if k not in response.ava:
return Unauthorized(self.not_authorized)
else:
allowed = False
for allowed_attr_value in v:
if allowed_attr_value == response.ava[k] or allowed_attr_value in response.ava[k]:
allowed = True
break
if not allowed:
return Unauthorized(self.not_authorized)
#logger.info("parsed OK")'
uid = response.assertion.subject.name_id.text
self.setup_userdb(uid, response.ava)
return_to = create_return_url(self.return_to, uid, **{self.query_param: "true"})
if '?' in return_to:
return_to += "&"
else:
return_to += "?"
return_to += base64.b64decode(data[self.CONST_QUERY])
auth_cookie = self.create_cookie(uid, "samlm")
resp = Redirect(return_to, headers=[auth_cookie])
return resp
def setup_userdb(self, uid, samldata):
attributes = {}
if self.sp_conf.ATTRIBUTE_WHITELIST is not None:
for attr, allowed in self.sp_conf.ATTRIBUTE_WHITELIST.iteritems():
if attr in samldata:
def verify(self,
request,
cookie,
path,
requrl,
end_point_index=None,
**kwargs):
"""
Verifies if the authentication was successful.
:rtype : Response
:param request: Contains the request parameters.
:param cookie: Cookies sent with the request.
:param kwargs: Any other parameters.
:return: If the authentication was successful: a redirect to the
return_to url. Otherwise a unauthorized response.
:raise: ValueError
"""
if isinstance(request, six.string_types):
request = parse_qs(request)
elif isinstance(request, dict):
pass
else:
raise ValueError("Wrong type of input")
acs = self.sp.config.getattr("endpoints",
"sp")["assertion_consumer_service"]
acs_endpoints = [(ep[0].rsplit("/", 1)[1], ep[1]) for ep in acs]
binding = None
path = path[1:]
for endp in acs_endpoints:
if path == endp[0]:
binding = endp[1]
break
saml_cookie, _ts, _typ = self.getCookieValue(cookie,
self.CONST_SAML_COOKIE)
data = json.loads(saml_cookie)
rp_query_cookie = self.get_multi_auth_cookie(cookie)
query = rp_query_cookie
if not query:
query = base64.b64decode(data[self.CONST_QUERY]).decode("ascii")
if data[self.CONST_HASIDP] == 'False':
(done, response) = self._pick_idp(request, end_point_index)
if done == 0:
entity_id = response
# Do the AuthnRequest
resp = self._redirect_to_auth(self.sp, entity_id, query,
end_point_index)
return resp, False
return response, False
if not request:
logger.info("Missing Response")
return Unauthorized("You are not authorized!"), False
try:
response = self.sp.parse_authn_request_response(
request["SAMLResponse"][0], binding,
self.cache_outstanding_queries)
except UnknownPrincipal as excp:
logger.error("UnknownPrincipal: %s" % (excp, ))
return Unauthorized(self.not_authorized), False
except UnsupportedBinding as excp:
logger.error("UnsupportedBinding: %s" % (excp, ))
return Unauthorized(self.not_authorized), False
except VerificationError as err:
logger.error("Verification error: %s" % (err, ))
return Unauthorized(self.not_authorized), False
except Exception as err:
logger.error("Other error: %s" % (err, ))
return Unauthorized(self.not_authorized), False
if self.sp_conf.VALID_ATTRIBUTE_RESPONSE is not None:
for k, v in six.iteritems(self.sp_conf.VALID_ATTRIBUTE_RESPONSE):
if k not in response.ava:
return Unauthorized(self.not_authorized), False
else:
allowed = False
for allowed_attr_value in v:
if isinstance(response.ava[k], list):
for resp_value in response.ava[k]:
if allowed_attr_value in resp_value:
allowed = True
break
elif allowed_attr_value in response.ava[k]:
allowed = True
break
if not allowed:
return Unauthorized(self.not_authorized), False
# logger.info("parsed OK")'
uid = response.assertion.subject.name_id.text
if self.userinfo == "AA":
if response.entity_id is not None and self.samlcache is not None:
self.samlcache["AA_ENTITYID"] = response.entity_id
self.setup_userdb(uid, response.ava)
return_to = create_return_url(self.return_to, uid,
**{self.query_param: "true"})
if '?' in return_to:
return_to += "&"
else:
return_to += "?"
return_to += query
auth_cookie = self.create_cookie(uid, "samlm")
resp = SeeOther(str(return_to), headers=[auth_cookie])
return resp, True
def verify(self, request, cookie, path, requrl, end_point_index=None, **kwargs):
"""
Verifies if the authentication was successful.
