projects / cascardo / ipsilon.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
IdP-initiated logout for current user
[cascardo/ipsilon.git] / ipsilon / providers / saml2idp.py
diff --git a/ipsilon/providers/saml2idp.py b/ipsilon/providers/saml2idp.py
old mode 100755 (executable)
new mode 100644 (file)
index b337652..9bc75b3
--- a/ipsilon/providers/saml2idp.py
+++ b/ipsilon/providers/saml2idp.py
@@ -1,5 +1,3 @@
-#!/usr/bin/python
-#
 # Copyright (C) 2014  Simo Sorce <simo@redhat.com>
 #
 # see file 'COPYING' for use and warranty information
 # Copyright (C) 2014  Simo Sorce <simo@redhat.com>
 #
 # see file 'COPYING' for use and warranty information
@@ -17,19 +15,25 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
-from ipsilon.providers.common import ProviderBase, ProviderPageBase
-from ipsilon.providers.common import FACILITY
+from ipsilon.providers.common import ProviderBase, ProviderPageBase, \
+    ProviderInstaller
 from ipsilon.providers.saml2.auth import AuthenticateRequest
 from ipsilon.providers.saml2.auth import AuthenticateRequest
-from ipsilon.providers.saml2.admin import AdminPage
+from ipsilon.providers.saml2.logout import LogoutRequest
+from ipsilon.providers.saml2.admin import Saml2AdminPage
+from ipsilon.providers.saml2.rest import Saml2RestBase
 from ipsilon.providers.saml2.provider import IdentityProvider
 from ipsilon.tools.certs import Certificate
 from ipsilon.tools import saml2metadata as metadata
 from ipsilon.tools import files
 from ipsilon.util.user import UserSession
 from ipsilon.util.plugin import PluginObject
 from ipsilon.providers.saml2.provider import IdentityProvider
 from ipsilon.tools.certs import Certificate
 from ipsilon.tools import saml2metadata as metadata
 from ipsilon.tools import files
 from ipsilon.util.user import UserSession
 from ipsilon.util.plugin import PluginObject
+from ipsilon.util import config as pconfig
 import cherrypy
 import cherrypy
+from datetime import timedelta
 import lasso
 import os
 import lasso
 import os
+import time
+import uuid
 
 
 class Redirect(AuthenticateRequest):
 
 
 class Redirect(AuthenticateRequest):
@@ -60,8 +64,8 @@ class Continue(AuthenticateRequest):
 
         session = UserSession()
         user = session.get_user()
 
         session = UserSession()
         user = session.get_user()
-        session.nuke_data('login', 'Return')
-        self.stage = session.get_data('saml2', 'stage')
+        transdata = self.trans.retrieve()
+        self.stage = transdata['saml2_stage']
 
         if user.is_anonymous:
             self._debug("User is marked anonymous?!")
 
         if user.is_anonymous:
             self._debug("User is marked anonymous?!")
@@ -70,11 +74,11 @@ class Continue(AuthenticateRequest):
 
         self._debug('Continue auth for %s' % user.name)
 
 
         self._debug('Continue auth for %s' % user.name)
 
-        dump = session.get_data('saml2', 'Request')
-        if not dump:
+        if 'saml2_request' not in transdata:
             self._debug("Couldn't find Request dump?!")
             # TODO: Return to SP with auth failed error
             raise cherrypy.HTTPError(400)
             self._debug("Couldn't find Request dump?!")
             # TODO: Return to SP with auth failed error
             raise cherrypy.HTTPError(400)
+        dump = transdata['saml2_request']
 
         try:
             login = self.cfg.idp.get_login_handler(dump)
 
         try:
             login = self.cfg.idp.get_login_handler(dump)
@@ -89,6 +93,19 @@ class Continue(AuthenticateRequest):
         return self.auth(login)
 
 
         return self.auth(login)
 
