c8edb28d5b
Since the README already says to point a browser at localhost, it was surprising to see the listeners bound to 0.0.0.0 by default. Changed that and added notes in README about how to change it if the user really wants to make a test listener accessible externally. Updated output messages during startup to include the bound IP, to make this more obvious. Added a missing EOL or two.
742 lines
26 KiB
Python
Executable File
742 lines
26 KiB
Python
Executable File
#!/usr/bin/env python
|
|
import logging
|
|
import re
|
|
import argparse
|
|
import service_conf
|
|
|
|
from Cookie import SimpleCookie
|
|
from urlparse import parse_qs
|
|
import sys
|
|
|
|
from saml2 import BINDING_HTTP_REDIRECT
|
|
from saml2 import BINDING_SOAP
|
|
from saml2 import time_util
|
|
from saml2 import ecp
|
|
from saml2 import BINDING_HTTP_ARTIFACT
|
|
from saml2 import BINDING_HTTP_POST
|
|
from saml2.client import Saml2Client
|
|
from saml2.ecp_client import PAOS_HEADER_INFO
|
|
from saml2.httputil import geturl, make_cookie, parse_cookie
|
|
from saml2.httputil import get_post
|
|
from saml2.httputil import Response
|
|
from saml2.httputil import BadRequest
|
|
from saml2.httputil import ServiceError
|
|
from saml2.httputil import SeeOther
|
|
from saml2.httputil import Unauthorized
|
|
from saml2.httputil import NotFound
|
|
from saml2.httputil import Redirect
|
|
from saml2.httputil import NotImplemented
|
|
from saml2.response import StatusError
|
|
from saml2.response import VerificationError
|
|
from saml2.s_utils import UnknownPrincipal
|
|
from saml2.s_utils import UnsupportedBinding
|
|
from saml2.s_utils import sid
|
|
from saml2.s_utils import rndstr
|
|
#from srtest import exception_trace
|
|
|
|
logger = logging.getLogger("")
|
|
hdlr = logging.FileHandler('spx.log')
|
|
base_formatter = logging.Formatter(
|
|
"%(asctime)s %(name)s:%(levelname)s %(message)s")
|
|
|
|
hdlr.setFormatter(base_formatter)
|
|
logger.addHandler(hdlr)
|
|
logger.setLevel(logging.INFO)
|
|
|
|
|
|
SP = None
|
|
SEED = ""
|
|
POLICY = None
|
|
|
|
|
|
def dict_to_table(ava, lev=0, width=1):
|
|
txt = ['<table border=%s bordercolor="black">\n' % width]
|
|
for prop, valarr in ava.items():
|
|
txt.append("<tr>\n")
|
|
if isinstance(valarr, basestring):
|
|
txt.append("<th>%s</th>\n" % str(prop))
|
|
try:
|
|
txt.append("<td>%s</td>\n" % valarr.encode("utf8"))
|
|
except AttributeError:
|
|
txt.append("<td>%s</td>\n" % valarr)
|
|
elif isinstance(valarr, list):
|
|
i = 0
|
|
n = len(valarr)
|
|
for val in valarr:
|
|
if not i:
|
|
txt.append("<th rowspan=%d>%s</td>\n" % (len(valarr), prop))
|
|
else:
|
|
txt.append("<tr>\n")
|
|
if isinstance(val, dict):
|
|
txt.append("<td>\n")
|
|
txt.extend(dict_to_table(val, lev + 1, width - 1))
|
|
txt.append("</td>\n")
|
|
else:
|
|
try:
|
|
txt.append("<td>%s</td>\n" % val.encode("utf8"))
|
|
except AttributeError:
|
|
txt.append("<td>%s</td>\n" % val)
|
|
if n > 1:
|
|
txt.append("</tr>\n")
|
|
n -= 1
|
|
i += 1
|
|
elif isinstance(valarr, dict):
|
|
txt.append("<th>%s</th>\n" % prop)
|
|
txt.append("<td>\n")
|
|
txt.extend(dict_to_table(valarr, lev + 1, width - 1))
|
|
txt.append("</td>\n")
|
|
txt.append("</tr>\n")
|
|
txt.append('</table>\n')
|
|
return txt
|
|
|
|
|
|
def handle_static(environ, start_response, path):
|
|
"""
|
|
Creates a response for a static file. There might be a longer path
|
|
then just /static/... - if so strip the path leading up to static.
