Exemple #1
0
def artifact_resolve(request, soap_message):
    '''Resolve a SAMLv1.1 ArtifactResolve request
    '''
    server = create_idff12_server(request, reverse(metadata))
    login = lasso.Login(server)
    try:
        login.processRequestMsg(soap_message)
    except:
        raise
    logging.debug('ID-FFv1.2 artifact resolve %r' % soap_message)
    liberty_artifact = LibertyArtifact.objects.get(
            artifact = login.assertionArtifact)
    if liberty_artifact:
        liberty_artifact.delete()
        provider_id = liberty_artifact.provider_id
        load_provider(request, provider_id, server=login.server)
        load_session(request, login,
                session_key = liberty_artifact.django_session_key)
        logging.info('ID-FFv1.2 artifact resolve from %r for artifact %r' % (
                        provider_id, login.assertionArtifact))
    else:
         logging.warning('ID-FFv1.2 no artifact found for %r' % login.assertionArtifact)
         provider_id = None
    return finish_artifact_resolve(request, login, provider_id,
            session_key = liberty_artifact.django_session_key)
Exemple #2
0
def artifact_resolve(request, soap_message):
    '''Resolve a SAMLv1.1 ArtifactResolve request
    '''
    server = create_idff12_server(request, reverse(metadata))
    login = lasso.Login(server)
    try:
        login.processRequestMsg(soap_message)
    except:
        raise
    logging.debug('ID-FFv1.2 artifact resolve %r' % soap_message)
    liberty_artifact = LibertyArtifact.objects.get(
        artifact=login.assertionArtifact)
    if liberty_artifact:
        liberty_artifact.delete()
        provider_id = liberty_artifact.provider_id
        load_provider(request, provider_id, server=login.server)
        load_session(request,
                     login,
                     session_key=liberty_artifact.django_session_key)
        logging.info('ID-FFv1.2 artifact resolve from %r for artifact %r' %
                     (provider_id, login.assertionArtifact))
    else:
        logging.warning('ID-FFv1.2 no artifact found for %r' %
                        login.assertionArtifact)
        provider_id = None
    return finish_artifact_resolve(
        request,
        login,
        provider_id,
        session_key=liberty_artifact.django_session_key)
Exemple #3
0
def idp_sso(request, provider_id, user_id=None):
    '''Initiate an SSO toward provider_id without a prior AuthnRequest
    '''
    assert provider_id, 'You must call idp_initiated_sso with a provider_id parameter'
    server = create_idff12_server(request, reverse(metadata))
    login = lasso.Login(server)
    liberty_provider = load_provider(request, provider_id, server=login.server)
    service_provider = liberty_provider.service_provider
    binding = service_provider.prefered_assertion_consumer_binding
    nid_policy = service_provider.default_name_id_format
    if user_id:
        user = User.get(id=user_id)
        if not check_delegated_authentication_permission(request):
            logging.warning(
                'ID-FFv1.2: %r tried to log as %r on %r but was forbidden' %
                (request.user, user, provider_id))
            return HttpResponseForbidden(
                'You must be superuser to log as another user')
    else:
        user = request.user
    load_federation(request, login, user)
    if not liberty_provider:
        message = _('ID-FFv1.2: provider %r unknown') % provider_id
        logging.warning('ID-FFv1.2: provider %r unknown' % provider_id)
        return HttpResponseForbidden(message)
    login.initIdpInitiatedAuthnRequest(provider_id)
    if binding == 'art':
        login.request.protocolProfile = lasso.LIB_PROTOCOL_PROFILE_BRWS_ART
    elif binding == 'post':
        login.request.protocolProfile = lasso.LIB_PROTOCOL_PROFILE_BRWS_POST
    else:
        raise Exception('Unsupported binding %r' % binding)
    if nid_policy == 'persistent':
        login.request.nameIdPolicy = lasso.LIB_NAMEID_POLICY_TYPE_FEDERATED
    elif nid_policy == 'transient':
        login.request.nameIdPolicy = lasso.LIB_NAMEID_POLICY_TYPE_ONE_TIME
    else:
        message = _(
            'ID-FFv1.2: default nameIdPolicy unsupported %r') % nid_policy
        logging.error(message)
        raise Exception(message)
    login.processAuthnRequestMsg(None)

    return sso_after_process_request(request,
                                     login,
                                     consent_obtained=True,
                                     user=user,
                                     save=False)
Exemple #4
0
def sso(request):
    """Endpoint for AuthnRequests asynchronously sent, i.e. POST or Redirect"""
    # 1. Process the request, separate POST and GET treatment
    message = get_idff12_request_message(request)
    if not message:
        return HttpResponseForbidden('Invalid SAML 1.1 AuthnRequest: "%s"' %
                                     message)
    server = create_idff12_server(request, reverse(metadata))
    login = lasso.Login(server)
    while True:
        try:
            logging.debug('ID-FFv1.2: processing sso request %r' % message)
            login.processAuthnRequestMsg(message)
            break
        except lasso.ProfileInvalidMsgError:
            message = _('Invalid SAML 1.1 AuthnRequest: %r') % message
            logging.error(message)
            return HttpResponseForbidden(message)
        except lasso.DsInvalidSignatureError:
            message = _(
                'Invalid signature on SAML 1.1 AuthnRequest: %r') % message
            logging.error(message)
            # This error is handled through SAML status codes, so return a
            # response
            return finish_sso(request, login)
        except lasso.ServerProviderNotFoundError:
            # This path is not exceptionnal it should be normal since we did
            # not load any provider in the Server object
            provider_id = login.remoteProviderId
            # 2. Lookup the ProviderID
            logging.info('ID-FFv1.2: AuthnRequest from %r' % provider_id)
            provider_loaded = load_provider(request,
                                            provider_id,
                                            server=login.server)
            if not provider_loaded:
                consent_obtained = False
                message = _('ID-FFv1.2: provider %r unknown') % provider_id
                logging.warning(message)
                return HttpResponseForbidden(message)
            else:
