Пример #1
0
    def _create_base_saml_assertion(self, context, auth):
        issuer = CONF.saml.idp_entity_id
        sp_id = auth['scope']['service_provider']['id']
        service_provider = self.federation_api.get_sp(sp_id)
        utils.assert_enabled_service_provider_object(service_provider)
        sp_url = service_provider.get('sp_url')

        token_id = auth['identity']['token']['id']
        token_data = self.token_provider_api.validate_token(token_id)
        token_ref = token_model.KeystoneToken(token_id, token_data)

        if not token_ref.project_scoped:
            action = _('Use a project scoped token when attempting to create '
                       'a SAML assertion')
            raise exception.ForbiddenAction(action=action)

        subject = token_ref.user_name
        roles = token_ref.role_names
        project = token_ref.project_name
        # NOTE(rodrigods): the domain name is necessary in order to distinguish
        # between projects and users with the same name in different domains.
        project_domain_name = token_ref.project_domain_name
        subject_domain_name = token_ref.user_domain_name

        generator = keystone_idp.SAMLGenerator()
        response = generator.samlize_token(issuer, sp_url, subject,
                                           subject_domain_name, roles, project,
                                           project_domain_name)
        return (response, service_provider)
Пример #2
0
    def create_saml_assertion(self, context, auth):
        """Exchange a scoped token for a SAML assertion.

        :param auth: Dictionary that contains a token id and region id
        :returns: SAML Assertion based on properties from the token
        """

        issuer = CONF.saml.idp_entity_id
        region_id = auth['scope']['region']['id']
        region = self.catalog_api.get_region(region_id)
        recipient = region['url']

        token_id = auth['identity']['token']['id']
        token_data = self.token_provider_api.validate_token(token_id)
        token_ref = token_model.KeystoneToken(token_id, token_data)
        subject = token_ref.user_name
        roles = token_ref.role_names

        if token_ref.project_scoped:
            project = token_ref.project_name
        else:
            raise ValueError(
                _('Use a project scoped token when attempting to'
                  'create a SAML assertion'))

        generator = keystone_idp.SAMLGenerator()
        response = generator.samlize_token(issuer, recipient, subject, roles,
                                           project)

        return wsgi.render_response(body=response.to_string(),
                                    status=('200', 'OK'),
                                    headers=[('Content-Type', 'text/xml')])
Пример #3
0
    def create_saml_assertion(self, context, auth):
        """Exchange a scoped token for a SAML assertion.

        :param auth: Dictionary that contains a token and service provider id
        :returns: SAML Assertion based on properties from the token
        """

        issuer = CONF.saml.idp_entity_id
        sp_id = auth['scope']['service_provider']['id']
        service_provider = self.federation_api.get_sp(sp_id)
        utils.assert_enabled_service_provider_object(service_provider)

        sp_url = service_provider.get('sp_url')
        auth_url = service_provider.get('auth_url')

        token_id = auth['identity']['token']['id']
        token_data = self.token_provider_api.validate_token(token_id)
        token_ref = token_model.KeystoneToken(token_id, token_data)
        subject = token_ref.user_name
        roles = token_ref.role_names

        if not token_ref.project_scoped:
            action = _('Use a project scoped token when attempting to create '
                       'a SAML assertion')
            raise exception.ForbiddenAction(action=action)

        project = token_ref.project_name
        generator = keystone_idp.SAMLGenerator()
        response = generator.samlize_token(issuer, sp_url, subject, roles,
                                           project)

        return wsgi.render_response(body=response.to_string(),
                                    status=('200', 'OK'),
                                    headers=[('Content-Type', 'text/xml'),
                                             ('X-sp-url',
                                              six.binary_type(sp_url)),
                                             ('X-auth-url',
                                              six.binary_type(auth_url))])
Пример #4
0
    def _create_base_saml_assertion(self, context, auth):
        issuer = CONF.saml.idp_entity_id
        sp_id = auth['scope']['service_provider']['id']
        service_provider = self.federation_api.get_sp(sp_id)
        utils.assert_enabled_service_provider_object(service_provider)
        sp_url = service_provider.get('sp_url')

        token_id = auth['identity']['token']['id']
        token_data = self.token_provider_api.validate_token(token_id)
        token_ref = token_model.KeystoneToken(token_id, token_data)
        subject = token_ref.user_name
        roles = token_ref.role_names

        if not token_ref.project_scoped:
            action = _('Use a project scoped token when attempting to create '
                       'a SAML assertion')
            raise exception.ForbiddenAction(action=action)

        project = token_ref.project_name
        generator = keystone_idp.SAMLGenerator()
        response = generator.samlize_token(issuer, sp_url, subject, roles,
                                           project)
        return (response, service_provider)