def parse(self, xmlstr):
self.entities_descr = md.entities_descriptor_from_string(xmlstr)
if not self.entities_descr:
self.entity_descr = md.entity_descriptor_from_string(xmlstr)
if self.entity_descr:
self.do_entity_descriptor(self.entity_descr)
else:
try:
valid_instance(self.entities_descr)
except NotValid as exc:
logger.error("Invalid XML message: %s", exc.args[0])
return
if self.check_validity:
try:
if not valid(self.entities_descr.valid_until):
raise ToOld(
"Metadata not valid anymore, it's only valid "
"until %s" % (self.entities_descr.valid_until, ))
except AttributeError:
pass
for entity_descr in self.entities_descr.entity_descriptor:
self.do_entity_descriptor(entity_descr)
def parse(self, xmlstr):
self.entities_descr = md.entities_descriptor_from_string(xmlstr)
if not self.entities_descr:
self.entity_descr = md.entity_descriptor_from_string(xmlstr)
if self.entity_descr:
self.do_entity_descriptor(self.entity_descr)
else:
try:
valid_instance(self.entities_descr)
except NotValid, exc:
logger.error(exc.args[0])
return
if self.check_validity:
try:
if not valid(self.entities_descr.valid_until):
raise ToOld(
"Metadata not valid anymore, it's after %s" % (
self.entities_descr.valid_until,))
except AttributeError:
pass
for entity_descr in self.entities_descr.entity_descriptor:
self.do_entity_descriptor(entity_descr)
def import_metadata(self, xml_str, source):
""" Import information; organization distinguish name, location and
certificates from a metadata file.
:param xml_str: The metadata as a XML string.
:param source: A name by which this source should be known, has to be
unique within this session.
"""
# now = time.gmtime()
#print >> sys.stderr, "Loading %s" % (source,)
entities_descr = md.entities_descriptor_from_string(xml_str)
if not entities_descr:
entity_descr = md.entity_descriptor_from_string(xml_str)
if entity_descr:
self.do_entity_descriptor(entity_descr, source)
else:
try:
valid_instance(entities_descr)
except NotValid, exc:
print >> sys.stderr, exc.args[0]
return
try:
valid(entities_descr.valid_until)
except AttributeError:
pass
for entity_descr in entities_descr.entity_descriptor:
self.do_entity_descriptor(entity_descr, source,
entities_descr.valid_until)
def import_metadata(self, xml_str, source):
""" Import information; organization distinguish name, location and
certificates from a metadata file.
:param xml_str: The metadata as a XML string.
:param source: A name by which this source should be known, has to be
unique within this session.
"""
# now = time.gmtime()
#print >> sys.stderr, "Loading %s" % (source,)
entities_descr = md.entities_descriptor_from_string(xml_str)
if not entities_descr:
entity_descr = md.entity_descriptor_from_string(xml_str)
if entity_descr:
self.do_entity_descriptor(entity_descr, source)
else:
try:
valid_instance(entities_descr)
except NotValid, exc:
print >> sys.stderr, exc.args[0]
return
try:
valid(entities_descr.valid_until)
except AttributeError:
pass
for entity_descr in entities_descr.entity_descriptor:
self.do_entity_descriptor(entity_descr, source,
entities_descr.valid_until)
def sign_entity_descriptor(edesc, ident, secc):
if not ident:
ident = sid()
edesc.signature = pre_signature_part(ident, secc.my_cert, 1)
edesc.id = ident
xmldoc = secc.sign_statement_using_xmlsec("%s" % edesc, class_name(edesc))
return md.entity_descriptor_from_string(xmldoc)
def sign_entity_descriptor(edesc, ident, secc):
if not ident:
ident = sid()
edesc.signature = pre_signature_part(ident, secc.my_cert, 1)
edesc.id = ident
xmldoc = secc.sign_statement("%s" % edesc, class_name(edesc))
return md.entity_descriptor_from_string(xmldoc)
def sign_entity_descriptor(edesc, valid_for, ident, secc):
if valid_for:
edesc.valid_until = in_a_while(hours=valid_for)
if not ident:
ident = sid()
edesc.signature = pre_signature_part(ident, secc.my_cert, 1)
edesc.id = ident
xmldoc = secc.sign_statement_using_xmlsec("%s" % edesc, class_name(edesc))
return md.entity_descriptor_from_string(xmldoc)
def sign_entity_descriptor(edesc, valid_for, ident, secc):
if valid_for:
edesc.valid_until = in_a_while(hours=valid_for)
if not ident:
