-# Copyright (C) 2014 Simo Sorce <simo@redhat.com>
-#
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
+# Copyright (C) 2014 Ipsilon project Contributors, for license see COPYING
from ipsilon.providers.common import ProviderPageBase, ProviderException
from ipsilon.providers.common import AuthenticationError, InvalidRequest
from ipsilon.providers.saml2.provider import ServiceProvider
from ipsilon.providers.saml2.provider import InvalidProviderId
from ipsilon.providers.saml2.provider import NameIdNotAllowed
-from ipsilon.providers.saml2.sessions import SAMLSessionsContainer
+from ipsilon.tools import saml2metadata as metadata
from ipsilon.util.policy import Policy
from ipsilon.util.user import UserSession
from ipsilon.util.trans import Transaction
def __init__(self, message):
super(UnknownProvider, self).__init__(message)
- self._debug(message)
+ self.debug(message)
class AuthenticateRequest(ProviderPageBase):
super(AuthenticateRequest, self).__init__(*args, **kwargs)
self.stage = 'init'
self.trans = None
+ self.binding = None
def _preop(self, *args, **kwargs):
try:
# generate a new id or get current one
self.trans = Transaction('saml2', **kwargs)
- if self.trans.cookie.value != self.trans.provider:
- self.debug('Invalid transaction, %s != %s' % (
- self.trans.cookie.value, self.trans.provider))
+
+ self.debug('self.binding=%s, transdata=%s' %
+ (self.binding, self.trans.retrieve()))
+ if self.binding is None:
+ # SAML binding is unknown, try to get it from transaction
+ transdata = self.trans.retrieve()
+ self.binding = transdata.get('saml2_binding')
+ else:
+ # SAML binding known, store in transaction
+ data = {'saml2_binding': self.binding}
+ self.trans.store(data)
+
+ # Only check for cookie for those bindings which use one
+ if self.binding not in (metadata.SAML2_SERVICE_MAP['sso-soap'][1]):
+ if self.trans.cookie.value != self.trans.provider:
+ self.debug('Invalid transaction, %s != %s' % (
+ self.trans.cookie.value, self.trans.provider))
except Exception, e: # pylint: disable=broad-except
self.debug('Transaction initialization failed: %s' % repr(e))
raise cherrypy.HTTPError(400, 'Invalid transaction id')
e, message)
raise UnknownProvider(msg)
- self._debug('SP %s requested authentication' % login.remoteProviderId)
+ self.debug('SP %s requested authentication' % login.remoteProviderId)
return login
try:
login = self._parse_request(request)
except InvalidRequest, e:
- self._debug(str(e))
+ self.debug(str(e))
raise cherrypy.HTTPError(400, 'Invalid SAML request token')
except UnknownProvider, e:
- self._debug(str(e))
+ self.debug(str(e))
raise cherrypy.HTTPError(400, 'Unknown Service Provider')
except Exception, e: # pylint: disable=broad-except
- self._debug(str(e))
+ self.debug(str(e))
raise cherrypy.HTTPError(500)
return login
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
nameid = '_' + uuid.uuid4().hex
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
- nameid = us.get_data('user', 'krb_principal_name')
+ userattrs = us.get_user_attrs()
+ nameid = userattrs.get('gssapi_principal_name')
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL:
nameid = us.get_user().email
if not nameid:
self.debug('Assertion: %s' % login.assertion.dump())
- saml_sessions = us.get_provider_data('saml2')
- if saml_sessions is None:
- saml_sessions = SAMLSessionsContainer()
-
- session = saml_sessions.find_session_by_provider(
- login.remoteProviderId)
- if session:
- # TODO: something...
- self.debug('Login session for this user already exists!?')
- session.dump()
+ saml_sessions = self.cfg.idp.sessionfactory
lasso_session = lasso.Session()
lasso_session.addAssertion(login.remoteProviderId, login.assertion)
saml_sessions.add_session(login.assertion.id,
login.remoteProviderId,
- lasso_session)
- us.save_provider_data('saml2', saml_sessions)
+ user.name,
+ lasso_session.dump())
def saml2error(self, login, code, message):
status = lasso.Samlp2Status()
raise cherrypy.HTTPError(501)
elif login.protocolProfile == lasso.LOGIN_PROTOCOL_PROFILE_BRWS_POST:
login.buildAuthnResponseMsg()
- self._debug('POSTing back to SP [%s]' % (login.msgUrl))
+ self.debug('POSTing back to SP [%s]' % (login.msgUrl))
context = {
"title": 'Redirecting back to the web application',
"action": login.msgUrl,
],
"submit": 'Return to application',
}
- # pylint: disable=star-args
return self._template('saml2/post_response.html', **context)
+ elif login.protocolProfile == lasso.LOGIN_PROTOCOL_PROFILE_BRWS_LECP:
+ login.buildResponseMsg()
+ self.debug("Returning ECP: %s" % login.msgBody)
+ return login.msgBody
+
else:
raise cherrypy.HTTPError(500)