|
|
|
|
:param environ: wsgi enviroment
|
|
:param start_response: wsgi start response
|
|
:param path: the static file and path to the file.
|
|
:return: wsgi response for the static file.
|
|
"""
|
|
try:
|
|
text = open(path).read()
|
|
if path.endswith(".ico"):
|
|
resp = Response(text, headers=[('Content-Type', "image/x-icon")])
|
|
elif path.endswith(".html"):
|
|
resp = Response(text, headers=[('Content-Type', 'text/html')])
|
|
elif path.endswith(".txt"):
|
|
resp = Response(text, headers=[('Content-Type', 'text/plain')])
|
|
elif path.endswith(".css"):
|
|
resp = Response(text, headers=[('Content-Type', 'text/css')])
|
|
elif path.endswith(".js"):
|
|
resp = Response(text, headers=[('Content-Type', 'text/javascript')])
|
|
elif path.endswith(".png"):
|
|
resp = Response(text, headers=[('Content-Type', 'image/png')])
|
|
else:
|
|
resp = Response(text)
|
|
except IOError:
|
|
resp = NotFound()
|
|
return resp(environ, start_response)
|
|
|
|
|
|
class ECPResponse(object):
|
|
code = 200
|
|
title = 'OK'
|
|
|
|
def __init__(self, content):
|
|
self.content = content
|
|
|
|
#noinspection PyUnusedLocal
|
|
def __call__(self, environ, start_response):
|
|
start_response('%s %s' % (self.code, self.title),
|
|
[('Content-Type', "text/xml")])
|
|
return [self.content]
|
|
|
|
|
|
def _expiration(timeout, tformat=None):
|
|
# Wed, 06-Jun-2012 01:34:34 GMT
|
|
if not tformat:
|
|
tformat = '%a, %d-%b-%Y %T GMT'
|
|
|
|
if timeout == "now":
|
|
return time_util.instant(tformat)
|
|
else:
|
|
# validity time should match lifetime of assertions
|
|
return time_util.in_a_while(minutes=timeout, format=tformat)
|
|
|
|
|
|
class Cache(object):
|
|
def __init__(self):
|
|
self.uid2user = {}
|
|
self.cookie_name = "spauthn"
|
|
self.outstanding_queries = {}
|
|
self.relay_state = {}
|
|
self.user = {}
|
|
self.result = {}
|
|
|
|
def kaka2user(self, kaka):
|
|
logger.debug("KAKA: %s" % kaka)
|
|
if kaka:
|
|
cookie_obj = SimpleCookie(kaka)
|
|
morsel = cookie_obj.get(self.cookie_name, None)
|
|
if morsel:
|
|
try:
|
|
return self.uid2user[morsel.value]
|
|
except KeyError:
|
|
return None
|
|
else:
|
|
logger.debug("No spauthn cookie")
|
|
return None
|
|
|
|
def delete_cookie(self, environ=None, kaka=None):
|
|
if not kaka:
|
|
kaka = environ.get("HTTP_COOKIE", '')
|
|
logger.debug("delete KAKA: %s" % kaka)
|
|
if kaka:
|
|
_name = self.cookie_name
|
|
cookie_obj = SimpleCookie(kaka)
|
|
morsel = cookie_obj.get(_name, None)
|
|
cookie = SimpleCookie()
|
|
cookie[_name] = ""
|
|
cookie[_name]['path'] = "/"
|
|
logger.debug("Expire: %s" % morsel)
|
|
cookie[_name]["expires"] = _expiration("dawn")
|
|
return tuple(cookie.output().split(": ", 1))
|
|
return None
|
|
|
|
def user2kaka(self, user):
|
|
uid = rndstr(32)
|
|
self.uid2user[uid] = user
|
|
cookie = SimpleCookie()
|
|
cookie[self.cookie_name] = uid
|
|
cookie[self.cookie_name]['path'] = "/"
|
|
cookie[self.cookie_name]["expires"] = _expiration(480)
|
|
logger.debug("Cookie expires: %s" % cookie[self.cookie_name]["expires"])
|
|
return tuple(cookie.output().split(": ", 1))
|
|
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# RECEIVERS
|
|
# -----------------------------------------------------------------------------
|
|
|
|
|
|
class Service(object):
