def __call__(self,
cookie=None,
policy_url=None,
logo_url=None,
query="",
**kwargs):
"""
Put up the login form
"""
if cookie:
headers = [cookie]
else:
headers = []
resp = Response(headers=headers)
argv = {
"login": "",
"password": "",
"action": "verify",
"policy_url": policy_url,
"logo_url": logo_url,
"query": query
}
logger.info("do_authentication argv: %s" % argv)
mte = self.template_lookup.get_template(self.mako_template)
resp.message = mte.render(**argv)
return resp
def do(self, query, binding, relay_state=""):
req = IDP.parse_name_id_mapping_request(query, binding)
request = req.message
# Do the necessary stuff
try:
name_id = IDP.ident.handle_name_id_mapping_request(
request.name_id, request.name_id_policy)
except Unknown:
resp = BadRequest("Unknown entity")
return resp(self.environ, self.start_response)
except PolicyError:
resp = BadRequest("Unknown entity")
return resp(self.environ, self.start_response)
info = IDP.response_args(request)
_resp = IDP.create_name_id_mapping_response(name_id, **info)
# Only SOAP
hinfo = IDP.apply_binding(BINDING_SOAP,
"%s" % _resp,
"",
"",
response=True)
resp = Response(hinfo["data"], headers=hinfo["headers"])
return resp(self.environ, self.start_response)
def handle_static(environ, start_response, path):
"""
Creates a response for a static file. There might be a longer path
then just /static/... - if so strip the path leading up to static.
:param environ: wsgi enviroment
:param start_response: wsgi start response
:param path: the static file and path to the file.
:return: wsgi response for the static file.
"""
try:
data = open(path, "rb").read()
if path.endswith(".ico"):
resp = Response(data, headers=[("Content-Type", "image/x-icon")])
elif path.endswith(".html"):
resp = Response(data, headers=[("Content-Type", "text/html")])
elif path.endswith(".txt"):
resp = Response(data, headers=[("Content-Type", "text/plain")])
elif path.endswith(".css"):
resp = Response(data, headers=[("Content-Type", "text/css")])
elif path.endswith(".js"):
resp = Response(data,
headers=[("Content-Type", "text/javascript")])
elif path.endswith(".png"):
resp = Response(data, headers=[("Content-Type", "image/png")])
else:
resp = Response(data)
except IOError:
resp = NotFound()
return resp(environ, start_response)
def do(self, request, binding, relay_state="", encrypt_cert=None):
_req = IDP.parse_artifact_resolve(request, binding)
msg = IDP.create_artifact_response(_req, _req.artifact.text)
hinfo = IDP.apply_binding(BINDING_SOAP, "%s" % msg, "", "", response=True)
resp = Response(hinfo["data"], headers=hinfo["headers"])
return resp(self.environ, self.start_response)
def finish_logout(environ, start_response):
logger.info("[logout done] environ: %s", environ)
logger.info("[logout done] remaining subjects: %s",
CACHE.uid2user.values())
# remove cookie and stored info
cookie = CACHE.delete_cookie(environ)
resp = Response("You are now logged out of this service", headers=[cookie])
return resp(environ, start_response)
def __call__(self, cookie=None, policy_url=None, logo_url=None,
query="", **kwargs):
"""
Put up the login form
"""
if cookie:
headers = [cookie]
else:
headers = []
resp = Response(headers=headers)
argv = {"login": "",
"password": "",
"action": "verify",
"policy_url": policy_url,
"logo_url": logo_url,
"query": query}
logger.info("do_authentication argv: %s" % argv)
mte = self.template_lookup.get_template(self.mako_template)
resp.message = mte.render(**argv)
return resp
def do(self, request, binding, relay_state="", encrypt_cert=None):
logger.info("--- Authn Query Service ---")
_req = IDP.parse_authn_query(request, binding)
_query = _req.message
msg = IDP.create_authn_query_response(
_query.subject, _query.requested_authn_context, _query.session_index
)
logger.debug("response: %s", msg)
hinfo = IDP.apply_binding(BINDING_SOAP, "%s" % msg, "", "", response=True)
resp = Response(hinfo["data"], headers=hinfo["headers"])
return resp(self.environ, self.start_response)
def do(self, aid, binding, relay_state="", encrypt_cert=None):
logger.info("--- Assertion ID Service ---")
try:
assertion = IDP.create_assertion_id_request_response(aid)
except Unknown:
resp = NotFound(aid)
return resp(self.environ, self.start_response)
hinfo = IDP.apply_binding(BINDING_URI, "%s" % assertion, response=True)
logger.debug("HINFO: %s", hinfo)
resp = Response(hinfo["data"], headers=hinfo["headers"])
return resp(self.environ, self.start_response)
def response(self, binding, http_args):
resp = None
if binding == BINDING_HTTP_ARTIFACT:
resp = Redirect()
elif http_args["data"]:
resp = Response(http_args["data"], headers=http_args["headers"])
else:
for header in http_args["headers"]:
if header[0] == "Location":
resp = Redirect(header[1])
if not resp:
resp = ServiceError("Don't know how to return response")
return resp(self.environ, self.start_response)
def whoami(environ, start_response, user):
nameid = environ["repoze.who.identity"]["login"]
ava = environ["repoze.who.identity"]["user"]
if not nameid:
return not_authn(environ, start_response)
if ava:
response = ["<h2>Your identity is supposed to be</h2>"]
response.extend(dict_to_table(ava))
else:
response = [
"<h2>The system did not return any information about you</h2>"
]
response.extend("<a href='logout'>Logout</a>")
resp = Response(response)
return resp(environ, start_response)
def response(self, binding, http_args, do_not_start_response=False):
if binding == BINDING_HTTP_ARTIFACT:
resp = Redirect()
elif binding == BINDING_HTTP_REDIRECT:
for param, value in http_args["headers"]:
if param == "Location":
resp = SeeOther(str(value))
break
else:
resp = ServiceError("Parameter error")
else:
resp = Response(http_args["data"], headers=http_args["headers"])
if do_not_start_response:
return resp
else:
return resp(self.environ, self.start_response)
def do(self, request, binding, relay_state=""):
logger.info("--- Single Log Out Service ---")
try:
_, body = request.split("\n")
logger.debug("req: '%s'", body)
req_info = IDP.parse_logout_request(body, binding)
except Exception as exc:
logger.error("Bad request: %s", exc)
resp = BadRequest("%s" % exc)
return resp(self.environ, self.start_response)
msg = req_info.message
if msg.name_id:
lid = IDP.ident.find_local_id(msg.name_id)
logger.info("local identifier: %s", lid)
if lid in IDP.cache.user2uid:
uid = IDP.cache.user2uid[lid]
if uid in IDP.cache.uid2user:
del IDP.cache.uid2user[uid]
del IDP.cache.user2uid[lid]
# remove the authentication
try:
IDP.session_db.remove_authn_statements(msg.name_id)
except KeyError as exc:
logger.error("ServiceError: %s", exc)
resp = ServiceError("%s" % exc)
return resp(self.environ, self.start_response)
resp = IDP.create_logout_response(msg, [binding])
try:
hinfo = IDP.apply_binding(binding, "%s" % resp, "", relay_state)
except Exception as exc:
logger.error("ServiceError: %s", exc)
resp = ServiceError("%s" % exc)
return resp(self.environ, self.start_response)
#_tlh = dict2list_of_tuples(hinfo["headers"])
delco = delete_cookie(self.environ, "idpauthn")
if delco:
hinfo["headers"].append(delco)
logger.info("Header: %s", hinfo["headers"])
resp = Response(hinfo["data"], headers=hinfo["headers"])
return resp(self.environ, self.start_response)
def main(environ, start_response, sp):
user = CACHE.get_user(environ)
if user is None:
sso = SSO(sp, environ, start_response, cache=CACHE, **ARGS)
return sso.do()
body = dict_to_table(user.data)
body.append("<br><pre>{authn_stmt}</pre>".format(
authn_stmt=cgi.escape(user.authn_statement)))
body.append("<br><a href='/logout'>logout</a>")
body = [
item if not isinstance(item, six.binary_type) else item.encode("utf-8")
for item in body
]
resp = Response(body)
return resp(environ, start_response)
def do(self, request, binding, relay_state="", encrypt_cert=None):
logger.info("--- Attribute Query Service ---")
_req = IDP.parse_attribute_query(request, binding)
_query = _req.message
name_id = _query.subject.name_id
uid = name_id.text
logger.debug("Local uid: %s", uid)
identity = EXTRA[uid]
# Comes in over SOAP so only need to construct the response
args = IDP.response_args(_query, [BINDING_SOAP])
msg = IDP.create_attribute_response(identity, name_id=name_id, **args)
logger.debug("response: %s", msg)
hinfo = IDP.apply_binding(BINDING_SOAP, "%s" % msg, "", "", response=True)
resp = Response(hinfo["data"], headers=hinfo["headers"])
return resp(self.environ, self.start_response)
def do(self, query, binding, relay_state="", encrypt_cert=None):
logger.info("--- Manage Name ID Service ---")
req = IDP.parse_manage_name_id_request(query, binding)
request = req.message
# Do the necessary stuff
name_id = IDP.ident.handle_manage_name_id_request(
request.name_id, request.new_id, request.new_encrypted_id, request.terminate
)
logger.debug("New NameID: %s", name_id)
_resp = IDP.create_manage_name_id_response(request)
# It's using SOAP binding
hinfo = IDP.apply_binding(
BINDING_SOAP, "%s" % _resp, "", relay_state, response=True
)
resp = Response(hinfo["data"], headers=hinfo["headers"])
return resp(self.environ, self.start_response)
def username_password_authn(environ, start_response, reference, key,
redirect_uri):
"""
Display the login form
"""
logger.info("The login page")
headers = []
resp = Response(mako_template="login.mako",
template_lookup=LOOKUP,
headers=headers)
argv = {
"action": "/verify",
"login": "",
"password": "",
"key": key,
"authn_reference": reference,
"redirect_uri": redirect_uri
}
logger.info("do_authentication argv: %s", argv)
return resp(environ, start_response, **argv)
def logout(environ, start_response, sp):
user = CACHE.get_user(environ)
if user is None:
sso = SSO(sp, environ, start_response, cache=CACHE, **ARGS)
return sso.do()
logger.info("[logout] subject_id: '%s'", user.name_id)
# What if more than one
data = sp.global_logout(user.name_id)
logger.info("[logout] global_logout > %s", data)
for entity_id, logout_info in data.items():
if isinstance(logout_info, tuple):
binding, http_info = logout_info
if binding == BINDING_HTTP_POST:
body = "".join(http_info["data"])
resp = Response(body)
return resp(environ, start_response)
elif binding == BINDING_HTTP_REDIRECT:
for key, value in http_info["headers"]:
if key.lower() == "location":
resp = Redirect(value)
return resp(environ, start_response)
resp = ServiceError("missing Location header")
return resp(environ, start_response)
else:
resp = ServiceError("unknown logout binding: %s", binding)
return resp(environ, start_response)
else: # result from logout, should be OK
pass
return finish_logout(environ, start_response)
def response(self, binding, http_args):
if binding == BINDING_HTTP_ARTIFACT:
resp = Redirect()
else:
resp = Response(http_args["data"], headers=http_args["headers"])
return resp(self.environ, self.start_response)
def do(self, request, binding, relay_state="", encrypt_cert=None, **kwargs):
logger.info("--- Single Log Out Service ---")
try:
logger.debug("req: '%s'", request)
req_info = IDP.parse_logout_request(request, binding)
except Exception as exc:
logger.error("Bad request: %s", exc)
resp = BadRequest("%s" % exc)
return resp(self.environ, self.start_response)
msg = req_info.message
if msg.name_id:
lid = IDP.ident.find_local_id(msg.name_id)
logger.info("local identifier: %s", lid)
if lid in IDP.cache.user2uid:
uid = IDP.cache.user2uid[lid]
if uid in IDP.cache.uid2user:
del IDP.cache.uid2user[uid]
del IDP.cache.user2uid[lid]
# remove the authentication
try:
IDP.session_db.remove_authn_statements(msg.name_id)
except KeyError as exc:
logger.error("Unknown session: %s", exc)
resp = ServiceError("Unknown session: %s", exc)
return resp(self.environ, self.start_response)
resp = IDP.create_logout_response(msg, [binding])
if binding == BINDING_SOAP:
destination = ""
response = False
else:
binding, destination = IDP.pick_binding(
"single_logout_service", [binding], "spsso", req_info
)
response = True
try:
hinfo = IDP.apply_binding(
binding, "%s" % resp, destination, relay_state, response=response
)
except Exception as exc:
logger.error("ServiceError: %s", exc)
resp = ServiceError("%s" % exc)
return resp(self.environ, self.start_response)
# _tlh = dict2list_of_tuples(hinfo["headers"])
delco = delete_cookie(self.environ, "idpauthn")
if delco:
hinfo["headers"].append(delco)
logger.info("Header: %s", (hinfo["headers"],))
if binding == BINDING_HTTP_REDIRECT:
for key, value in hinfo["headers"]:
if key.lower() == "location":
resp = Redirect(value, headers=hinfo["headers"])
return resp(self.environ, self.start_response)
resp = ServiceError("missing Location header")
return resp(self.environ, self.start_response)
else:
resp = Response(hinfo["data"], headers=hinfo["headers"])
return resp(self.environ, self.start_response)