# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-from ipsilon.providers.common import ProviderPageBase
+from ipsilon.providers.common import ProviderPageBase, ProviderException
+from ipsilon.providers.saml2.provider import ServiceProvider
+from ipsilon.providers.saml2.provider import InvalidProviderId
+from ipsilon.providers.saml2.provider import NameIdNotAllowed
from ipsilon.util.user import UserSession
import cherrypy
import datetime
import lasso
-class InvalidRequest(Exception):
+class AuthenticationError(ProviderException):
+
+ def __init__(self, message, code):
+ super(AuthenticationError, self).__init__(message)
+ self.code = code
+ self._debug('%s [%s]' % (message, code))
+
+
+class InvalidRequest(ProviderException):
def __init__(self, message):
super(InvalidRequest, self).__init__(message)
- self.message = message
-
- def __str__(self):
- return repr(self.message)
+ self._debug(message)
class AuthenticateRequest(ProviderPageBase):
self.stage = self.STAGE_INIT
def auth(self, login):
- self.saml2checks(login)
- self.saml2assertion(login)
+ try:
+ self.saml2checks(login)
+ except AuthenticationError, e:
+ self.saml2error(login, e.code, e.message)
return self.reply(login)
def _parse_request(self, message):
- login = lasso.Login(self.cfg.idp)
+ login = self.cfg.idp.get_login_handler()
try:
login.processAuthnRequestMsg(message)
except (lasso.ServerProviderNotFoundError,
lasso.ProfileUnknownProviderError), e:
- msg = 'Invalid Service Provider (%r [%r])' % (e, message)
- # TODO: return to SP anyway ?
+ msg = 'Invalid SP [%s] (%r [%r])' % (login.remoteProviderId,
+ e, message)
raise InvalidRequest(msg)
+ self._debug('SP %s requested authentication' % login.remoteProviderId)
+
return login
def saml2login(self, request):
'%s/saml2/SSO/Continue' % self.basepath)
raise cherrypy.HTTPRedirect('%s/login' % self.basepath)
else:
- raise cherrypy.HTTPError(401)
+ raise AuthenticationError(
+ "Unknown user", lasso.SAML2_STATUS_CODE_AUTHN_FAILED)
self._audit("Logged in user: %s [%s]" % (user.name, user.fullname))
# record it
consent = True
- # TODO: check Name-ID Policy
+ # TODO: check destination
+
+ try:
+ provider = ServiceProvider(self.cfg, login.remoteProviderId)
+ nameidfmt = provider.get_valid_nameid(login.request.nameIdPolicy)
+ except NameIdNotAllowed, e:
+ raise AuthenticationError(
+ str(e), lasso.SAML2_STATUS_CODE_INVALID_NAME_ID_POLICY)
+ except InvalidProviderId, e:
+ raise AuthenticationError(
+ str(e), lasso.SAML2_STATUS_CODE_AUTHN_FAILED)
# TODO: check login.request.forceAuthn
login.validateRequestMsg(not user.is_anonymous, consent)
- def saml2assertion(self, login):
-
authtime = datetime.datetime.utcnow()
skew = datetime.timedelta(0, 60)
authtime_notbefore = authtime - skew
authtime_notafter = authtime + skew
- user = UserSession().get_user()
+ us = UserSession()
+ user = us.get_user()
# TODO: get authentication type fnd name format from session
# need to save which login manager authenticated and map it to a
None,
authtime_notbefore.strftime(timeformat),
authtime_notafter.strftime(timeformat))
- login.assertion.subject.nameId.format = \
- lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT
- login.assertion.subject.nameId.content = user.name
- # TODO: add user attributes as policy requires taking from 'user'
+ nameid = None
+ if nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT:
+ ## TODO map to something else ?
+ nameid = provider.normalize_username(user.name)
+ elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
+ ## TODO map to something else ?
+ nameid = provider.normalize_username(user.name)
+ elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
+ nameid = us.get_data('user', 'krb_principal_name')
+ elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL:
+ nameid = us.get_user().email
+ if not nameid:
+ nameid = '%s@%s' % (user.name, self.cfg.default_email_domain)
+
+ if nameid:
+ login.assertion.subject.nameId.format = nameidfmt
+ login.assertion.subject.nameId.content = nameid
+ else:
+ raise AuthenticationError("Unavailable Name ID type",
+ lasso.SAML2_STATUS_CODE_AUTHN_FAILED)
+
+ # TODO: add user attributes as policy requires from 'usersession'
+
+ def saml2error(self, login, code, message):
+ status = lasso.Samlp2Status()
+ status.statusCode = lasso.Samlp2StatusCode()
+ status.statusCode.value = lasso.SAML2_STATUS_CODE_RESPONDER
+ status.statusCode.statusCode = lasso.Samlp2StatusCode()
+ status.statusCode.statusCode.value = code
+ login.response.status = status
def reply(self, login):
if login.protocolProfile == lasso.LOGIN_PROTOCOL_PROFILE_BRWS_ART: