openstack/deb-python-pysaml2
Code Issues Proposed changes

Methods creating request changed to return a tuple consisting of request id and request.

Browse Source
This commit is contained in:
Roland Hedberg
2014-03-20 21:34:39 +01:00
parent a442e039d2
commit d3b9056e12
2 changed files with 45 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
example/sp-wsgi/sp.py
View File

@@ -529,7 +529,7 @@ class SSO(object):
entity_id=entity_id) entity_id=entity_id)
logger.debug("binding: %s, destination: %s" % (_binding, logger.debug("binding: %s, destination: %s" % (_binding,
destination)) destination))
req = _cli.create_authn_request(destination, vorg=vorg_name) req_id, req = _cli.create_authn_request(destination, vorg=vorg_name)
_rstate = rndstr() _rstate = rndstr()
self.cache.relay_state[_rstate] = came_from self.cache.relay_state[_rstate] = came_from
ht_args = _cli.apply_binding(_binding, "%s" % req, destination, ht_args = _cli.apply_binding(_binding, "%s" % req, destination,

71
src/s2repoze/plugins/sp.py
View File

@@ -23,7 +23,6 @@ import logging
import sys import sys
import platform import platform
import shelve import shelve
import threading
import traceback import traceback
import saml2 import saml2
from urlparse import parse_qs, urlparse from urlparse import parse_qs, urlparse
@@ -129,7 +128,8 @@ class SAML2Plugin(object):
implements(IChallenger, IIdentifier, IAuthenticator, IMetadataProvider) implements(IChallenger, IIdentifier, IAuthenticator, IMetadataProvider)
def __init__(self, rememberer_name, config, saml_client, wayf, cache, def __init__(self, rememberer_name, config, saml_client, wayf, cache,
sid_store=None, discovery="", idp_query_param="", sid_store_cert=None,): sid_store=None, discovery="", idp_query_param="",
sid_store_cert=None,):
self.rememberer_name = rememberer_name self.rememberer_name = rememberer_name
self.wayf = wayf self.wayf = wayf
self.saml_client = saml_client self.saml_client = saml_client
@@ -137,7 +137,8 @@ class SAML2Plugin(object):
self.cache = cache self.cache = cache
self.discosrv = discovery self.discosrv = discovery
self.idp_query_param = idp_query_param self.idp_query_param = idp_query_param
self.logout_endpoints = [urlparse(ep)[2] for ep in config.endpoint("single_logout_service")] self.logout_endpoints = [urlparse(ep)[2] for ep in config.endpoint(
"single_logout_service")]
try: try:
self.metadata = self.conf.metadata self.metadata = self.conf.metadata
except KeyError: except KeyError:
@@ -153,24 +154,20 @@ class SAML2Plugin(object):
self.iam = platform.node() self.iam = platform.node()
def _get_rememberer(self, environ): def _get_rememberer(self, environ):
rememberer = environ['repoze.who.plugins'][self.rememberer_name] rememberer = environ['repoze.who.plugins'][self.rememberer_name]
return rememberer return rememberer
#### IIdentifier #### #### IIdentifier ####
def remember(self, environ, identity): def remember(self, environ, identity):
rememberer = self._get_rememberer(environ) rememberer = self._get_rememberer(environ)
return rememberer.remember(environ, identity) return rememberer.remember(environ, identity)
#### IIdentifier #### #### IIdentifier ####
def forget(self, environ, identity): def forget(self, environ, identity):
rememberer = self._get_rememberer(environ) rememberer = self._get_rememberer(environ)
return rememberer.forget(environ, identity) return rememberer.forget(environ, identity)
def _get_post(self, environ): def _get_post(self, environ):
""" """
Get the posted information Get the posted information
@@ -293,8 +290,8 @@ class SAML2Plugin(object):
self.outstanding_queries[sid_] = came_from self.outstanding_queries[sid_] = came_from
logger.debug("Redirect to Discovery Service function") logger.debug("Redirect to Discovery Service function")
eid = _cli.config.entityid eid = _cli.config.entityid
ret = _cli.config.getattr("endpoints", ret = _cli.config.getattr(
"sp")["discovery_response"][0][0] "endpoints", "sp")["discovery_response"][0][0]
ret += "?sid=%s" % sid_ ret += "?sid=%s" % sid_
loc = _cli.create_discovery_service_request( loc = _cli.create_discovery_service_request(
self.discosrv, eid, **{"return": ret}) self.discosrv, eid, **{"return": ret})
@@ -379,22 +376,28 @@ class SAML2Plugin(object):
"cert": cert_str, "cert": cert_str,
"key": req_key_str "key": req_key_str
} }
spcertenc = SPCertEnc(x509_data=ds.X509Data(x509_certificate=ds.X509Certificate(text=cert_str))) spcertenc = SPCertEnc(x509_data=ds.X509Data(
extensions = Extensions(extension_elements=[element_to_extension_element(spcertenc)]) x509_certificate=ds.X509Certificate(text=cert_str)))
extensions = Extensions(extension_elements=[
element_to_extension_element(spcertenc)])
if _cli.authn_requests_signed: if _cli.authn_requests_signed:
_sid = saml2.s_utils.sid(_cli.seed) _sid = saml2.s_utils.sid(_cli.seed)
msg_str = _cli.create_authn_request(dest, vorg=vorg_name, sign=_cli.authn_requests_signed, msg_id = msg_str = _cli.create_authn_request(
dest, vorg=vorg_name, sign=_cli.authn_requests_signed,
message_id=_sid, extensions=extensions) message_id=_sid, extensions=extensions)
else: else:
req = _cli.create_authn_request(dest, vorg=vorg_name, sign=False, extensions=extensions) req_id, req = _cli.create_authn_request(
