def _create_id(self, nformat, name_qualifier="", sp_name_qualifier=""):
_id = sha256(rndbytes(32))
_id.update(nformat.encode("utf8"))
if name_qualifier:
_id.update(name_qualifier.encode("utf8"))
if sp_name_qualifier:
_id.update(sp_name_qualifier.encode("utf8"))
return _id.hexdigest()
def user2kaka(self, user):
uid = rndbytes(32)
self.uid2user[uid] = user
cookie = SimpleCookie()
cookie[self.cookie_name] = uid
cookie[self.cookie_name]['path'] = "/"
cookie[self.cookie_name]["expires"] = _expiration(480)
logger.debug("Cookie expires: %s" % cookie[self.cookie_name]["expires"])
return tuple(cookie.output().split(": ", 1))
def use_artifact(self, message, endpoint_index=0):
"""
:param message:
:param endpoint_index:
:return:
"""
message_handle = sha1(str(message).encode('utf-8'))
message_handle.update(rndbytes())
mhd = message_handle.digest()
saml_art = create_artifact(self.config.entityid, mhd, endpoint_index)
self.artifact[saml_art] = message
return saml_art
def __init__(self, config_file="", config=None, cache=None, stype="idp",
symkey=""):
Entity.__init__(self, stype, config, config_file)
self.eptid = None
self.init_config(stype)
self.cache = cache
self.ticket = {}
#
self.session_db = self.choose_session_storage()
# Needed for
self.symkey = symkey
self.seed = rndbytes()
self.iv = os.urandom(16)
def _create_id(self, nformat, name_qualifier="", sp_name_qualifier=""):
_id = sha256(rndbytes(32))
if not isinstance(nformat, six.binary_type):
nformat = nformat.encode('utf-8')
_id.update(nformat)
if name_qualifier:
if not isinstance(name_qualifier, six.binary_type):
name_qualifier = name_qualifier.encode('utf-8')
_id.update(name_qualifier)
if sp_name_qualifier:
if not isinstance(sp_name_qualifier, six.binary_type):
sp_name_qualifier = sp_name_qualifier.encode('utf-8')
_id.update(sp_name_qualifier)
return _id.hexdigest()
def _create_id(self, nformat, name_qualifier="", sp_name_qualifier=""):
_id = sha256(rndbytes(32))
if not isinstance(nformat, six.binary_type):
nformat = nformat.encode('utf-8')
_id.update(nformat)
if name_qualifier:
if not isinstance(name_qualifier, six.binary_type):
name_qualifier = name_qualifier.encode('utf-8')
_id.update(name_qualifier)
if sp_name_qualifier:
if not isinstance(sp_name_qualifier, six.binary_type):
sp_name_qualifier = sp_name_qualifier.encode('utf-8')
_id.update(sp_name_qualifier)
return _id.hexdigest()
def use_artifact(self, message, endpoint_index=0):
"""
:param message:
:param endpoint_index:
:return:
"""
_txt = "%s" % message
message_handle = sha1(_txt.encode("utf8"))
message_handle.update(rndbytes())
mhd = message_handle.digest()
saml_art = create_artifact(self.config.entityid, mhd, endpoint_index)
try:
saml_art = saml_art.decode()
except AttributeError:
pass
self.artifact[saml_art] = message
return saml_art
def use_artifact(self, message, endpoint_index=0):
"""
:param message:
:param endpoint_index:
:return:
"""
_txt = "%s" % message
message_handle = sha1(_txt.encode("utf8"))
message_handle.update(rndbytes())
mhd = message_handle.digest()
saml_art = create_artifact(self.config.entityid, mhd, endpoint_index)
try:
saml_art = saml_art.decode()
except AttributeError:
pass
self.artifact[saml_art] = message
return saml_art
def __init__(self,
entity_type,
config=None,
config_file="",
virtual_organization=""):
self.entity_type = entity_type
self.users = None
if config:
self.config = config
elif config_file:
self.config = config_factory(entity_type, config_file)
else:
raise SAMLError("Missing configuration")
HTTPBase.__init__(self, self.config.verify_ssl_cert,
self.config.ca_certs, self.config.key_file,
self.config.cert_file)
if self.config.vorg:
for vo in list(self.config.vorg.values()):
vo.sp = self
self.metadata = self.config.metadata
self.config.setup_logger()
self.debug = self.config.debug
self.seed = rndbytes(32)
self.sec = security_context(self.config)
if virtual_organization:
if isinstance(virtual_organization, str):
self.vorg = self.config.vorg[virtual_organization]
elif isinstance(virtual_organization, VirtualOrg):
self.vorg = virtual_organization
else:
self.vorg = None
self.artifact = {}
if self.metadata:
self.sourceid = self.metadata.construct_source_id()
else:
self.sourceid = {}
def __init__(self, entity_type, config=None, config_file="",
