def logout(self, SAMLRequest=None, SAMLResponse=None, RelayState=""): if cherrypy.session.get('issuers') is None: cherrypy.session['issuers'] = {} if SAMLRequest is not None: # A service provider has sent logout request. try: decoded_request = base64.b64decode(SAMLRequest) logout_request = samlp.LogoutRequestFromString(decoded_request) if logout_request is None: raise errors.GheimdallException('The value of SAMLRequest is wrong.') issuer_name = logout_request.issuer.text.strip() key_file = config.get('apps.public_keys').get(issuer_name, None) if key_file is None: raise errors.GheimdallException('Failed to get public key filename.' ' issuer: %s' % issuer_name) result = samlutils.verify(decoded_request, key_file) if result == False: raise errors.GheimdallException('Failed verifyng the signature' ' of logout request.') try: issuer_in_ses = cherrypy.session['issuers'].get(issuer_name, None) except KeyError: raise errors.GheimdallException( 'The session has no issuer attribute.') if issuer_in_ses is None: raise errors.GheimdallException('Request from invalid issuer.') if logout_request.name_id.text is None: raise errors.GheimdallException('Request with empty NameID.') if issuer_in_ses.name_id.text.strip() != \ logout_request.name_id.text.strip(): raise errors.GheimdallException('Request with invalid NameID.') # OK log.debug('Succeeded verifying the signature of logout request.') issuer_in_ses.status = sp.STATUS_LOGOUT_SUCCESS cherrypy.session['issuers'][issuer_name] = issuer_in_ses # delete session data cherrypy.session['remember_me'] = False cherrypy.session['authenticated'] = False cherrypy.session['user_name'] = None cherrypy.session['auth_time'] = 0 cherrypy.session['valid_time'] = 0 # save state cherrypy.session['issuer_origin'] = issuer_name cherrypy.session['logout_request_id'] = logout_request.id # goto LOOP for SP except errors.GheimdallException, e: log.error(e) return utils.createLogoutResponse( RelayState, issuer_name, logout_request.id, samlp.STATUS_RESPONDER)
status_to_send = samlp.STATUS_PARTIAL_LOGOUT else: status_to_send = samlp.STATUS_SUCCESS if cherrypy.session['issuer_origin'].startswith("google.com"): useSSL = cherrypy.session.get('useSSL', False) if useSSL: scheme = 'https' else: scheme = 'http' url = scheme + '://mail.google.com/a/' + config.get('apps.domain') + '/' return { "url": url, "tg_template": "gheimdall.templates.gheimdall-logout"} else: return utils.createLogoutResponse(RelayState, cherrypy.session['issuer_origin'], cherrypy.session['logout_request_id'], status_to_send) @expose(template="gheimdall.templates.gheimdall-login") @strongly_expire def login(self, SAMLRequest, RelayState='', *args, **kw): if config.get('apps.use_header_auth'): # header auth # retrieve user name from header key = config.get('apps.auth_header_key') user_name = cherrypy.request.headers.get(key, None) if user_name is None: raise errors.GheimdallException('Can not retrieve user name.') ret = utils.createLoginDict(SAMLRequest, RelayState, user_name) ret['tg_template'] = 'gheimdall.templates.gheimdall-login-success'