WsTrust

Author: rayluo

msal/wstrust_request.py

@@ -0,0 +1,130 @@
+#------------------------------------------------------------------------------
+#
+# Copyright (c) Microsoft Corporation.
+# All rights reserved.
+#
+# This code is licensed under the MIT License.
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files(the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions :
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#
+#------------------------------------------------------------------------------
+
+import uuid
+from datetime import datetime, timedelta
+import re
+import logging
+
+import requests
+
+from .mex import Mex
+import wstrust_response
+
+
+logger = logging.getLogger(__file__)
+
+def send_request(
+        username, password, cloud_audience_urn, endpoint_address, soap_action,
+        **kwargs):
+    if not endpoint_address:
+        raise ValueError("WsTrust endpoint address can not be empty")
+    if soap_action is None:
+        wstrust2005_regex = r'[/trust]?[2005][/usernamemixed]?'
+        wstrust13_regex = r'[/trust]?[13][/usernamemixed]?'
+        if re.search(wstrust2005_regex, endpoint_address):
+            soap_action = Mex.ACTION_2005
+        elif re.search(wstrust13_regex, endpoint_address):
+            soap_action = Mex.ACTION_13
+    assert soap_action in (Mex.ACTION_13, Mex.ACTION_2005)  # A loose check here
+    data = _build_rst(
+        username, password, cloud_audience_urn, endpoint_address, soap_action)
+    resp = requests.post(endpoint_address, data=data, headers={
+            'Content-type':'application/soap+xml; charset=utf-8',
+            'SOAPAction': soap_action,
+            }, **kwargs)
+    if resp.status_code >= 400:
+        logger.debug("Unsuccessful WsTrust request receives: %s", resp.text)
+    # It turns out ADFS uses 5xx status code even with client-side incorrect password error
+    # resp.raise_for_status()
+    return wstrust_response.parse_response(resp.text)
+
+def escape_password(password):
+    return (password.replace('&', '&').replace('"', '"')
+        .replace("'", ''')  # the only one not provided by cgi.escape(s, True)
+        .replace('<', '&lt;').replace('>', '&gt;'))
+
+def wsu_time_format(datetime_obj):
+    # WsTrust (http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/ws-trust.html)
+    # does not seem to define timestamp format, but we see YYYY-mm-ddTHH:MM:SSZ
+    # here (https://www.ibm.com/developerworks/websphere/library/techarticles/1003_chades/1003_chades.html)
+    # It avoids the uncertainty of the optional ".ssssss" in datetime.isoformat()
+    # https://docs.python.org/2/library/datetime.html#datetime.datetime.isoformat
+    return datetime_obj.strftime('%Y-%m-%dT%H:%M:%SZ')
+
+def _build_rst(username, password, cloud_audience_urn, endpoint_address, soap_action):
+    now = datetime.utcnow()
+    return """<s:Envelope xmlns:s='{s}' xmlns:wsa='{wsa}' xmlns:wsu='{wsu}'>
+        <s:Header>
+            <wsa:Action s:mustUnderstand='1'>{soap_action}</wsa:Action>
+            <wsa:messageID>urn:uuid:{message_id}</wsa:messageID>
+            <wsa:ReplyTo>
+            <wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
+            </wsa:ReplyTo>
+            <wsa:To s:mustUnderstand='1'>{endpoint_address}</wsa:To>
+
+            <wsse:Security s:mustUnderstand='1'
+            xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'>
+                <wsu:Timestamp wsu:Id='_0'>
+                    <wsu:Created>{time_now}</wsu:Created>
+                    <wsu:Expires>{time_expire}</wsu:Expires>
+                </wsu:Timestamp>
+                <wsse:UsernameToken wsu:Id='ADALUsernameToken'>
+                    <wsse:Username>{username}</wsse:Username>
+                    <wsse:Password>{password}</wsse:Password>
+                </wsse:UsernameToken>
+            </wsse:Security>
+
+        </s:Header>
+        <s:Body>
+        <wst:RequestSecurityToken xmlns:wst='{wst}'>
+        <wsp:AppliesTo xmlns:wsp='http://schemas.xmlsoap.org/ws/2004/09/policy'>
+            <wsa:EndpointReference>
+                <wsa:Address>{applies_to}</wsa:Address>
+            </wsa:EndpointReference>
+        </wsp:AppliesTo>
+        <wst:KeyType>{key_type}</wst:KeyType>
+            <wst:RequestType>{request_type}</wst:RequestType>
+        </wst:RequestSecurityToken>
+        </s:Body>
+        </s:Envelope>""".format(
+            s=Mex.NS["s"], wsu=Mex.NS["wsu"], wsa=Mex.NS["wsa10"],
+            soap_action=soap_action, message_id=str(uuid.uuid4()),
+            endpoint_address=endpoint_address,
+            time_now=wsu_time_format(now),
+            time_expire=wsu_time_format(now + timedelta(minutes=10)),
+            username=username, password=escape_password(password),
+            wst=Mex.NS["wst"] if soap_action == Mex.ACTION_13 else Mex.NS["wst2005"],
+            applies_to=cloud_audience_urn,
+            key_type='http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer'
+                if soap_action == Mex.ACTION_13 else
+                'http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey',
+            request_type='http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue'
+                if soap_action == Mex.ACTION_13 else
+                'http://schemas.xmlsoap.org/ws/2005/02/trust/Issue',
+        )
+

