Fix E256 with stricter pep8 error checker

[cascardo/ipsilon.git] / ipsilon / providers / saml2 / auth.py
diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py

index 4adb959..036ed5e 100755 (executable)
--- a/ipsilon/providers/saml2/auth.py
+++ b/ipsilon/providers/saml2/auth.py
@@ -17,32 +17,36 @@
  # You should have received a copy of the GNU General Public License
  # along with this program.  If not, see <http://www.gnu.org/licenses/>.
  
-from ipsilon.providers.common import ProviderPageBase
+from ipsilon.providers.common import ProviderPageBase, ProviderException
+from ipsilon.providers.saml2.provider import ServiceProvider
+from ipsilon.providers.saml2.provider import InvalidProviderId
+from ipsilon.providers.saml2.provider import NameIdNotAllowed
  from ipsilon.util.user import UserSession
  import cherrypy
  import datetime
  import lasso
  
  
-class AuthenticationError(Exception):
+class AuthenticationError(ProviderException):
  
      def __init__(self, message, code):
          super(AuthenticationError, self).__init__(message)
-        self.message = message
          self.code = code
+        self._debug('%s [%s]' % (message, code))
  
-    def __str__(self):
-        return repr(self.message)
  
-
-class InvalidRequest(Exception):
+class InvalidRequest(ProviderException):
  
      def __init__(self, message):
          super(InvalidRequest, self).__init__(message)
-        self.message = message
+        self._debug(message)
+
+
+class UnknownProvider(ProviderException):
  
-    def __str__(self):
-        return repr(self.message)
+    def __init__(self, message):
+        super(UnknownProvider, self).__init__(message)
+        self._debug(message)
  
  
  class AuthenticateRequest(ProviderPageBase):
@@ -56,14 +60,13 @@ class AuthenticateRequest(ProviderPageBase):
      def auth(self, login):
          try:
              self.saml2checks(login)
-            self.saml2assertion(login)
          except AuthenticationError, e:
              self.saml2error(login, e.code, e.message)
          return self.reply(login)
  
      def _parse_request(self, message):
  
-        login = lasso.Login(self.cfg.idp)
+        login = self.cfg.idp.get_login_handler()
  
          try:
              login.processAuthnRequestMsg(message)
@@ -85,7 +88,7 @@ class AuthenticateRequest(ProviderPageBase):
  
              msg = 'Invalid SP [%s] (%r [%r])' % (login.remoteProviderId,
                                                   e, message)
-            raise InvalidRequest(msg)
+            raise UnknownProvider(msg)
  
          self._debug('SP %s requested authentication' % login.remoteProviderId)
  
@@ -102,6 +105,9 @@ class AuthenticateRequest(ProviderPageBase):
          except InvalidRequest, e:
              self._debug(str(e))
              raise cherrypy.HTTPError(400, 'Invalid SAML request token')
+        except UnknownProvider, e:
+            self._debug(str(e))
+            raise cherrypy.HTTPError(400, 'Unknown Service Provider')
          except Exception, e:  # pylint: disable=broad-except
              self._debug(str(e))
              raise cherrypy.HTTPError(500)
@@ -130,20 +136,29 @@ class AuthenticateRequest(ProviderPageBase):
          # record it
          consent = True
  
-        # TODO: check Name-ID Policy
+        # TODO: check destination
+
+        try:
+            provider = ServiceProvider(self.cfg, login.remoteProviderId)
+            nameidfmt = provider.get_valid_nameid(login.request.nameIdPolicy)
+        except NameIdNotAllowed, e:
+            raise AuthenticationError(
+                str(e), lasso.SAML2_STATUS_CODE_INVALID_NAME_ID_POLICY)
+        except InvalidProviderId, e:
+            raise AuthenticationError(
+                str(e), lasso.SAML2_STATUS_CODE_AUTHN_FAILED)
  
          # TODO: check login.request.forceAuthn
  
          login.validateRequestMsg(not user.is_anonymous, consent)
  
-    def saml2assertion(self, login):
-
          authtime = datetime.datetime.utcnow()
          skew = datetime.timedelta(0, 60)
          authtime_notbefore = authtime - skew
          authtime_notafter = authtime + skew
  
-        user = UserSession().get_user()
+        us = UserSession()
+        user = us.get_user()
  
          # TODO: get authentication type fnd name format from session
          # need to save which login manager authenticated and map it to a
@@ -156,11 +171,29 @@ class AuthenticateRequest(ProviderPageBase):
                               None,
                               authtime_notbefore.strftime(timeformat),
                               authtime_notafter.strftime(timeformat))
-        login.assertion.subject.nameId.format = \
-            lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT
-        login.assertion.subject.nameId.content = user.name
  
-        # TODO: add user attributes as policy requires taking from 'user'
+        nameid = None
+        if nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT:
+            # TODO map to something else ?
+            nameid = provider.normalize_username(user.name)
+        elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
+            # TODO map to something else ?
+            nameid = provider.normalize_username(user.name)
+        elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
+            nameid = us.get_data('user', 'krb_principal_name')
+        elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL:
+            nameid = us.get_user().email
+            if not nameid:
+                nameid = '%s@%s' % (user.name, self.cfg.default_email_domain)
+
+        if nameid:
+            login.assertion.subject.nameId.format = nameidfmt
+            login.assertion.subject.nameId.content = nameid
+        else:
+            raise AuthenticationError("Unavailable Name ID type",
+                                      lasso.SAML2_STATUS_CODE_AUTHN_FAILED)
+
+        # TODO: add user attributes as policy requires from 'usersession'
  
      def saml2error(self, login, code, message):
          status = lasso.Samlp2Status()