Merge pull request #295 from rebeckag/its-dirg-changes

Support for fetching extension elements from metadata

Author: Roland Hedberg

doc/howto/config.rst

@@ -452,8 +452,23 @@ This directive has as value a dictionary with one or more of the following keys:
 * single_logout_service (aa, idp, sp)
 * single_sign_on_service (idp)
 
-The values per service is a list of tuples containing endpoint and binding
-type.
+The values per service is a list of endpoint specifications.
+An endpoint specification can either be just the URL::
+
+  ”http://localhost:8088/A"
+
+or it can be a 2-tuple (URL+binding)::
+
+  from saml2 import BINDING_HTTP_POST
+  (”http://localhost:8087/A”, BINDING_HTTP_POST)
+
+or a 3-tuple (URL+binding+index)::
+
+  from saml2 import BINDING_HTTP_POST
+  (”http://lingon.catalogix.se:8087/A”, BINDING_HTTP_POST, 1)
+
+If no binding is specified, no index can be set.
+If no index is specified, the index is set based on the position in the list.
 
 Example::
 

example/idp2/idp_user.py

@@ -1,5 +1,5 @@
-#from dirg_util.dict import LDAPDict
-#ldap_settings = {
+# from dirg_util.dict import LDAPDict
+# ldap_settings = {
 #    "ldapuri": "ldaps://ldap.test.umu.se",
 #    "base": "dc=umu, dc=se",
 #    "filter_pattern": "(uid=%s)",
@@ -30,9 +30,9 @@
 #    "exact_match": True,
 #    "firstonly_len1": True,
 #    "timeout": 15,
-#}
-#Uncomment to use a LDAP directory instead.
-#USERS = LDAPDict(**ldap_settings)
+# }
+# Uncomment to use a LDAP directory instead.
+# USERS = LDAPDict(**ldap_settings)
 
 USERS = {
     "testuser": {
@@ -54,7 +54,9 @@
         "email": "[email protected]",
         "displayName": "Test Testsson",
         "labeledURL": "http://www.example.com/test My homepage",
-        "norEduPersonNIN": "SE199012315555"
+        "norEduPersonNIN": "SE199012315555",
+        "postaladdress": "postaladdress",
+        "cn": "cn"
     },
     "roland": {
         "sn": "Hedberg",
@@ -67,7 +69,7 @@
         "o": "Example Co.",
         "ou": "IT",
         "initials": "P",
-        #"schacHomeOrganization": "example.com",
+        # "schacHomeOrganization": "example.com",
         "mail": "[email protected]",
         "displayName": "P. Roland Hedberg",
         "labeledURL": "http://www.example.com/rohe My homepage",
@@ -91,4 +93,4 @@
         "schacGender": "male",
         "schacUserPresenceID": "skype:pepe.perez"
     }
-}
+}

example/sp-wsgi/service_conf.py renamed to example/sp-wsgi/service_conf.py.example

@@ -1,49 +1,47 @@
 #!/usr/bin/env python
 from __future__ import print_function
-import logging
-import re
+
 import argparse
+import importlib
+import logging
 import os
+import re
+import sys
 
-from six.moves.http_cookies import SimpleCookie
 import six
-
-from saml2.extension.pefim import SPCertEnc
-from saml2.metadata import create_metadata_string
-import service_conf
-
+from six.moves.http_cookies import SimpleCookie
 from six.moves.urllib.parse import parse_qs
-import sys
 
+import saml2.xmldsig as ds
+from saml2 import BINDING_HTTP_ARTIFACT
+from saml2 import BINDING_HTTP_POST
 from saml2 import BINDING_HTTP_REDIRECT, element_to_extension_element
 from saml2 import BINDING_SOAP
-from saml2 import time_util
 from saml2 import ecp
-from saml2 import BINDING_HTTP_ARTIFACT
-from saml2 import BINDING_HTTP_POST
+from saml2 import time_util
 from saml2.client import Saml2Client
 from saml2.ecp_client import PAOS_HEADER_INFO
-from saml2.httputil import geturl, make_cookie, parse_cookie
-from saml2.httputil import get_post
-from saml2.httputil import Response
+from saml2.extension.pefim import SPCertEnc
 from saml2.httputil import BadRequest
-from saml2.httputil import ServiceError
-from saml2.httputil import SeeOther
-from saml2.httputil import Unauthorized
 from saml2.httputil import NotFound
-from saml2.httputil import Redirect
 from saml2.httputil import NotImplemented
+from saml2.httputil import Redirect
+from saml2.httputil import Response
+from saml2.httputil import SeeOther
+from saml2.httputil import ServiceError
+from saml2.httputil import Unauthorized
+from saml2.httputil import get_post
+from saml2.httputil import geturl, make_cookie, parse_cookie
+from saml2.metadata import create_metadata_string
 from saml2.response import StatusError
 from saml2.response import VerificationError
 from saml2.s_utils import UnknownPrincipal
-from saml2.s_utils import decode_base64_and_inflate
 from saml2.s_utils import UnsupportedBinding
-from saml2.s_utils import sid
+from saml2.s_utils import decode_base64_and_inflate
 from saml2.s_utils import rndstr
-#from srtest import exception_trace
+from saml2.s_utils import sid
+from saml2.saml import NAMEID_FORMAT_PERSISTENT
 from saml2.samlp import Extensions
-from saml2 import xmldsig as ds
-import saml2.xmldsig as ds
 
 logger = logging.getLogger("")
 hdlr = logging.FileHandler('spx.log')
@@ -54,7 +52,6 @@
 logger.addHandler(hdlr)
 logger.setLevel(logging.INFO)
 
