def challenge(self, environ, _status, _app_headers, _forget_headers):
# this challenge consist in login out
if environ.has_key('rwpc.logout'):
# ignore right now?
pass
logger = environ.get('repoze.who.logger', '')
# Which page was accessed to get here
came_from = construct_came_from(environ)
environ["myapp.came_from"] = came_from
logger.debug("[sp.challenge] RelayState >> %s" % came_from)
# Am I part of a virtual organization ?
try:
vorg_name = environ["myapp.vo"]
except KeyError:
try:
vorg_name = self.saml_client.vorg.vorg_name
except AttributeError:
vorg_name = ""
logger.info("[sp.challenge] VO: %s" % vorg_name)
# If more than one idp and if none is selected, I have to do wayf
(done, response) = self._pick_idp(environ, came_from)
# Three cases: -1 something went wrong or Discovery service used
# 0 I've got an IdP to send a request to
# >0 ECP in progress
logger.debug("_idp_pick returned: %s" % done)
if done == -1:
return response
elif done > 0:
self.outstanding_queries[done] = came_from
return ECP_response(response)
else:
idp_url = response
logger.info("[sp.challenge] idp_url: %s" % idp_url)
# Do the AuthnRequest
(sid_,
result) = self.saml_client.authenticate(idp_url,
relay_state=came_from,
vorg=vorg_name)
# remember the request
self.outstanding_queries[sid_] = came_from
if isinstance(result, tuple):
logger.debug('redirect to: %s' % result[1])
return HTTPSeeOther(headers=[result])
else:
return HTTPInternalServerError(
detail='Incorrect returned data')
def delete_perm_user(self, repo_name):
"""
DELETE an existing repository permission user
:param repo_name:
"""
try:
RepoModel().revoke_user_permission(repo=repo_name,
user=request.POST['user_id'])
Session.commit()
except Exception:
log.error(traceback.format_exc())
h.flash(_('An error occurred during deletion of repository user'),
category='error')
raise HTTPInternalServerError()
def _pick_idp(self, environ, came_from):
"""
If more than one idp and if none is selected, I have to do wayf or
disco
"""
# check headers to see if it's an ECP request
# headers = {
# 'Accept' : 'text/html; application/vnd.paos+xml',
# 'PAOS' : 'ver="%s";"%s"' % (paos.NAMESPACE,
# SERVICE)
# }
_cli = self.saml_client
logger.info("[_pick_idp] %s" % environ)
if "HTTP_PAOS" in environ:
if environ["HTTP_PAOS"] == PAOS_HEADER_INFO:
if 'application/vnd.paos+xml' in environ["HTTP_ACCEPT"]:
# Where should I redirect the user to
# entityid -> the IdP to use
# relay_state -> when back from authentication
logger.info("- ECP client detected -")
_relay_state = construct_came_from(environ)
_entityid = _cli.config.ecp_endpoint(environ["REMOTE_ADDR"])
if not _entityid:
return -1, HTTPInternalServerError(
detail="No IdP to talk to")
logger.info("IdP to talk to: %s" % _entityid)
return ecp.ecp_auth_request(_cli, _entityid,
_relay_state)
else:
return -1, HTTPInternalServerError(
detail='Faulty Accept header')
else:
return -1, HTTPInternalServerError(
detail='unknown ECP version')
idps = self.metadata.with_descriptor("idpsso")
logger.info("IdP URL: %s" % idps)
idp_entity_id = query = None
for key in ['s2repoze.body', "QUERY_STRING"]:
query = environ.get(key)
if query:
try:
_idp_entity_id = dict(parse_qs(query))[
self.idp_query_param][0]
if _idp_entity_id in idps:
idp_entity_id = _idp_entity_id
break
except KeyError:
logger.debug("No IdP entity ID in query: %s" % query)
pass
if idp_entity_id is None:
if len(idps) == 1:
# idps is a dictionary
idp_entity_id = idps.keys()[0]
elif not len(idps):
return -1, HTTPInternalServerError(detail='Misconfiguration')
else:
idp_entity_id = ""
logger.info("ENVIRON: %s" % environ)
if self.wayf:
if query:
try:
wayf_selected = dict(parse_qs(query))[
"wayf_selected"][0]
except KeyError:
return self._wayf_redirect(came_from)
idp_entity_id = wayf_selected
else:
return self._wayf_redirect(came_from)
elif self.discosrv:
if query:
idp_entity_id = _cli.parse_discovery_service_response(
query=environ.get("QUERY_STRING"))
else:
sid_ = sid()
self.outstanding_queries[sid_] = came_from
logger.debug("Redirect to Discovery Service function")
eid = _cli.config.entityid
ret = _cli.config.getattr(
"endpoints", "sp")["discovery_response"][0][0]
ret += "?sid=%s" % sid_
loc = _cli.create_discovery_service_request(
self.discosrv, eid, **{"return": ret})
return -1, SeeOther(loc)
else:
return -1, HTTPNotImplemented(
detail='No WAYF or DJ present!')
