def ecp(self):
# The ECP interface
logger.info("--- ECP SSO ---")
resp = None
try:
authz_info = self.environ["HTTP_AUTHORIZATION"]
if authz_info.startswith("Basic "):
try:
_info = base64.b64decode(authz_info[6:])
except TypeError:
resp = Unauthorized()
else:
logger.debug("Authz_info: %s", _info)
try:
(user, passwd) = _info.split(":")
if is_equal(PASSWD[user], passwd):
resp = Unauthorized()
self.user = user
except (ValueError, TypeError):
resp = Unauthorized()
else:
resp = Unauthorized()
except KeyError:
resp = Unauthorized()
if resp:
return resp(self.environ, self.start_response)
_dict = self.unpack_soap()
self.response_bindings = [BINDING_PAOS]
# Basic auth ?!
return self.operation(_dict, BINDING_SOAP)
def verify(self, request, **kwargs):
"""
Verifies that the given username and password was correct
:param request: Either the query part of a URL a urlencoded
body of a HTTP message or a parse such.
:param kwargs: Catch whatever else is sent.
:return: redirect back to where ever the base applications
wants the user after authentication.
"""
#logger.debug("verify(%s)" % request)
if isinstance(request, six.string_types):
_dict = parse_qs(request)
elif isinstance(request, dict):
_dict = request
else:
raise ValueError("Wrong type of input")
# verify username and password
try:
self._verify(_dict["password"][0], _dict["login"][0])
timestamp = str(int(time.mktime(time.gmtime())))
msg = "::".join([_dict["login"][0], timestamp])
info = self.symmetric.encrypt(msg.encode())
self.active[info] = timestamp
cookie = make_cookie(self.cookie_name, info, self.srv.seed)
return_to = create_return_url(self.return_to, _dict["query"][0],
**{self.query_param: "true"})
resp = Redirect(return_to, headers=[cookie])
except (ValueError, KeyError):
resp = Unauthorized("Unknown user or wrong password")
return resp
def do_verify(environ, start_response, _):
query_str = get_post(environ)
if not isinstance(query_str, six.string_types):
query_str = query_str.decode("ascii")
query = parse_qs(query_str)
logger.debug("do_verify: %s", query)
try:
_ok, user = verify_username_and_password(query)
except KeyError:
_ok = False
user = None
if not _ok:
resp = Unauthorized("Unknown user or wrong password")
else:
uid = rndstr(24)
IDP.cache.uid2user[uid] = user
IDP.cache.user2uid[user] = uid
logger.debug("Register %s under '%s'", user, uid)
kaka = set_cookie("idpauthn", "/", uid, query["authn_reference"][0])
lox = "%s?id=%s&key=%s" % (query["redirect_uri"][0], uid, query["key"][0])
logger.debug("Redirect => %s", lox)
resp = Redirect(lox, headers=[kaka], content="text/html")
return resp(environ, start_response)
def do(self, response, binding, relay_state="", mtype="response"):
"""
:param response: The SAML response, transport encoded
:param binding: Which binding the query came in over
"""
# tmp_outstanding_queries = dict(self.outstanding_queries)
if not response:
logger.info("Missing Response")
resp = Unauthorized("Unknown user")
return resp(self.environ, self.start_response)
try:
conv_info = {
"remote_addr": self.environ["REMOTE_ADDR"],
"request_uri": self.environ["REQUEST_URI"],
"entity_id": self.sp.config.entityid,
"endpoints": self.sp.config.getattr("endpoints", "sp"),
}
self.response = self.sp.parse_authn_request_response(
response,
binding,
self.outstanding_queries,
self.cache.outstanding_certs,
conv_info=conv_info,
)
except UnknownPrincipal as excp:
logger.error("UnknownPrincipal: %s", excp)
resp = ServiceError("UnknownPrincipal: %s" % (excp, ))
return resp(self.environ, self.start_response)
except UnsupportedBinding as excp:
logger.error("UnsupportedBinding: %s", excp)
resp = ServiceError("UnsupportedBinding: %s" % (excp, ))
return resp(self.environ, self.start_response)
except VerificationError as err:
