def _verify(self):
assert self.message.version == "2.0"
if self.message.destination and self.receiver_addrs and \
self.message.destination not in self.receiver_addrs:
logger.error("%s not in %s" % (self.message.destination,
self.receiver_addrs))
raise OtherError("Not destined for me!")
assert self.issue_instant_ok()
return self
def _verify(self):
valid_version = "2.0"
if self.message.version != valid_version:
raise VersionMismatch(
"Invalid version {invalid} should be {valid}".format(
invalid=self.message.version, valid=valid_version))
if self.message.destination and self.receiver_addrs and \
self.message.destination not in self.receiver_addrs:
logger.error("%s not in %s", self.message.destination,
self.receiver_addrs)
raise OtherError("Not destined for me!")
valid = self.issue_instant_ok()
return valid
def parse_authn_request(self, enc_request, binding=BINDING_HTTP_REDIRECT):
"""Parse a Authentication Request
:param enc_request: The request in its transport format
:param binding: Which binding that was used to transport the message
to this entity.
:return: A dictionary with keys:
consumer_url - as gotten from the SPs entity_id and the metadata
id - the id of the request
sp_entity_id - the entity id of the SP
request - The verified request
"""
response = {}
_log_info = logger.info
_log_debug = logger.debug
# The addresses I should receive messages like this on
receiver_addresses = self.conf.endpoint("single_sign_on_service",
binding)
_log_info("receiver addresses: %s" % receiver_addresses)
_log_info("Binding: %s" % binding)
try:
timeslack = self.conf.accepted_time_diff
if not timeslack:
timeslack = 0
except AttributeError:
timeslack = 0
authn_request = AuthnRequest(self.sec,
self.conf.attribute_converters,
receiver_addresses, timeslack=timeslack)
if binding == BINDING_SOAP or binding == BINDING_PAOS:
# not base64 decoding and unzipping
authn_request.debug=True
_log_info("Don't decode")
authn_request = authn_request.loads(enc_request, decode=False)
else:
authn_request = authn_request.loads(enc_request)
_log_debug("Loaded authn_request")
if authn_request:
authn_request = authn_request.verify()
_log_debug("Verified authn_request")
if not authn_request:
return None
response["id"] = authn_request.message.id # put in in_reply_to
sp_entity_id = authn_request.message.issuer.text
# try to find return address in metadata
# What's the binding ? ProtocolBinding
if authn_request.message.protocol_binding == BINDING_HTTP_REDIRECT:
_binding = BINDING_HTTP_POST
else:
_binding = authn_request.message.protocol_binding
try:
srvs = self.metadata.assertion_consumer_service(sp_entity_id,
binding=_binding)
consumer_url = destinations(srvs)[0]
except (KeyError, IndexError):
_log_info("Failed to find consumer URL for %s" % sp_entity_id)
_log_info("Binding: %s" % _binding)
_log_info("entities: %s" % self.metadata.keys())
raise UnknownPrincipal(sp_entity_id)
if not consumer_url: # what to do ?
_log_info("Couldn't find a consumer URL binding=%s entity_id=%s" % (
_binding,sp_entity_id))
raise UnsupportedBinding(sp_entity_id)
response["sp_entity_id"] = sp_entity_id
if authn_request.message.assertion_consumer_service_url:
return_destination = \
authn_request.message.assertion_consumer_service_url
if consumer_url != return_destination:
# serious error on someones behalf
_log_info("%s != %s" % (consumer_url, return_destination))
raise OtherError("ConsumerURL and return destination mismatch")
response["consumer_url"] = consumer_url
response["request"] = authn_request.message
return response