Merge remote-tracking branch 'upstream/master'

example/idp2/idp.py

@@ -1,24 +1,24 @@
 #!/usr/bin/env python
-import importlib
 import argparse
 import base64
-import re
+import importlib
 import logging
-import time
-from hashlib import sha1
-
-from urlparse import parse_qs
-from Cookie import SimpleCookie
 import os
-from saml2.profile import ecp
+import re
+import socket
+import time
+
+from Cookie import SimpleCookie
+from hashlib import sha1
+from urlparse import parse_qs
 
-from saml2 import server
 from saml2 import BINDING_HTTP_ARTIFACT
 from saml2 import BINDING_URI
 from saml2 import BINDING_PAOS
 from saml2 import BINDING_SOAP
 from saml2 import BINDING_HTTP_REDIRECT
 from saml2 import BINDING_HTTP_POST
+from saml2 import server
 from saml2 import time_util
 
 from saml2.authn_context import AuthnBroker
@@ -35,6 +35,7 @@ from saml2.httputil import BadRequest
 from saml2.httputil import ServiceError
 from saml2.ident import Unknown
 from saml2.metadata import create_metadata_string
+from saml2.profile import ecp
 from saml2.s_utils import rndstr
 from saml2.s_utils import exception_trace
 from saml2.s_utils import UnknownPrincipal
@@ -43,6 +44,10 @@ from saml2.s_utils import PolicyError
 from saml2.sigver import verify_redirect_signature
 from saml2.sigver import encrypt_cert_from_item
 
+from idp_user import USERS
+from idp_user import EXTRA
+from mako.lookup import TemplateLookup
+
 logger = logging.getLogger("saml2.idp")
 
 
@@ -716,7 +721,7 @@ class ATTR(Service):
         name_id = _query.subject.name_id
         uid = name_id.text
         logger.debug("Local uid: %s" % uid)
-        identity = EXTRA[uid]
+        identity = EXTRA[self.user]
 
         # Comes in over SOAP so only need to construct the response
         args = IDP.response_args(_query, [BINDING_SOAP])
@@ -948,32 +953,6 @@ def application(environ, start_response):
 
 # ----------------------------------------------------------------------------
 
-# allow uwsgi or gunicorn mount
-# by moving some initialization out of __name__ == '__main__' section.
-# uwsgi -s 0.0.0.0:8088 --protocol http --callable application --module idp
-
-args = type('Config', (object,), { })
-args.config = 'idp_conf'
-args.mako_root = './'
-args.path = None
-
-import socket
-from idp_user import USERS
-from idp_user import EXTRA
-from mako.lookup import TemplateLookup
-
-AUTHN_BROKER = AuthnBroker()
-AUTHN_BROKER.add(authn_context_class_ref(PASSWORD),
-                 username_password_authn, 10,
-                 "http://%s" % socket.gethostname())
-AUTHN_BROKER.add(authn_context_class_ref(UNSPECIFIED),
-                 "", 0, "http://%s" % socket.gethostname())
-CONFIG = importlib.import_module(args.config)
-IDP = server.Server(args.config, cache=Cache())
-IDP.ticket = {}
-
-# ----------------------------------------------------------------------------
-
 if __name__ == '__main__':
     from wsgiref.simple_server import make_server
 
@@ -993,6 +972,16 @@ if __name__ == '__main__':
     parser.add_argument(dest="config")
     args = parser.parse_args()
 
+    AUTHN_BROKER = AuthnBroker()
+    AUTHN_BROKER.add(authn_context_class_ref(PASSWORD),
+                     username_password_authn, 10,
+                     "http://%s" % socket.gethostname())
+    AUTHN_BROKER.add(authn_context_class_ref(UNSPECIFIED),
+                     "", 0, "http://%s" % socket.gethostname())
+    CONFIG = importlib.import_module(args.config)
+    IDP = server.Server(args.config, cache=Cache())
+    IDP.ticket = {}
+
     _rot = args.mako_root
     LOOKUP = TemplateLookup(directories=[_rot + 'templates', _rot + 'htdocs'],
                             module_directory=_rot + 'modules',
@@ -1004,8 +993,3 @@ if __name__ == '__main__':
     SRV = make_server(HOST, PORT, application)
     print "IdP listening on %s:%s" % (HOST, PORT)
     SRV.serve_forever()
-else:
-    _rot = args.mako_root
-    LOOKUP = TemplateLookup(directories=[_rot + 'templates', _rot + 'htdocs'],
-                            module_directory=_rot + 'modules',
-                            input_encoding='utf-8', output_encoding='utf-8')

