saml2: remove name id management service (#39086)
parent
071d35e768
commit
be5b007d47
|
@ -88,37 +88,6 @@ def soap_endpoint(method):
|
|||
return f
|
||||
|
||||
|
||||
def save_identity(profile):
|
||||
if not profile.isIdentityDirty:
|
||||
return
|
||||
session = get_session()
|
||||
if not session:
|
||||
return
|
||||
if profile.identity:
|
||||
dump = profile.identity.dump()
|
||||
else:
|
||||
dump = None
|
||||
user = session.get_user()
|
||||
if not user:
|
||||
get_session().lasso_anonymous_identity_dump = dump
|
||||
return
|
||||
user.lasso_dump = dump
|
||||
if user.anonymous:
|
||||
get_session().lasso_anonymous_identity_dump = dump
|
||||
else:
|
||||
user.store()
|
||||
|
||||
|
||||
def load_identity(profile):
|
||||
request = get_request()
|
||||
session = get_session()
|
||||
if request.user and not request.user.anonymous:
|
||||
profile.setIdentityFromDump(request.user.lasso_dump)
|
||||
else:
|
||||
if session and session.lasso_anonymous_identity_dump:
|
||||
profile.setIdentityFromDump(session.lasso_anonymous_identity_dump)
|
||||
|
||||
|
||||
def saml2_status_summary(response):
|
||||
if not response.status or not response.status.statusCode:
|
||||
return 'No status or status code'
|
||||
|
@ -139,7 +108,6 @@ class Saml2Directory(Directory):
|
|||
'singleSignOnArtifact', 'singleSignOnPost', 'singleSignOnSOAP', 'singleSignOnRedirect',
|
||||
'assertionConsumerArtifact', 'assertionConsumerPost', 'assertionConsumerSOAP', 'assertionConsumerRedirect',
|
||||
'singleLogout', 'singleLogoutReturn', 'singleLogoutSOAP',
|
||||
'manageNameId', 'manageNameIdReturn', 'manageNameIdSOAP',
|
||||
'metadata', ('metadata.xml', 'metadata'), 'public_key']
|
||||
|
||||
def _q_traverse(self, path):
|
||||
|
@ -685,29 +653,6 @@ class Saml2Directory(Directory):
|
|||
|
||||
return self.slo_return(logout, soap_answer)
|
||||
|
||||
|
||||
def fedterm_sp(self, method = None):
|
||||
if method is None:
|
||||
method = lasso.HTTP_METHOD_REDIRECT
|
||||
|
||||
manage = lasso.NameIdManagement(misc.get_lasso_server())
|
||||
session = get_session()
|
||||
|
||||
if session.lasso_session_dump:
|
||||
manage.setSessionFromDump(session.lasso_session_dump)
|
||||
|
||||
user = get_request().user
|
||||
if user and user.lasso_dump:
|
||||
manage.setIdentityFromDump(user.lasso_dump)
|
||||
|
||||
remote_provider_id = get_session().lasso_identity_provider_id
|
||||
|
||||
if method == lasso.HTTP_METHOD_REDIRECT:
|
||||
return self.fedterm_sp_redirect(manage, remote_provider_id)
|
||||
|
||||
if method == lasso.HTTP_METHOD_SOAP:
|
||||
return self.fedterm_sp_soap(manage, remote_provider_id)
|
||||
|
||||
def get_soap_message(self):
|
||||
request = get_request()
|
||||
ctype = request.environ.get('CONTENT_TYPE')
|
||||
|
@ -823,124 +768,6 @@ class Saml2Directory(Directory):
|
|||
else:
|
||||
return redirect(logout.msgUrl)
|
||||
|
||||
def fedterm_sp_redirect(self, manage, remote_provider_id):
|
||||
manage.initRequest(remote_provider_id, None, lasso.HTTP_METHOD_REDIRECT)
|
||||
manage.buildRequestMsg()
|
||||
get_session().lasso_manage_name_id_dump = manage.dump()
|
||||
return redirect(manage.msgUrl)
|
||||
|
||||
def fedterm_sp_soap(self, manage, remote_provider_id):