-
 SP = None
 SEED = ""
 POLICY = None
@@ -139,7 +136,7 @@ class ECPResponse(object):
     def __init__(self, content):
         self.content = content
 
-    #noinspection PyUnusedLocal
+    # noinspection PyUnusedLocal
     def __call__(self, environ, start_response):
         start_response('%s %s' % (self.code, self.title),
                        [('Content-Type', "text/xml")])
@@ -351,7 +348,7 @@ def do(self, response, binding, relay_state="", mtype="response"):
         :param response: The SAML response, transport encoded
         :param binding: Which binding the query came in over
         """
-        #tmp_outstanding_queries = dict(self.outstanding_queries)
+        # tmp_outstanding_queries = dict(self.outstanding_queries)
         if not response:
             logger.info("Missing Response")
             resp = Unauthorized('Unknown user')
@@ -405,6 +402,7 @@ def verify_attributes(self, ava):
 
         return res
 
+
 # -----------------------------------------------------------------------------
 # REQUESTERS
 # -----------------------------------------------------------------------------
@@ -554,7 +552,7 @@ def redirect_to_auth(self, _cli, entity_id, came_from, sigalg=""):
                 "single_sign_on_service", self.bindings, "idpsso",
                 entity_id=entity_id)
             logger.debug("binding: %s, destination: %s", _binding,
-                                                           destination)
+                         destination)
             # Binding here is the response binding that is which binding the
             # IDP should use to return the response.
             acs = _cli.config.getattr("endpoints", "sp")[
@@ -565,19 +563,20 @@ def redirect_to_auth(self, _cli, entity_id, came_from, sigalg=""):
             extensions = None
             cert = None
             if _cli.config.generate_cert_func is not None:
-                    cert_str, req_key_str = _cli.config.generate_cert_func()
-                    cert = {
-                        "cert": cert_str,
-                        "key": req_key_str
-                    }
-                    spcertenc = SPCertEnc(x509_data=ds.X509Data(
-                        x509_certificate=ds.X509Certificate(text=cert_str)))
-                    extensions = Extensions(extension_elements=[
-                        element_to_extension_element(spcertenc)])
+                cert_str, req_key_str = _cli.config.generate_cert_func()
+                cert = {
+                    "cert": cert_str,
+                    "key": req_key_str
+                }
+                spcertenc = SPCertEnc(x509_data=ds.X509Data(
+                    x509_certificate=ds.X509Certificate(text=cert_str)))
+                extensions = Extensions(extension_elements=[
+                    element_to_extension_element(spcertenc)])
 
             req_id, req = _cli.create_authn_request(destination,
                                                     binding=return_binding,
-                                                    extensions=extensions)
+                                                    extensions=extensions,
+                                                    nameid_format=NAMEID_FORMAT_PERSISTENT)
             _rstate = rndstr()
             self.cache.relay_state[_rstate] = came_from
             ht_args = _cli.apply_binding(_binding, "%s" % req, destination,
@@ -636,7 +635,7 @@ def do(self, message, binding, relay_state="", mtype="response"):
         try:
             txt = decode_base64_and_inflate(message)
             is_logout_request = 'LogoutRequest' in txt.split('>', 1)[0]
-        except:   # TODO: parse the XML correctly
+        except:  # TODO: parse the XML correctly
             is_logout_request = False
 
         if is_logout_request:
@@ -646,10 +645,11 @@ def do(self, message, binding, relay_state="", mtype="response"):
 
         return finish_logout(self.environ, self.start_response)
 
+
 # ----------------------------------------------------------------------------
 
 
-#noinspection PyUnusedLocal
+# noinspection PyUnusedLocal
 def not_found(environ, start_response):
     """Called if no URL matches."""
     resp = NotFound('Not Found')
@@ -659,7 +659,7 @@ def not_found(environ, start_response):
 # ----------------------------------------------------------------------------
 
 
-#noinspection PyUnusedLocal
+# noinspection PyUnusedLocal
 def main(environ, start_response, sp):
     user = CACHE.get_user(environ)
 
@@ -687,10 +687,11 @@ def disco(environ, start_response, _sp):
     resp.headers.append(kaka)
     return resp(environ, start_response)
 
+
 # ----------------------------------------------------------------------------
 