example/sp-wsgi/sp.xml

@@ -1,34 +1,93 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<ns0:EntityDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ns1="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns4="http://www.w3.org/2000/09/xmldsig#" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" entityID="http://localhost:8087/sp.xml"><ns0:Extensions><ns1:EntityAttributes><ns2:Attribute Name="http://macedir.org/entity-category"><ns2:AttributeValue xsi:type="xs:string">http://www.geant.net/uri/dataprotection-code-of-conduct/v1</ns2:AttributeValue></ns2:Attribute></ns1:EntityAttributes></ns0:Extensions><ns0:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"><ns0:KeyDescriptor use="encryption"><ns4:KeyInfo><ns4:X509Data><ns4:X509Certificate>MIIC8jCCAlugAwIBAgIJAJHg2V5J31I8MA0GCSqGSIb3DQEBBQUAMFoxCzAJBgNV
+<ns0:EntityDescriptor xmlns:ns0="urn:oasis:names:tc:SAML:2.0:metadata"
-BAYTAlNFMQ0wCwYDVQQHEwRVbWVhMRgwFgYDVQQKEw9VbWVhIFVuaXZlcnNpdHkx
+                      xmlns:ns1="urn:oasis:names:tc:SAML:metadata:attribute"
-EDAOBgNVBAsTB0lUIFVuaXQxEDAOBgNVBAMTB1Rlc3QgU1AwHhcNMDkxMDI2MTMz
+                      xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion"
-MTE1WhcNMTAxMDI2MTMzMTE1WjBaMQswCQYDVQQGEwJTRTENMAsGA1UEBxMEVW1l
+                      xmlns:ns4="http://www.w3.org/2000/09/xmldsig#"
-YTEYMBYGA1UEChMPVW1lYSBVbml2ZXJzaXR5MRAwDgYDVQQLEwdJVCBVbml0MRAw
+                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-DgYDVQQDEwdUZXN0IFNQMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDkJWP7
+                      entityID="http://localhost:8087/sp.xml">
-bwOxtH+E15VTaulNzVQ/0cSbM5G7abqeqSNSs0l0veHr6/ROgW96ZeQ57fzVy2MC
+    <ns0:Extensions>
-FiQRw2fzBs0n7leEmDJyVVtBTavYlhAVXDNa3stgvh43qCfLx+clUlOvtnsoMiiR
+        <ns1:EntityAttributes>
-mo7qf0BoPKTj7c0uLKpDpEbAHQT4OF1HRYVxMwIDAQABo4G/MIG8MB0GA1UdDgQW
+            <ns2:Attribute Name="http://macedir.org/entity-category">
-BBQ7RgbMJFDGRBu9o3tDQDuSoBy7JjCBjAYDVR0jBIGEMIGBgBQ7RgbMJFDGRBu9
+                <ns2:AttributeValue xsi:type="xs:string">
-o3tDQDuSoBy7JqFepFwwWjELMAkGA1UEBhMCU0UxDTALBgNVBAcTBFVtZWExGDAW
+                    http://www.geant.net/uri/dataprotection-code-of-conduct/v1
-BgNVBAoTD1VtZWEgVW5pdmVyc2l0eTEQMA4GA1UECxMHSVQgVW5pdDEQMA4GA1UE
+                </ns2:AttributeValue>
-AxMHVGVzdCBTUIIJAJHg2V5J31I8MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF
+            </ns2:Attribute>
-BQADgYEAMuRwwXRnsiyWzmRikpwinnhTmbooKm5TINPE7A7gSQ710RxioQePPhZO
+        </ns1:EntityAttributes>
-zkM27NnHTrCe2rBVg0EGz7QTd1JIwLPvgoj4VTi/fSha/tXrYUaqc9AqU1kWI4WN
+    </ns0:Extensions>
-+vffBGQ09mo+6CffuFTZYeOhzP/2stAPwCTU4kxEoiy0KpZMANI=
+    <ns0:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
-</ns4:X509Certificate></ns4:X509Data></ns4:KeyInfo></ns0:KeyDescriptor><ns0:KeyDescriptor use="signing"><ns4:KeyInfo><ns4:X509Data><ns4:X509Certificate>MIIC8jCCAlugAwIBAgIJAJHg2V5J31I8MA0GCSqGSIb3DQEBBQUAMFoxCzAJBgNV
+                         protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
-BAYTAlNFMQ0wCwYDVQQHEwRVbWVhMRgwFgYDVQQKEw9VbWVhIFVuaXZlcnNpdHkx
+        <ns0:KeyDescriptor use="encryption">
-EDAOBgNVBAsTB0lUIFVuaXQxEDAOBgNVBAMTB1Rlc3QgU1AwHhcNMDkxMDI2MTMz