|
||||
manage.initRequest(remote_provider_id, None, lasso.HTTP_METHOD_SOAP)
|
||||
manage.buildRequestMsg()
|
||||
remote_provider_cfg = get_cfg('idp', {}).get(misc.get_provider_key(manage.remoteProviderId))
|
||||
client_cert = remote_provider_cfg.get('clientcertificate')
|
||||
try:
|
||||
soap_answer = soap_call(manage.msgUrl, manage.msgBody, client_cert = client_cert)
|
||||
except SOAPException:
|
||||
return error_page(_('Failure to communicate with identity provider'))
|
||||
|
||||
return self.manage_name_id_return(manage, soap_answer)
|
||||
|
||||
def manageNameId(self):
|
||||
manage = lasso.NameIdManagement(misc.get_lasso_server())
|
||||
try:
|
||||
manage.processRequestMsg(get_request().get_query())
|
||||
except lasso.Error as error:
|
||||
self.log_profile_error(manage, error, 'manageNameID.processRequestMsg')
|
||||
return error_page(_('Invalid NameId Management request'))
|
||||
|
||||
session = get_session()
|
||||
user = None
|
||||
ni = manage.nameIdentifier.content
|
||||
nis = list(get_publisher().user_class.get_users_with_name_identifier(ni))
|
||||
if nis:
|
||||
user = nis[0]
|
||||
nis = nis[1:]
|
||||
self.manage_name_id(manage, user, session, users = nis)
|
||||
return redirect(manage.msgUrl)
|
||||
|
||||
@soap_endpoint
|
||||
def manageNameIdSOAP(self):
|
||||
try:
|
||||
soap_message = self.get_soap_message()
|
||||
except:
|
||||
return
|
||||
|
||||
manage = lasso.NameIdManagement(misc.get_lasso_server())
|
||||
manage.processRequestMsg(force_str(soap_message))
|
||||
|
||||
ni = manage.nameIdentifier.content
|
||||
nis = list(get_publisher().user_class.get_users_with_name_identifier(ni))
|
||||
session = None
|
||||
if nis:
|
||||
user = nis[0]
|
||||
nis = nis[1:]
|
||||
else:
|
||||
user = None
|
||||
for session in get_session_manager().values():
|
||||
if session.name_identifier == ni:
|
||||
user = session.get_user()
|
||||
break
|
||||
|
||||
self.manage_name_id(manage, user, session, users = nis)
|
||||
return manage.msgBody
|
||||
|
||||
|
||||
def manage_name_id(self, manage, user, session, users = []):
|
||||
if user and user.lasso_dump:
|
||||
manage.setIdentityFromDump(user.lasso_dump)
|
||||
|
||||
if manage.identity:
|
||||
try:
|
||||
manage.validateRequest()
|
||||
except lasso.Error as error:
|
||||
get_logger().warn('ManageNameID request error: %s' % error[1])
|
||||
else:
|
||||
# if other users are linked to this name id, defederate them also
|
||||
for u in users:
|
||||
try:
|
||||
u.name_identifiers = [ni for ni in u.name_identifiers if ni != manage.nameIdentifier.content]
|
||||
u.store()
|
||||
except:
|
||||
pass
|
||||
|
||||
if not manage.identity:
|
||||
user.lasso_dump = None
|
||||
else:
|
||||
user.lasso_dump = manage.identity.dump()
|
||||
if user.anonymous:
|
||||
session.lasso_anonymous_identity_dump = user.lasso_dump
|
||||
get_session_manager().maintain_session(session)
|
||||
else:
|
||||
user.store()
|
||||
|
||||
manage.buildResponseMsg()
|
||||
|
||||
def manageNameIdReturn(self):
|
||||
if get_session().lasso_manage_name_id_dump:
|
||||
manage = lasso.NameIdManagement.newFromDump(
|
||||
misc.get_lasso_server(),
|
||||
get_session().lasso_manage_name_id_dump)
