Exemple #1
0
    def setup_assertion(self, authn, sp_entity_id, in_response_to, consumer_url,
                        name_id, policy, _issuer, authn_statement, identity,
                        best_effort, sign_response, farg=None, **kwargs):
        """
        Construct and return the Assertion

        :param authn: Authentication information
        :param sp_entity_id:
        :param in_response_to: The ID of the request this is an answer to
        :param consumer_url: The recipient of the assertion
        :param name_id: The NameID of the subject
        :param policy: Assertion policies
        :param _issuer: Issuer of the statement
        :param authn_statement: An AuthnStatement instance
        :param identity: Identity information about the Subject
        :param best_effort: Even if not the SPs demands can be met send a
            response.
        :param sign_response: Sign the response, only applicable if
            ErrorResponse
        :param kwargs: Extra keyword arguments
        :return: An Assertion instance
        """

        ast = Assertion(identity)
        ast.acs = self.config.getattr("attribute_converters", "idp")
        if policy is None:
            policy = Policy()
        try:
            ast.apply_policy(sp_entity_id, policy, self.metadata)
        except MissingValue as exc:
            if not best_effort:
                return self.create_error_response(in_response_to, consumer_url,
                                                  exc, sign_response)

        farg = self.update_farg(in_response_to, consumer_url, farg)

        if authn:  # expected to be a dictionary
            # Would like to use dict comprehension but ...
            authn_args = dict(
                [(AUTHN_DICT_MAP[k], v) for k, v in authn.items() if
                 k in AUTHN_DICT_MAP])
            authn_args.update(kwargs)

            assertion = ast.construct(
                sp_entity_id, self.config.attribute_converters, policy,
                issuer=_issuer, farg=farg['assertion'], name_id=name_id,
                **authn_args)

        elif authn_statement:  # Got a complete AuthnStatement
            assertion = ast.construct(
                sp_entity_id, self.config.attribute_converters, policy,
                issuer=_issuer, authn_statem=authn_statement,
                farg=farg['assertion'], name_id=name_id, **kwargs)
        else:
            assertion = ast.construct(
                sp_entity_id, self.config.attribute_converters, policy,
                issuer=_issuer, farg=farg['assertion'], name_id=name_id,
                **kwargs)
        return assertion
Exemple #2
0
    def setup_assertion(self,
                        authn,
                        sp_entity_id,
                        in_response_to,
                        consumer_url,
                        name_id,
                        policy,
                        _issuer,
                        authn_statement,
                        identity,
                        best_effort,
                        sign_response,
                        add_subject=True):
        ast = Assertion(identity)
        ast.acs = self.config.getattr("attribute_converters", "idp")
        if policy is None:
            policy = Policy()
        try:
            ast.apply_policy(sp_entity_id, policy, self.metadata)
        except MissingValue as exc:
            if not best_effort:
                return self.create_error_response(in_response_to, consumer_url,
                                                  exc, sign_response)

        if authn:  # expected to be a dictionary
            # Would like to use dict comprehension but ...
            authn_args = dict([(AUTHN_DICT_MAP[k], v)
                               for k, v in authn.items()
                               if k in AUTHN_DICT_MAP])

            assertion = ast.construct(sp_entity_id,
                                      in_response_to,
                                      consumer_url,
                                      name_id,
                                      self.config.attribute_converters,
                                      policy,
                                      issuer=_issuer,
                                      add_subject=add_subject,
                                      **authn_args)
        elif authn_statement:  # Got a complete AuthnStatement
            assertion = ast.construct(sp_entity_id,
                                      in_response_to,
                                      consumer_url,
                                      name_id,
                                      self.config.attribute_converters,
                                      policy,
                                      issuer=_issuer,
                                      authn_statem=authn_statement,
                                      add_subject=add_subject)
        else:
            assertion = ast.construct(sp_entity_id,
                                      in_response_to,
                                      consumer_url,
                                      name_id,
                                      self.config.attribute_converters,
                                      policy,
                                      issuer=_issuer,
                                      add_subject=add_subject)
        return assertion
Exemple #3
0
 def setup_assertion(self, authn, sp_entity_id, in_response_to, consumer_url, name_id, policy, _issuer,
                     authn_statement, identity, best_effort, sign_response, add_subject=True):
     ast = Assertion(identity)
     ast.acs = self.config.getattr("attribute_converters", "idp")
     if policy is None:
         policy = Policy()
     try:
         ast.apply_policy(sp_entity_id, policy, self.metadata)
     except MissingValue, exc:
         if not best_effort:
             return self.create_error_response(in_response_to, consumer_url,
                                               exc, sign_response)
Exemple #4
0
    def _authn_response(self,
                        in_response_to,
                        consumer_url,
                        sp_entity_id,
                        identity=None,
                        name_id=None,
                        status=None,
                        authn=None,
                        issuer=None,
                        policy=None,
                        sign_assertion=False,
                        sign_response=False,
                        best_effort=False,
                        encrypt_assertion=False,
                        encrypt_cert=None):
        """ Create a response. A layer of indirection.