+            <ns4:KeyInfo>
-MTE1WhcNMTAxMDI2MTMzMTE1WjBaMQswCQYDVQQGEwJTRTENMAsGA1UEBxMEVW1l
+                <ns4:X509Data>
-YTEYMBYGA1UEChMPVW1lYSBVbml2ZXJzaXR5MRAwDgYDVQQLEwdJVCBVbml0MRAw
+                    <ns4:X509Certificate>
-DgYDVQQDEwdUZXN0IFNQMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDkJWP7
+                        MIIC8jCCAlugAwIBAgIJAJHg2V5J31I8MA0GCSqGSIb3DQEBBQUAMFoxCzAJBgNV
-bwOxtH+E15VTaulNzVQ/0cSbM5G7abqeqSNSs0l0veHr6/ROgW96ZeQ57fzVy2MC
+                        BAYTAlNFMQ0wCwYDVQQHEwRVbWVhMRgwFgYDVQQKEw9VbWVhIFVuaXZlcnNpdHkx
-FiQRw2fzBs0n7leEmDJyVVtBTavYlhAVXDNa3stgvh43qCfLx+clUlOvtnsoMiiR
+                        EDAOBgNVBAsTB0lUIFVuaXQxEDAOBgNVBAMTB1Rlc3QgU1AwHhcNMDkxMDI2MTMz
-mo7qf0BoPKTj7c0uLKpDpEbAHQT4OF1HRYVxMwIDAQABo4G/MIG8MB0GA1UdDgQW
+                        MTE1WhcNMTAxMDI2MTMzMTE1WjBaMQswCQYDVQQGEwJTRTENMAsGA1UEBxMEVW1l
-BBQ7RgbMJFDGRBu9o3tDQDuSoBy7JjCBjAYDVR0jBIGEMIGBgBQ7RgbMJFDGRBu9
+                        YTEYMBYGA1UEChMPVW1lYSBVbml2ZXJzaXR5MRAwDgYDVQQLEwdJVCBVbml0MRAw
-o3tDQDuSoBy7JqFepFwwWjELMAkGA1UEBhMCU0UxDTALBgNVBAcTBFVtZWExGDAW
+                        DgYDVQQDEwdUZXN0IFNQMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDkJWP7
-BgNVBAoTD1VtZWEgVW5pdmVyc2l0eTEQMA4GA1UECxMHSVQgVW5pdDEQMA4GA1UE
+                        bwOxtH+E15VTaulNzVQ/0cSbM5G7abqeqSNSs0l0veHr6/ROgW96ZeQ57fzVy2MC
-AxMHVGVzdCBTUIIJAJHg2V5J31I8MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF
+                        FiQRw2fzBs0n7leEmDJyVVtBTavYlhAVXDNa3stgvh43qCfLx+clUlOvtnsoMiiR
-BQADgYEAMuRwwXRnsiyWzmRikpwinnhTmbooKm5TINPE7A7gSQ710RxioQePPhZO
+                        mo7qf0BoPKTj7c0uLKpDpEbAHQT4OF1HRYVxMwIDAQABo4G/MIG8MB0GA1UdDgQW
-zkM27NnHTrCe2rBVg0EGz7QTd1JIwLPvgoj4VTi/fSha/tXrYUaqc9AqU1kWI4WN
+                        BBQ7RgbMJFDGRBu9o3tDQDuSoBy7JjCBjAYDVR0jBIGEMIGBgBQ7RgbMJFDGRBu9
-+vffBGQ09mo+6CffuFTZYeOhzP/2stAPwCTU4kxEoiy0KpZMANI=
+                        o3tDQDuSoBy7JqFepFwwWjELMAkGA1UEBhMCU0UxDTALBgNVBAcTBFVtZWExGDAW
-</ns4:X509Certificate></ns4:X509Data></ns4:KeyInfo></ns0:KeyDescriptor><ns0:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost:8087/acs/redirect" index="1" /><ns0:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost:8087/acs/post" index="2" /></ns0:SPSSODescriptor></ns0:EntityDescriptor>
+                        BgNVBAoTD1VtZWEgVW5pdmVyc2l0eTEQMA4GA1UECxMHSVQgVW5pdDEQMA4GA1UE
+                        AxMHVGVzdCBTUIIJAJHg2V5J31I8MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF
+                        BQADgYEAMuRwwXRnsiyWzmRikpwinnhTmbooKm5TINPE7A7gSQ710RxioQePPhZO
+                        zkM27NnHTrCe2rBVg0EGz7QTd1JIwLPvgoj4VTi/fSha/tXrYUaqc9AqU1kWI4WN
+                        +vffBGQ09mo+6CffuFTZYeOhzP/2stAPwCTU4kxEoiy0KpZMANI=
+                    </ns4:X509Certificate>
+                </ns4:X509Data>
+            </ns4:KeyInfo>
+        </ns0:KeyDescriptor>
+        <ns0:KeyDescriptor use="signing">
+            <ns4:KeyInfo>
+                <ns4:X509Data>
+                    <ns4:X509Certificate>
+                        MIIC8jCCAlugAwIBAgIJAJHg2V5J31I8MA0GCSqGSIb3DQEBBQUAMFoxCzAJBgNV
