Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Add configuration setting for CAS protocol version #15816

Merged
merged 12 commits into from
Aug 24, 2023
1 change: 1 addition & 0 deletions changelog.d/15816.feature
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Add configuration setting for CAS protocol version. Contributed by Aurélien Grimpard.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2 changes: 2 additions & 0 deletions docs/usage/configuration/config_documentation.md
Original file line number Diff line number Diff line change
Expand Up @@ -3337,6 +3337,7 @@ Has the following sub-options:
* `enabled`: Set this to true to enable authorization against a CAS server.
Defaults to false.
* `server_url`: The URL of the CAS authorization endpoint.
* `protocol_version`: The CAS protocol version, defaults to none (version 3 is required if you want to use "required_attributes").
* `displayname_attribute`: The attribute of the CAS response to use as the display name.
If no name is given here, no displayname will be set.
* `required_attributes`: It is possible to configure Synapse to only allow logins if CAS attributes
Expand All @@ -3350,6 +3351,7 @@ Example configuration:
cas_config:
enabled: true
server_url: "https://cas-server.com"
protocol_version: 3
displayname_attribute: name
required_attributes:
userGroup: "staff"
Expand Down
2 changes: 2 additions & 0 deletions synapse/config/cas.py
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,7 @@ def read_config(self, config: JsonDict, **kwargs: Any) -> None:
public_baseurl = self.root.server.public_baseurl
self.cas_service_url = public_baseurl + "_matrix/client/r0/login/cas/ticket"

self.cas_protocol_version = cas_config.get("protocol_version")
agrimpard marked this conversation as resolved.
Show resolved Hide resolved
self.cas_displayname_attribute = cas_config.get("displayname_attribute")
required_attributes = cas_config.get("required_attributes") or {}
self.cas_required_attributes = _parsed_required_attributes_def(
Expand All @@ -50,6 +51,7 @@ def read_config(self, config: JsonDict, **kwargs: Any) -> None:
else:
self.cas_server_url = None
self.cas_service_url = None
self.cas_protocol_version = None
self.cas_displayname_attribute = None
self.cas_required_attributes = []

Expand Down
6 changes: 5 additions & 1 deletion synapse/handlers/cas.py
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,7 @@ def __init__(self, hs: "HomeServer"):

self._cas_server_url = hs.config.cas.cas_server_url
self._cas_service_url = hs.config.cas.cas_service_url
self._cas_protocol_version = hs.config.cas.cas_protocol_version
self._cas_displayname_attribute = hs.config.cas.cas_displayname_attribute
self._cas_required_attributes = hs.config.cas.cas_required_attributes

Expand Down Expand Up @@ -120,7 +121,10 @@ async def _validate_ticket(
Returns:
The parsed CAS response.
"""
uri = self._cas_server_url + "/proxyValidate"
if self._cas_protocol_version == 3:
uri = self._cas_server_url + "/p3/proxyValidate"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems legit -> spec docs for CAS protocol version 3: https://apereo.github.io/cas/6.6.x/protocol/CAS-Protocol-Specification.html#29-p3proxyvalidate-cas-30

2.9. /p3/proxyValidate [CAS 3.0]

/p3/proxyValidate MUST perform the same validation tasks as /p3/serviceValidate and additionally validate proxy tickets. See Section 2.8.

2.8. /p3/serviceValidate [CAS 3.0]

/p3/serviceValidate MUST perform the same validation tasks as /serviceValidate and additionally return user attributes in the CAS response. See Section 2.5 and Section 2.5.7 for details.

2.5.7 Example response with custom attributes

<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>username</cas:user>
    <cas:attributes>
      <cas:firstname>John</cas:firstname>
      <cas:lastname>Doe</cas:lastname>
      <cas:title>Mr.</cas:title>
      <cas:email>[email protected]</cas:email>
      <cas:affiliation>staff</cas:affiliation>
      <cas:affiliation>faculty</cas:affiliation>
    </cas:attributes>
    <cas:proxyGrantingTicket>PGTIOU-84678-8a9d...</cas:proxyGrantingTicket>
  </cas:authenticationSuccess>
</cas:serviceResponse>

else:
uri = self._cas_server_url + "/proxyValidate"
args = {
"ticket": ticket,
"service": self._build_service_param(service_args),
Expand Down