Implement Single Logout Service for SP-initiated logout

[cascardo/ipsilon.git] / ipsilon / providers / saml2idp.py
diff --git a/ipsilon/providers/saml2idp.py b/ipsilon/providers/saml2idp.py

index 4afe7d3..256fcf9 100644 (file)
--- a/ipsilon/providers/saml2idp.py
+++ b/ipsilon/providers/saml2idp.py
@@ -17,6 +17,7 @@
  
  from ipsilon.providers.common import ProviderBase, ProviderPageBase
  from ipsilon.providers.saml2.auth import AuthenticateRequest
+from ipsilon.providers.saml2.logout import LogoutRequest
  from ipsilon.providers.saml2.admin import Saml2AdminPage
  from ipsilon.providers.saml2.provider import IdentityProvider
  from ipsilon.tools.certs import Certificate
@@ -26,8 +27,10 @@ from ipsilon.util.user import UserSession
  from ipsilon.util.plugin import PluginObject
  from ipsilon.util import config as pconfig
  import cherrypy
+from datetime import timedelta
  import lasso
  import os
+import time
  
  
  class Redirect(AuthenticateRequest):
@@ -87,6 +90,19 @@ class Continue(AuthenticateRequest):
          return self.auth(login)
  
  
+class RedirectLogout(LogoutRequest):
+
+    def GET(self, *args, **kwargs):
+        query = cherrypy.request.query_string
+
+        relaystate = kwargs.get(lasso.SAML2_FIELD_RELAYSTATE)
+        response = kwargs.get(lasso.SAML2_FIELD_RESPONSE)
+
+        return self.logout(query,
+                           relaystate=relaystate,
+                           samlresponse=response)
+
+
  class SSO(ProviderPageBase):
  
      def __init__(self, *args, **kwargs):
@@ -96,15 +112,47 @@ class SSO(ProviderPageBase):
          self.Continue = Continue(*args, **kwargs)
  
  
+class SLO(ProviderPageBase):
+
+    def __init__(self, *args, **kwargs):
+        super(SLO, self).__init__(*args, **kwargs)
+        self._debug('SLO init')
+        self.Redirect = RedirectLogout(*args, **kwargs)
+
+
+# one week
+METADATA_RENEW_INTERVAL = 60 * 60 * 24 * 7
+# 30 days
+METADATA_VALIDITY_PERIOD = 30
+
+
  class Metadata(ProviderPageBase):
      def GET(self, *args, **kwargs):
-        with open(self.cfg.idp_metadata_file) as m:
-            body = m.read()
+
+        body = self._get_metadata()
          cherrypy.response.headers["Content-Type"] = "text/xml"
          cherrypy.response.headers["Content-Disposition"] = \
              'attachment; filename="metadata.xml"'
          return body
  
+    def _get_metadata(self):
+        if os.path.isfile(self.cfg.idp_metadata_file):
+            s = os.stat(self.cfg.idp_metadata_file)
+            if s.st_mtime > time.time() - METADATA_RENEW_INTERVAL:
+                with open(self.cfg.idp_metadata_file) as m:
+                    return m.read()
+
+        # Otherwise generate and save
+        idp_cert = Certificate()
+        idp_cert.import_cert(self.cfg.idp_certificate_file,
+                             self.cfg.idp_key_file)
+        meta = IdpMetadataGenerator(self.instance_base_url(), idp_cert,
+                                    timedelta(METADATA_VALIDITY_PERIOD))
+        body = meta.output()
+        with open(self.cfg.idp_metadata_file, 'w+') as m:
+            m.write(body)
+        return body
+
  
  class SAML2(ProviderPageBase):
  
@@ -112,6 +160,7 @@ class SAML2(ProviderPageBase):
          super(SAML2, self).__init__(*args, **kwargs)
          self.metadata = Metadata(*args, **kwargs)
          self.SSO = SSO(*args, **kwargs)
+        self.SLO = SLO(*args, **kwargs)
  
  
  class IdpProvider(ProviderBase):
@@ -242,6 +291,29 @@ Provides SAML 2.0 authentication infrastructure. """
                  self.admin.add_sps()
  
  
+class IdpMetadataGenerator(object):
+
+    def __init__(self, url, idp_cert, expiration=None):
+        self.meta = metadata.Metadata(metadata.IDP_ROLE, expiration)
+        self.meta.set_entity_id('%s/saml2/metadata' % url)
+        self.meta.add_certs(idp_cert, idp_cert)
+        self.meta.add_service(metadata.SAML2_SERVICE_MAP['sso-post'],
+                              '%s/saml2/SSO/POST' % url)
+        self.meta.add_service(metadata.SAML2_SERVICE_MAP['sso-redirect'],
+                              '%s/saml2/SSO/Redirect' % url)
+        self.meta.add_service(metadata.SAML2_SERVICE_MAP['logout-redirect'],
+                              '%s/saml2/SLO/Redirect' % url)
+        self.meta.add_allowed_name_format(
+            lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT)
+        self.meta.add_allowed_name_format(
+            lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT)
+        self.meta.add_allowed_name_format(
+            lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL)
+
+    def output(self, path=None):
+        return self.meta.output(path)
+
+
  class Installer(object):
  
      def __init__(self, *pargs):
@@ -270,23 +342,11 @@ class Installer(object):
          proto = 'https'
          if opts['secure'].lower() == 'no':
              proto = 'http'
-        url = '%s://%s/%s/saml2' % (proto, opts['hostname'], opts['instance'])
-        meta = metadata.Metadata(metadata.IDP_ROLE)
-        meta.set_entity_id(url + '/metadata')
-        meta.add_certs(cert, cert)
-        meta.add_service(metadata.SAML2_SERVICE_MAP['sso-post'],
-                         url + '/SSO/POST')
-        meta.add_service(metadata.SAML2_SERVICE_MAP['sso-redirect'],
-                         url + '/SSO/Redirect')
-
-        meta.add_allowed_name_format(
-            lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT)
-        meta.add_allowed_name_format(
-            lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT)
-        meta.add_allowed_name_format(
-            lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL)
+        url = '%s://%s/%s' % (proto, opts['hostname'], opts['instance'])
+        meta = IdpMetadataGenerator(url, cert,
+                                    timedelta(METADATA_VALIDITY_PERIOD))
          if 'krb' in opts and opts['krb'] == 'yes':
-            meta.add_allowed_name_format(
+            meta.meta.add_allowed_name_format(
                  lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS)
  
          meta.output(os.path.join(path, 'metadata.xml'))