def setup_assertion(self, authn, sp_entity_id, in_response_to, consumer_url,
name_id, policy, _issuer, authn_statement, identity,
best_effort, sign_response, farg=None, **kwargs):
"""
Construct and return the Assertion
:param authn: Authentication information
:param sp_entity_id:
:param in_response_to: The ID of the request this is an answer to
:param consumer_url: The recipient of the assertion
:param name_id: The NameID of the subject
:param policy: Assertion policies
:param _issuer: Issuer of the statement
:param authn_statement: An AuthnStatement instance
:param identity: Identity information about the Subject
:param best_effort: Even if not the SPs demands can be met send a
response.
:param sign_response: Sign the response, only applicable if
ErrorResponse
:param kwargs: Extra keyword arguments
:return: An Assertion instance
"""
ast = Assertion(identity)
ast.acs = self.config.getattr("attribute_converters", "idp")
if policy is None:
policy = Policy()
try:
ast.apply_policy(sp_entity_id, policy, self.metadata)
except MissingValue as exc:
if not best_effort:
return self.create_error_response(in_response_to, consumer_url,
exc, sign_response)
farg = self.update_farg(in_response_to, consumer_url, farg)
if authn: # expected to be a dictionary
# Would like to use dict comprehension but ...
authn_args = dict(
[(AUTHN_DICT_MAP[k], v) for k, v in authn.items() if
k in AUTHN_DICT_MAP])
authn_args.update(kwargs)
assertion = ast.construct(
sp_entity_id, self.config.attribute_converters, policy,
issuer=_issuer, farg=farg['assertion'], name_id=name_id,
**authn_args)
elif authn_statement: # Got a complete AuthnStatement
assertion = ast.construct(
sp_entity_id, self.config.attribute_converters, policy,
issuer=_issuer, authn_statem=authn_statement,
farg=farg['assertion'], name_id=name_id, **kwargs)
else:
assertion = ast.construct(
sp_entity_id, self.config.attribute_converters, policy,
issuer=_issuer, farg=farg['assertion'], name_id=name_id,
**kwargs)
return assertion
def setup_assertion(self,
authn,
sp_entity_id,
in_response_to,
consumer_url,
name_id,
policy,
_issuer,
authn_statement,
identity,
best_effort,
sign_response,
add_subject=True):
ast = Assertion(identity)
ast.acs = self.config.getattr("attribute_converters", "idp")
if policy is None:
policy = Policy()
try:
ast.apply_policy(sp_entity_id, policy, self.metadata)
except MissingValue as exc:
if not best_effort:
return self.create_error_response(in_response_to, consumer_url,
exc, sign_response)
if authn: # expected to be a dictionary
# Would like to use dict comprehension but ...
authn_args = dict([(AUTHN_DICT_MAP[k], v)
for k, v in authn.items()
if k in AUTHN_DICT_MAP])
assertion = ast.construct(sp_entity_id,
in_response_to,
consumer_url,
name_id,
self.config.attribute_converters,
policy,
issuer=_issuer,
add_subject=add_subject,
**authn_args)
elif authn_statement: # Got a complete AuthnStatement
assertion = ast.construct(sp_entity_id,
in_response_to,
consumer_url,
name_id,
self.config.attribute_converters,
policy,
issuer=_issuer,
authn_statem=authn_statement,
add_subject=add_subject)
else:
assertion = ast.construct(sp_entity_id,
in_response_to,
consumer_url,
name_id,
self.config.attribute_converters,
policy,
issuer=_issuer,
add_subject=add_subject)
return assertion
def setup_assertion(self, authn, sp_entity_id, in_response_to, consumer_url, name_id, policy, _issuer,
authn_statement, identity, best_effort, sign_response, add_subject=True):
ast = Assertion(identity)
ast.acs = self.config.getattr("attribute_converters", "idp")
if policy is None:
policy = Policy()
try:
ast.apply_policy(sp_entity_id, policy, self.metadata)
except MissingValue, exc:
if not best_effort:
return self.create_error_response(in_response_to, consumer_url,
exc, sign_response)
def _authn_response(self,
in_response_to,
consumer_url,
sp_entity_id,
identity=None,
name_id=None,
status=None,
authn=None,
issuer=None,
policy=None,
sign_assertion=False,
sign_response=False,
best_effort=False,
encrypt_assertion=False,
encrypt_cert=None):
""" Create a response. A layer of indirection.