resp = ServiceError("Verification error: %s" % (err, ))
return resp(self.environ, self.start_response)
except SignatureError as err:
resp = ServiceError("Signature error: %s" % (err, ))
return resp(self.environ, self.start_response)
except Exception as err:
resp = ServiceError("Other error: %s" % (err, ))
return resp(self.environ, self.start_response)
logger.info("AVA: %s", self.response.ava)
user = User(self.response.name_id, self.response.ava, self.response)
cookie = self.cache.set_cookie(user)
resp = Redirect("/", headers=[cookie])
return resp(self.environ, self.start_response)
def ecp(self):
# The ECP interface
logger.info("--- ECP SSO ---")
resp = None
try:
authz_info = self.environ["HTTP_AUTHORIZATION"]
if authz_info.startswith("Basic "):
try:
_info = base64.b64decode(authz_info[6:])
except TypeError:
resp = Unauthorized()
else:
try:
(user, passwd) = _info.split(":")
if is_equal(PASSWD[user], passwd):
resp = Unauthorized()
self.user = user
self.environ["idp.authn"] = AUTHN_BROKER.get_authn_by_accr(
PASSWORD
)
except ValueError:
resp = Unauthorized()
else:
resp = Unauthorized()
except KeyError:
resp = Unauthorized()
if resp:
return resp(self.environ, self.start_response)
_dict = self.unpack_soap()
self.response_bindings = [BINDING_PAOS]
# Basic auth ?!
self.op_type = "ecp"
return self.operation(_dict, BINDING_SOAP)
def do_authentication(environ, start_response, authn_context, key,
redirect_uri):
"""
Display the login form
"""
logger.debug("Do authentication")
auth_info = AUTHN_BROKER.pick(authn_context)
if len(auth_info):
method, reference = auth_info[0]
logger.debug("Authn chosen: %s (ref=%s)", method, reference)
return method(environ, start_response, reference, key, redirect_uri)
else:
resp = Unauthorized("No usable authentication method")
return resp(environ, start_response)
def staticfile(environ, start_response):
try:
path = args.path[:]
if path is None or len(path) == 0:
path = os.path.dirname(os.path.abspath(__file__))
if path[-1] != "/":
path += "/"
path += environ.get("PATH_INFO", "").lstrip("/")
path = os.path.realpath(path)
if not path.startswith(args.path):
resp = Unauthorized()
return resp(environ, start_response)
start_response("200 OK", [("Content-Type", "text/xml")])
return open(path, "r").read()
except Exception as ex:
logger.error("An error occured while creating metadata: %s", ex.message)
return not_found(environ, start_response)
def verify_request(self, query, binding):
"""
:param query: The SAML query, transport encoded
:param binding: Which binding the query came in over
"""
resp_args = {}
if not query:
logger.info("Missing QUERY")
resp = Unauthorized('Unknown user')
return resp_args, resp(self.environ, self.start_response)
if not self.req_info:
self.req_info = IDP.parse_authn_request(query, binding)
logger.info("parsed OK")
_authn_req = self.req_info.message
logger.debug("%s", _authn_req)
try:
self.binding_out, self.destination = IDP.pick_binding(
"assertion_consumer_service",
bindings=self.response_bindings,
entity_id=_authn_req.issuer.text)
except Exception as err:
logger.error("Couldn't find receiver endpoint: %s", err)
raise
logger.debug("Binding: %s, destination: %s", self.binding_out,
self.destination)
resp_args = {}
try:
resp_args = IDP.response_args(_authn_req)
_resp = None
except UnknownPrincipal as excp:
_resp = IDP.create_error_response(_authn_req.id, self.destination,
excp)
except UnsupportedBinding as excp:
_resp = IDP.create_error_response(_authn_req.id, self.destination,
excp)
return resp_args, _resp
def not_authn(self):
resp = Unauthorized("Unknown user")
return resp(self.environ, self.start_response)
def not_authn(environ, start_response):
resp = Unauthorized('Unknown user')
return resp(environ, start_response)