                # XXX: does consent be always automatic for known providers ? Maybe
                # add a configuration key on the provider.
                consent_obtained = True
    return sso_after_process_request(request,
                                     login,
                                     consent_obtained=consent_obtained)
Exemple #5
0
def idp_sso(request, provider_id, user_id = None):
    '''Initiate an SSO toward provider_id without a prior AuthnRequest
    '''
    assert provider_id, 'You must call idp_initiated_sso with a provider_id parameter'
    server = create_idff12_server(request, reverse(metadata))
    login = lasso.Login(server)
    liberty_provider = load_provider(request, provider_id, server=login.server)
    service_provider = liberty_provider.service_provider
    binding = service_provider.prefered_assertion_consumer_binding
    nid_policy = service_provider.default_name_id_format
    if user_id:
        user = User.get(id = user_id)
        if not check_delegated_authentication_permission(request):
            logging.warning('ID-FFv1.2: %r tried to log as %r on %r but was forbidden' % (
                                    request.user, user, provider_id))
            return HttpResponseForbidden('You must be superuser to log as another user')
    else:
        user = request.user
    load_federation(request, login, user)
    if not liberty_provider:
        message = _('ID-FFv1.2: provider %r unknown') % provider_id
        logging.warning('ID-FFv1.2: provider %r unknown' % provider_id)
        return HttpResponseForbidden(message)
    login.initIdpInitiatedAuthnRequest(provider_id)
    if binding == 'art':
        login.request.protocolProfile = lasso.LIB_PROTOCOL_PROFILE_BRWS_ART
    elif binding == 'post':
        login.request.protocolProfile = lasso.LIB_PROTOCOL_PROFILE_BRWS_POST
    else:
        raise Exception('Unsupported binding %r' % binding)
    if nid_policy == 'persistent':
        login.request.nameIdPolicy = lasso.LIB_NAMEID_POLICY_TYPE_FEDERATED
    elif nid_policy == 'transient':
        login.request.nameIdPolicy = lasso.LIB_NAMEID_POLICY_TYPE_ONE_TIME
    else:
        message = _('ID-FFv1.2: default nameIdPolicy unsupported %r') % nid_policy
        logging.error(message)
        raise Exception(message)
    login.processAuthnRequestMsg(None)

    return sso_after_process_request(request, login,
            consent_obtained = True, user = user, save = False)
Exemple #6
0
def sso(request):
    """Endpoint for AuthnRequests asynchronously sent, i.e. POST or Redirect"""
    # 1. Process the request, separate POST and GET treatment
    message = get_idff12_request_message(request)
    if not message:
        return HttpResponseForbidden('Invalid SAML 1.1 AuthnRequest: "%s"' % message)
    server = create_idff12_server(request, reverse(metadata))
    login = lasso.Login(server)
    while True:
        try:
            logging.debug('ID-FFv1.2: processing sso request %r' % message)
            login.processAuthnRequestMsg(message)
            break
        except lasso.ProfileInvalidMsgError:
            message = _('Invalid SAML 1.1 AuthnRequest: %r') % message
            logging.error(message)
            return HttpResponseForbidden(message)
        except lasso.DsInvalidSignatureError:
            message = _('Invalid signature on SAML 1.1 AuthnRequest: %r') % message
            logging.error(message)
            # This error is handled through SAML status codes, so return a
            # response
            return finish_sso(request, login)
        except lasso.ServerProviderNotFoundError:
            # This path is not exceptionnal it should be normal since we did
            # not load any provider in the Server object
            provider_id = login.remoteProviderId
            # 2. Lookup the ProviderID
            logging.info('ID-FFv1.2: AuthnRequest from %r' % provider_id)
            provider_loaded = load_provider(request, provider_id, server=login.server)
            if not provider_loaded:
                consent_obtained = False
                message = _('ID-FFv1.2: provider %r unknown') % provider_id
                logging.warning(message)
                return HttpResponseForbidden(message)
            else:
                # XXX: does consent be always automatic for known providers ? Maybe
                # add a configuration key on the provider.
                consent_obtained = True
    return sso_after_process_request(request, login,
            consent_obtained = consent_obtained)