|
|
def __init__(self, environ, start_response, user=None):
|
|
self.environ = environ
|
|
logger.debug("ENVIRON: %s" % environ)
|
|
self.start_response = start_response
|
|
self.user = user
|
|
self.sp = None
|
|
|
|
def unpack_redirect(self):
|
|
if "QUERY_STRING" in self.environ:
|
|
_qs = self.environ["QUERY_STRING"]
|
|
return dict([(k, v[0]) for k, v in parse_qs(_qs).items()])
|
|
else:
|
|
return None
|
|
|
|
def unpack_post(self):
|
|
_dict = parse_qs(get_post(self.environ))
|
|
logger.debug("unpack_post:: %s" % _dict)
|
|
try:
|
|
return dict([(k, v[0]) for k, v in _dict.items()])
|
|
except Exception:
|
|
return None
|
|
|
|
def unpack_soap(self):
|
|
try:
|
|
query = get_post(self.environ)
|
|
return {"SAMLResponse": query, "RelayState": ""}
|
|
except Exception:
|
|
return None
|
|
|
|
def unpack_either(self):
|
|
if self.environ["REQUEST_METHOD"] == "GET":
|
|
_dict = self.unpack_redirect()
|
|
elif self.environ["REQUEST_METHOD"] == "POST":
|
|
_dict = self.unpack_post()
|
|
else:
|
|
_dict = None
|
|
logger.debug("_dict: %s" % _dict)
|
|
return _dict
|
|
|
|
def operation(self, _dict, binding):
|
|
logger.debug("_operation: %s" % _dict)
|
|
if not _dict:
|
|
resp = BadRequest('Error parsing request or no request')
|
|
return resp(self.environ, self.start_response)
|
|
else:
|
|
try:
|
|
_relay_state = _dict["RelayState"]
|
|
except KeyError:
|
|
_relay_state = ""
|
|
if "SAMLResponse" in _dict:
|
|
return self.do(_dict["SAMLResponse"], binding,
|
|
_relay_state, mtype="response")
|
|
elif "SAMLRequest" in _dict:
|
|
return self.do(_dict["SAMLRequest"], binding,
|
|
_relay_state, mtype="request")
|
|
|
|
def artifact_operation(self, _dict):
|
|
if not _dict:
|
|
resp = BadRequest("Missing query")
|
|
return resp(self.environ, self.start_response)
|
|
else:
|
|
# exchange artifact for response
|
|
request = self.sp.artifact2message(_dict["SAMLart"], "spsso")
|
|
return self.do(request, BINDING_HTTP_ARTIFACT, _dict["RelayState"])
|
|
|
|
def response(self, binding, http_args):
|
|
if binding == BINDING_HTTP_ARTIFACT:
|
|
resp = Redirect()
|
|
else:
|
|
resp = Response(http_args["data"], headers=http_args["headers"])
|
|
return resp(self.environ, self.start_response)
|
|
|
|
def do(self, query, binding, relay_state="", mtype="response"):
|
|
pass
|
|
|
|
def redirect(self):
|
|
""" Expects a HTTP-redirect response """
|
|
|
|
_dict = self.unpack_redirect()
|
|
return self.operation(_dict, BINDING_HTTP_REDIRECT)
|
|
|
|
def post(self):
|
|
""" Expects a HTTP-POST response """
|
|
|
|
_dict = self.unpack_post()
|
|
return self.operation(_dict, BINDING_HTTP_POST)
|
|
|
|
def artifact(self):
|
|
# Can be either by HTTP_Redirect or HTTP_POST
|
|
_dict = self.unpack_either()
|
|
return self.artifact_operation(_dict)
|
|
|
|
def soap(self):
|
|
"""
|
|
Single log out using HTTP_SOAP binding
|
|
"""
|
|
logger.debug("- SOAP -")
|
|
_dict = self.unpack_soap()
|
|
logger.debug("_dict: %s" % _dict)
|
|
return self.operation(_dict, BINDING_SOAP)
|
|
|
|
def uri(self):
|
|
_dict = self.unpack_either()
|
|
return self.operation(_dict, BINDING_SOAP)
|
|
|
|
def not_authn(self):
|
|
resp = Unauthorized('Unknown user')
|
|
return resp(self.environ, self.start_response)
|
|
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# Attribute Consuming service