        :param in_response_to: The session identifier of the request
        :param consumer_url: The URL which should receive the response
        :param sp_entity_id: The entity identifier of the SP
        :param identity: A dictionary with attributes and values that are
            expected to be the bases for the assertion in the response.
        :param name_id: The identifier of the subject
        :param status: The status of the response
        :param authn: A dictionary containing information about the
            authn context.
        :param issuer: The issuer of the response
        :param sign_assertion: Whether the assertion should be signed or not
        :param sign_response: Whether the response should be signed or not
        :param best_effort: Even if not the SPs demands can be met send a
            response.
        :return: A response instance
        """

        to_sign = []
        args = {}
        #if identity:
        _issuer = self._issuer(issuer)
        ast = Assertion(identity)
        ast.acs = self.config.getattr("attribute_converters", "idp")
        if policy is None:
            policy = Policy()
        try:
            ast.apply_policy(sp_entity_id, policy, self.metadata)
        except MissingValue, exc:
            if not best_effort:
                return self.create_error_response(in_response_to, consumer_url,
                                                  exc, sign_response)
Exemple #5
0
    def setup_assertion(self, authn, sp_entity_id, in_response_to, consumer_url,
                        name_id, policy, _issuer,
                        authn_statement, identity, best_effort, sign_response,
                        add_subject=True):
        ast = Assertion(identity)
        ast.acs = self.config.getattr("attribute_converters", "idp")
        if policy is None:
            policy = Policy()
        try:
            ast.apply_policy(sp_entity_id, policy, self.metadata)
        except MissingValue as exc:
            if not best_effort:
                return self.create_error_response(in_response_to, consumer_url,
                                                  exc, sign_response)

        if authn:  # expected to be a dictionary
            # Would like to use dict comprehension but ...
            authn_args = dict([
                                  (AUTHN_DICT_MAP[k], v) for k, v in
                                  authn.items()
                                  if k in AUTHN_DICT_MAP])

            assertion = ast.construct(sp_entity_id, in_response_to,
                                      consumer_url, name_id,
                                      self.config.attribute_converters,
                                      policy, issuer=_issuer,
                                      add_subject=add_subject,
                                      **authn_args)
        elif authn_statement:  # Got a complete AuthnStatement
            assertion = ast.construct(sp_entity_id, in_response_to,
                                      consumer_url, name_id,
                                      self.config.attribute_converters,
                                      policy, issuer=_issuer,
                                      authn_statem=authn_statement,
                                      add_subject=add_subject)
        else:
            assertion = ast.construct(sp_entity_id, in_response_to,
                                      consumer_url, name_id,
                                      self.config.attribute_converters,
                                      policy, issuer=_issuer,
                                      add_subject=add_subject)
        return assertion
Exemple #6
0
    def _authn_response(self, in_response_to, consumer_url,
                        sp_entity_id, identity=None, name_id=None,
                        status=None, authn=None, issuer=None, policy=None,
                        sign_assertion=False, sign_response=False,
                        best_effort=False, encrypt_assertion=False,
                        encrypt_cert=None, authn_statement=None):
        """ Create a response. A layer of indirection.

        :param in_response_to: The session identifier of the request
        :param consumer_url: The URL which should receive the response
        :param sp_entity_id: The entity identifier of the SP
        :param identity: A dictionary with attributes and values that are
            expected to be the bases for the assertion in the response.
        :param name_id: The identifier of the subject
        :param status: The status of the response
        :param authn: A dictionary containing information about the
            authn context.
        :param issuer: The issuer of the response
        :param sign_assertion: Whether the assertion should be signed or not
        :param sign_response: Whether the response should be signed or not
        :param best_effort: Even if not the SPs demands can be met send a
            response.
        :return: A response instance
        """

