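    def do_authz_decision_query(self, entityid, assertion=None, log=None, sign=False):
        """Send an AuthzDecisionQuery for *entityid* over SOAP and return the first usable response.

        The query is built once (it does not depend on the destination) and,
        when ``sign`` is true, signed once before the endpoints returned by
        ``self.config.authz_services(entityid)`` are tried in order.  A reply
        is only returned after ``self.authz_decision_query_response`` has
        accepted it; otherwise the next endpoint is tried.

        :param entityid: entity ID of the provider to query
        :param assertion: optional assertion handed to ``self.authz_decision_query``
        :param log: optional logger; ``log.info`` is called only when it is truthy
        :param sign: sign the query with ``self.sec`` before sending
        :return: the accepted response from the first endpoint that yields
            one, or None when no endpoint produced an acceptable reply
        """
        authz_decision_query = self.authz_decision_query(entityid, assertion)

        if sign:
            # Sign once, before the loop.  The original re-signed the query on
            # every further endpoint, which is at best redundant and also
            # relies on whatever signed_instance_factory returns still
            # accepting a ``.signature`` attribute.
            authz_decision_query.signature = pre_signature_part(authz_decision_query.id, self.sec.my_cert, 1)
            to_sign = [(class_name(authz_decision_query), authz_decision_query.id)]
            authz_decision_query = signed_instance_factory(authz_decision_query, self.sec, to_sign)

        for destination in self.config.authz_services(entityid):
            # key_file/cert_file are the client's own TLS credentials; ca_certs
            # is forwarded for verifying the endpoint.  NOTE(review): confirm in
            # send_using_soap that a missing bundle does not disable verification.
            response = send_using_soap(
                authz_decision_query,
                destination,
                self.config.key_file,
                self.config.cert_file,
                log=log,
                ca_certs=self.config.ca_certs,
            )
            if response:
                if log:
                    log.info("Verifying response")
                # The raw reply only counts once authz_decision_query_response
                # has parsed (and, presumably, verified) it.
                response = self.authz_decision_query_response(response, log)

            if response:
                if log:
                    log.info("OK response from %s" % destination)
                return response
            if log:
                log.info("NOT OK response from %s" % destination)

        return None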
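    def use_soap(self, destination, query_type, **kwargs):
        """Build a ``query_type`` request, send it to *destination* over SOAP and check the reply.

        ``query_type`` selects two methods of this object by name:
        ``create_<query_type>`` builds the request and ``<query_type>_response``
        parses/checks the reply.  Because it is used for attribute lookup it
        must be one of the client's own query names, never a value taken from
        an untrusted request.

        :param destination: SOAP endpoint URL the query is sent to
        :param query_type: suffix naming the create/response method pair
        :param kwargs: forwarded to the ``create_*`` method; the optional key
            ``response_args`` is removed first and forwarded (unpacked) to the
            ``*_response`` method instead
        :return: the accepted response, or None when nothing usable came back
        :raises AttributeError: when no method pair exists for ``query_type``
        """
        _create_func = getattr(self, "create_%s" % query_type)
        _response_func = getattr(self, "%s_response" % query_type)
        # pop() replaces the original try/del pair; None means "no extra args".
        response_args = kwargs.pop("response_args", None)

        query = _create_func(destination, **kwargs)

        # key_file/cert_file are the client's own TLS credentials; ca_certs is
        # forwarded for verifying the endpoint.  NOTE(review): confirm in
        # send_using_soap that a missing bundle does not disable verification.
        response = send_using_soap(
            query, destination, self.config.key_file, self.config.cert_file, ca_certs=self.config.ca_certs
        )

        if response:
            logger.info("Verifying response")
            # The raw reply only counts once the *_response method has parsed
            # (and, presumably, verified) it.
            if response_args:
                response = _response_func(response, **response_args)
            else:
                response = _response_func(response)

        if response:
            logger.info("OK response from %s" % destination)
            return response

        logger.info("NOT OK response from %s" % destination)
        return None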
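    def do_authz_decision_query(self, entityid, assertion=None, sign=False):
        """Send an AuthzDecisionQuery for *entityid* over SOAP; return the first accepted reply.

        The query does not depend on the destination, so it is built (and, if
        ``sign`` is set, signed) exactly once.  Endpoints from
        ``self.config.authz_services(entityid)`` are then tried in order until
        ``self.authz_decision_query_response`` accepts a reply.

        :param entityid: entity ID of the provider to query
        :param assertion: optional assertion handed to ``self.authz_decision_query``
        :param sign: sign the query with ``self.sec`` before sending
        :return: the accepted response, or None when no endpoint yielded one
        """
        authz_decision_query = self.authz_decision_query(entityid, assertion)

        if sign:
            # Signing is hoisted out of the loop: the original re-signed the
            # already signed query for every further endpoint, which is
            # redundant and assumes signed_instance_factory's return value
            # still takes a ``.signature`` attribute.
            authz_decision_query.signature = pre_signature_part(
                authz_decision_query.id, self.sec.my_cert, 1)
            to_sign = [(class_name(authz_decision_query),
                        authz_decision_query.id)]
            authz_decision_query = signed_instance_factory(
                authz_decision_query, self.sec, to_sign)

        for destination in self.config.authz_services(entityid):
            # Client TLS credentials plus the CA bundle used to verify the
            # endpoint.  NOTE(review): check that send_using_soap does not
            # skip verification when ca_certs is None.
            response = send_using_soap(authz_decision_query,
                                       destination,
                                       self.config.key_file,
                                       self.config.cert_file,
                                       ca_certs=self.config.ca_certs)
            if response:
                logger.info("Verifying response")
                # Only a reply that authz_decision_query_response returns
                # (parsed and, presumably, verified) is usable.
                response = self.authz_decision_query_response(response)

            if response:
                logger.info("OK response from %s" % destination)
                return response
            logger.info("NOT OK response from %s" % destination)

        return None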
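    def _logout(self, subject_id, entity_ids, reason, expire, sign=None, log=None, return_to="/"):
        """Drive single logout of *subject_id* against every entity in *entity_ids*.

        Entities are handled in order.  For each one the bindings SOAP,
        HTTP-POST and HTTP-Redirect are tried in that order, skipping bindings
        with no configured endpoint.  SOAP is synchronous: a reply accepted by
        ``self.logout_response`` completes that entity and the loop moves to
        the next one; a failed SOAP attempt falls through to the next binding.
        A front-channel binding cannot be completed here, so the per-request
        state is stored under the request ID and the message for the browser
        is returned immediately, leaving the remaining entities for later.

        :param subject_id: identifier of the principal being logged out
            (passed to ``construct_logout_request`` / ``local_logout``)
        :param entity_ids: entity IDs of the providers to notify
        :param reason: logout reason placed in each request
        :param expire: NotOnOrAfter instant; once it has passed only the local
            logout is performed
        :param sign: sign the requests; None means
            ``self.logout_requests_signed_default``
        :param log: logger; ``self.logger`` when None
        :param return_to: stored in the per-request state of a front-channel
            request
        :return: ``(session_id, http_status, headers, body)``; ``session_id``
            is 0 when the call finished here (timed out, or every entity was
            done over SOAP), otherwise the request ID whose state was stored
        :raises LogoutError: when some entity neither completed over SOAP nor
            had a front-channel endpoint; the message lists those entities
        """
        # check time
        if not not_on_or_after(expire):  # I've run out of time
            # Do the local logout anyway
            self.local_logout(subject_id)
            return 0, "504 Gateway Timeout", [], []

        if log is None:
            log = self.logger

        # Resolve the signing default once per call; the original did it
        # inside the loop, which is equivalent but hides that it is a
        # call-level setting.
        if sign is None:
            sign = self.logout_requests_signed_default

        # for all where I can use the SOAP binding, do those first
        not_done = entity_ids[:]
        response = False

        for entity_id in entity_ids:
            response = False

            for binding in [BINDING_SOAP, BINDING_HTTP_POST, BINDING_HTTP_REDIRECT]:
                destinations = self.config.single_logout_services(entity_id, binding)
                if not destinations:
                    continue

                destination = destinations[0]

                if log:
                    log.info("destination to provider: %s" % destination)
                request = self.construct_logout_request(subject_id, destination, entity_id, reason, expire)

                to_sign = []
                # if sign and binding != BINDING_HTTP_REDIRECT:

                if sign:
                    request.signature = pre_signature_part(request.id, self.sec.my_cert, 1)
                    to_sign = [(class_name(request), request.id)]

                if log:
                    # NOTE(review): this writes the whole request, including
                    # the subject identifier, to the log at INFO level;
                    # consider DEBUG or redaction where logs are widely readable.
                    log.info("REQUEST: %s" % request)

                request = signed_instance_factory(request, self.sec, to_sign)

                if binding == BINDING_SOAP:
                    # Client TLS credentials plus the CA bundle used to verify
                    # the endpoint.  NOTE(review): check that send_using_soap
                    # does not skip verification when ca_certs is None.
                    response = send_using_soap(
                        request,
                        destination,
                        self.config.key_file,
                        self.config.cert_file,
                        log=log,
                        ca_certs=self.config.ca_certs,
                    )
                    if response:
                        if log:
                            log.info("Verifying response")
                        # The raw reply only counts once logout_response has
                        # parsed (and, presumably, verified) it.
                        response = self.logout_response(response, log)

                    if response:
                        not_done.remove(entity_id)
                        if log:
                            log.info("OK response from %s" % destination)
                        # This entity is done.  The original kept going and,
                        # if a front-channel endpoint was also configured,
                        # sent it a second logout request and returned early.
                        break
                    if log:
                        log.info("NOT OK response from %s" % destination)
                    # fall through to the next binding for this entity

                else:
                    session_id = request.id
                    rstate = self._relay_state(session_id)

                    # Everything needed to resume after the browser round-trip,
                    # keyed by the request ID the eventual response refers to.
                    self.state[session_id] = {
                        "entity_id": entity_id,
                        "operation": "SLO",
                        "entity_ids": entity_ids,
                        "subject_id": subject_id,
                        "reason": reason,
                        "not_on_of_after": expire,  # sic: other code may look the key up by this spelling
                        "sign": sign,
                        "return_to": return_to,
                    }

                    if binding == BINDING_HTTP_POST:
                        (head, body) = http_post_message(request, destination, rstate)
                        code = "200 OK"
                    else:
                        (head, body) = http_redirect_message(request, destination, rstate)
                        code = "302 Found"

                    return session_id, code, head, body

        if not_done:
            # upstream should try later -- name the entities still pending,
            # not (as before) the whole input list
            raise LogoutError("%s" % (not_done,))

        return 0, "", [], response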
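    def _logout(self,
                subject_id,
                entity_ids,
                reason,
                expire,
                sign=None,
                return_to="/"):
        """Drive single logout of *subject_id* against every entity in *entity_ids*.

        Entities are handled in order.  For each one the bindings SOAP,
        HTTP-POST and HTTP-Redirect are tried in that order, skipping bindings
        with no configured endpoint.  SOAP is synchronous: a reply accepted by
        ``self.logout_response`` completes that entity and the loop moves to
        the next one; a failed SOAP attempt falls through to the next binding.
        A front-channel binding cannot be completed here, so the per-request
        state is stored under the request ID and the message for the browser
        is returned immediately, leaving the remaining entities for later.

        :param subject_id: identifier of the principal being logged out
            (passed to ``construct_logout_request`` / ``local_logout``)
        :param entity_ids: entity IDs of the providers to notify
        :param reason: logout reason placed in each request
        :param expire: NotOnOrAfter instant; once it has passed only the local
            logout is performed
        :param sign: sign the requests; None means
            ``self.logout_requests_signed_default``
        :param return_to: stored in the per-request state of a front-channel
            request
        :return: ``(session_id, http_status, headers, body)``; ``session_id``
            is 0 when the call finished here (timed out, or every entity was
            done over SOAP), otherwise the request ID whose state was stored
        :raises LogoutError: when some entity neither completed over SOAP nor
            had a front-channel endpoint; the message lists those entities
        """
        # check time
        if not not_on_or_after(expire):  # I've run out of time
            # Do the local logout anyway
            self.local_logout(subject_id)
            return 0, "504 Gateway Timeout", [], []

        # Resolve the signing default once per call; doing it inside the loop
        # (as before) is equivalent but obscures that it is a call-level setting.
        if sign is None:
            sign = self.logout_requests_signed_default

        # for all where I can use the SOAP binding, do those first
        not_done = entity_ids[:]
        response = False

        for entity_id in entity_ids:
            response = False

            for binding in [
                    BINDING_SOAP, BINDING_HTTP_POST, BINDING_HTTP_REDIRECT
            ]:
                destinations = self.config.single_logout_services(
                    entity_id, binding)
                if not destinations:
                    continue

                destination = destinations[0]

                logger.info("destination to provider: %s" % destination)
                request = self.construct_logout_request(
                    subject_id, destination, entity_id, reason, expire)

                to_sign = []
                #if sign and binding != BINDING_HTTP_REDIRECT:

                if sign:
                    request.signature = pre_signature_part(
                        request.id, self.sec.my_cert, 1)
                    to_sign = [(class_name(request), request.id)]

                # NOTE(review): the whole request, including the subject
                # identifier, goes to the log at INFO level; consider DEBUG
                # or redaction where logs are widely readable.
                logger.info("REQUEST: %s" % request)

                request = signed_instance_factory(request, self.sec, to_sign)

                if binding == BINDING_SOAP:
                    # Client TLS credentials plus the CA bundle used to verify
                    # the endpoint.  NOTE(review): check that send_using_soap
                    # does not skip verification when ca_certs is None.
                    response = send_using_soap(request,
                                               destination,
                                               self.config.key_file,
                                               self.config.cert_file,
                                               ca_certs=self.config.ca_certs)
                    if response:
                        logger.info("Verifying response")
                        # The raw reply only counts once logout_response has
                        # parsed (and, presumably, verified) it.
                        response = self.logout_response(response)

                    if response:
                        not_done.remove(entity_id)
                        logger.info("OK response from %s" % destination)
                        # This entity is done.  The original kept iterating
                        # and, with a front-channel endpoint also configured,
                        # sent a second logout request and returned early.
                        break
                    logger.info("NOT OK response from %s" % destination)
                    # fall through to the next binding for this entity

                else:
                    session_id = request.id
                    rstate = self._relay_state(session_id)

                    # Everything needed to resume after the browser round-trip,
                    # keyed by the request ID the eventual response refers to.
                    self.state[session_id] = {
                        "entity_id": entity_id,
                        "operation": "SLO",
                        "entity_ids": entity_ids,
                        "subject_id": subject_id,
                        "reason": reason,
                        # sic: other code may look the key up by this spelling
                        "not_on_of_after": expire,
                        "sign": sign,
                        "return_to": return_to
                    }

                    if binding == BINDING_HTTP_POST:
                        (head,
                         body) = http_post_message(request, destination,
                                                   rstate)
                        code = "200 OK"
                    else:
                        (head,
                         body) = http_redirect_message(request, destination,
                                                       rstate)
                        code = "302 Found"

                    return session_id, code, head, body

        if not_done:
            # upstream should try later -- name the entities still pending,
            # not (as before) the whole input list
            raise LogoutError("%s" % (not_done, ))

        return 0, "", [], response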