 
+class RedirectLogout(LogoutRequest):
+
+    def GET(self, *args, **kwargs):
+        query = cherrypy.request.query_string
+
+        relaystate = kwargs.get(lasso.SAML2_FIELD_RELAYSTATE)
+        response = kwargs.get(lasso.SAML2_FIELD_RESPONSE)
+
+        return self.logout(query,
+                           relaystate=relaystate,
+                           samlresponse=response)
+
+
 class SSO(ProviderPageBase):
 
     def __init__(self, *args, **kwargs):
 class SSO(ProviderPageBase):
 
     def __init__(self, *args, **kwargs):
@@ -98,96 +115,118 @@ class SSO(ProviderPageBase):
         self.Continue = Continue(*args, **kwargs)
 
 
         self.Continue = Continue(*args, **kwargs)
 
 
+class SLO(ProviderPageBase):
+
+    def __init__(self, *args, **kwargs):
+        super(SLO, self).__init__(*args, **kwargs)
+        self._debug('SLO init')
+        self.Redirect = RedirectLogout(*args, **kwargs)
+
+
+# one week
+METADATA_RENEW_INTERVAL = 60 * 60 * 24 * 7
+# 30 days
+METADATA_VALIDITY_PERIOD = 30
+
+
 class Metadata(ProviderPageBase):
     def GET(self, *args, **kwargs):
 class Metadata(ProviderPageBase):
     def GET(self, *args, **kwargs):
-        with open(self.cfg.idp_metadata_file) as m:
-            body = m.read()
+
+        body = self._get_metadata()
         cherrypy.response.headers["Content-Type"] = "text/xml"
         cherrypy.response.headers["Content-Disposition"] = \
             'attachment; filename="metadata.xml"'
         return body
 
         cherrypy.response.headers["Content-Type"] = "text/xml"
         cherrypy.response.headers["Content-Disposition"] = \
             'attachment; filename="metadata.xml"'
         return body
 
+    def _get_metadata(self):
+        if os.path.isfile(self.cfg.idp_metadata_file):
+            s = os.stat(self.cfg.idp_metadata_file)
+            if s.st_mtime > time.time() - METADATA_RENEW_INTERVAL:
+                with open(self.cfg.idp_metadata_file) as m:
+                    return m.read()
+
+        # Otherwise generate and save
+        idp_cert = Certificate()
+        idp_cert.import_cert(self.cfg.idp_certificate_file,
+                             self.cfg.idp_key_file)
+        meta = IdpMetadataGenerator(self.instance_base_url(), idp_cert,
+                                    timedelta(METADATA_VALIDITY_PERIOD))
+        body = meta.output()
+        with open(self.cfg.idp_metadata_file, 'w+') as m:
+            m.write(body)
+        return body
+
 
 class SAML2(ProviderPageBase):
 
     def __init__(self, *args, **kwargs):
         super(SAML2, self).__init__(*args, **kwargs)
         self.metadata = Metadata(*args, **kwargs)
 
 class SAML2(ProviderPageBase):
 
     def __init__(self, *args, **kwargs):
         super(SAML2, self).__init__(*args, **kwargs)
         self.metadata = Metadata(*args, **kwargs)
-
-        # Init IDP data
-        try:
-            self.cfg.idp = IdentityProvider(self.cfg)
-        except Exception, e:  # pylint: disable=broad-except
-            self._debug('Failed to init SAML2 provider: %r' % e)
-            return
-
-        # Import all known applications
-        data = self.cfg.get_data()
-        for idval in data:
-            sp = data[idval]
-            if 'type' not in sp or sp['type'] != 'SP':
-                continue
-            if 'name' not in sp or 'metadata' not in sp:
-                continue
-            try:
-                self.cfg.idp.add_provider(sp)
-            except Exception, e:  # pylint: disable=broad-except
-                self._debug('Failed to add SP %s: %r' % (sp['name'], e))
-
         self.SSO = SSO(*args, **kwargs)
         self.SSO = SSO(*args, **kwargs)
+        self.SLO = SLO(*args, **kwargs)
 
 
 class IdpProvider(ProviderBase):
 
