IDP logout fix, add .gitignore

Make IDP logout a little more resilient by double-checking content in the cache.
Added some .gitignore for generated and copied files in idp, sp and idp2 folders.
Allow both sp and idp2 to be mounted using wsgi container.
Add static handler for css and other files in idp2.
This commit is contained in:
Andreas Richter
2014-03-07 08:22:08 -05:00
parent fdc1abc7d9
commit 4a32aab3a1
5 changed files with 71 additions and 20 deletions

example/.gitignore vendored Normal file

@@ -0,0 +1,9 @@
idp/idp_conf.py
idp2/idp.subject
idp2/idp_conf.py
sp/outstanding
sp/sp_conf.py
server.crt
server.csr
server.key
server.key.org


@@ -120,7 +120,7 @@ class Service(object):
def operation(self, _dict, binding):
logger.debug("_operation: %s" % _dict)
if not _dict:
if not _dict or not 'SAMLRequest' in _dict:
resp = BadRequest('Error parsing request or no request')
return resp(self.environ, self.start_response)
else:
@@ -335,8 +335,13 @@ class SSO(Service):
self.req_info = _info["req_info"]
del IDP.ticket[_key]
except KeyError:
self.req_info = IDP.parse_authn_request(_info["SAMLRequest"],
BINDING_HTTP_REDIRECT)
try:
self.req_info = IDP.parse_authn_request(_info["SAMLRequest"],
BINDING_HTTP_REDIRECT)
except KeyError:
resp = BadRequest("Message signature verification failure")
return resp(self.environ, self.start_response)
_req = self.req_info.message
if "SigAlg" in _info and "Signature" in _info: # Signed request
@@ -547,8 +552,11 @@ class SLO(Service):
if msg.name_id:
lid = IDP.ident.find_local_id(msg.name_id)
logger.info("local identifier: %s" % lid)
del IDP.cache.uid2user[IDP.cache.user2uid[lid]]
del IDP.cache.user2uid[lid]
if lid in IDP.cache.user2uid:
uid = IDP.cache.user2uid[lid]
if uid in IDP.cache.uid2user:
del IDP.cache.uid2user[uid]
del IDP.cache.user2uid[lid]
# remove the authentication
try:
IDP.session_db.remove_authn_statements(msg.name_id)
@@ -843,6 +851,19 @@ def metadata(environ, start_response):
logger.error("An error occured while creating metadata:" + ex.message)
return not_found(environ, start_response)
def staticfile(environ, start_response):
try:
path = args.path
if path is None or len(path) == 0:
path = os.path.dirname(os.path.abspath(__file__))
if path[-1] != "/":
path += "/"
path += environ.get('PATH_INFO', '').lstrip('/')
start_response('200 OK', [('Content-Type', "text/xml")])
return open(path, 'r').read()
except Exception as ex:
logger.error("An error occured while creating metadata:" + ex.message)
return not_found(environ, start_response)
def application(environ, start_response):
"""
@@ -900,19 +921,40 @@ def application(environ, start_response):
return func()
return callback(environ, start_response, user)
if re.search(r'static/.*', path) is not None:
return staticfile(environ, start_response)
return not_found(environ, start_response)
# ----------------------------------------------------------------------------
# allow uwsgi or gunicorn mount
# by moving some initialization out of __name__ == '__main__' section.
# uwsgi -s 0.0.0.0:8088 --protocol http --callable application --module idp
args = type('Config', (object,), { })
args.config = 'idp_conf'
args.mako_root = './'
args.path = None
import socket
from idp_user import USERS
from idp_user import EXTRA
from mako.lookup import TemplateLookup
AUTHN_BROKER = AuthnBroker()
AUTHN_BROKER.add(authn_context_class_ref(PASSWORD),
username_password_authn, 10,
"http://%s" % socket.gethostname())
AUTHN_BROKER.add(authn_context_class_ref(UNSPECIFIED),
"", 0, "http://%s" % socket.gethostname())
IDP = server.Server(args.config, cache=Cache())
IDP.ticket = {}
# ----------------------------------------------------------------------------
if __name__ == '__main__':
import socket
from idp_user import USERS
from idp_user import EXTRA
from wsgiref.simple_server import make_server
from mako.lookup import TemplateLookup
parser = argparse.ArgumentParser()
parser.add_argument('-p', dest='path', help='Path to configuration file.')
@@ -937,16 +979,11 @@ if __name__ == '__main__':
PORT = 8088
AUTHN_BROKER = AuthnBroker()
AUTHN_BROKER.add(authn_context_class_ref(PASSWORD),
username_password_authn, 10,
"http://%s" % socket.gethostname())
AUTHN_BROKER.add(authn_context_class_ref(UNSPECIFIED),
"", 0, "http://%s" % socket.gethostname())
IDP = server.Server(args.config, cache=Cache())
IDP.ticket = {}
SRV = make_server('', PORT, application)
print "IdP listening on port: %s" % PORT
SRV.serve_forever()
else:
_rot = args.mako_root
LOOKUP = TemplateLookup(directories=[_rot + 'templates', _rot + 'htdocs'],
module_directory=_rot + 'modules',
input_encoding='utf-8', output_encoding='utf-8')


@@ -0,0 +1,2 @@
/* Sample css file */


@@ -6,7 +6,7 @@
<% self.seen_css.add(path) %>
</%def>
<%def name="css()" filter="trim">
${css_link('/css/main.css', 'screen')}
${css_link('/static/css/main.css', 'screen')}
</%def>
<%def name="pre()" filter="trim">
<div class="header">


@@ -270,6 +270,9 @@ app_with_auth = make_middleware_with_config(application, {"here": "."},
# ----------------------------------------------------------------------------
PORT = 8087
# allow uwsgi or gunicorn mount
# by moving some initialization out of __name__ == '__main__' section.
# uwsgi -s 0.0.0.0:8087 --protocol http --callable app_with_auth --module idp
if __name__ == '__main__':
#make_metadata arguments