Beispiel #1
0
 def _create_id(self, nformat, name_qualifier="", sp_name_qualifier=""):
     _id = sha256(rndbytes(32))
     _id.update(nformat.encode("utf8"))
     if name_qualifier:
         _id.update(name_qualifier.encode("utf8"))
     if sp_name_qualifier:
         _id.update(sp_name_qualifier.encode("utf8"))
     return _id.hexdigest()
Beispiel #2
0
 def user2kaka(self, user):
     uid = rndbytes(32)
     self.uid2user[uid] = user
     cookie = SimpleCookie()
     cookie[self.cookie_name] = uid
     cookie[self.cookie_name]['path'] = "/"
     cookie[self.cookie_name]["expires"] = _expiration(480)
     logger.debug("Cookie expires: %s" % cookie[self.cookie_name]["expires"])
     return tuple(cookie.output().split(": ", 1))
Beispiel #3
0
    def use_artifact(self, message, endpoint_index=0):
        """

        :param message:
        :param endpoint_index:
        :return:
        """
        message_handle = sha1(str(message).encode('utf-8'))
        message_handle.update(rndbytes())
        mhd = message_handle.digest()
        saml_art = create_artifact(self.config.entityid, mhd, endpoint_index)
        self.artifact[saml_art] = message
        return saml_art
Beispiel #4
0
 def __init__(self, config_file="", config=None, cache=None, stype="idp",
              symkey=""):
     Entity.__init__(self, stype, config, config_file)
     self.eptid = None
     self.init_config(stype)
     self.cache = cache
     self.ticket = {}
     #
     self.session_db = self.choose_session_storage()
     # Needed for
     self.symkey = symkey
     self.seed = rndbytes()
     self.iv = os.urandom(16)
Beispiel #5
0
 def _create_id(self, nformat, name_qualifier="", sp_name_qualifier=""):
     _id = sha256(rndbytes(32))
     if not isinstance(nformat, six.binary_type):
         nformat = nformat.encode('utf-8')
     _id.update(nformat)
     if name_qualifier:
         if not isinstance(name_qualifier, six.binary_type):
             name_qualifier = name_qualifier.encode('utf-8')
         _id.update(name_qualifier)
     if sp_name_qualifier:
         if not isinstance(sp_name_qualifier, six.binary_type):
             sp_name_qualifier = sp_name_qualifier.encode('utf-8')
         _id.update(sp_name_qualifier)
     return _id.hexdigest()
Beispiel #6
0
 def _create_id(self, nformat, name_qualifier="", sp_name_qualifier=""):
     _id = sha256(rndbytes(32))
     if not isinstance(nformat, six.binary_type):
         nformat = nformat.encode('utf-8')
     _id.update(nformat)
     if name_qualifier:
         if not isinstance(name_qualifier, six.binary_type):
             name_qualifier = name_qualifier.encode('utf-8')
         _id.update(name_qualifier)
     if sp_name_qualifier:
         if not isinstance(sp_name_qualifier, six.binary_type):
             sp_name_qualifier = sp_name_qualifier.encode('utf-8')
         _id.update(sp_name_qualifier)
     return _id.hexdigest()
Beispiel #7
0
    def use_artifact(self, message, endpoint_index=0):
        """

        :param message:
        :param endpoint_index:
        :return:
        """
        _txt = "%s" % message
        message_handle = sha1(_txt.encode("utf8"))
        message_handle.update(rndbytes())
        mhd = message_handle.digest()
        saml_art = create_artifact(self.config.entityid, mhd, endpoint_index)
        try:
            saml_art = saml_art.decode()
        except AttributeError:
            pass
        self.artifact[saml_art] = message
        return saml_art
Beispiel #8
0
    def use_artifact(self, message, endpoint_index=0):
        """

        :param message:
        :param endpoint_index:
        :return:
        """
        _txt = "%s" % message
        message_handle = sha1(_txt.encode("utf8"))
        message_handle.update(rndbytes())
        mhd = message_handle.digest()
        saml_art = create_artifact(self.config.entityid, mhd, endpoint_index)
        try:
            saml_art = saml_art.decode()
        except AttributeError:
            pass
        self.artifact[saml_art] = message
        return saml_art
Beispiel #9
0
    def __init__(self,
                 entity_type,
                 config=None,
                 config_file="",
                 virtual_organization=""):
        self.entity_type = entity_type
        self.users = None

        if config:
            self.config = config
        elif config_file:
            self.config = config_factory(entity_type, config_file)
        else:
            raise SAMLError("Missing configuration")

        HTTPBase.__init__(self, self.config.verify_ssl_cert,
                          self.config.ca_certs, self.config.key_file,
                          self.config.cert_file)

        if self.config.vorg:
            for vo in list(self.config.vorg.values()):
                vo.sp = self

        self.metadata = self.config.metadata
        self.config.setup_logger()
        self.debug = self.config.debug
        self.seed = rndbytes(32)

        self.sec = security_context(self.config)

        if virtual_organization:
            if isinstance(virtual_organization, str):
                self.vorg = self.config.vorg[virtual_organization]
            elif isinstance(virtual_organization, VirtualOrg):
                self.vorg = virtual_organization
        else:
            self.vorg = None

        self.artifact = {}
        if self.metadata:
            self.sourceid = self.metadata.construct_source_id()
        else:
            self.sourceid = {}
Beispiel #10
0
    def __init__(self, entity_type, config=None, config_file="",
                 virtual_organization=""):
        self.entity_type = entity_type
        self.users = None

        if config:
            self.config = config
        elif config_file:
            self.config = config_factory(entity_type, config_file)
        else:
            raise SAMLError("Missing configuration")