:rtype : Response
:param request: Contains the request parameters.
:param cookie: Cookies sent with the request.
:param kwargs: Any other parameters.
:return: If the authentication was successful: a redirect to the
return_to url. Otherwise a unauthorized response.
:raise: ValueError
"""
if isinstance(request, six.string_types):
request = parse_qs(request)
elif isinstance(request, dict):
pass
else:
raise ValueError("Wrong type of input")
acs = self.sp.config.getattr("endpoints", "sp")["assertion_consumer_service"]
acs_endpoints = [(ep[0].rsplit("/", 1)[1], ep[1]) for ep in acs]
binding = None
path = path[1:]
for endp in acs_endpoints:
if path == endp[0]:
binding = endp[1]
break
saml_cookie, _ts, _typ = self.getCookieValue(cookie,
self.CONST_SAML_COOKIE)
data = json.loads(saml_cookie)
rp_query_cookie = self.get_multi_auth_cookie(cookie)
query = rp_query_cookie
if not query:
query = base64.b64decode(data[self.CONST_QUERY]).decode("ascii")
if data[self.CONST_HASIDP] == 'False':
(done, response) = self._pick_idp(request, end_point_index)
if done == 0:
entity_id = response
# Do the AuthnRequest
resp = self._redirect_to_auth(self.sp, entity_id, query, end_point_index)
return resp, False
return response, False
if not request:
logger.info("Missing Response")
return Unauthorized("You are not authorized!"), False
try:
response = self.sp.parse_authn_request_response(
request["SAMLResponse"][0], binding,
self.cache_outstanding_queries)
except UnknownPrincipal as excp:
logger.error("UnknownPrincipal: %s" % (excp,))
return Unauthorized(self.not_authorized), False
except UnsupportedBinding as excp:
logger.error("UnsupportedBinding: %s" % (excp,))
return Unauthorized(self.not_authorized), False
except VerificationError as err:
logger.error("Verification error: %s" % (err,))
return Unauthorized(self.not_authorized), False
except Exception as err:
logger.error("Other error: %s" % (err,))
return Unauthorized(self.not_authorized), False
if self.sp_conf.VALID_ATTRIBUTE_RESPONSE is not None:
for k, v in six.iteritems(self.sp_conf.VALID_ATTRIBUTE_RESPONSE):
if k not in response.ava:
return Unauthorized(self.not_authorized), False
else:
allowed = False
for allowed_attr_value in v:
if isinstance(response.ava[k], list):
for resp_value in response.ava[k]:
if allowed_attr_value in resp_value:
allowed = True
break
elif allowed_attr_value in response.ava[k]:
allowed = True
break
if not allowed:
return Unauthorized(self.not_authorized), False
# logger.info("parsed OK")'
uid = response.assertion.subject.name_id.text
if self.userinfo == "AA":
if response.entity_id is not None and self.samlcache is not None:
self.samlcache["AA_ENTITYID"] = response.entity_id
self.setup_userdb(uid, response.ava)
return_to = create_return_url(self.return_to, uid,
**{self.query_param: "true"})
if '?' in return_to:
return_to += "&"
else:
return_to += "?"
return_to += query
auth_cookie = self.create_cookie(uid, "samlm")
resp = SeeOther(str(return_to), headers=[auth_cookie])
return resp, True
def generate_return_url(self, return_to, uid, path=""):
return create_return_url(return_to, uid, **{self.query_param: "true"})
