  def logout(self, SAMLRequest=None, SAMLResponse=None, RelayState=""):

    if cherrypy.session.get('issuers') is None:
      cherrypy.session['issuers'] = {}
    if SAMLRequest is not None:
      # A service provider has sent logout request.
      try:
        decoded_request = base64.b64decode(SAMLRequest)
        logout_request = samlp.LogoutRequestFromString(decoded_request)
        if logout_request is None:
          raise errors.GheimdallException('The value of SAMLRequest is wrong.')
        issuer_name = logout_request.issuer.text.strip()
        key_file = config.get('apps.public_keys').get(issuer_name, None)
        if key_file is None:
          raise errors.GheimdallException('Failed to get public key filename.'
                                          ' issuer: %s' % issuer_name)
        result = samlutils.verify(decoded_request, key_file)

        if result == False:
          raise errors.GheimdallException('Failed verifyng the signature'
                                          ' of logout request.')
        try:
          issuer_in_ses = cherrypy.session['issuers'].get(issuer_name, None)
        except KeyError:
          raise errors.GheimdallException(
            'The session has no issuer attribute.')
          
        if issuer_in_ses is None:
          raise errors.GheimdallException('Request from invalid issuer.')

        if logout_request.name_id.text is None:
          raise errors.GheimdallException('Request with empty NameID.')

        if issuer_in_ses.name_id.text.strip() != \
             logout_request.name_id.text.strip():
          raise errors.GheimdallException('Request with invalid NameID.')
        
        # OK
        log.debug('Succeeded verifying the signature of logout request.')
        issuer_in_ses.status = sp.STATUS_LOGOUT_SUCCESS
        cherrypy.session['issuers'][issuer_name] = issuer_in_ses
        # delete session data
        cherrypy.session['remember_me'] = False
        cherrypy.session['authenticated'] = False
        cherrypy.session['user_name'] = None
        cherrypy.session['auth_time'] = 0
        cherrypy.session['valid_time'] = 0
        # save state
        cherrypy.session['issuer_origin'] = issuer_name
        cherrypy.session['logout_request_id'] = logout_request.id
        # goto LOOP for SP

      except errors.GheimdallException, e:
        log.error(e)
        return utils.createLogoutResponse(
          RelayState, issuer_name, logout_request.id, samlp.STATUS_RESPONDER)
      status_to_send = samlp.STATUS_PARTIAL_LOGOUT
    else:
      status_to_send = samlp.STATUS_SUCCESS
    if cherrypy.session['issuer_origin'].startswith("google.com"):
      useSSL = cherrypy.session.get('useSSL', False)
      if useSSL:
        scheme = 'https'
      else:
        scheme = 'http'
      url = scheme + '://mail.google.com/a/' + config.get('apps.domain') + '/'
      return {
          "url": url,
          "tg_template": "gheimdall.templates.gheimdall-logout"}
    else:
      return utils.createLogoutResponse(RelayState,
                                        cherrypy.session['issuer_origin'],
                                        cherrypy.session['logout_request_id'],
                                        status_to_send)

  @expose(template="gheimdall.templates.gheimdall-login")
  @strongly_expire
  def login(self, SAMLRequest, RelayState='', *args, **kw):
    if config.get('apps.use_header_auth'):
      # header auth
      # retrieve user name from header
      key = config.get('apps.auth_header_key')
      user_name = cherrypy.request.headers.get(key, None)
      if user_name is None:
        raise errors.GheimdallException('Can not retrieve user name.')

      ret = utils.createLoginDict(SAMLRequest, RelayState, user_name)
      ret['tg_template'] = 'gheimdall.templates.gheimdall-login-success'