        to_sign = []
        args = {}
        #if identity:
        _issuer = self._issuer(issuer)
        ast = Assertion(identity)
        ast.acs = self.config.getattr("attribute_converters", "idp")
        if policy is None:
            policy = Policy()
        try:
            ast.apply_policy(sp_entity_id, policy, self.metadata)
        except MissingValue, exc:
            if not best_effort:
                return self.create_error_response(in_response_to, consumer_url,
                                                  exc, sign_response)
Exemple #7
0
 def setup_assertion(self,
                     authn,
                     sp_entity_id,
                     in_response_to,
                     consumer_url,
                     name_id,
                     policy,
                     _issuer,
                     authn_statement,
                     identity,
                     best_effort,
                     sign_response,
                     add_subject=True):
     ast = Assertion(identity)
     ast.acs = self.config.getattr("attribute_converters", "idp")
     if policy is None:
         policy = Policy()
     try:
         ast.apply_policy(sp_entity_id, policy, self.metadata)
     except MissingValue, exc:
         if not best_effort:
             return self.create_error_response(in_response_to, consumer_url,
                                               exc, sign_response)
Exemple #8
0
    def setup_assertion(self, authn, sp_entity_id, in_response_to, consumer_url,
                        name_id, policy, _issuer, authn_statement, identity,
                        best_effort, sign_response, farg=None,
                        session_not_on_or_after=None, **kwargs):
        """
        Construct and return the Assertion

        :param authn: Authentication information
        :param sp_entity_id:
        :param in_response_to: The ID of the request this is an answer to
        :param consumer_url: The recipient of the assertion
        :param name_id: The NameID of the subject
        :param policy: Assertion policies
        :param _issuer: Issuer of the statement
        :param authn_statement: An AuthnStatement instance
        :param identity: Identity information about the Subject
        :param best_effort: Even if not the SPs demands can be met send a
            response.
        :param sign_response: Sign the response, only applicable if
            ErrorResponse
        :param kwargs: Extra keyword arguments
        :return: An Assertion instance
        """

        ast = Assertion(identity)
        ast.acs = self.config.getattr("attribute_converters", "idp")
        if policy is None:
            policy = Policy()
        try:
            ast.apply_policy(sp_entity_id, policy, self.metadata)
        except MissingValue as exc:
            if not best_effort:
                return self.create_error_response(in_response_to, consumer_url,
                                                  exc, sign_response)

        farg = self.update_farg(in_response_to, consumer_url, farg)

        if authn:  # expected to be a dictionary
            # Would like to use dict comprehension but ...
            authn_args = dict(
                [(AUTHN_DICT_MAP[k], v) for k, v in authn.items() if
                 k in AUTHN_DICT_MAP])
            authn_args.update(kwargs)

            assertion = ast.construct(
                sp_entity_id, self.config.attribute_converters, policy,
                issuer=_issuer, farg=farg['assertion'], name_id=name_id,
                session_not_on_or_after=session_not_on_or_after,
                **authn_args)

