3 # Copyright (C) 2014 Simo Sorce <simo@redhat.com>
5 # see file 'COPYING' for use and warranty information
7 # This program is free software; you can redistribute it and/or modify
8 # it under the terms of the GNU General Public License as published by
9 # the Free Software Foundation, either version 3 of the License, or
10 # (at your option) any later version.
12 # This program is distributed in the hope that it will be useful,
13 # but WITHOUT ANY WARRANTY; without even the implied warranty of
14 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 # GNU General Public License for more details.
17 # You should have received a copy of the GNU General Public License
18 # along with this program. If not, see <http://www.gnu.org/licenses/>.
20 from ipsilon.providers.common import ProviderPageBase, ProviderException
21 from ipsilon.providers.saml2.provider import ServiceProvider
22 from ipsilon.providers.saml2.provider import InvalidProviderId
23 from ipsilon.providers.saml2.provider import NameIdNotAllowed
24 from ipsilon.util.user import UserSession
30 class AuthenticationError(ProviderException):
32 def __init__(self, message, code):
33 super(AuthenticationError, self).__init__(message)
35 self._debug('%s [%s]' % (message, code))
38 class InvalidRequest(ProviderException):
40 def __init__(self, message):
41 super(InvalidRequest, self).__init__(message)
45 class UnknownProvider(ProviderException):
47 def __init__(self, message):
48 super(UnknownProvider, self).__init__(message)
52 class AuthenticateRequest(ProviderPageBase):
54 def __init__(self, *args, **kwargs):
55 super(AuthenticateRequest, self).__init__(*args, **kwargs)
58 self.stage = self.STAGE_INIT
60 def auth(self, login):
62 self.saml2checks(login)
63 except AuthenticationError, e:
64 self.saml2error(login, e.code, e.message)
65 return self.reply(login)
67 def _parse_request(self, message):
69 login = self.cfg.idp.get_login_handler()
72 login.processAuthnRequestMsg(message)
73 except (lasso.ProfileInvalidMsgError,
74 lasso.ProfileMissingIssuerError), e:
76 msg = 'Malformed Request %r [%r]' % (e, message)
77 raise InvalidRequest(msg)
79 except (lasso.ProfileInvalidProtocolprofileError,
82 msg = 'Invalid SAML Request: %r (%r [%r])' % (login.request,
84 raise InvalidRequest(msg)
86 except (lasso.ServerProviderNotFoundError,
87 lasso.ProfileUnknownProviderError), e:
89 msg = 'Invalid SP [%s] (%r [%r])' % (login.remoteProviderId,
91 raise UnknownProvider(msg)
93 self._debug('SP %s requested authentication' % login.remoteProviderId)
97 def saml2login(self, request):
100 raise cherrypy.HTTPError(400,
101 'SAML request token missing or empty')
104 login = self._parse_request(request)
105 except InvalidRequest, e:
107 raise cherrypy.HTTPError(400, 'Invalid SAML request token')
108 except UnknownProvider, e:
110 raise cherrypy.HTTPError(400, 'Unknown Service Provider')
111 except Exception, e: # pylint: disable=broad-except
113 raise cherrypy.HTTPError(500)
117 def saml2checks(self, login):
119 session = UserSession()
120 user = session.get_user()
121 if user.is_anonymous:
122 if self.stage < self.STAGE_AUTH:
123 session.save_data('saml2', 'stage', self.STAGE_AUTH)
124 session.save_data('saml2', 'Request', login.dump())
125 session.save_data('login', 'Return',
126 '%s/saml2/SSO/Continue' % self.basepath)
127 raise cherrypy.HTTPRedirect('%s/login' % self.basepath)
129 raise AuthenticationError(
130 "Unknown user", lasso.SAML2_STATUS_CODE_AUTHN_FAILED)
132 self._audit("Logged in user: %s [%s]" % (user.name, user.fullname))
134 # TODO: check if this is the first time this user access this SP
135 # If required by user prefs, ask user for consent once and then
139 # TODO: check destination
142 provider = ServiceProvider(self.cfg, login.remoteProviderId)
143 nameidfmt = provider.get_valid_nameid(login.request.nameIdPolicy)
144 except NameIdNotAllowed, e:
145 raise AuthenticationError(
146 str(e), lasso.SAML2_STATUS_CODE_INVALID_NAME_ID_POLICY)
147 except InvalidProviderId, e:
148 raise AuthenticationError(
149 str(e), lasso.SAML2_STATUS_CODE_AUTHN_FAILED)
151 # TODO: check login.request.forceAuthn
153 login.validateRequestMsg(not user.is_anonymous, consent)
155 authtime = datetime.datetime.utcnow()
156 skew = datetime.timedelta(0, 60)
157 authtime_notbefore = authtime - skew
158 authtime_notafter = authtime + skew
163 # TODO: get authentication type fnd name format from session
164 # need to save which login manager authenticated and map it to a
165 # saml2 authentication context
166 authn_context = lasso.SAML2_AUTHN_CONTEXT_UNSPECIFIED
168 timeformat = '%Y-%m-%dT%H:%M:%SZ'
169 login.buildAssertion(authn_context,
170 authtime.strftime(timeformat),
172 authtime_notbefore.strftime(timeformat),
173 authtime_notafter.strftime(timeformat))
176 if nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT:
177 ## TODO map to something else ?
178 nameid = provider.normalize_username(user.name)
179 elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
180 ## TODO map to something else ?
181 nameid = provider.normalize_username(user.name)
182 elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
183 nameid = us.get_data('user', 'krb_principal_name')
184 elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL:
185 nameid = us.get_user().email
187 nameid = '%s@%s' % (user.name, self.cfg.default_email_domain)
190 login.assertion.subject.nameId.format = nameidfmt
191 login.assertion.subject.nameId.content = nameid
193 raise AuthenticationError("Unavailable Name ID type",
194 lasso.SAML2_STATUS_CODE_AUTHN_FAILED)
196 # TODO: add user attributes as policy requires from 'usersession'
198 def saml2error(self, login, code, message):
199 status = lasso.Samlp2Status()
200 status.statusCode = lasso.Samlp2StatusCode()
201 status.statusCode.value = lasso.SAML2_STATUS_CODE_RESPONDER
202 status.statusCode.statusCode = lasso.Samlp2StatusCode()
203 status.statusCode.statusCode.value = code
204 login.response.status = status
206 def reply(self, login):
207 if login.protocolProfile == lasso.LOGIN_PROTOCOL_PROFILE_BRWS_ART:
209 raise cherrypy.HTTPError(501)
210 elif login.protocolProfile == lasso.LOGIN_PROTOCOL_PROFILE_BRWS_POST:
211 login.buildAuthnResponseMsg()
212 self._debug('POSTing back to SP [%s]' % (login.msgUrl))
214 "title": 'Redirecting back to the web application',
215 "action": login.msgUrl,
217 [lasso.SAML2_FIELD_RESPONSE, login.msgBody],
218 [lasso.SAML2_FIELD_RELAYSTATE, login.msgRelayState],
220 "submit": 'Return to application',
222 # pylint: disable=star-args
223 return self._template('saml2/post_response.html', **context)
226 raise cherrypy.HTTPError(500)