:param in_response_to: The session identifier of the request
:param consumer_url: The URL which should receive the response
:param sp_entity_id: The entity identifier of the SP
:param identity: A dictionary with attributes and values that are
expected to be the bases for the assertion in the response.
:param name_id: The identifier of the subject
:param status: The status of the response
:param authn: A dictionary containing information about the
authn context.
:param issuer: The issuer of the response
:param sign_assertion: Whether the assertion should be signed or not
:param sign_response: Whether the response should be signed or not
:param best_effort: Even if not the SPs demands can be met send a
response.
:return: A response instance
"""
to_sign = []
args = {}
#if identity:
_issuer = self._issuer(issuer)
ast = Assertion(identity)
ast.acs = self.config.getattr("attribute_converters", "idp")
if policy is None:
policy = Policy()
try:
ast.apply_policy(sp_entity_id, policy, self.metadata)
except MissingValue, exc:
if not best_effort:
return self.create_error_response(in_response_to, consumer_url,
exc, sign_response)
def setup_assertion(self, authn, sp_entity_id, in_response_to, consumer_url,
name_id, policy, _issuer,
authn_statement, identity, best_effort, sign_response,
add_subject=True):
ast = Assertion(identity)
ast.acs = self.config.getattr("attribute_converters", "idp")
if policy is None:
policy = Policy()
try:
ast.apply_policy(sp_entity_id, policy, self.metadata)
except MissingValue as exc:
if not best_effort:
return self.create_error_response(in_response_to, consumer_url,
exc, sign_response)
if authn: # expected to be a dictionary
# Would like to use dict comprehension but ...
authn_args = dict([
(AUTHN_DICT_MAP[k], v) for k, v in
authn.items()
if k in AUTHN_DICT_MAP])
assertion = ast.construct(sp_entity_id, in_response_to,
consumer_url, name_id,
self.config.attribute_converters,
policy, issuer=_issuer,
add_subject=add_subject,
**authn_args)
elif authn_statement: # Got a complete AuthnStatement
assertion = ast.construct(sp_entity_id, in_response_to,
consumer_url, name_id,
self.config.attribute_converters,
policy, issuer=_issuer,
authn_statem=authn_statement,
add_subject=add_subject)
else:
assertion = ast.construct(sp_entity_id, in_response_to,
consumer_url, name_id,
self.config.attribute_converters,
policy, issuer=_issuer,
add_subject=add_subject)
return assertion
def _authn_response(self, in_response_to, consumer_url,
sp_entity_id, identity=None, name_id=None,
status=None, authn=None, issuer=None, policy=None,
sign_assertion=False, sign_response=False,
best_effort=False, encrypt_assertion=False,
encrypt_cert=None, authn_statement=None):
""" Create a response. A layer of indirection.
:param in_response_to: The session identifier of the request
:param consumer_url: The URL which should receive the response
:param sp_entity_id: The entity identifier of the SP
:param identity: A dictionary with attributes and values that are
expected to be the bases for the assertion in the response.
:param name_id: The identifier of the subject
:param status: The status of the response
:param authn: A dictionary containing information about the
authn context.
:param issuer: The issuer of the response
:param sign_assertion: Whether the assertion should be signed or not
:param sign_response: Whether the response should be signed or not
:param best_effort: Even if not the SPs demands can be met send a
response.
