Update the OpenID API extension to work with IPA

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2021-03-26 12:07:59 +01:00 · 2021-03-26 12:07:59 +01:00 · 75dd1b934c
commit 75dd1b934c
parent 0bd1e309ac
1 changed files with 27 additions and 15 deletions
--- a/ipsilon/providers/openid/extensions/api.py
+++ b/ipsilon/providers/openid/extensions/api.py
@ -2,10 +2,8 @@

 from __future__ import absolute_import

-try:
-    from ipsilon.info.infofas import fas_make_userdata
-except ImportError:
-    fas_make_userdata = None
+from python_freeipa.client_meta import ClientMeta as IPAClient
+
 from ipsilon.providers.openid.extensions.common import OpenidExtensionBase
 import ipsilon.root
 from ipsilon.util.page import Page
@ -13,6 +11,7 @@ from ipsilon.util.user import User

 import json
 import inspect
+from configparser import ConfigParser


 class OpenidExtension(OpenidExtensionBase):
@ -57,7 +56,6 @@ class APIV1Page(Page):
                        'message': 'Missing argument: %s' % arg
                        }

-        fas = self.root_obj.login.fas.lm
        openid = self.root_obj.openid

        openid_request = None
@ -85,15 +83,30 @@ class APIV1Page(Page):
        password = arguments['password']
        user = None
        userdata = None
-        try:
-            _, user = fas.fpc.login(username, password)
-            if fas_make_userdata is None:
-                userdata = fas.page.make_userdata(user.user)
-            else:
-                userdata = fas_make_userdata(user.user)
-        except Exception as ex:
-            print('Error during auth: %s' % ex)
-            pass
+
+        # Check auth with IPA directly
+        ipa_config = ConfigParser()
+        ipa_config.read("/etc/ipa/default.conf")
+        ipa_server = ipa_config.get("global", "server", fallback=None)
+        ipa = IPAClient(ipa_server, verify_ssl="/etc/ipa/ca.crt")
+        auth = ipa.login(username, password)
+        if auth and auth.logged_in:
+            user = ipa.user_find(whoami=True)["result"][0]
+            userdata = {
+                "nickname": user["uid"][0],
+                "fullname": user["displayname"][0],
+                "_groups": user["memberof_group"],
+                "email": user["mail"][0],
+                "givenname": user["givenname"],  # It's not a list? WTF?
+                "surname": user["sn"][0],
+                "zoneinfo": user["fastimezone"][0],
+            }
+            userdata["human_name"] = userdata["fullname"]
+            userdata["name"] = userdata["fullname"]
+            userdata["preferred_username"] = userdata["nickname"]
+            userdata["_username"] = userdata["nickname"]
+        else:
+            print('Error during auth: %s' % auth.login_exception)

        if user is None or userdata is None:
            print('No user or data: %s, %s' % (user, userdata))
@ -110,4 +123,3 @@ class APIV1Page(Page):
        openid_response = openid.cfg.server.signatory.sign(openid_response).fields.toPostArgs()
        return {'success': True,
                'response': openid_response}
-