ident = sid()
edesc.signature = pre_signature_part(ident, secc.my_cert, 1)
edesc.id = ident
xmldoc = secc.sign_statement_using_xmlsec("%s" % edesc, class_name(edesc))
return md.entity_descriptor_from_string(xmldoc)
def sign_entity_descriptor(edesc, ident, secc):
"""
:param edesc: EntityDescriptor instance
:param ident: EntityDescriptor identifier
:param secc: Security context
:return: Tuple with EntityDescriptor instance and Signed XML document
"""
if not ident:
ident = sid()
edesc.signature = pre_signature_part(ident, secc.my_cert, 1)
edesc.id = ident
xmldoc = secc.sign_statement("%s" % edesc, class_name(edesc))
edesc = md.entity_descriptor_from_string(xmldoc)
return edesc, xmldoc
def sign_entity_descriptor(edesc, ident, secc):
"""
:param edesc: EntityDescriptor instance
:param ident: EntityDescriptor identifier
:param secc: Security context
:return: Tuple with EntityDescriptor instance and Signed XML document
"""
if not ident:
ident = sid()
edesc.signature = pre_signature_part(ident, secc.my_cert, 1)
edesc.id = ident
xmldoc = secc.sign_statement("%s" % edesc, class_name(edesc))
edesc = md.entity_descriptor_from_string(xmldoc)
return edesc, xmldoc
def parse(self, xmlstr):
self.entities_descr = md.entities_descriptor_from_string(xmlstr)
if not self.entities_descr:
self.entity_descr = md.entity_descriptor_from_string(xmlstr)
if self.entity_descr:
self.do_entity_descriptor(self.entity_descr)
else:
try:
valid_instance(self.entities_descr)
except NotValid, exc:
logger.error(exc.args[0])
return
try:
valid(self.entities_descr.valid_until)
except AttributeError:
pass
for entity_descr in self.entities_descr.entity_descriptor:
self.do_entity_descriptor(entity_descr)
def parse(self, xmlstr):
self.entities_descr = md.entities_descriptor_from_string(xmlstr)
if not self.entities_descr:
self.entity_descr = md.entity_descriptor_from_string(xmlstr)
if self.entity_descr:
self.do_entity_descriptor(self.entity_descr)
else:
try:
valid_instance(self.entities_descr)
except NotValid, exc:
logger.error(exc.args[0])
return
try:
valid(self.entities_descr.valid_until)
except AttributeError:
pass
for entity_descr in self.entities_descr.entity_descriptor:
self.do_entity_descriptor(entity_descr)
def get(self, request, *args, **kwargs): # pylint: disable=missing-function-docstring, unused-argument, too-many-locals
resp_args = {
'in_response_to': self.IN_RESPONSE_TO,
'sp_entity_id': self.SP_ENTITY_ID,
'name_id_policy': saml.NAMEID_FORMAT_PERSISTENT,
'binding': BINDING_HTTP_POST,
'destination': self.DESTINATION,
}
sp_config = {
'processor': 'djangosaml2idp.processors.BaseProcessor',
'attribute_mapping': {
'username':
'******',
'token':
'token',
'aliyun_sso_roles':
self.CUSTOM_CONFIG['role'],
'uid':
self.CUSTOM_CONFIG['role_session_name'],
'aliyun_sso_session_duration':
self.CUSTOM_CONFIG['session_duration'],
},
}
processor = self.get_processor(resp_args['sp_entity_id'], sp_config)
# Check if user has access to the service of this SP
if not processor.has_access(request):
return self.handle_error(
request,
exception=PermissionDenied(
"You do not have access to this resource"),
status=403)
cookie_user = self.cookie_user(request)
if not cookie_user.aliyun_sso_role.is_active:
# 用户的角色SSO被禁用
return self.handle_error(
request,
exception=PermissionDenied("Your role SSO has been disabled"),
status=403)
identity = self.get_identity(processor, cookie_user, sp_config)
# print('identity is', identity)
AUTHN_BROKER = AuthnBroker() # pylint: disable=invalid-name
AUTHN_BROKER.add(authn_context_class_ref(PASSWORD), "")
user_id = processor.get_user_id(cookie_user)
# Construct SamlResponse message
try:
app = SAMLAPP.valid_objects.get(
entity_id=resp_args['sp_entity_id'])
_spsso_descriptor = entity_descriptor_from_string(
app.xmldata).spsso_descriptor.pop() # pylint: disable=no-member
authn_resp = self.IDP.create_authn_response(
identity=identity,
userid=user_id,
name_id=NameID(format=resp_args['name_id_policy'],
sp_name_qualifier=resp_args['sp_entity_id'],
text=user_id),
authn=AUTHN_BROKER.get_authn_by_accr(PASSWORD),
sign_response=getattr(_spsso_descriptor,
'want_response_signed', '') == 'true',