 
-#noinspection PyUnusedLocal
+# noinspection PyUnusedLocal
 def logout(environ, start_response, sp):
     user = CACHE.get_user(environ)
 
@@ -737,10 +738,11 @@ def finish_logout(environ, start_response):
     cookie = CACHE.delete_cookie(environ)
 
     resp = Response('You are now logged out of this service', headers=[
-      cookie,
+        cookie,
     ])
     return resp(environ, start_response)
 
+
 # ----------------------------------------------------------------------------
 
 # map urls to functions
@@ -768,16 +770,17 @@ def add_urls():
     urls.append(("%s/redirect$" % base, (SLO, "redirect", SP)))
     urls.append(("%s/redirect/(.*)$" % base, (SLO, "redirect", SP)))
 
+
 # ----------------------------------------------------------------------------
 
 def metadata(environ, start_response):
     try:
         path = _args.path
         if path is None or len(path) == 0:
-            path = os.path.dirname(os.path.abspath( __file__ ))
+            path = os.path.dirname(os.path.abspath(__file__))
         if path[-1] != "/":
             path += "/"
-        metadata = create_metadata_string(path+"sp_conf.py", None,
+        metadata = create_metadata_string(path + "sp_conf.py", None,
                                           _args.valid, _args.cert, _args.keyfile,
                                           _args.id, _args.name, _args.sign)
         start_response('200 OK', [('Content-Type', "text/xml")])
@@ -786,6 +789,7 @@ def metadata(environ, start_response):
         logger.error("An error occured while creating metadata: %s", ex.message)
         return not_found(environ, start_response)
 
+
 def application(environ, start_response):
     """
     The main WSGI application. Dispatch the current request to
@@ -824,23 +828,12 @@ def application(environ, start_response):
         resp = BadRequest("%s" % err)
         return resp(environ, start_response)
     except Exception as err:
-        #_err = exception_trace("RUN", err)
-        #logging.error(exception_trace("RUN", _err))
+        # _err = exception_trace("RUN", err)
+        # logging.error(exception_trace("RUN", _err))
         print(err, file=sys.stderr)
         resp = ServiceError("%s" % err)
         return resp(environ, start_response)
 
-# ----------------------------------------------------------------------------
-
-HOST = service_conf.HOST
-PORT = service_conf.PORT
-# ------- HTTPS -------
-# These should point to relevant files
-SERVER_CERT = service_conf.SERVER_CERT
-SERVER_KEY = service_conf.SERVER_KEY
-# This is of course the certificate chain for the CA that signed
-# your cert and all the way up to the top
-CERT_CHAIN = service_conf.CERT_CHAIN
 
 if __name__ == '__main__':
     from cherrypy import wsgiserver
@@ -866,7 +859,8 @@ def application(environ, start_response):
     _parser.add_argument('-n', dest='name')
     _parser.add_argument('-S', dest='sign', action='store_true',
                          help="sign the metadata")
-
+    _parser.add_argument('-C', dest='service_conf_module',
+                         help="service config module")
 
     ARGS = {}
     _args = _parser.parse_args()
@@ -882,6 +876,21 @@ def application(environ, start_response):
     else:
         SEED = "SnabbtInspel"
 
+    if _args.service_conf_module:
+        service_conf = importlib.import_module(_args.service_conf_module)
+    else:
+        import service_conf
+
+    HOST = service_conf.HOST
+    PORT = service_conf.PORT
+    # ------- HTTPS -------
+    # These should point to relevant files
+    SERVER_CERT = service_conf.SERVER_CERT
+    SERVER_KEY = service_conf.SERVER_KEY
+    # This is of course the certificate chain for the CA that signed
+    # your cert and all the way up to the top
+    CERT_CHAIN = service_conf.CERT_CHAIN
+
     SP = Saml2Client(config_file="%s" % CNFBASE)
 
     POLICY = service_conf.POLICY
@@ -904,6 +913,7 @@ def application(environ, start_response):
     _https = ""
     if service_conf.HTTPS:
         from cherrypy.wsgiserver import ssl_pyopenssl
+
         SRV.ssl_adapter = ssl_pyopenssl.pyOpenSSLAdapter(SERVER_CERT,
                                                          SERVER_KEY, CERT_CHAIN)
         _https = " using SSL/TLS"

example/sp-wsgi/sp.py

@@ -243,9 +243,9 @@ def create_authn_request(self, destination, vorg="", scoping=None,
                 del kwargs["assertion_consumer_service_url"]
             except KeyError:
                 try:
-                    args["attribute_consuming_service_index"] = str(kwargs[
-                        "attribute_consuming_service_index"])
-                    del kwargs["attribute_consuming_service_index"]
+                    args["assertion_consumer_service_index"] = str(kwargs[
+                        "assertion_consumer_service_index"])
+                    del kwargs["assertion_consumer_service_index"]
                 except KeyError:
                     if service_url_binding is None:
                         service_urls = self.service_urls(binding)