        HTTPBase.__init__(self, self.config.verify_ssl_cert,
                          self.config.ca_certs, self.config.key_file,
                          self.config.cert_file)

        if self.config.vorg:
            for vo in list(self.config.vorg.values()):
                vo.sp = self

        self.metadata = self.config.metadata
        self.config.setup_logger()
        self.debug = self.config.debug
        self.seed = rndbytes(32)

        self.sec = security_context(self.config)

        if virtual_organization:
            if isinstance(virtual_organization, str):
                self.vorg = self.config.vorg[virtual_organization]
            elif isinstance(virtual_organization, VirtualOrg):
                self.vorg = virtual_organization
        else:
            self.vorg = None

        self.artifact = {}
        if self.metadata:
            self.sourceid = self.metadata.construct_source_id()
        else:
            self.sourceid = {}
Beispiel #11
0
    def redirect_to_auth(self, _cli, entity_id, came_from, vorg_name=""):
        try:
            _binding, destination = _cli.pick_binding(
                "single_sign_on_service", self.bindings, "idpsso",
                entity_id=entity_id)
            logger.debug("binding: %s, destination: %s" % (_binding,
                                                           destination))
            req = _cli.create_authn_request(destination, vorg=vorg_name)
            _rstate = rndbytes()
            self.cache.relay_state[_rstate] = came_from
            ht_args = _cli.apply_binding(_binding, "%s" % req, destination,
                                         relay_state=_rstate)
            _sid = req.id
            logger.debug("ht_args: %s" % ht_args)
        except Exception as exc:
            logger.exception(exc)
            resp = ServiceError(
                "Failed to construct the AuthnRequest: %s" % exc)
            return resp(self.environ, self.start_response)

        # remember the request
        self.cache.outstanding_queries[_sid] = came_from
        return self.response(_binding, ht_args, do_not_start_response=True)
Beispiel #12
0
    def _pick_idp(self, came_from):
        """
        If more than one idp and if none is selected, I have to do wayf or
        disco
        """

        _cli = self.sp

        logger.debug("[_pick_idp] %s" % self.environ)
        if "HTTP_PAOS" in self.environ:
            if self.environ["HTTP_PAOS"] == PAOS_HEADER_INFO:
                if 'application/vnd.paos+xml' in self.environ["HTTP_ACCEPT"]:
                    # Where should I redirect the user to
                    # entityid -> the IdP to use
                    # relay_state -> when back from authentication

                    logger.debug("- ECP client detected -")

                    _rstate = rndbytes()
                    self.cache.relay_state[_rstate] = geturl(self.environ)
                    _entityid = _cli.config.ecp_endpoint(
                        self.environ["REMOTE_ADDR"])

                    if not _entityid:
                        return -1, ServiceError("No IdP to talk to")
                    logger.debug("IdP to talk to: %s" % _entityid)
                    return ecp.ecp_auth_request(_cli, _entityid, _rstate)
                else:
                    return -1, ServiceError('Faulty Accept header')
            else:
                return -1, ServiceError('unknown ECP version')

        # Find all IdPs
        idps = self.sp.metadata.with_descriptor("idpsso")

        idp_entity_id = None

        kaka = self.environ.get("HTTP_COOKIE", '')
        if kaka:
            try:
                (idp_entity_id, _) = parse_cookie("ve_disco", "SEED_SAW", kaka)
            except ValueError:
                pass
            except TypeError:
                pass

        # Any specific IdP specified in a query part
        query = self.environ.get("QUERY_STRING")
        if not idp_entity_id and query:
            try:
                _idp_entity_id = dict(parse_qs(query))[
                    self.idp_query_param][0]
                if _idp_entity_id in idps:
                    idp_entity_id = _idp_entity_id
            except KeyError:
                logger.debug("No IdP entity ID in query: %s" % query)
                pass

        if not idp_entity_id:

            if self.wayf:
                if query:
                    try:
                        wayf_selected = dict(parse_qs(query))[
                            "wayf_selected"][0]
                    except KeyError:
                        return self._wayf_redirect(came_from)
                    idp_entity_id = wayf_selected
                else:
                    return self._wayf_redirect(came_from)
            elif self.discosrv:
                if query:
                    idp_entity_id = _cli.parse_discovery_service_response(
                        query=self.environ.get("QUERY_STRING"))
                if not idp_entity_id:
                    sid_ = sid()
                    self.cache.outstanding_queries[sid_] = came_from
                    logger.debug("Redirect to Discovery Service function")
                    eid = _cli.config.entityid
                    ret = _cli.config.getattr("endpoints",
                                              "sp")["discovery_response"][0][0]
                    ret += "?sid=%s" % sid_
                    loc = _cli.create_discovery_service_request(
                        self.discosrv, eid, **{"return": ret})
                    return -1, SeeOther(loc)
            elif len(idps) == 1:
                # idps is a dictionary
                idp_entity_id = list(idps.keys())[0]
            elif not len(idps):
                return -1, ServiceError('Misconfiguration')
            else:
                return -1, NotImplemented("No WAYF or DS present!")

        logger.info("Chosen IdP: '%s'" % idp_entity_id)
        return 0, idp_entity_id