sign_assertion=getattr(_spsso_descriptor,
'want_assertions_signed', '') == 'true',
**resp_args)
except Exception as excp: # pylint: disable=broad-except
return self.handle_error(request, exception=excp, status=500)
# print('authn_resp is', authn_resp)
http_args = self.IDP.apply_binding(
binding=resp_args['binding'],
msg_str="%s" % authn_resp,
destination=resp_args['destination'],
response=True)
return HttpResponse(http_args['data'])
def get(self, request, *args, **kwargs): # pylint: disable=missing-function-docstring, unused-argument, too-many-locals
binding = request.session.get('Binding', BINDING_HTTP_POST)
# Parse incoming request
try:
req_info = self.IDP.parse_authn_request(
request.session['SAMLRequest'], binding)
except Exception as excp: # pylint: disable=broad-except
return self.handle_error(request, exception=excp)
# Signed request for HTTP-REDIRECT
if "SigAlg" in request.session and "Signature" in request.session:
_certs = self.IDP.metadata.certs(req_info.message.issuer.text,
"any", "signing")
verified_ok = False
for cert in _certs: # pylint: disable=unused-variable
# TODO implement
# if verify_redirect_signature(_info, self.IDP.sec.sec_backend, cert):
# verified_ok = True
# break
pass
if not verified_ok:
return self.handle_error(
request,
extra_message="Message signature verification failure",
status=400)
# Gather response arguments
try:
resp_args = self.IDP.response_args(req_info.message)
except (UnknownPrincipal, UnsupportedBinding) as excp:
return self.handle_error(request, exception=excp, status=400)
# print('resp_args is', resp_args)
try:
# sp_config = SAML_IDP_SPCONFIG[resp_args['sp_entity_id']]
sp_config = {
'processor': 'djangosaml2idp.processors.BaseProcessor',
'attribute_mapping': {
'email': 'email',
'private_email': 'private_email',
'username': '******',
'is_staff': 'is_staff',
'is_superuser': '******',
'token': 'token',
},
}
except Exception: # pylint: disable=broad-except
return self.handle_error(
request,
exception=ImproperlyConfigured(
"No config for SP %s defined in SAML_IDP_SPCONFIG" %
resp_args['sp_entity_id']),
status=400)
processor = self.get_processor(resp_args['sp_entity_id'], sp_config)
# Check if user has access to the service of this SP
if not processor.has_access(request):
return self.handle_error(
request,
exception=PermissionDenied(
"You do not have access to this resource"),
status=403)
cookie_user = self.cookie_user(request)
identity = self.get_identity(processor, cookie_user, sp_config)
req_authn_context = req_info.message.requested_authn_context or PASSWORD
# print('cookie_user is', cookie_user)
# print('identity is', identity)
# print('req_authn_context is', req_authn_context)
AUTHN_BROKER = AuthnBroker() # pylint: disable=invalid-name
AUTHN_BROKER.add(authn_context_class_ref(req_authn_context), "")
user_id = processor.get_user_id(cookie_user)
# Construct SamlResponse message
try:
app = SAMLAPP.valid_objects.get(
entity_id=resp_args['sp_entity_id'])
_spsso_descriptor = entity_descriptor_from_string(
app.xmldata).spsso_descriptor.pop() # pylint: disable=no-member
authn_resp = self.IDP.create_authn_response(
identity=identity,
userid=user_id,
# name_id=NameID(format=resp_args['name_id_policy'].format,
# sp_name_qualifier=resp_args['sp_entity_id'],
# text=user_id),
name_id=NameID(format=resp_args['name_id_policy'],
sp_name_qualifier=resp_args['sp_entity_id'],
text=user_id),
authn=AUTHN_BROKER.get_authn_by_accr(req_authn_context),
sign_response=getattr(_spsso_descriptor,
'want_response_signed', '') == 'true',
sign_assertion=getattr(_spsso_descriptor,
'want_assertions_signed', '') == 'true',
**resp_args)
except Exception as excp: # pylint: disable=broad-except
return self.handle_error(request, exception=excp, status=500)
# print('authn_resp is', authn_resp)
http_args = self.IDP.apply_binding(
binding=resp_args['binding'],
msg_str="%s" % authn_resp,
destination=resp_args['destination'],
relay_state=request.session['RelayState'],
response=True)
logger.debug('http args are: %s' % http_args) # pylint: disable=logging-not-lazy
return self.render_response(request, processor, http_args)