:return: A response instance
"""
to_sign = []
args = {}
#if identity:
_issuer = self._issuer(issuer)
ast = Assertion(identity)
ast.acs = self.config.getattr("attribute_converters", "idp")
if policy is None:
policy = Policy()
try:
ast.apply_policy(sp_entity_id, policy, self.metadata)
except MissingValue, exc:
if not best_effort:
return self.create_error_response(in_response_to, consumer_url,
exc, sign_response)
def setup_assertion(self,
authn,
sp_entity_id,
in_response_to,
consumer_url,
name_id,
policy,
_issuer,
authn_statement,
identity,
best_effort,
sign_response,
add_subject=True):
ast = Assertion(identity)
ast.acs = self.config.getattr("attribute_converters", "idp")
if policy is None:
policy = Policy()
try:
ast.apply_policy(sp_entity_id, policy, self.metadata)
except MissingValue, exc:
if not best_effort:
return self.create_error_response(in_response_to, consumer_url,
exc, sign_response)
def setup_assertion(self, authn, sp_entity_id, in_response_to, consumer_url,
name_id, policy, _issuer, authn_statement, identity,
best_effort, sign_response, farg=None,
session_not_on_or_after=None, **kwargs):
"""
Construct and return the Assertion
:param authn: Authentication information
:param sp_entity_id:
:param in_response_to: The ID of the request this is an answer to
:param consumer_url: The recipient of the assertion
:param name_id: The NameID of the subject
:param policy: Assertion policies
:param _issuer: Issuer of the statement
:param authn_statement: An AuthnStatement instance
:param identity: Identity information about the Subject
:param best_effort: Even if not the SPs demands can be met send a
response.
:param sign_response: Sign the response, only applicable if
ErrorResponse
:param kwargs: Extra keyword arguments
:return: An Assertion instance
"""
ast = Assertion(identity)
ast.acs = self.config.getattr("attribute_converters", "idp")
if policy is None:
policy = Policy()
try:
ast.apply_policy(sp_entity_id, policy, self.metadata)
except MissingValue as exc:
if not best_effort:
return self.create_error_response(in_response_to, consumer_url,
exc, sign_response)
farg = self.update_farg(in_response_to, consumer_url, farg)
if authn: # expected to be a dictionary
# Would like to use dict comprehension but ...
authn_args = dict(
[(AUTHN_DICT_MAP[k], v) for k, v in authn.items() if
k in AUTHN_DICT_MAP])
authn_args.update(kwargs)
assertion = ast.construct(
sp_entity_id, self.config.attribute_converters, policy,
issuer=_issuer, farg=farg['assertion'], name_id=name_id,
session_not_on_or_after=session_not_on_or_after,
**authn_args)
elif authn_statement: # Got a complete AuthnStatement
assertion = ast.construct(
sp_entity_id, self.config.attribute_converters, policy,
issuer=_issuer, authn_statem=authn_statement,
farg=farg['assertion'], name_id=name_id,
**kwargs)
else:
assertion = ast.construct(
sp_entity_id, self.config.attribute_converters, policy,
issuer=_issuer, farg=farg['assertion'], name_id=name_id,
session_not_on_or_after=session_not_on_or_after,
**kwargs)
return assertion
def login(self):
"""
Login endpoint (verify user credentials)
"""
key = session['request_key'] if 'request_key' in session else None
relay_state = session['relay_state'] if 'relay_state' in session else ''
self.app.logger.debug('Request key: {}'.format(key))
if key and key in self.ticket:
authn_request = self.ticket[key]
sp_id = authn_request.message.issuer.text
destination = authn_request.message.assertion_consumer_service_url
spid_level = authn_request.message.requested_authn_context.authn_context_class_ref[
0].text
authn_info = self.authn_broker.pick(
authn_request.message.requested_authn_context)
callback, reference = authn_info[0]
if request.method == 'GET':
# inject extra data in form login based on spid level
extra_challenge = callback(**{'key': key})
return FORM_LOGIN.format(url_for('login'), key, relay_state,
extra_challenge), 200
# verify optional challenge based on spid level
verified = callback(verify=True,
**{
'key': key,
'data': request.form
})
if verified:
# verify user credentials
user_id, user = self.user_manager.get(request.form['username'],
request.form['password'],
sp_id)
if user_id is not None:
# setup response
attribute_statement_on_response = self._config.get(
'attribute_statement_on_response')
identity = user['attrs']
