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"> <AttributeValue>Jane.Doe@example.com</AttributeValue> </Attribute> <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"> <AttributeValue>Jane</AttributeValue> </Attribute> <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"> <AttributeValue>Doe</AttributeValue> </Attribute> <Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"> <AttributeValue>role-Netbox-Admin</AttributeValue> </Attribute> </AttributeStatement> ```
jeremyschulman · Oct 19, 2021 · 2ddf6f2 · 2ddf6f2
1 parent 4f45eec
commit 2ddf6f2
Showing 1 changed file with 11 additions and 4 deletions.
diff --git a/django3_saml2_nbplugin/backends.py b/django3_saml2_nbplugin/backends.py
@@ -153,15 +153,22 @@ def configure_user(self, request: WSGIRequest, user: User) -> User:
  user.last_name = user_ident[be_settings["LAST_NAME_ATTR"]][0]
  if "MAIL_ATTR" in be_settings:
  user.email = user_ident[be_settings["MAIL_ATTR"]][0]
- if "GROUP_ATTR" in be_settings:
- ident_groups = user_ident[be_settings["GROUP_ATTR"]]
- else:
- ident_groups = []
  except KeyError as exc:
  missing_attr = exc.args[0]
  be_name = self.__class__.__name__
  raise PermissionError(f"SAML2 backend {be_name} missing attribute: {missing_attr}")
 
+ ident_groups = []
+ try:
+ if "GROUP_ATTR" in be_settings:
+ ident_groups = user_ident[be_settings["GROUP_ATTR"]]
+ except KeyError:
+ # When we ask IdP to provide groups,
+ # we expect SAML response to include attribute with zero or more groups.
+ # However, IdP may omit the attr altogether instead of providing an empty attr.
+ # Therefore, treat missing groups as empty instead of an error.
+ pass
+
  if "FLAGS_BY_GROUP" in be_settings and "GROUP_ATTR" in be_settings:
  for flag, group_name in be_settings["FLAGS_BY_GROUP"].items():
  if group_name in ident_groups: