if k not in response.ava: return Unauthorized(self.not_authorized) else: allowed = False for allowed_attr_value in v: if allowed_attr_value == response.ava[k] or allowed_attr_value in response.ava[k]: allowed = True break if not allowed: return Unauthorized(self.not_authorized) #logger.info("parsed OK")' uid = response.assertion.subject.name_id.text self.setup_userdb(uid, response.ava) return_to = create_return_url(self.return_to, uid, **{self.query_param: "true"}) if '?' in return_to: return_to += "&" else: return_to += "?" return_to += base64.b64decode(data[self.CONST_QUERY]) auth_cookie = self.create_cookie(uid, "samlm") resp = Redirect(return_to, headers=[auth_cookie]) return resp def setup_userdb(self, uid, samldata): attributes = {} if self.sp_conf.ATTRIBUTE_WHITELIST is not None: for attr, allowed in self.sp_conf.ATTRIBUTE_WHITELIST.iteritems(): if attr in samldata:
def verify(self, request, cookie, path, requrl, end_point_index=None, **kwargs): """ Verifies if the authentication was successful. :rtype : Response :param request: Contains the request parameters. :param cookie: Cookies sent with the request. :param kwargs: Any other parameters. :return: If the authentication was successful: a redirect to the return_to url. Otherwise a unauthorized response. :raise: ValueError """ if isinstance(request, six.string_types): request = parse_qs(request) elif isinstance(request, dict): pass else: raise ValueError("Wrong type of input") acs = self.sp.config.getattr("endpoints", "sp")["assertion_consumer_service"] acs_endpoints = [(ep[0].rsplit("/", 1)[1], ep[1]) for ep in acs] binding = None path = path[1:] for endp in acs_endpoints: if path == endp[0]: binding = endp[1] break saml_cookie, _ts, _typ = self.getCookieValue(cookie, self.CONST_SAML_COOKIE) data = json.loads(saml_cookie) rp_query_cookie = self.get_multi_auth_cookie(cookie) query = rp_query_cookie if not query: query = base64.b64decode(data[self.CONST_QUERY]).decode("ascii") if data[self.CONST_HASIDP] == 'False': (done, response) = self._pick_idp(request, end_point_index) if done == 0: entity_id = response # Do the AuthnRequest resp = self._redirect_to_auth(self.sp, entity_id, query, end_point_index) return resp, False return response, False if not request: logger.info("Missing Response") return Unauthorized("You are not authorized!"), False try: response = self.sp.parse_authn_request_response( request["SAMLResponse"][0], binding, self.cache_outstanding_queries) except UnknownPrincipal as excp: logger.error("UnknownPrincipal: %s" % (excp, )) return Unauthorized(self.not_authorized), False except UnsupportedBinding as excp: logger.error("UnsupportedBinding: %s" % (excp, )) return Unauthorized(self.not_authorized), False except VerificationError as err: logger.error("Verification error: %s" % (err, )) return Unauthorized(self.not_authorized), False except Exception as err: logger.error("Other error: %s" % (err, )) return Unauthorized(self.not_authorized), False if self.sp_conf.VALID_ATTRIBUTE_RESPONSE is not None: for k, v in six.iteritems(self.sp_conf.VALID_ATTRIBUTE_RESPONSE): if k not in response.ava: return Unauthorized(self.not_authorized), False else: allowed = False for allowed_attr_value in v: if isinstance(response.ava[k], list): for resp_value in response.ava[k]: if allowed_attr_value in resp_value: allowed = True break elif allowed_attr_value in response.ava[k]: allowed = True break if not allowed: return Unauthorized(self.not_authorized), False # logger.info("parsed OK")' uid = response.assertion.subject.name_id.text if self.userinfo == "AA": if response.entity_id is not None and self.samlcache is not None: self.samlcache["AA_ENTITYID"] = response.entity_id self.setup_userdb(uid, response.ava) return_to = create_return_url(self.return_to, uid, **{self.query_param: "true"}) if '?' in return_to: return_to += "&" else: return_to += "?" return_to += query auth_cookie = self.create_cookie(uid, "samlm") resp = SeeOther(str(return_to), headers=[auth_cookie]) return resp, True
def verify(self, request, cookie, path, requrl, end_point_index=None, **kwargs): """ Verifies if the authentication was successful. :rtype : Response :param request: Contains the request parameters. :param cookie: Cookies sent with the request. :param kwargs: Any other parameters. :return: If the authentication was successful: a redirect to the return_to url. Otherwise a unauthorized response. :raise: ValueError """ if isinstance(request, six.string_types): request = parse_qs(request) elif isinstance(request, dict): pass else: raise ValueError("Wrong type of input") acs = self.sp.config.getattr("endpoints", "sp")["assertion_consumer_service"] acs_endpoints = [(ep[0].rsplit("/", 1)[1], ep[1]) for ep in acs] binding = None path = path[1:] for endp in acs_endpoints: if path == endp[0]: binding = endp[1] break saml_cookie, _ts, _typ = self.getCookieValue(cookie, self.CONST_SAML_COOKIE) data = json.loads(saml_cookie) rp_query_cookie = self.get_multi_auth_cookie(cookie) query = rp_query_cookie if not query: query = base64.b64decode(data[self.CONST_QUERY]).decode("ascii") if data[self.CONST_HASIDP] == 'False': (done, response) = self._pick_idp(request, end_point_index) if done == 0: entity_id = response # Do the AuthnRequest resp = self._redirect_to_auth(self.sp, entity_id, query, end_point_index) return resp, False return response, False if not request: logger.info("Missing Response") return Unauthorized("You are not authorized!"), False try: response = self.sp.parse_authn_request_response( request["SAMLResponse"][0], binding, self.cache_outstanding_queries) except UnknownPrincipal as excp: logger.error("UnknownPrincipal: %s" % (excp,)) return Unauthorized(self.not_authorized), False except UnsupportedBinding as excp: logger.error("UnsupportedBinding: %s" % (excp,)) return Unauthorized(self.not_authorized), False except VerificationError as err: logger.error("Verification error: %s" % (err,)) return Unauthorized(self.not_authorized), False except Exception as err: logger.error("Other error: %s" % (err,)) return Unauthorized(self.not_authorized), False if self.sp_conf.VALID_ATTRIBUTE_RESPONSE is not None: for k, v in six.iteritems(self.sp_conf.VALID_ATTRIBUTE_RESPONSE): if k not in response.ava: return Unauthorized(self.not_authorized), False else: allowed = False for allowed_attr_value in v: if isinstance(response.ava[k], list): for resp_value in response.ava[k]: if allowed_attr_value in resp_value: allowed = True break elif allowed_attr_value in response.ava[k]: allowed = True break if not allowed: return Unauthorized(self.not_authorized), False # logger.info("parsed OK")' uid = response.assertion.subject.name_id.text if self.userinfo == "AA": if response.entity_id is not None and self.samlcache is not None: self.samlcache["AA_ENTITYID"] = response.entity_id self.setup_userdb(uid, response.ava) return_to = create_return_url(self.return_to, uid, **{self.query_param: "true"}) if '?' in return_to: return_to += "&" else: return_to += "?" return_to += query auth_cookie = self.create_cookie(uid, "samlm") resp = SeeOther(str(return_to), headers=[auth_cookie]) return resp, True
def generate_return_url(self, return_to, uid, path=""): return create_return_url(return_to, uid, **{self.query_param: "true"})