dest, vorg=vorg_name, sign=False, extensions=extensions)
msg_str = "%s" % req msg_str = "%s" % req
_sid = req.id _sid = req_id
if cert is not None: if cert is not None:
self.outstanding_certs[_sid] = cert self.outstanding_certs[_sid] = cert
ht_args = _cli.apply_binding(_binding, msg_str, destination=dest, relay_state=came_from) ht_args = _cli.apply_binding(_binding, msg_str,
destination=dest,
relay_state=came_from)
logger.debug("ht_args: %s" % ht_args) logger.debug("ht_args: %s" % ht_args)
except Exception, exc: except Exception, exc:
@@ -402,10 +405,11 @@ class SAML2Plugin(object):
raise Exception( raise Exception(
"Failed to construct the AuthnRequest: %s" % exc) "Failed to construct the AuthnRequest: %s" % exc)
try: try:
ret = _cli.config.getattr("endpoints","sp")["discovery_response"][0][0] ret = _cli.config.getattr(
if (environ["PATH_INFO"]) in ret and ret.split(environ["PATH_INFO"])[1] == "": "endpoints","sp")["discovery_response"][0][0]
if (environ["PATH_INFO"]) in ret and ret.split(
environ["PATH_INFO"])[1] == "":
query = parse_qs(environ["QUERY_STRING"]) query = parse_qs(environ["QUERY_STRING"])
sid = query["sid"][0] sid = query["sid"][0]
came_from = self.outstanding_queries[sid] came_from = self.outstanding_queries[sid]
@@ -440,7 +444,8 @@ class SAML2Plugin(object):
# Evaluate the response, returns a AuthnResponse instance # Evaluate the response, returns a AuthnResponse instance
try: try:
authresp = self.saml_client.parse_authn_request_response( authresp = self.saml_client.parse_authn_request_response(
post["SAMLResponse"], binding, self.outstanding_queries, self.outstanding_certs) post["SAMLResponse"], binding, self.outstanding_queries,
self.outstanding_certs)
except Exception, excp: except Exception, excp:
logger.exception("Exception: %s" % (excp,)) logger.exception("Exception: %s" % (excp,))
@@ -476,12 +481,13 @@ class SAML2Plugin(object):
#### IIdentifier #### #### IIdentifier ####
def identify(self, environ): def identify(self, environ):
""" """
Tries do the identification Tries to do the identification
""" """
#logger = environ.get('repoze.who.logger', '') #logger = environ.get('repoze.who.logger', '')
query = parse_dict_querystring(environ) query = parse_dict_querystring(environ)
if ("CONTENT_LENGTH" not in environ or not environ["CONTENT_LENGTH"]) and "SAMLResponse" not in query and "SAMLRequest" not in query: if ("CONTENT_LENGTH" not in environ or not environ["CONTENT_LENGTH"]) and \
"SAMLResponse" not in query and "SAMLRequest" not in query:
logger.debug('[identify] get or empty post') logger.debug('[identify] get or empty post')
return {} return {}
@@ -517,7 +523,9 @@ class SAML2Plugin(object):
if logout and "SAMLRequest" in post: if logout and "SAMLRequest" in post:
print("logout request received") print("logout request received")
try: try:
response = self.saml_client.handle_logout_request(post["SAMLRequest"], self.saml_client.users.subjects()[0], binding) response = self.saml_client.handle_logout_request(
post["SAMLRequest"],
self.saml_client.users.subjects()[0], binding)
environ['samlsp.pending'] = self._handle_logout(response) environ['samlsp.pending'] = self._handle_logout(response)
return {} return {}
except: except:
@@ -537,15 +545,18 @@ class SAML2Plugin(object):
#if self.debug: #if self.debug:
try: try:
if logout: if logout:
response = self.saml_client.parse_logout_request_response(post["SAMLResponse"], binding) response = self.saml_client.parse_logout_request_response(
post["SAMLResponse"], binding)
if response: if response:
action = self.saml_client.handle_logout_response(response) action = self.saml_client.handle_logout_response(
request = None response)
if type(action) == dict: if type(action) == dict:
request = self._handle_logout(action) request = self._handle_logout(action)
else: else:
#logout complete #logout complete
request = HTTPSeeOther(headers=[('Location', "/")]) request = HTTPSeeOther(headers=[
('Location', "/")])
if request: if request:
environ['samlsp.pending'] = request environ['samlsp.pending'] = request
return {} return {}
@@ -621,9 +632,9 @@ class SAML2Plugin(object):
# remove cookie and demand re-authentication # remove cookie and demand re-authentication
pass pass
# @return
# used 2 times : one to get the ticket, the other to validate it # used 2 times : one to get the ticket, the other to validate it
def _service_url(self, environ, qstr=None): @staticmethod
def _service_url(environ, qstr=None):
if qstr is not None: if qstr is not None:
url = construct_url(environ, querystring=qstr) url = construct_url(environ, querystring=qstr)
else: else:
@@ -641,7 +652,8 @@ class SAML2Plugin(object):
else: else:
return None return None
def _handle_logout(self, responses): @staticmethod
def _handle_logout(responses):
if 'data' in responses: if 'data' in responses:
ht_args = responses ht_args = responses
else: else:
@@ -652,6 +664,7 @@ class SAML2Plugin(object):
else: else:
return ht_args["data"] return ht_args["data"]
def make_plugin(remember_name=None, # plugin for remember def make_plugin(remember_name=None, # plugin for remember
cache="", # cache cache="", # cache
# Which virtual organization to support # Which virtual organization to support