 
 
 class IdpProvider(ProviderBase):
 
-    def __init__(self):
-        super(IdpProvider, self).__init__('saml2', 'saml2')
+    def __init__(self, *pargs):
+        super(IdpProvider, self).__init__('saml2', 'saml2', *pargs)
+        self.admin = None
+        self.rest = None
         self.page = None
         self.idp = None
         self.description = """
 Provides SAML 2.0 authentication infrastructure. """
 
         self.page = None
         self.idp = None
         self.description = """
 Provides SAML 2.0 authentication infrastructure. """
 
-        self._options = {
-            'idp storage path': [
-                """ Path to data storage accessible by the IdP """,
-                'string',
-                '/var/lib/ipsilon/saml2'
-            ],
-            'idp metadata file': [
-                """ The IdP Metadata file genearated at install time. """,
-                'string',
-                'metadata.xml'
-            ],
-            'idp certificate file': [
-                """ The IdP PEM Certificate genearated at install time. """,
-                'string',
-                'certificate.pem'
-            ],
-            'idp key file': [
-                """ The IdP Certificate Key genearated at install time. """,
-                'string',
-                'certificate.key'
-            ],
-            'allow self registration': [
-                """ Allow authenticated users to register applications. """,
-                'boolean',
-                True
-            ],
-            'default allowed nameids': [
-                """Default Allowed NameIDs for Service Providers. """,
-                'list',
-                ['persistent', 'transient', 'email', 'kerberos', 'x509']
-            ],
-            'default nameid': [
-                """Default NameID used by Service Providers. """,
-                'string',
-                'persistent'
-            ],
-            'default email domain': [
-                """Default email domain, for users missing email property.""",
-                'string',
-                'example.com'
-            ]
-        }
+        self.new_config(
+            self.name,
+            pconfig.String(
+                'idp storage path',
+                'Path to data storage accessible by the IdP.',
+                '/var/lib/ipsilon/saml2'),
+            pconfig.String(
+                'idp metadata file',
+                'The IdP Metadata file genearated at install time.',
+                'metadata.xml'),
+            pconfig.String(
+                'idp certificate file',
+                'The IdP PEM Certificate genearated at install time.',
+                'certificate.pem'),
+            pconfig.String(
+                'idp key file',
+                'The IdP Certificate Key genearated at install time.',
+                'certificate.key'),
+            pconfig.String(
+                'idp nameid salt',
+                'The salt used for persistent Name IDs.',
+                None),
+            pconfig.Condition(
+                'allow self registration',
+                'Allow authenticated users to register applications.',
+                True),
+            pconfig.Choice(
+                'default allowed nameids',
+                'Default Allowed NameIDs for Service Providers.',
+                metadata.SAML2_NAMEID_MAP.keys(),
+                ['unspecified', 'persistent', 'transient', 'email',
+                 'kerberos', 'x509']),
+            pconfig.Pick(
+                'default nameid',
+                'Default NameID used by Service Providers.',
+                metadata.SAML2_NAMEID_MAP.keys(),
+                'unspecified'),
+            pconfig.String(
+                'default email domain',
+                'Used for users missing the email property.',
+                'example.com'),
+            pconfig.MappingList(
+                'default attribute mapping',
+                'Defines how to map attributes before returning them to SPs',
+                [['*', '*']]),
+            pconfig.ComplexList(
+                'default allowed attributes',
+                'Defines a list of allowed attributes, applied after mapping',
+                ['*']),
+        )
         if cherrypy.config.get('debug', False):
             import logging
             import sys
         if cherrypy.config.get('debug', False):
             import logging
             import sys
@@ -219,6 +258,10 @@ Provides SAML 2.0 authentication infrastructure. """
         return os.path.join(self.idp_storage_path,
                             self.get_config_value('idp key file'))
 
         return os.path.join(self.idp_storage_path,
                             self.get_config_value('idp key file'))
 
