Allows CAS SSO flow to provide user IDs composed of numbers only (#17098)

This commit is contained in:
Aurélien Grimpard 2024-05-14 14:55:32 +02:00 committed by GitHub
parent bd8d8865fb
commit 7d82987b27
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 30 additions and 0 deletions

View file

@ -0,0 +1 @@
Add the ability to allow numeric user IDs with a specific prefix when in the CAS flow. Contributed by Aurélien Grimpard.

View file

@ -3558,6 +3558,15 @@ Has the following sub-options:
users. This allows the CAS SSO flow to be limited to sign in only, rather than users. This allows the CAS SSO flow to be limited to sign in only, rather than
automatically registering users that have a valid SSO login but do not have automatically registering users that have a valid SSO login but do not have
a pre-registered account. Defaults to true. a pre-registered account. Defaults to true.
* `allow_numeric_ids`: set to 'true' allow numeric user IDs (default false).
This allows CAS SSO flow to provide user IDs composed of numbers only.
These identifiers will be prefixed by the letter "u" by default.
The prefix can be configured using the "numeric_ids_prefix" option.
Be careful to choose the prefix correctly to avoid any possible conflicts
(e.g. user 1234 becomes u1234 when a user u1234 already exists).
* `numeric_ids_prefix`: the prefix you wish to add in front of a numeric user ID
when the "allow_numeric_ids" option is set to "true".
By default, the prefix is the letter "u" and only alphanumeric characters are allowed.
*Added in Synapse 1.93.0.* *Added in Synapse 1.93.0.*
@ -3572,6 +3581,8 @@ cas_config:
userGroup: "staff" userGroup: "staff"
department: None department: None
enable_registration: true enable_registration: true
allow_numeric_ids: true
numeric_ids_prefix: "numericuser"
``` ```
--- ---
### `sso` ### `sso`

View file

@ -66,6 +66,17 @@ class CasConfig(Config):
self.cas_enable_registration = cas_config.get("enable_registration", True) self.cas_enable_registration = cas_config.get("enable_registration", True)
self.cas_allow_numeric_ids = cas_config.get("allow_numeric_ids")
self.cas_numeric_ids_prefix = cas_config.get("numeric_ids_prefix")
if (
self.cas_numeric_ids_prefix is not None
and self.cas_numeric_ids_prefix.isalnum() is False
):
raise ConfigError(
"Only alphanumeric characters are allowed for numeric IDs prefix",
("cas_config", "numeric_ids_prefix"),
)
self.idp_name = cas_config.get("idp_name", "CAS") self.idp_name = cas_config.get("idp_name", "CAS")
self.idp_icon = cas_config.get("idp_icon") self.idp_icon = cas_config.get("idp_icon")
self.idp_brand = cas_config.get("idp_brand") self.idp_brand = cas_config.get("idp_brand")
@ -77,6 +88,8 @@ class CasConfig(Config):
self.cas_displayname_attribute = None self.cas_displayname_attribute = None
self.cas_required_attributes = [] self.cas_required_attributes = []
self.cas_enable_registration = False self.cas_enable_registration = False
self.cas_allow_numeric_ids = False
self.cas_numeric_ids_prefix = "u"
# CAS uses a legacy required attributes mapping, not the one provided by # CAS uses a legacy required attributes mapping, not the one provided by

View file

@ -78,6 +78,8 @@ class CasHandler:
self._cas_displayname_attribute = hs.config.cas.cas_displayname_attribute self._cas_displayname_attribute = hs.config.cas.cas_displayname_attribute
self._cas_required_attributes = hs.config.cas.cas_required_attributes self._cas_required_attributes = hs.config.cas.cas_required_attributes
self._cas_enable_registration = hs.config.cas.cas_enable_registration self._cas_enable_registration = hs.config.cas.cas_enable_registration
self._cas_allow_numeric_ids = hs.config.cas.cas_allow_numeric_ids
self._cas_numeric_ids_prefix = hs.config.cas.cas_numeric_ids_prefix
self._http_client = hs.get_proxied_http_client() self._http_client = hs.get_proxied_http_client()
@ -188,6 +190,9 @@ class CasHandler:
for child in root[0]: for child in root[0]:
if child.tag.endswith("user"): if child.tag.endswith("user"):
user = child.text user = child.text
# if numeric user IDs are allowed and username is numeric then we add the prefix so Synapse can handle it
if self._cas_allow_numeric_ids and user is not None and user.isdigit():
user = f"{self._cas_numeric_ids_prefix}{user}"
if child.tag.endswith("attributes"): if child.tag.endswith("attributes"):
for attribute in child: for attribute in child:
# ElementTree library expands the namespace in # ElementTree library expands the namespace in