fjddlmZddlmZddlmZddlmZmZGddeZ GddeZ e gZ y ) )HttpResponseRedirect)reverse) urlencode)ProviderProviderAccountc eZdZy) SAMLAccountN)__name__ __module__ __qualname__h/var/www/cs2snipe.com/venv/lib/python3.12/site-packages/allauth/socialaccount/providers/saml/provider.pyr r srr cveZdZdZdZdZeZdgddgdgdd gd gd gd Zfd Z dZ dZ dZ dZ dZddZxZS) SAMLProvidersamlSAMLTz,urn:oasis:names:tc:SAML:attribute:subject-idz!urn:oid:0.9.2342.19200300.100.1.3zBhttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressz'http://schemas.auth0.com/email_verifiedz?http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givennamezurn:oid:2.5.4.42zurn:oid:2.5.4.4z!http://schemas.auth0.com/nickname)uidemailemail_verified first_name last_nameusernamect||i||jjxs$|jjxs |j|_yN)super__init__appname client_id)selfargskwargs __class__s rrzSAMLProvider.__init__(s< $)&)HHMMDTXX%7%7D499 rc rtdd|jji}|r|dzt|z}|S)N saml_loginorganization_slug)r#?)rrr r)r!requestr#urls r get_login_urlzSAMLProvider.get_login_url,s9l,?ASAS+TU )i//C rc"|jSr)get_attributes)r!datas rextract_extra_datazSAMLProvider.extract_extra_data2s""$$rcj|j|jd}||j}|S)uhttp://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/csprd01/saml-subject-id-attr-v1.0-csprd01.html Quotes: "While the Attributes defined in this profile have as a goal the explicit replacement of the element as a means of subject identification, it is certainly possible to compose them with existing NameID usage provided the same subject is being identified. This can also serve as a migration strategy for existing applications." "SAML does not define an identifier that meets all of these requirements well. It does standardize a kind of NameID termed “persistent” that meets some of them in the particular case of so-called “pairwise” identification, where an identifier varies by relying party. It has seen minimal adoption outside of a few contexts, and fails at the “compact” and “simple to handle” criteria above, on top of the disadvantages inherent with all NameID usage." Overall, our strategy is to prefer a uid resulting from explicit attribute mappings, and only if there is no such uid fallback to the NameID. r)_extractget get_nameid)r!r.rs r extract_uidzSAMLProvider.extract_uid5s30mmD!%%e, ;//#C rcL|j|}|jdd|S)Nr)r1pop)r!r.rets rextract_common_fieldsz"SAMLProvider.extract_common_fieldsRs#mmD! t rc2|jj}|j}i}|jd|j}|j D]L\}}t |tr|g}|D]/}|j|d} | t| dkDs'| d||<LN|jd} | r| jdv} | |d<|jds8|jdk(s|jddr|j|d<|S) Nattribute_mappingrr)true1tyyesrz6urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddressuse_nameid_for_emailF) rsettingsr-r2default_attribute_mappingitems isinstancestrlenlowerget_nameid_formatr3) r!r.provider_configraw_attributes attributesr:key provider_keys provider_keyattribute_listrs rr1zSAMLProvider._extractWs4((++,,. +// !?!? #4"9"9";  C--!. -  !/!3!3L$!G!-#n2E2I&4Q&7JsO   $(89 +1137UUN+9J' (~~g&  " " $G H""#95A"&//"3Jw rc ddlm}|||}|jd}|j||||fd|j i|t |S)Nr) build_auth) return_tostate_id)*allauth.socialaccount.providers.saml.utilsrQloginstash_redirect_stateget_last_request_idr) r!r)processnext_urlr.r#rQauthredirects rr\zSAMLProvider.redirectwsiI'4(:::+!!!      --/    $H--r)NN)r r r idrsupports_redirectr account_classrBrr+r/r4r8r1r\ __classcell__)r$s@rrr s B DM ;  0 P 6  N    0 %!.E %: @.rrN) django.httpr django.urlsrdjango.utils.httpr$allauth.socialaccount.providers.baserrr rprovider_classesr rrrfs6,'J / z.8z.z!>r