Extend default SAML IdP metadata validity period
[cascardo/ipsilon.git] / ipsilon / providers / saml2idp.py
index 96a7d11..cec3e88 100644 (file)
@@ -33,6 +33,7 @@ from datetime import timedelta
 import lasso
 import os
 import time
+import uuid
 
 
 class Redirect(AuthenticateRequest):
@@ -124,8 +125,8 @@ class SLO(ProviderPageBase):
 
 # one week
 METADATA_RENEW_INTERVAL = 60 * 60 * 24 * 7
-# 30 days
-METADATA_VALIDITY_PERIOD = 30
+# five years (approximately)
+METADATA_DEFAULT_VALIDITY_PERIOD = 365 * 5
 
 
 class Metadata(ProviderPageBase):
@@ -148,8 +149,10 @@ class Metadata(ProviderPageBase):
         idp_cert = Certificate()
         idp_cert.import_cert(self.cfg.idp_certificate_file,
                              self.cfg.idp_key_file)
+
+        validity = int(self.cfg.idp_metadata_validity)
         meta = IdpMetadataGenerator(self.instance_base_url(), idp_cert,
-                                    timedelta(METADATA_VALIDITY_PERIOD))
+                                    timedelta(validity))
         body = meta.output()
         with open(self.cfg.idp_metadata_file, 'w+') as m:
             m.write(body)
@@ -184,16 +187,25 @@ Provides SAML 2.0 authentication infrastructure. """
                 '/var/lib/ipsilon/saml2'),
             pconfig.String(
                 'idp metadata file',
-                'The IdP Metadata file genearated at install time.',
+                'The IdP Metadata file generated at install time.',
                 'metadata.xml'),
+            pconfig.String(
+                'idp metadata validity',
+                'The IdP Metadata validity period (in days) to use when '
+                'generating new metadata.',
+                METADATA_DEFAULT_VALIDITY_PERIOD),
             pconfig.String(
                 'idp certificate file',
-                'The IdP PEM Certificate genearated at install time.',
+                'The IdP PEM Certificate generated at install time.',
                 'certificate.pem'),
             pconfig.String(
                 'idp key file',
-                'The IdP Certificate Key genearated at install time.',
+                'The IdP Certificate Key generated at install time.',
                 'certificate.key'),
+            pconfig.String(
+                'idp nameid salt',
+                'The salt used for persistent Name IDs.',
+                None),
             pconfig.Condition(
                 'allow self registration',
                 'Allow authenticated users to register applications.',
@@ -202,12 +214,13 @@ Provides SAML 2.0 authentication infrastructure. """
                 'default allowed nameids',
                 'Default Allowed NameIDs for Service Providers.',
                 metadata.SAML2_NAMEID_MAP.keys(),
-                ['persistent', 'transient', 'email', 'kerberos', 'x509']),
+                ['unspecified', 'persistent', 'transient', 'email',
+                 'kerberos', 'x509']),
             pconfig.Pick(
                 'default nameid',
                 'Default NameID used by Service Providers.',
                 metadata.SAML2_NAMEID_MAP.keys(),
-                'persistent'),
+                'unspecified'),
             pconfig.String(
                 'default email domain',
                 'Used for users missing the email property.',
@@ -242,6 +255,10 @@ Provides SAML 2.0 authentication infrastructure. """
         return os.path.join(self.idp_storage_path,
                             self.get_config_value('idp metadata file'))
 
+    @property
+    def idp_metadata_validity(self):
+        return self.get_config_value('idp metadata validity')
+
     @property
     def idp_certificate_file(self):
         return os.path.join(self.idp_storage_path,
@@ -252,6 +269,10 @@ Provides SAML 2.0 authentication infrastructure. """
         return os.path.join(self.idp_storage_path,
                             self.get_config_value('idp key file'))
 
+    @property
+    def idp_nameid_salt(self):
+        return self.get_config_value('idp nameid salt')
+
     @property
     def default_allowed_nameids(self):
         return self.get_config_value('default allowed nameids')
@@ -288,6 +309,8 @@ Provides SAML 2.0 authentication infrastructure. """
             self._debug('Failed to init SAML2 provider: %r' % e)
             return None
 
+        self._root.logout.add_handler(self.name, self.idp_initiated_logout)
+
         # Import all known applications
         data = self.get_data()
         for idval in data:
@@ -310,6 +333,45 @@ Provides SAML 2.0 authentication infrastructure. """
             if self.admin:
                 self.admin.add_sps()
 
+    def idp_initiated_logout(self):
+        """
+        Logout all SP sessions when the logout comes from the IdP.
+
+        For the current user only.
+        """
+        self._debug("IdP-initiated SAML2 logout")
+        us = UserSession()
+
+        saml_sessions = us.get_provider_data('saml2')
+        if saml_sessions is None:
+            self._debug("No SAML2 sessions to logout")
+            return
+        session = saml_sessions.get_next_logout(remove=False)
+        if session is None:
+            return
+
+        # Add a fake session to indicate where the user should
+        # be redirected to when all SP's are logged out.
+        idpurl = self._root.instance_base_url()
+        saml_sessions.add_session("_idp_initiated_logout",
+                                  idpurl,
+                                  "")
+        init_session = saml_sessions.find_session_by_provider(idpurl)
+        init_session.set_logoutstate(idpurl, "idp_initiated_logout", None)
+        saml_sessions.start_logout(init_session)
+
+        logout = self.idp.get_logout_handler()
+        logout.setSessionFromDump(session.session.dump())
+        logout.initRequest(session.provider_id)
+        try:
+            logout.buildRequestMsg()
+        except lasso.Error, e:
+            self.error('failure to build logout request msg: %s' % e)
+            raise cherrypy.HTTPRedirect(400, 'Failed to log out user: %s '
+                                        % e)
+
+        raise cherrypy.HTTPRedirect(logout.msgUrl)
+
 
 class IdpMetadataGenerator(object):
 
@@ -323,10 +385,10 @@ class IdpMetadataGenerator(object):
                               '%s/saml2/SSO/Redirect' % url)
         self.meta.add_service(metadata.SAML2_SERVICE_MAP['logout-redirect'],
                               '%s/saml2/SLO/Redirect' % url)
-        self.meta.add_allowed_name_format(
-            lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT)
         self.meta.add_allowed_name_format(
             lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT)
+        self.meta.add_allowed_name_format(
+            lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT)
         self.meta.add_allowed_name_format(
             lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL)
 
@@ -344,6 +406,11 @@ class Installer(ProviderInstaller):
     def install_args(self, group):
         group.add_argument('--saml2', choices=['yes', 'no'], default='yes',
                            help='Configure SAML2 Provider')
+        group.add_argument('--saml2-metadata-validity',
+                           default=METADATA_DEFAULT_VALIDITY_PERIOD,
+                           help=('Metadata validity period in days '
+                                 '(default - %d)' %
+                                 METADATA_DEFAULT_VALIDITY_PERIOD))
 
     def configure(self, opts):
         if opts['saml2'] != 'yes':
@@ -363,8 +430,9 @@ class Installer(ProviderInstaller):
         if opts['secure'].lower() == 'no':
             proto = 'http'
         url = '%s://%s/%s' % (proto, opts['hostname'], opts['instance'])
+        validity = int(opts['saml2_metadata_validity'])
         meta = IdpMetadataGenerator(url, cert,
-                                    timedelta(METADATA_VALIDITY_PERIOD))
+                                    timedelta(validity))
         if 'krb' in opts and opts['krb'] == 'yes':
             meta.meta.add_allowed_name_format(
                 lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS)
@@ -379,7 +447,9 @@ class Installer(ProviderInstaller):
         config = {'idp storage path': path,
                   'idp metadata file': 'metadata.xml',
                   'idp certificate file': cert.cert,
-                  'idp key file': cert.key}
+                  'idp key file': cert.key,
+                  'idp nameid salt': uuid.uuid4().hex,
+                  'idp metadata validity': opts['saml2_metadata_validity']}
         po.save_plugin_config(config)
 
         # Update global config to add login plugin