virtual_organization=""):
self.entity_type = entity_type
self.users = None
if config:
self.config = config
elif config_file:
self.config = config_factory(entity_type, config_file)
else:
raise SAMLError("Missing configuration")
HTTPBase.__init__(self, self.config.verify_ssl_cert,
self.config.ca_certs, self.config.key_file,
self.config.cert_file)
if self.config.vorg:
for vo in list(self.config.vorg.values()):
vo.sp = self
self.metadata = self.config.metadata
self.config.setup_logger()
self.debug = self.config.debug
self.seed = rndbytes(32)
self.sec = security_context(self.config)
if virtual_organization:
if isinstance(virtual_organization, str):
self.vorg = self.config.vorg[virtual_organization]
elif isinstance(virtual_organization, VirtualOrg):
self.vorg = virtual_organization
else:
self.vorg = None
self.artifact = {}
if self.metadata:
self.sourceid = self.metadata.construct_source_id()
else:
self.sourceid = {}
def redirect_to_auth(self, _cli, entity_id, came_from, vorg_name=""):
try:
_binding, destination = _cli.pick_binding(
"single_sign_on_service", self.bindings, "idpsso",
entity_id=entity_id)
logger.debug("binding: %s, destination: %s" % (_binding,
destination))
req = _cli.create_authn_request(destination, vorg=vorg_name)
_rstate = rndbytes()
self.cache.relay_state[_rstate] = came_from
ht_args = _cli.apply_binding(_binding, "%s" % req, destination,
relay_state=_rstate)
_sid = req.id
logger.debug("ht_args: %s" % ht_args)
except Exception as exc:
logger.exception(exc)
resp = ServiceError(
"Failed to construct the AuthnRequest: %s" % exc)
return resp(self.environ, self.start_response)
# remember the request
self.cache.outstanding_queries[_sid] = came_from
return self.response(_binding, ht_args, do_not_start_response=True)
def _pick_idp(self, came_from):
"""
If more than one idp and if none is selected, I have to do wayf or
disco
"""
_cli = self.sp
logger.debug("[_pick_idp] %s" % self.environ)
if "HTTP_PAOS" in self.environ:
if self.environ["HTTP_PAOS"] == PAOS_HEADER_INFO:
if 'application/vnd.paos+xml' in self.environ["HTTP_ACCEPT"]:
# Where should I redirect the user to
# entityid -> the IdP to use
# relay_state -> when back from authentication
logger.debug("- ECP client detected -")
_rstate = rndbytes()
self.cache.relay_state[_rstate] = geturl(self.environ)
_entityid = _cli.config.ecp_endpoint(
self.environ["REMOTE_ADDR"])
if not _entityid:
return -1, ServiceError("No IdP to talk to")
logger.debug("IdP to talk to: %s" % _entityid)
return ecp.ecp_auth_request(_cli, _entityid, _rstate)
else:
return -1, ServiceError('Faulty Accept header')
else:
return -1, ServiceError('unknown ECP version')
# Find all IdPs
idps = self.sp.metadata.with_descriptor("idpsso")
idp_entity_id = None
kaka = self.environ.get("HTTP_COOKIE", '')
if kaka:
try:
(idp_entity_id, _) = parse_cookie("ve_disco", "SEED_SAW", kaka)
except ValueError:
pass
except TypeError:
pass
# Any specific IdP specified in a query part
query = self.environ.get("QUERY_STRING")
if not idp_entity_id and query:
try:
_idp_entity_id = dict(parse_qs(query))[
self.idp_query_param][0]
if _idp_entity_id in idps:
idp_entity_id = _idp_entity_id
except KeyError:
logger.debug("No IdP entity ID in query: %s" % query)
pass
if not idp_entity_id:
if self.wayf:
if query:
try:
wayf_selected = dict(parse_qs(query))[
"wayf_selected"][0]
except KeyError:
return self._wayf_redirect(came_from)
idp_entity_id = wayf_selected
else:
return self._wayf_redirect(came_from)
elif self.discosrv:
if query:
idp_entity_id = _cli.parse_discovery_service_response(
query=self.environ.get("QUERY_STRING"))
if not idp_entity_id:
sid_ = sid()
self.cache.outstanding_queries[sid_] = came_from
logger.debug("Redirect to Discovery Service function")
eid = _cli.config.entityid
ret = _cli.config.getattr("endpoints",
"sp")["discovery_response"][0][0]
ret += "?sid=%s" % sid_
loc = _cli.create_discovery_service_request(
self.discosrv, eid, **{"return": ret})
return -1, SeeOther(loc)
elif len(idps) == 1:
# idps is a dictionary
idp_entity_id = list(idps.keys())[0]
elif not len(idps):
return -1, ServiceError('Misconfiguration')
else:
return -1, NotImplemented("No WAYF or DS present!")
logger.info("Chosen IdP: '%s'" % idp_entity_id)
return 0, idp_entity_id