|
|
# -----------------------------------------------------------------------------
|
|
|
|
|
|
class ACS(Service):
|
|
def __init__(self, sp, environ, start_response, cache=None, **kwargs):
|
|
Service.__init__(self, environ, start_response)
|
|
self.sp = sp
|
|
self.outstanding_queries = cache.outstanding_queries
|
|
self.cache = cache
|
|
self.response = None
|
|
self.kwargs = kwargs
|
|
|
|
def do(self, response, binding, relay_state="", mtype="response"):
|
|
"""
|
|
:param response: The SAML response, transport encoded
|
|
:param binding: Which binding the query came in over
|
|
"""
|
|
#tmp_outstanding_queries = dict(self.outstanding_queries)
|
|
if not response:
|
|
logger.info("Missing Response")
|
|
resp = Unauthorized('Unknown user')
|
|
return resp(self.environ, self.start_response)
|
|
|
|
try:
|
|
self.response = self.sp.parse_authn_request_response(
|
|
response, binding, self.outstanding_queries)
|
|
except UnknownPrincipal, excp:
|
|
logger.error("UnknownPrincipal: %s" % (excp,))
|
|
resp = ServiceError("UnknownPrincipal: %s" % (excp,))
|
|
return resp(self.environ, self.start_response)
|
|
except UnsupportedBinding, excp:
|
|
logger.error("UnsupportedBinding: %s" % (excp,))
|
|
resp = ServiceError("UnsupportedBinding: %s" % (excp,))
|
|
return resp(self.environ, self.start_response)
|
|
except VerificationError, err:
|
|
resp = ServiceError("Verification error: %s" % (err,))
|
|
return resp(self.environ, self.start_response)
|
|
except Exception, err:
|
|
resp = ServiceError("Other error: %s" % (err,))
|
|
return resp(self.environ, self.start_response)
|
|
|
|
logger.info("AVA: %s" % self.response.ava)
|
|
resp = Response(dict_to_table(self.response.ava))
|
|
return resp(self.environ, self.start_response)
|
|
|
|
def verify_attributes(self, ava):
|
|
logger.info("SP: %s" % self.sp.config.entityid)
|
|
rest = POLICY.get_entity_categories(
|
|
self.sp.config.entityid, self.sp.metadata)
|
|
|
|
akeys = [k.lower() for k in ava.keys()]
|
|
|
|
res = {"less": [], "more": []}
|
|
for key, attr in rest.items():
|
|
if key not in ava:
|
|
if key not in akeys:
|
|
res["less"].append(key)
|
|
|
|
for key, attr in ava.items():
|
|
_key = key.lower()
|
|
if _key not in rest:
|
|
res["more"].append(key)
|
|
|
|
return res
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# REQUESTERS
|
|
# -----------------------------------------------------------------------------
|
|
|
|
|
|
class SSO(object):
|
|
def __init__(self, sp, environ, start_response, cache=None,
|
|
wayf=None, discosrv=None, bindings=None):
|
|
self.sp = sp
|
|
self.environ = environ
|
|
self.start_response = start_response
|
|
self.cache = cache
|
|
self.idp_query_param = "IdpQuery"
|
|
self.wayf = wayf
|
|
self.discosrv = discosrv
|
|
if bindings:
|
|
self.bindings = bindings
|
|
else:
|
|
self.bindings = [BINDING_HTTP_REDIRECT, BINDING_HTTP_POST,
|
|
BINDING_HTTP_ARTIFACT]
|
|
logger.debug("--- SSO ---")
|
|
|
|
def response(self, binding, http_args, do_not_start_response=False):
|
|
if binding == BINDING_HTTP_ARTIFACT:
|
|
resp = Redirect()
|
|
elif binding == BINDING_HTTP_REDIRECT:
|
|
for param, value in http_args["headers"]:
|
|
if param == "Location":
|
|
resp = SeeOther(str(value))
|
|