+                        BAYTAlNFMQ0wCwYDVQQHEwRVbWVhMRgwFgYDVQQKEw9VbWVhIFVuaXZlcnNpdHkx
+                        EDAOBgNVBAsTB0lUIFVuaXQxEDAOBgNVBAMTB1Rlc3QgU1AwHhcNMDkxMDI2MTMz
+                        MTE1WhcNMTAxMDI2MTMzMTE1WjBaMQswCQYDVQQGEwJTRTENMAsGA1UEBxMEVW1l
+                        YTEYMBYGA1UEChMPVW1lYSBVbml2ZXJzaXR5MRAwDgYDVQQLEwdJVCBVbml0MRAw
+                        DgYDVQQDEwdUZXN0IFNQMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDkJWP7
+                        bwOxtH+E15VTaulNzVQ/0cSbM5G7abqeqSNSs0l0veHr6/ROgW96ZeQ57fzVy2MC
+                        FiQRw2fzBs0n7leEmDJyVVtBTavYlhAVXDNa3stgvh43qCfLx+clUlOvtnsoMiiR
+                        mo7qf0BoPKTj7c0uLKpDpEbAHQT4OF1HRYVxMwIDAQABo4G/MIG8MB0GA1UdDgQW
+                        BBQ7RgbMJFDGRBu9o3tDQDuSoBy7JjCBjAYDVR0jBIGEMIGBgBQ7RgbMJFDGRBu9
+                        o3tDQDuSoBy7JqFepFwwWjELMAkGA1UEBhMCU0UxDTALBgNVBAcTBFVtZWExGDAW
+                        BgNVBAoTD1VtZWEgVW5pdmVyc2l0eTEQMA4GA1UECxMHSVQgVW5pdDEQMA4GA1UE
+                        AxMHVGVzdCBTUIIJAJHg2V5J31I8MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEF
+                        BQADgYEAMuRwwXRnsiyWzmRikpwinnhTmbooKm5TINPE7A7gSQ710RxioQePPhZO
+                        zkM27NnHTrCe2rBVg0EGz7QTd1JIwLPvgoj4VTi/fSha/tXrYUaqc9AqU1kWI4WN
+                        +vffBGQ09mo+6CffuFTZYeOhzP/2stAPwCTU4kxEoiy0KpZMANI=
+                    </ns4:X509Certificate>
+                </ns4:X509Data>
+            </ns4:KeyInfo>
+        </ns0:KeyDescriptor>
+        <ns0:AssertionConsumerService
+                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+                Location="http://localhost:8087/acs/redirect" index="1"/>
+        <ns0:AssertionConsumerService
+                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+                Location="http://localhost:8087/acs/post" index="2"/>
+        <ns0:AttributeConsumingService index="1">
+            <ns0:ServiceName xml:lang="en">My SP service</ns0:ServiceName>
+            <ns0:ServiceDescription xml:lang="en">Example SP
+            </ns0:ServiceDescription>
+            <ns0:RequestedAttribute FriendlyName="sn" Name="urn:oid:2.5.4.4"
+                                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                                    isRequired="true"/>
+            <ns0:RequestedAttribute FriendlyName="givenname"
+                                    Name="urn:oid:2.5.4.42"
+                                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                                    isRequired="true"/>
+            <ns0:RequestedAttribute FriendlyName="edupersonaffiliation"
+                                    Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
+                                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                                    isRequired="true"/>
+            <ns0:RequestedAttribute FriendlyName="title" Name="urn:oid:2.5.4.12"
+                                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+                                    isRequired="false"/>
+        </ns0:AttributeConsumingService>
+    </ns0:SPSSODescriptor>
+</ns0:EntityDescriptor>