        elif authn_statement:  # Got a complete AuthnStatement
            assertion = ast.construct(
                sp_entity_id, self.config.attribute_converters, policy,
                issuer=_issuer, authn_statem=authn_statement,
                farg=farg['assertion'], name_id=name_id,
                **kwargs)
        else:
            assertion = ast.construct(
                sp_entity_id, self.config.attribute_converters, policy,
                issuer=_issuer, farg=farg['assertion'], name_id=name_id,
                session_not_on_or_after=session_not_on_or_after,
                **kwargs)
        return assertion
Exemple #9
0
 def login(self):
     """
     Login endpoint (verify user credentials)
     """
     key = session['request_key'] if 'request_key' in session else None
     relay_state = session['relay_state'] if 'relay_state' in session else ''
     self.app.logger.debug('Request key: {}'.format(key))
     if key and key in self.ticket:
         authn_request = self.ticket[key]
         sp_id = authn_request.message.issuer.text
         destination = authn_request.message.assertion_consumer_service_url
         spid_level = authn_request.message.requested_authn_context.authn_context_class_ref[
             0].text
         authn_info = self.authn_broker.pick(
             authn_request.message.requested_authn_context)
         callback, reference = authn_info[0]
         if request.method == 'GET':
             # inject extra data in form login based on spid level
             extra_challenge = callback(**{'key': key})
             return FORM_LOGIN.format(url_for('login'), key, relay_state,
                                      extra_challenge), 200
         # verify optional challenge based on spid level
         verified = callback(verify=True,
                             **{
                                 'key': key,
                                 'data': request.form
                             })
         if verified:
             # verify user credentials
             user_id, user = self.user_manager.get(request.form['username'],
                                                   request.form['password'],
                                                   sp_id)
             if user_id is not None:
                 # setup response
                 attribute_statement_on_response = self._config.get(
                     'attribute_statement_on_response')
                 identity = user['attrs']
                 AUTHN = {"class_ref": spid_level, "authn_auth": spid_level}
                 _data = dict(identity=identity,
                              userid=user_id,
                              in_response_to=authn_request.message.id,
                              destination=destination,
                              sp_entity_id=sp_id,
                              authn=AUTHN,
                              issuer=self.server.config.entityid,
                              sign_alg=SIGN_ALG,
                              digest_alg=DIGEST_ALG,
                              sign_assertion=True)
                 response = self.server.create_authn_response(**_data)
                 http_args = self.server.apply_binding(
                     BINDING_HTTP_POST,
                     response,
                     destination,
                     response=True,
                     sign=True,
                     relay_state=relay_state)
                 # Setup confirmation page data
                 ast = Assertion(identity)
                 policy = self.server.config.getattr("policy", "idp")
                 ast.acs = self.server.config.getattr(
                     "attribute_converters", "idp")
                 res = ast.apply_policy(sp_id, policy, self.server.metadata)
                 attrs = res.keys()
                 attrs_list = ''
                 for _attr in attrs:
                     attrs_list = '{}<tr><td>{}</td></tr>'.format(
                         attrs_list, _attr)
                 self.responses[key] = http_args['data']
                 return CONFIRM_PAGE.format(attrs_list,
                                            '/continue-response', key), 200
     abort(403)
 def login(self):
     """
     Login endpoint (verify user credentials)
     """
     key = session['request_key'] if 'request_key' in session else None
     relay_state = session['relay_state'] if 'relay_state' in session else ''
     self.app.logger.debug('Request key: {}'.format(key))
     if key and key in self.ticket:
         authn_request = self.ticket[key]
         sp_id = authn_request.message.issuer.text
         destination = None
         if authn_request.message.attribute_consuming_service_index is not None:
             acss = self.server.metadata.assertion_consumer_service(
                 sp_id, authn_request.message.protocol_binding)
             for acs in acss:
                 if acs.get(
                         'index'
                 ) == authn_request.message.attribute_consuming_service_index:
                     destination = acs.get('location')
                     break
             self.app.logger.debug(
                 'AssertionConsumingServiceIndex Location: {}'.format(
                     destination))
         if destination is None:
             destination = authn_request.message.assertion_consumer_service_url
             self.app.logger.debug(
                 'AssertionConsumerServiceUrl: {}'.format(destination))
         if destination is None:
             self._raise_error(
                 'Impossibile ricavare l\'url di risposta',
                 'Verificare la presenza e la correttezza dell\'AssertionConsumerServiceIndex, o in alternativa della coppia di attributi AssertionConsumerServiceURL e ProtocolBinding'
             )
         spid_level = authn_request.message.requested_authn_context.authn_context_class_ref[
             0].text
         authn_info = self.authn_broker.pick(
             authn_request.message.requested_authn_context)
         callback, reference = authn_info[0]
         if request.method == 'GET':
             # inject extra data in form login based on spid level
             extra_challenge = callback(**{'key': key})
             rendered_form = render_template(
                 'login.html', **{
                     'action': url_for('login'),
                     'request_key': key,
                     'relay_state': relay_state,
                     'extra_challenge': extra_challenge
                 })
             return rendered_form, 200
         # verify optional challenge based on spid level
         verified = callback(verify=True,
                             **{
                                 'key': key,
                                 'data': request.form
                             })
         if verified:
             # verify user credentials
             user_id, user = self.user_manager.get(request.form['username'],
                                                   request.form['password'],
                                                   sp_id)
             if user_id is not None:
                 # setup response
                 attribute_statement_on_response = self._config.get(
                     'attribute_statement_on_response')
                 identity = user['attrs']
                 AUTHN = {"class_ref": spid_level, "authn_auth": spid_level}
                 _data = dict(identity=identity,
                              userid=user_id,
                              in_response_to=authn_request.message.id,
                              destination=destination,
                              sp_entity_id=sp_id,
                              authn=AUTHN,
                              issuer=self.server.config.entityid,
                              sign_alg=SIGN_ALG,
                              digest_alg=DIGEST_ALG,
                              sign_assertion=True)
                 response = self.server.create_authn_response(**_data)
                 http_args = self.server.apply_binding(
                     BINDING_HTTP_POST,
                     response,
                     destination,
                     response=True,
                     sign=True,
                     relay_state=relay_state)
                 # Setup confirmation page data
                 ast = Assertion(identity)
                 policy = self.server.config.getattr("policy", "idp")
                 ast.acs = self.server.config.getattr(
                     "attribute_converters", "idp")
                 res = ast.apply_policy(sp_id, policy, self.server.metadata)
                 attrs = res.keys()
                 attrs_list = ''
                 for _attr in attrs:
                     attrs_list = '{}<tr><td>{}</td></tr>'.format(
                         attrs_list, _attr)
                 self.responses[key] = http_args['data']
                 rendered_response = render_template(
                     'confirm.html', **{
                         'destination_service': sp_id,
                         'lines':
                         escape(prettify_xml(response)).splitlines(),
                         'attrs': attrs,
                         'action': '/continue-response',
                         'request_key': key
                     })
                 return rendered_response, 200
     return render_template('403.html'), 403