+    @property
+    def idp_nameid_salt(self):
+        return self.get_config_value('idp nameid salt')
+
     @property
     def default_allowed_nameids(self):
         return self.get_config_value('default allowed nameids')
     @property
     def default_allowed_nameids(self):
         return self.get_config_value('default allowed nameids')
@@ -231,17 +274,123 @@ Provides SAML 2.0 authentication infrastructure. """
     def default_email_domain(self):
         return self.get_config_value('default email domain')
 
     def default_email_domain(self):
         return self.get_config_value('default email domain')
 
+    @property
+    def default_attribute_mapping(self):
+        return self.get_config_value('default attribute mapping')
+
+    @property
+    def default_allowed_attributes(self):
+        return self.get_config_value('default allowed attributes')
+
     def get_tree(self, site):
     def get_tree(self, site):
+        self.idp = self.init_idp()
         self.page = SAML2(site, self)
         self.page = SAML2(site, self)
-        self.admin = AdminPage(site, self)
+        self.admin = Saml2AdminPage(site, self)
+        self.rest = Saml2RestBase(site, self)
         return self.page
 
         return self.page
 
+    def init_idp(self):
+        idp = None
+        # Init IDP data
+        try:
+            idp = IdentityProvider(self)
+        except Exception, e:  # pylint: disable=broad-except
+            self._debug('Failed to init SAML2 provider: %r' % e)
+            return None
+
+        self._root.logout.add_handler(self.name, self.idp_initiated_logout)
+
+        # Import all known applications
+        data = self.get_data()
+        for idval in data:
+            sp = data[idval]
+            if 'type' not in sp or sp['type'] != 'SP':
+                continue
+            if 'name' not in sp or 'metadata' not in sp:
+                continue
+            try:
+                idp.add_provider(sp)
+            except Exception, e:  # pylint: disable=broad-except
+                self._debug('Failed to add SP %s: %r' % (sp['name'], e))
+
+        return idp
+
+    def on_enable(self):
+        super(IdpProvider, self).on_enable()
+        self.idp = self.init_idp()
+        if hasattr(self, 'admin'):
+            if self.admin:
+                self.admin.add_sps()
+
+    def idp_initiated_logout(self):
+        """
+        Logout all SP sessions when the logout comes from the IdP.
 
 
-class Installer(object):
+        For the current user only.
+        """
+        self._debug("IdP-initiated SAML2 logout")
+        us = UserSession()
+
+        saml_sessions = us.get_provider_data('saml2')
+        if saml_sessions is None:
+            self._debug("No SAML2 sessions to logout")
+            return
+        session = saml_sessions.get_next_logout(remove=False)
+        if session is None:
+            return
 
 
-    def __init__(self):
+        # Add a fake session to indicate where the user should
+        # be redirected to when all SP's are logged out.
+        idpurl = self._root.instance_base_url()
+        saml_sessions.add_session("_idp_initiated_logout",
+                                  idpurl,
+                                  "")
+        init_session = saml_sessions.find_session_by_provider(idpurl)
+        init_session.set_logoutstate(idpurl, "idp_initiated_logout", None)
+        saml_sessions.start_logout(init_session)
+
+        logout = self.idp.get_logout_handler()
+        logout.setSessionFromDump(session.session.dump())
+        logout.initRequest(session.provider_id)
+        try:
+            logout.buildRequestMsg()
+        except lasso.Error, e:
+            self.error('failure to build logout request msg: %s' % e)
+            raise cherrypy.HTTPRedirect(400, 'Failed to log out user: %s '
+                                        % e)
+
+        raise cherrypy.HTTPRedirect(logout.msgUrl)
+
+
+class IdpMetadataGenerator(object):
+
+    def __init__(self, url, idp_cert, expiration=None):
+        self.meta = metadata.Metadata(metadata.IDP_ROLE, expiration)
+        self.meta.set_entity_id('%s/saml2/metadata' % url)
+        self.meta.add_certs(idp_cert, idp_cert)
+        self.meta.add_service(metadata.SAML2_SERVICE_MAP['sso-post'],
+                              '%s/saml2/SSO/POST' % url)
+        self.meta.add_service(metadata.SAML2_SERVICE_MAP['sso-redirect'],
+                              '%s/saml2/SSO/Redirect' % url)
+        self.meta.add_service(metadata.SAML2_SERVICE_MAP['logout-redirect'],
+                              '%s/saml2/SLO/Redirect' % url)
+        self.meta.add_allowed_name_format(
+            lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT)
+        self.meta.add_allowed_name_format(
+            lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT)
+        self.meta.add_allowed_name_format(
+            lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL)
+
+    def output(self, path=None):
+        return self.meta.output(path)
+
+
+class Installer(ProviderInstaller):
+
+    def __init__(self, *pargs):
+        super(Installer, self).__init__()
         self.name = 'saml2'
         self.name = 'saml2'
-        self.ptype = 'provider'
+        self.pargs = pargs
 