break
|
|
else:
|
|
resp = ServiceError("Parameter error")
|
|
else:
|
|
resp = Response(http_args["data"], headers=http_args["headers"])
|
|
|
|
if do_not_start_response:
|
|
return resp
|
|
else:
|
|
return resp(self.environ, self.start_response)
|
|
|
|
def _wayf_redirect(self, came_from):
|
|
sid_ = sid()
|
|
self.cache.outstanding_queries[sid_] = came_from
|
|
logger.debug("Redirect to WAYF function: %s" % self.wayf)
|
|
return -1, SeeOther(headers=[('Location', "%s?%s" % (self.wayf, sid_))])
|
|
|
|
def _pick_idp(self, came_from):
|
|
"""
|
|
If more than one idp and if none is selected, I have to do wayf or
|
|
disco
|
|
"""
|
|
|
|
_cli = self.sp
|
|
|
|
logger.debug("[_pick_idp] %s" % self.environ)
|
|
if "HTTP_PAOS" in self.environ:
|
|
if self.environ["HTTP_PAOS"] == PAOS_HEADER_INFO:
|
|
if 'application/vnd.paos+xml' in self.environ["HTTP_ACCEPT"]:
|
|
# Where should I redirect the user to
|
|
# entityid -> the IdP to use
|
|
# relay_state -> when back from authentication
|
|
|
|
logger.debug("- ECP client detected -")
|
|
|
|
_rstate = rndstr()
|
|
self.cache.relay_state[_rstate] = geturl(self.environ)
|
|
_entityid = _cli.config.ecp_endpoint(
|
|
self.environ["REMOTE_ADDR"])
|
|
|
|
if not _entityid:
|
|
return -1, ServiceError("No IdP to talk to")
|
|
logger.debug("IdP to talk to: %s" % _entityid)
|
|
return ecp.ecp_auth_request(_cli, _entityid, _rstate)
|
|
else:
|
|
return -1, ServiceError('Faulty Accept header')
|
|
else:
|
|
return -1, ServiceError('unknown ECP version')
|
|
|
|
# Find all IdPs
|
|
idps = self.sp.metadata.with_descriptor("idpsso")
|
|
|
|
idp_entity_id = None
|
|
|
|
kaka = self.environ.get("HTTP_COOKIE", '')
|
|
if kaka:
|
|
try:
|
|
(idp_entity_id, _) = parse_cookie("ve_disco", "SEED_SAW", kaka)
|
|
except ValueError:
|
|
pass
|
|
except TypeError:
|
|
pass
|
|
|
|
# Any specific IdP specified in a query part
|
|
query = self.environ.get("QUERY_STRING")
|
|
if not idp_entity_id and query:
|
|
try:
|
|
_idp_entity_id = dict(parse_qs(query))[
|
|
self.idp_query_param][0]
|
|
if _idp_entity_id in idps:
|
|
idp_entity_id = _idp_entity_id
|
|
except KeyError:
|
|
logger.debug("No IdP entity ID in query: %s" % query)
|
|
pass
|
|
|
|
if not idp_entity_id:
|
|
|
|
if self.wayf:
|
|
if query:
|
|
try:
|
|
wayf_selected = dict(parse_qs(query))[
|
|
"wayf_selected"][0]
|
|
except KeyError:
|
|
return self._wayf_redirect(came_from)
|
|
idp_entity_id = wayf_selected
|
|
else:
|
|
return self._wayf_redirect(came_from)
|
|
elif self.discosrv:
|
|
if query:
|
|
idp_entity_id = _cli.parse_discovery_service_response(
|
|
query=self.environ.get("QUERY_STRING"))
|
|
if not idp_entity_id:
|
|
sid_ = sid()
|
|
self.cache.outstanding_queries[sid_] = came_from
|
|
logger.debug("Redirect to Discovery Service function")
|
|
eid = _cli.config.entityid
|
|
ret = _cli.config.getattr("endpoints",
|
|
"sp")["discovery_response"][0][0]
|
|
ret += "?sid=%s" % sid_
|
|
loc = _cli.create_discovery_service_request(
|
|
self.discosrv, eid, **{"return": ret})
|
|
return -1, SeeOther(loc)
|
|
elif len(idps) == 1:
|
|
# idps is a dictionary
|
|
idp_entity_id = idps.keys()[0]
|
|
elif not len(idps):
|
|
return -1, ServiceError('Misconfiguration')
|
|
else:
|
|
return -1, NotImplemented("No WAYF or DS present!")