|
||||
get_session().lasso_manage_name_id_dump = None
|
||||
else:
|
||||
manage = lasso.NameIdManagement(misc.get_lasso_server())
|
||||
|
||||
message = get_request().get_query()
|
||||
return self.manage_name_id_return(manage, message)
|
||||
|
||||
|
||||
def manage_name_id_return(self, manage, message):
|
||||
load_identity(manage)
|
||||
try:
|
||||
manage.processResponseMsg(force_str(message))
|
||||
except lasso.Error as error:
|
||||
self.log_profile_error(manage, error, 'manageNameID.processResponseMsg')
|
||||
get_session().message = ('error', _('Defederation failed'))
|
||||
else:
|
||||
if manage.isIdentityDirty:
|
||||
save_identity(manage)
|
||||
return redirect(get_publisher().get_root_url())
|
||||
|
||||
def metadata(self):
|
||||
try:
|
||||
metadata = force_text(open(misc.get_abs_path(
|
||||
|
|
|
@ -31,7 +31,6 @@ def bool2xs(boolean):
|
|||
class Metadata(object):
|
||||
__endpoints = {
|
||||
'slo' : 'singleLogout',
|
||||
'mni' : 'manageNameId',
|
||||
'ac' : 'assertionConsumer' }
|
||||
|
||||
def __init__(self, publisher, provider_id, config):
|
||||
|
@ -116,13 +115,6 @@ class Metadata(object):
|
|||
<SingleLogoutService
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
|
||||
Location="%(saml2_base_url)s/%(slo)sSOAP" />
|
||||
<ManageNameIDService
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
|
||||
Location="%(saml2_base_url)s/%(mni)s"
|
||||
ResponseLocation="%(saml2_base_url)s/%(mni)sReturn" />
|
||||
<ManageNameIDService
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
|
||||
Location="%(saml2_base_url)s/%(mni)sSOAP" />
|
||||
<AssertionConsumerService isDefault="true" index="0"
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
|
||||
Location="%(saml2_base_url)s/%(ac)sArtifact" />
|
||||
|
@ -158,13 +150,6 @@ class Metadata(object):
|
|||
<SingleLogoutService
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
|
||||
Location="%(saml2_base_soap_url)s/singleLogoutSOAP" />
|
||||
<ManageNameIDService
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
|
||||
Location="%(saml2_base_url)s/manageNameId"
|
||||
ResponseLocation="%(saml2_base_url)s/manageNameIdReturn" />
|
||||
<ManageNameIDService
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
|
||||
Location="%(saml2_base_soap_url)s/manageNameIdSOAP" />
|
||||
<SingleSignOnService
|
||||
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
|
||||
Location="%(saml2_base_url)s/singleSignOn" />
|
||||
|
|
|
@ -82,7 +82,6 @@ class Session(QommonSession, CaptchaSession, StorableObject):
|
|||
lasso_session_index = None
|
||||
lasso_anonymous_identity_dump = None
|
||||
lasso_identity_provider_id = None
|
||||
lasso_manage_name_id_dump = None
|
||||
message = None
|
||||
saml_authn_context = None
|
||||
saml_idp_cookie = None
|
||||
|
@ -126,7 +125,6 @@ class Session(QommonSession, CaptchaSession, StorableObject):
|
|||
return self.name_identifier or \
|
||||
self.lasso_session_dump or self.message or \
|
||||
self.lasso_anonymous_identity_dump or \
|
||||
self.lasso_manage_name_id_dump or \
|
||||
self.lasso_identity_provider_id or \
|
||||
self.saml_authn_context or \
|
||||
self.ident_idp_token or \
|
||||
|
|