     def install_args(self, group):
         group.add_argument('--saml2', choices=['yes', 'no'], default='yes',
 
     def install_args(self, group):
         group.add_argument('--saml2', choices=['yes', 'no'], default='yes',
@@ -261,40 +410,33 @@ class Installer(object):
         cert.generate('idp', opts['hostname'])
 
         # Generate Idp Metadata
         cert.generate('idp', opts['hostname'])
 
         # Generate Idp Metadata
-        url = 'https://' + opts['hostname'] + '/' + opts['instance'] + '/saml2'
-        meta = metadata.Metadata(metadata.IDP_ROLE)
-        meta.set_entity_id(url + '/metadata')
-        meta.add_certs(cert, cert)
-        meta.add_service(metadata.SAML2_SERVICE_MAP['sso-post'],
-                         url + '/SSO/POST')
-        meta.add_service(metadata.SAML2_SERVICE_MAP['sso-redirect'],
-                         url + '/SSO/Redirect')
-
-        meta.add_allowed_name_format(
-            lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT)
-        meta.add_allowed_name_format(
-            lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT)
-        meta.add_allowed_name_format(
-            lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL)
+        proto = 'https'
+        if opts['secure'].lower() == 'no':
+            proto = 'http'
+        url = '%s://%s/%s' % (proto, opts['hostname'], opts['instance'])
+        meta = IdpMetadataGenerator(url, cert,
+                                    timedelta(METADATA_VALIDITY_PERIOD))
         if 'krb' in opts and opts['krb'] == 'yes':
         if 'krb' in opts and opts['krb'] == 'yes':
-            meta.add_allowed_name_format(
+            meta.meta.add_allowed_name_format(
                 lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS)
 
         meta.output(os.path.join(path, 'metadata.xml'))
 
         # Add configuration data to database
                 lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS)
 
         meta.output(os.path.join(path, 'metadata.xml'))
 
         # Add configuration data to database
-        po = PluginObject()
+        po = PluginObject(*self.pargs)
         po.name = 'saml2'
         po.wipe_data()
         po.name = 'saml2'
         po.wipe_data()
-
-        po.wipe_config_values(FACILITY)
+        po.wipe_config_values()
         config = {'idp storage path': path,
                   'idp metadata file': 'metadata.xml',
                   'idp certificate file': cert.cert,
                   'idp key file': cert.key,
         config = {'idp storage path': path,
                   'idp metadata file': 'metadata.xml',
                   'idp certificate file': cert.cert,
                   'idp key file': cert.key,
-                  'enabled': '1'}
-        po.set_config(config)
-        po.save_plugin_config(FACILITY)
+                  'idp nameid salt': uuid.uuid4().hex}
+        po.save_plugin_config(config)
+
+        # Update global config to add login plugin
+        po.is_enabled = True
+        po.save_enabled_state()
 
         # Fixup permissions so only the ipsilon user can read these files
         files.fix_user_dirs(path, opts['system_user'])
 
         # Fixup permissions so only the ipsilon user can read these files
         files.fix_user_dirs(path, opts['system_user'])
Unnamed repository; edit this file 'description' to name the repository.