 def logout(self, to=None):  # pylint: disable=R0201,C0111,C0103
     """End the local session and send the browser to the OP's end-session URL.

     ``to`` is honoured only when it is listed in
     ``auth.logout_allowed_redirect_urls``; anything else falls back to
     ``auth.logout_default_redirect_url``, so this endpoint cannot be used
     as an open redirect.

     Raises:
         cherrypy.HTTPRedirect: always, pointing at the OP logout URL.
     """
     auth_cfg = self.settings["auth"]
     return_to = auth_cfg["logout_default_redirect_url"]
     # NOTE(review): this is exact-match membership; if the allowlist were
     # configured as a single string, ``in`` would degrade to a substring
     # test -- confirm it is a list/set in the deployed settings.
     if to is not None and to in auth_cfg["logout_allowed_redirect_urls"]:
         return_to = to
     #
     # NOTE(review): the standard post-logout parameter is
     # ``post_logout_redirect_uri``; ``redirect_uri`` is non-standard, so
     # confirm the OP in use honours it.
     end_session_req = self.client.construct_EndSessionRequest(
         state=cherrypy.session["state"],
         request_args={"redirect_uri": return_to},
     )
     logout_url = end_session_req.request(self.client.end_session_endpoint)
     if self.settings["oidc"]["debug"]:
         log.warning("Logout URL: %s", logout_url)
     #
     # Drop everything in the local session and rotate its id before leaving.
     cherrypy.session.clear()
     cherrypy.session.regenerate()
     raise cherrypy.HTTPRedirect(logout_url)
def error_handler(status, message, traceback, version):
    """CherryPy ``error_page`` hook that turns any engine error into a redirect.

    The error itself is only logged; the client receives a 303 to the
    configured ``endpoints.access_denied`` URL, so engine internals never
    reach the browser. The returned HTML is a fallback for clients that do
    not follow redirects; the URL is escaped once as an attribute value and
    once as text so it cannot break out of the markup.

    Args:
        status: HTTP status string produced by the engine (logged only).
        message: error message produced by the engine (logged only).
        traceback: unused, accepted for the hook signature.
        version: unused, accepted for the hook signature.

    Returns:
        The HTML fallback body as a ``str``.
    """
    del traceback, version
    log.warning("Engine error: %s: %s", status, message)
    resp = cherrypy.serving.response
    denied_path = tonative(
        cherrypy.config["engine.settings"]["endpoints"]["access_denied"], "utf-8"
    )
    resp.status = 303
    resp.headers["Content-Type"] = "text/html;charset=utf-8"
    resp.headers["Location"] = urllib.parse.urljoin(cherrypy.url(), denied_path)
    location = cherrypy.response.headers["Location"]
    body = "This resource can be found at <a href={}>{}</a>.".format(
        saxutils.quoteattr(location),
        html.escape(location, quote=False),
    )
    # Any Content-Length computed for the original response no longer
    # matches this body; let the server recompute it.
    resp.headers.pop("Content-Length", None)
    return body
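 def callback(self, *args, **kvargs):  # pylint: disable=R0201,C0111,W0613
     """Finish the OIDC authorization-code flow and establish the local session.

     Checks the ``state`` echoed by the OP against the one stored by
     ``login``, exchanges the code for tokens, checks the ID token's
     ``nonce`` against the session, and only then marks the session as
     authenticated. Every failed check redirects to the configured
     ``access_denied`` endpoint instead of surfacing a server error.

     Raises:
         cherrypy.HTTPRedirect: always -- to the post-login URL on success,
             to ``access_denied`` when a check fails.
     """
     access_denied = cherrypy.config["engine.settings"]["endpoints"]["access_denied"]
     auth_resp = self.client.parse_response(
         AuthorizationResponse,
         info=cherrypy.request.query_string,
         sformat="urlencoded")
     # An OP error response (e.g. the user declined consent) carries no
     # ``code``; treat it as a failed login rather than raising KeyError.
     if "code" not in auth_resp or "state" not in auth_resp:
         raise cherrypy.HTTPRedirect(access_denied)
     # CSRF protection: the state must match the one minted in ``login``.
     if "state" not in cherrypy.session or auth_resp["state"] != cherrypy.session["state"]:
         raise cherrypy.HTTPRedirect(access_denied)
     #
     access_token_resp = self.client.do_access_token_request(
         state=auth_resp["state"],
         request_args={"code": auth_resp["code"]},
         authn_method="client_secret_basic")
     #
     if self.settings["oidc"]["debug"]:
         # NOTE(review): this writes the whole token response (access and ID
         # tokens) to the log; keep ``oidc.debug`` off outside development.
         log.warning("Callback access_token_resp: %s", access_token_resp)
     #
     # The redirect target is computed before the session is wiped, in case
     # it depends on session contents.
     redirect_to = self._build_redirect_url()
     session_state = cherrypy.session.pop("state")
     session_nonce = cherrypy.session.pop("nonce")
     id_token = dict(access_token_resp["id_token"])
     # Replay protection: the ID token must echo the nonce sent with the
     # authorization request. The session nonce is not handed to the client
     # library in this flow, so the comparison is done here explicitly.
     if id_token.get("nonce") != session_nonce:
         log.warning("Callback: ID token nonce does not match session nonce")
         raise cherrypy.HTTPRedirect(access_denied)
     #
     # Rotate the session id on login, then carry state/nonce into the new
     # session: ``logout`` reads ``session["state"]`` for its EndSessionRequest.
     cherrypy.session.clear()
     cherrypy.session.regenerate()
     cherrypy.session["state"] = session_state
     cherrypy.session["nonce"] = session_nonce
     cherrypy.session["auth"] = True
     cherrypy.session["auth_errors"] = []
     cherrypy.session["auth_nameid"] = ""
     cherrypy.session["auth_sessionindex"] = ""
     cherrypy.session["auth_attributes"] = id_token
     #
     if self.settings["oidc"]["debug"]:
         log.warning("Callback redirect URL: %s", redirect_to)
     #
     raise cherrypy.HTTPRedirect(redirect_to)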
 def login(self):  # pylint: disable=R0201,C0111
     """Start the OIDC authorization-code flow by redirecting to the OP.

     Fresh ``state`` and ``nonce`` values are stored in the session so that
     ``callback`` can tie the OP's response back to this request.

     Raises:
         cherrypy.HTTPRedirect: always, pointing at the OP authorization URL.
     """
     # NOTE(review): state and nonce must be unpredictable. ``rndstr`` comes
     # from the OIDC client library -- confirm the installed version draws
     # from a CSPRNG; otherwise generate these with ``secrets.token_urlsafe``.
     state = rndstr()
     nonce = rndstr()
     cherrypy.session["state"] = state
     cherrypy.session["nonce"] = nonce
     request_args = {
         "client_id": self.client.client_id,
         "response_type": "code",
         "scope": ["openid"],
         "state": state,
         "nonce": nonce,
         "redirect_uri": self.client.registration_response["redirect_uris"][0],
     }
     auth_req = self.client.construct_AuthorizationRequest(request_args=request_args)
     login_url = auth_req.request(self.client.authorization_endpoint)
     if self.settings["oidc"]["debug"]:
         log.warning("OIDC login URL: %s", login_url)
     raise cherrypy.HTTPRedirect(login_url)
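 def sls(self, *args, **kvargs):  # pylint: disable=R0201,C0111
     """SAML Single Logout Service endpoint.

     Hands the incoming SLO message to the SAML library, drops the local
     session and redirects the browser onward. ``RelayState`` is a
     caller-supplied request parameter, so it is followed only when it is in
     ``auth.logout_allowed_redirect_urls`` (the same allowlist ``logout``
     applies) and is not one of this service's own logout URLs, which would
     loop; otherwise ``auth.logout_default_redirect_url`` is used.

     Raises:
         cherrypy.HTTPRedirect: always.
     """
     saml_cfg = self.settings["saml"]
     debug = saml_cfg["debug"]
     if debug:
         log.warning("===== SLS =====")
         log.warning("SLS args: %s", args)
         log.warning("SLS kvargs: %s", kvargs)
         log.warning("SLS headers: %s", cherrypy.request.headers)
     #
     saml_auth = OneLogin_Saml2_Auth(
         self._prepare_request_object(cherrypy.request), saml_cfg)
     # NOTE(review): the return value of process_slo() is discarded; confirm
     # with the library whether an IdP-initiated LogoutRequest expects a
     # LogoutResponse to be sent back from here.
     saml_auth.process_slo()
     # Validation problems reported by the library are logged regardless of
     # the debug flag; the local session is still terminated below.
     errors = saml_auth.get_errors()
     if errors:
         log.warning("SLS errors: %s", errors)
     if debug:
         log.warning("SLS auth: %s", saml_auth.is_authenticated())
         log.warning("SLS err: %s", errors)
         log.warning("SLS attrs: %s", saml_auth.get_attributes())
         log.warning("SLS NameID: %s", saml_auth.get_nameid())
         log.warning("SLS SessionIndex: %s", saml_auth.get_session_index())
     #
     cherrypy.session.clear()
     cherrypy.session.regenerate()
     #
     base = cherrypy.request.base
     script_name = cherrypy.request.script_name
     loop_urls = [
         base + script_name + "/sls",
         base + script_name + "/logout",
         base + (self.settings["endpoints"]["root"] + "/logout").replace("//", "/"),
     ]
     auth_cfg = self.settings["auth"]
     relay_state = cherrypy.request.params.get("RelayState")
     # NOTE(review): exact-match membership, as in ``logout``; a string-typed
     # allowlist would turn this into a substring test -- confirm the config.
     if relay_state is not None \
             and relay_state in auth_cfg["logout_allowed_redirect_urls"] \
             and relay_state not in loop_urls:
         raise cherrypy.HTTPRedirect(relay_state)
     raise cherrypy.HTTPRedirect(auth_cfg["logout_default_redirect_url"])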