logger.info("Chosen IdP: '%s'" % idp_entity_id)
return 0, idp_entity_id
def _pick_idp(self, environ, came_from):
"""
If more than one idp and if none is selected, I have to do wayf or
disco
"""
# check headers to see if it's an ECP request
# headers = {
# 'Accept' : 'text/html; application/vnd.paos+xml',
# 'PAOS' : 'ver="%s";"%s"' % (paos.NAMESPACE, SERVICE)
# }
logger.info("[_pick_idp] %s" % environ)
if "HTTP_PAOS" in environ:
if environ["HTTP_PAOS"] == PAOS_HEADER_INFO:
if 'application/vnd.paos+xml' in environ["HTTP_ACCEPT"]:
# Where should I redirect the user to
# entityid -> the IdP to use
# relay_state -> when back from authentication
logger.info("- ECP client detected -")
_relay_state = construct_came_from(environ)
_entityid = self.saml_client.config.ecp_endpoint(
environ["REMOTE_ADDR"])
if not _entityid:
return -1, HTTPInternalServerError(
detail="No IdP to talk to")
logger.info("IdP to talk to: %s" % _entityid)
return ecp.ecp_auth_request(self.saml_client, _entityid,
_relay_state)
else:
return -1, HTTPInternalServerError(
detail='Faulty Accept header')
else:
return -1, HTTPInternalServerError(
detail='unknown ECP version')
idps = self.conf.idps()
logger.info("IdP URL: %s" % idps)
if len(idps) == 1:
# idps is a dictionary
idp_entity_id = idps.keys()[0]
elif not len(idps):
return -1, HTTPInternalServerError(detail='Misconfiguration')
else:
idp_entity_id = ""
logger.info("ENVIRON: %s" % environ)
query = environ.get('s2repoze.body', '')
if not query:
query = environ.get("QUERY_STRING", "")
logger.info("<_pick_idp> query: %s" % query)
if self.wayf:
if query:
try:
wayf_selected = dict(
parse_qs(query))["wayf_selected"][0]
except KeyError:
return self._wayf_redirect(came_from)
idp_entity_id = wayf_selected
else:
return self._wayf_redirect(came_from)
elif self.discovery:
if query:
idp_entity_id = self.saml_client.get_idp_from_discovery_service(
query=environ.get("QUERY_STRING"))
else:
sid_ = sid()
self.outstanding_queries[sid_] = came_from
logger.info("Redirect to Discovery Service function")
loc = self.saml_client.request_to_discovery_service(
self.discovery)
return -1, HTTPSeeOther(headers=[('Location', loc)])
else:
return -1, HTTPNotImplemented(detail='No WAYF or DJ present!')
logger.info("Choosen IdP: '%s'" % idp_entity_id)
return 0, idp_entity_id
def wrapped(environ, start_response):
if 'HTTP_X_FORWARDED_SERVER' in environ:
exc = HTTPInternalServerError()
exc.explanation = cant_proxy_correctly_message
raise exc
return app(environ, start_response)
