def logout(self, to=None):  # pylint: disable=R0201,C0111,C0103
    """End the OIDC session and send the browser to a post-logout page.

    ``to`` is honoured only when it appears verbatim in
    ``settings["auth"]["logout_allowed_redirect_urls"]``; any other value
    falls back to ``settings["auth"]["logout_default_redirect_url"]``, so the
    parameter cannot be used to bounce the browser to an arbitrary site.

    The local CherryPy session is cleared and its id regenerated before the
    redirect is raised.

    Raises:
        cherrypy.HTTPRedirect: always, towards the provider's end-session URL.
    """
    auth_settings = self.settings["auth"]
    post_logout_url = auth_settings["logout_default_redirect_url"]
    # Exact-match allowlist: no prefix or host matching, on purpose.
    if to is not None and to in auth_settings["logout_allowed_redirect_urls"]:
        post_logout_url = to
    # NOTE(review): the session "state" is read unconditionally, so a logout
    # without a preceding login raises KeyError here — confirm that is the
    # intended outcome.
    end_session_req = self.client.construct_EndSessionRequest(
        state=cherrypy.session["state"],
        request_args={"redirect_uri": post_logout_url},
    )
    end_session_url = end_session_req.request(self.client.end_session_endpoint)
    # Debug only: the end-session URL carries the id_token_hint, if any.
    if self.settings["oidc"]["debug"]:
        log.warning("Logout URL: %s", end_session_url)
    cherrypy.session.clear()
    cherrypy.session.regenerate()
    raise cherrypy.HTTPRedirect(end_session_url)
def error_handler(status, message, traceback, version):
    """CherryPy error handler that redirects to the access-denied page.

    Logs the engine error, then rewrites the current response into a
    ``303 See Other`` whose ``Location`` is
    ``engine.settings["endpoints"]["access_denied"]`` resolved against the
    current request URL. The returned HTML body carries the same link, with
    the URL escaped once as an attribute value and once as link text.

    Args:
        status: HTTP status text supplied by CherryPy.
        message: Error message supplied by CherryPy.
        traceback: Unused; part of the handler signature CherryPy expects.
        version: Unused; part of the handler signature CherryPy expects.

    Returns:
        The HTML body to send along with the redirect.
    """
    del traceback, version  # accepted only to satisfy the handler signature
    log.warning("Engine error: %s: %s", status, message)

    denied_endpoint = tonative(
        cherrypy.config["engine.settings"]["endpoints"]["access_denied"],
        "utf-8",
    )
    location = urllib.parse.urljoin(cherrypy.url(), denied_endpoint)

    response = cherrypy.serving.response
    response.status = 303
    response.headers["Content-Type"] = "text/html;charset=utf-8"
    response.headers["Location"] = location

    # Attribute context and text context need different escaping; quoteattr
    # also supplies the surrounding quotes for the href value.
    body = "This resource can be found at <a href=%s>%s</a>." % (
        saxutils.quoteattr(response.headers["Location"]),
        html.escape(response.headers["Location"], quote=False),
    )
    # The length computed for the original error body no longer applies.
    response.headers.pop("Content-Length", None)
    return body
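def callback(self, *args, **kvargs):  # pylint: disable=R0201,C0111,W0613
    """Handle the OIDC redirect back from the provider.

    Parses the authorization response from the query string, requires its
    ``state`` to equal the one stored by ``login()``, exchanges the ``code``
    for tokens and then establishes an authenticated session from the ID
    token claims.

    Any request that fails the state check, or that carries no ``code``
    (for example an error response from the provider), is redirected to
    ``engine.settings["endpoints"]["access_denied"]`` instead of raising
    ``KeyError`` into the error handler.

    Raises:
        cherrypy.HTTPRedirect: always — to the post-login target on success,
            to the access-denied page otherwise.
    """
    auth_resp = self.client.parse_response(
        AuthorizationResponse,
        info=cherrypy.request.query_string,
        sformat="urlencoded",
    )
    access_denied = cherrypy.config["engine.settings"]["endpoints"]["access_denied"]

    # CSRF check: the callback must echo exactly the state issued by login().
    # Responses lacking "state" or "code" take the same access-denied path
    # rather than raising KeyError below.
    if (
        "state" not in cherrypy.session
        or "state" not in auth_resp
        or auth_resp["state"] != cherrypy.session["state"]
        or "code" not in auth_resp
    ):
        raise cherrypy.HTTPRedirect(access_denied)

    access_token_resp = self.client.do_access_token_request(
        state=auth_resp["state"],
        request_args={"code": auth_resp["code"]},
        authn_method="client_secret_basic",
    )
    # Debug only: this logs the raw token response, access token included.
    if self.settings["oidc"]["debug"]:
        log.warning("Callback access_token_resp: %s", access_token_resp)

    redirect_to = self._build_redirect_url()
    session_state = cherrypy.session.pop("state")
    session_nonce = cherrypy.session.pop("nonce", None)
    id_token = dict(access_token_resp["id_token"])
    # NOTE(review): session_nonce is carried into the new session but is not
    # compared with id_token["nonce"] here — confirm the client library
    # performs that check when it parses the token response.

    # Rotate the session id at the anonymous -> authenticated transition so a
    # session id obtained before login is not promoted to an authenticated one.
    cherrypy.session.clear()
    cherrypy.session.regenerate()
    cherrypy.session["state"] = session_state
    cherrypy.session["nonce"] = session_nonce
    cherrypy.session["auth"] = True
    cherrypy.session["auth_errors"] = []
    cherrypy.session["auth_nameid"] = ""
    cherrypy.session["auth_sessionindex"] = ""
    cherrypy.session["auth_attributes"] = id_token

    if self.settings["oidc"]["debug"]:
        log.warning("Callback redirect URL: %s", redirect_to)
    raise cherrypy.HTTPRedirect(redirect_to)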
def login(self):  # pylint: disable=R0201,C0111
    """Start the OIDC authorization-code flow.

    Stores fresh random ``state`` and ``nonce`` values in the session
    (``state`` is checked again by ``callback()``), builds an authorization
    request for the ``openid`` scope using the first registered redirect URI,
    and sends the browser to the provider.

    Raises:
        cherrypy.HTTPRedirect: always, towards the provider's authorization
            endpoint.
    """
    session = cherrypy.session
    session["state"] = rndstr()
    session["nonce"] = rndstr()

    client = self.client
    request_args = {
        "client_id": client.client_id,
        "response_type": "code",
        "scope": ["openid"],
        "state": session["state"],
        "nonce": session["nonce"],
        "redirect_uri": client.registration_response["redirect_uris"][0],
    }
    authz_req = client.construct_AuthorizationRequest(request_args=request_args)
    authz_url = authz_req.request(client.authorization_endpoint)

    if self.settings["oidc"]["debug"]:
        log.warning("OIDC login URL: %s", authz_url)
    raise cherrypy.HTTPRedirect(authz_url)
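def sls(self, *args, **kvargs):  # pylint: disable=R0201,C0111
    """SAML Single Logout Service endpoint.

    Lets the SAML toolkit process the incoming logout request/response,
    wipes the local session and redirects the browser.

    A ``RelayState`` request parameter is honoured only when it is not one of
    this application's own logout URLs (which would loop) and it appears
    verbatim in ``settings["auth"]["logout_allowed_redirect_urls"]`` — the
    same allowlist ``logout()`` applies to its ``to`` parameter. Previously
    any non-looping ``RelayState`` was followed, which let a crafted link to
    this endpoint redirect the browser to an arbitrary site. Anything else
    falls back to ``settings["auth"]["logout_default_redirect_url"]``.

    Raises:
        cherrypy.HTTPRedirect: always.
    """
    saml_settings = self.settings["saml"]
    debug = saml_settings["debug"]
    request = cherrypy.request
    if debug:
        log.warning("===== SLS =====")
        log.warning("SLS args: %s", args)
        log.warning("SLS kvargs: %s", kvargs)
        log.warning("SLS headers: %s", request.headers)

    saml_auth = OneLogin_Saml2_Auth(
        self._prepare_request_object(request), saml_settings)
    # NOTE(review): the value returned by process_slo() is discarded, as in
    # the original; confirm no follow-up redirect to the IdP is required.
    saml_auth.process_slo()

    if debug:
        log.warning("SLS auth: %s", saml_auth.is_authenticated())
        log.warning("SLS err: %s", saml_auth.get_errors())
        log.warning("SLS attrs: %s", saml_auth.get_attributes())
        log.warning("SLS NameID: %s", saml_auth.get_nameid())
        log.warning("SLS SessionIndex: %s", saml_auth.get_session_index())

    # Local logout happens regardless of how the SLO exchange went.
    cherrypy.session.clear()
    cherrypy.session.regenerate()

    # URLs that would bounce straight back into a logout handler.
    loop_urls = {
        request.base + request.script_name + "/sls",
        request.base + request.script_name + "/logout",
        request.base
        + (self.settings["endpoints"]["root"] + "/logout").replace("//", "/"),
    }
    auth_settings = self.settings["auth"]
    relay_state = request.params.get("RelayState")
    # RelayState is attacker-controllable input; exact-match against the
    # configured allowlist before following it.
    if (
        relay_state
        and relay_state not in loop_urls
        and relay_state in auth_settings["logout_allowed_redirect_urls"]
    ):
        raise cherrypy.HTTPRedirect(relay_state)
    raise cherrypy.HTTPRedirect(auth_settings["logout_default_redirect_url"])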