common: hash too long SAML usernames

7a09c4a7 · Kálmán Viktor · 87de80d5 · 7a09c4a7 · 7a09c4a7
Commit 7a09c4a7 authored Sep 09, 2015 by Kálmán Viktor
Show whitespace changes
Inline Side-by-side

Showing with 10 additions and 6 deletions

circle/circle/settings/test.py
+2 -0

circle/common/backends.py
+8 -6

No files found.
--- a/circle/circle/settings/test.py
+++ b/circle/circle/settings/test.py
@@ -71,3 +71,5 @@ STORE_URL = ""
 # buildbot doesn't love pipeline
 STATICFILES_STORAGE = 'django.contrib.staticfiles.storage.StaticFilesStorage'
+SAML_MAIN_ATTRIBUTE_MAX_LENGTH=0  # doctest on SAML2 backend runs either way
--- a/circle/common/backends.py
+++ b/circle/common/backends.py
@@ -18,6 +18,7 @@
 import re
 import logging
+import sha
 from django.conf import settings
 from djangosaml2.backends import Saml2Backend as Saml2BackendBase
@@ -48,14 +49,15 @@ class Saml2Backend(Saml2BackendBase):
        attr = re.sub(r'[^\w.@-]', replace, main_attribute)
        max_length = settings.SAML_MAIN_ATTRIBUTE_MAX_LENGTH
        if max_length > 0 and len(attr) > max_length:
-            logger.info("Trimming main attribute: %s" % attr)
+            logger.info("Main attribute '%s' is too long." % attr)
+            hashed = sha.new(attr).hexdigest()
            if "@" in attr:
-                parts = attr.split("@")
+                domain = attr.rsplit("@", 1)[1]
-                attr = "%s@%s" % (parts[0][:max_length-1-len(parts[1])],
+                attr = "%s@%s" % (hashed[:max_length-1-len(domain)],
-                                  parts[1])
+                                  domain)
            else:
-                attr = attr[:max_length]
+                attr = hashed[:max_length]
-            logger.info("Trimmed main attribute: %s" % attr)
+            logger.info("New main attribute: %s" % attr)
        return attr
    def _set_attribute(self, obj, attr, value):