AUTHN = {"class_ref": spid_level, "authn_auth": spid_level}
_data = dict(identity=identity,
userid=user_id,
in_response_to=authn_request.message.id,
destination=destination,
sp_entity_id=sp_id,
authn=AUTHN,
issuer=self.server.config.entityid,
sign_alg=SIGN_ALG,
digest_alg=DIGEST_ALG,
sign_assertion=True)
response = self.server.create_authn_response(**_data)
http_args = self.server.apply_binding(
BINDING_HTTP_POST,
response,
destination,
response=True,
sign=True,
relay_state=relay_state)
# Setup confirmation page data
ast = Assertion(identity)
policy = self.server.config.getattr("policy", "idp")
ast.acs = self.server.config.getattr(
"attribute_converters", "idp")
res = ast.apply_policy(sp_id, policy, self.server.metadata)
attrs = res.keys()
attrs_list = ''
for _attr in attrs:
attrs_list = '{}<tr><td>{}</td></tr>'.format(
attrs_list, _attr)
self.responses[key] = http_args['data']
return CONFIRM_PAGE.format(attrs_list,
'/continue-response', key), 200
abort(403)
def login(self):
"""
Login endpoint (verify user credentials)
"""
key = session['request_key'] if 'request_key' in session else None
relay_state = session['relay_state'] if 'relay_state' in session else ''
self.app.logger.debug('Request key: {}'.format(key))
if key and key in self.ticket:
authn_request = self.ticket[key]
sp_id = authn_request.message.issuer.text
destination = None
if authn_request.message.attribute_consuming_service_index is not None:
acss = self.server.metadata.assertion_consumer_service(
sp_id, authn_request.message.protocol_binding)
for acs in acss:
if acs.get(
'index'
) == authn_request.message.attribute_consuming_service_index:
destination = acs.get('location')
break
self.app.logger.debug(
'AssertionConsumingServiceIndex Location: {}'.format(
destination))
if destination is None:
destination = authn_request.message.assertion_consumer_service_url
self.app.logger.debug(
'AssertionConsumerServiceUrl: {}'.format(destination))
if destination is None:
self._raise_error(
'Impossibile ricavare l\'url di risposta',
'Verificare la presenza e la correttezza dell\'AssertionConsumerServiceIndex, o in alternativa della coppia di attributi AssertionConsumerServiceURL e ProtocolBinding'
)
spid_level = authn_request.message.requested_authn_context.authn_context_class_ref[
0].text
authn_info = self.authn_broker.pick(
authn_request.message.requested_authn_context)
callback, reference = authn_info[0]
if request.method == 'GET':
# inject extra data in form login based on spid level
extra_challenge = callback(**{'key': key})
rendered_form = render_template(
'login.html', **{
'action': url_for('login'),
'request_key': key,
'relay_state': relay_state,
'extra_challenge': extra_challenge
})
return rendered_form, 200
# verify optional challenge based on spid level
verified = callback(verify=True,
**{
'key': key,
'data': request.form
})
if verified:
# verify user credentials
user_id, user = self.user_manager.get(request.form['username'],
request.form['password'],
sp_id)
if user_id is not None:
# setup response
attribute_statement_on_response = self._config.get(
'attribute_statement_on_response')
identity = user['attrs']
AUTHN = {"class_ref": spid_level, "authn_auth": spid_level}
_data = dict(identity=identity,
userid=user_id,
in_response_to=authn_request.message.id,
destination=destination,
sp_entity_id=sp_id,
authn=AUTHN,
issuer=self.server.config.entityid,
sign_alg=SIGN_ALG,
digest_alg=DIGEST_ALG,
sign_assertion=True)
response = self.server.create_authn_response(**_data)
http_args = self.server.apply_binding(
BINDING_HTTP_POST,
response,
destination,
response=True,
sign=True,
relay_state=relay_state)
# Setup confirmation page data
ast = Assertion(identity)
policy = self.server.config.getattr("policy", "idp")
ast.acs = self.server.config.getattr(
"attribute_converters", "idp")
res = ast.apply_policy(sp_id, policy, self.server.metadata)
attrs = res.keys()
attrs_list = ''
for _attr in attrs:
attrs_list = '{}<tr><td>{}</td></tr>'.format(
attrs_list, _attr)
self.responses[key] = http_args['data']
rendered_response = render_template(
'confirm.html', **{
'destination_service': sp_id,
'lines':
escape(prettify_xml(response)).splitlines(),
'attrs': attrs,
'action': '/continue-response',
'request_key': key
})
return rendered_response, 200
return render_template('403.html'), 403