|
|
|
|
logger.info("Chosen IdP: '%s'" % idp_entity_id)
|
|
return 0, idp_entity_id
|
|
|
|
def redirect_to_auth(self, _cli, entity_id, came_from, vorg_name=""):
|
|
try:
|
|
_binding, destination = _cli.pick_binding(
|
|
"single_sign_on_service", self.bindings, "idpsso",
|
|
entity_id=entity_id)
|
|
logger.debug("binding: %s, destination: %s" % (_binding,
|
|
destination))
|
|
req_id, req = _cli.create_authn_request(destination, vorg=vorg_name)
|
|
_rstate = rndstr()
|
|
self.cache.relay_state[_rstate] = came_from
|
|
ht_args = _cli.apply_binding(_binding, "%s" % req, destination,
|
|
relay_state=_rstate)
|
|
_sid = req_id
|
|
logger.debug("ht_args: %s" % ht_args)
|
|
except Exception, exc:
|
|
logger.exception(exc)
|
|
resp = ServiceError(
|
|
"Failed to construct the AuthnRequest: %s" % exc)
|
|
return resp(self.environ, self.start_response)
|
|
|
|
# remember the request
|
|
self.cache.outstanding_queries[_sid] = came_from
|
|
return self.response(_binding, ht_args, do_not_start_response=True)
|
|
|
|
def do(self):
|
|
_cli = self.sp
|
|
|
|
# Which page was accessed to get here
|
|
came_from = geturl(self.environ)
|
|
logger.debug("[sp.challenge] RelayState >> '%s'" % came_from)
|
|
|
|
# Am I part of a virtual organization or more than one ?
|
|
try:
|
|
vorg_name = _cli.vorg._name
|
|
except AttributeError:
|
|
vorg_name = ""
|
|
|
|
logger.debug("[sp.challenge] VO: %s" % vorg_name)
|
|
|
|
# If more than one idp and if none is selected, I have to do wayf
|
|
(done, response) = self._pick_idp(came_from)
|
|
# Three cases: -1 something went wrong or Discovery service used
|
|
# 0 I've got an IdP to send a request to
|
|
# >0 ECP in progress
|
|
logger.debug("_idp_pick returned: %s" % done)
|
|
if done == -1:
|
|
return response(self.environ, self.start_response)
|
|
elif done > 0:
|
|
self.cache.outstanding_queries[done] = came_from
|
|
return ECPResponse(response)
|
|
else:
|
|
entity_id = response
|
|
# Do the AuthnRequest
|
|
resp = self.redirect_to_auth(_cli, entity_id, came_from, vorg_name)
|
|
return resp(self.environ, self.start_response)
|
|
|
|
|
|
# ----------------------------------------------------------------------------
|
|
|
|
|
|
#noinspection PyUnusedLocal
|
|
def not_found(environ, start_response):
|
|
"""Called if no URL matches."""
|
|
resp = NotFound('Not Found')
|
|
return resp(environ, start_response)
|
|
|
|
|
|
# ----------------------------------------------------------------------------
|
|
|
|
|
|
#noinspection PyUnusedLocal
|
|
def main(environ, start_response, _sp):
|
|
_sso = SSO(_sp, environ, start_response, cache=CACHE, **ARGS)
|
|
return _sso.do()
|
|
|
|
|
|
#noinspection PyUnusedLocal
|
|
def verify_login_cookie(environ, start_response, _sp):
|
|
_sso = SSO(_sp, environ, start_response, cache=CACHE, **ARGS)
|
|
return _sso.do()
|
|
|
|
|
|
def disco(environ, start_response, _sp):
|
|
query = parse_qs(environ["QUERY_STRING"])
|
|
entity_id = query["entityID"][0]
|
|
_sid = query["sid"][0]
|
|
came_from = CACHE.outstanding_queries[_sid]
|
|
_sso = SSO(_sp, environ, start_response, cache=CACHE, **ARGS)
|
|
resp = _sso.redirect_to_auth(_sso.sp, entity_id, came_from)
|
|
|
|
# Add cookie
|
|
kaka = make_cookie("ve_disco", entity_id, "SEED_SAW")
|
|
resp.headers.append(kaka)
|
|
return resp(environ, start_response)
|
|
|
|
# ----------------------------------------------------------------------------
|
|
|
|
# map urls to functions
|
|
urls = [
|
|
# Hmm, place holder, NOT used
|
|
('place', ("holder", None)),
|
|
(r'^$', main),
|
|
(r'^login', verify_login_cookie),
|
|
(r'^disco', disco)
|
|
]
|
|
|
|
|
|
def add_urls():
|
|
base = "acs"
|
|
|
|
urls.append(("%s/post$" % base, (ACS, "post", SP)))
|
|
urls.append(("%s/post/(.*)$" % base, (ACS, "post", SP)))
|
|
urls.append(("%s/redirect$" % base, (ACS, "redirect", SP)))
|
|
urls.append(("%s/redirect/(.*)$" % base, (ACS, "redirect", SP)))
|
|
|
|
# ----------------------------------------------------------------------------
|
|
|
|
|
|
def application(environ, start_response):
|
|
"""
|
|
The main WSGI application. Dispatch the current request to
|
|
the functions from above.
|
|
|
|
If nothing matches, call the `not_found` function.
|
|
|
|
:param environ: The HTTP application environment
|
|
:param start_response: The application to run when the handling of the
|
|
request is done
|
|
:return: The response as a list of lines
|
|
"""
|
|
path = environ.get('PATH_INFO', '').lstrip('/')
|
|
logger.debug("<application> PATH: '%s'" % path)
|
|
|
|
logger.debug("Finding callback to run")
|
|
try:
|
|
for regex, spec in urls:
|
|
match = re.search(regex, path)
|
|
if match is not None:
|
|
if isinstance(spec, tuple):
|
|
callback, func_name, _sp = spec
|
|
cls = callback(_sp, environ, start_response, cache=CACHE)
|
|
func = getattr(cls, func_name)
|
|
return func()
|
|
else:
|
|
return spec(environ, start_response, SP)
|
|
if re.match(".*static/.*", path):
|
|
return handle_static(environ, start_response, path)
|
|
return not_found(environ, start_response)
|
|
except StatusError, err:
|
|
logging.error("StatusError: %s" % err)
|
|
resp = BadRequest("%s" % err)
|
|
return resp(environ, start_response)
|
|
except Exception, err:
|
|
#_err = exception_trace("RUN", err)
|
|
#logging.error(exception_trace("RUN", _err))
|
|
print >> sys.stderr, err
|
|
resp = ServiceError("%s" % err)
|
|
return resp(environ, start_response)
|
|
|
|
# ----------------------------------------------------------------------------
|
|
|
|
HOST = service_conf.HOST
|
|
PORT = service_conf.PORT
|
|
# ------- HTTPS -------
|
|
# These should point to relevant files
|
|
SERVER_CERT = service_conf.SERVER_CERT
|
|
SERVER_KEY = service_conf.SERVER_KEY
|
|
# This is of course the certificate chain for the CA that signed
|
|
# your cert and all the way up to the top
|
|
CERT_CHAIN = service_conf.CERT_CHAIN
|
|
|
|
if __name__ == '__main__':
|
|
from cherrypy import wsgiserver
|
|
from cherrypy.wsgiserver import ssl_pyopenssl
|
|
|
|
_parser = argparse.ArgumentParser()
|
|
_parser.add_argument('-d', dest='debug', action='store_true',
|
|
help="Print debug information")
|
|
_parser.add_argument('-D', dest='discosrv',
|
|
help="Which disco server to use")
|
|
_parser.add_argument('-s', dest='seed',
|
|
help="Cookie seed")
|
|
_parser.add_argument('-W', dest='wayf', action='store_true',
|
|
help="Which WAYF url to use")
|
|
_parser.add_argument("config", help="SAML client config")
|
|
|
|
ARGS = {}
|
|
_args = _parser.parse_args()
|
|
if _args.discosrv:
|
|
ARGS["discosrv"] = _args.discosrv
|
|
if _args.wayf:
|
|
ARGS["wayf"] = _args.wayf
|
|
|
|
CACHE = Cache()
|
|
CNFBASE = _args.config
|
|
if _args.seed:
|
|
SEED = _args.seed
|
|
else:
|
|
SEED = "SnabbtInspel"
|
|
|
|
SP = Saml2Client(config_file="%s" % CNFBASE)
|
|
|
|
POLICY = service_conf.POLICY
|
|
|
|
add_urls()
|
|
|
|
SRV = wsgiserver.CherryPyWSGIServer((HOST, PORT), application)
|
|
|
|
if service_conf.HTTPS:
|
|
SRV.ssl_adapter = ssl_pyopenssl.pyOpenSSLAdapter(SERVER_CERT,
|
|
SERVER_KEY, CERT_CHAIN)
|
|
logger.info("Server starting")
|
|
print "SP listening on %s:%s" % (HOST, PORT)
|
|
try:
|
|
SRV.start()
|
|
except KeyboardInterrupt:
|
|
SRV.stop()
|