msal/wstrust_response.py

@@ -0,0 +1,89 @@
+#------------------------------------------------------------------------------
+#
+# Copyright (c) Microsoft Corporation.
+# All rights reserved.
+#
+# This code is licensed under the MIT License.
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files(the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and / or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions :
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#
+#------------------------------------------------------------------------------
+
+try:
+    from xml.etree import cElementTree as ET
+except ImportError:
+    from xml.etree import ElementTree as ET
+import re
+
+from .mex import Mex
+
+
+SAML_TOKEN_TYPE_V1 = 'urn:oasis:names:tc:SAML:1.0:assertion'
+SAML_TOKEN_TYPE_V2 = 'urn:oasis:names:tc:SAML:2.0:assertion'
+
+def parse_response(body):  # Returns {"token": "<saml:assertion ...>", "type": "..."}
+    token = parse_token_by_re(body)
+    if token:
+        return token
+    error = parse_error(body)
+    raise RuntimeError("WsTrust server returned error in RSTR: %s" % (error or body))
+
+def parse_error(body):  # Returns error as a dict. See unit test case for an example.
+    dom = ET.fromstring(body)
+    reason_text_node = dom.find('s:Body/s:Fault/s:Reason/s:Text', Mex.NS)
+    subcode_value_node = dom.find('s:Body/s:Fault/s:Code/s:Subcode/s:Value', Mex.NS)
+    if reason_text_node is not None or subcode_value_node is not None:
+        return {"reason": reason_text_node.text, "code": subcode_value_node.text}
+
+def findall_content(xml_string, tag):
+    """
+    Given a tag name without any prefix,
+    this function returns a list of the raw content inside this tag as-is.
+
+    >>> findall_content("<ns0:foo> what <bar> ever </bar> content </ns0:foo>", "foo")
+    [" what <bar> ever </bar> content "]
+
+    Motivation:
+
+    Usually we would use XML parser to extract the data by xpath.
+    However the ElementTree in Python will implicitly normalize the output
+    by "hoisting" the inner inline namespaces into the outmost element.
+    The result will be a semantically equivalent XML snippet,
+    but not fully identical to the original one.
+    While this effect shouldn't become a problem in all other cases,
+    it does not seem to fully comply with Exclusive XML Canonicalization spec
+    (https://www.w3.org/TR/xml-exc-c14n/), and void the SAML token signature.
+    SAML signature algo needs the "XML -> C14N(XML) -> Signed(C14N(Xml))" order.
+
+    The binary extention lxml is probably the canonical way to solve this
+    (https://stackoverflow.com/questions/22959577/python-exclusive-xml-canonicalization-xml-exc-c14n)
+    but here we use this workaround, based on Regex, to return raw content as-is.
+    """
+    # \w+ is good enough for https://www.w3.org/TR/REC-xml/#NT-NameChar
+    pattern = r"<(?:\w+:)?%(tag)s(?:[^>]*)>(.*)</(?:\w+:)?%(tag)s" % {"tag": tag}
+    return re.findall(pattern, xml_string, re.DOTALL)
+
+def parse_token_by_re(raw_response):  # Returns the saml:assertion
+    for rstr in findall_content(raw_response, "RequestSecurityTokenResponse"):
+        token_types = findall_content(rstr, "TokenType")
+        tokens = findall_content(rstr, "RequestedSecurityToken")
+        if token_types and tokens:
+            assert token_types[0] in (SAML_TOKEN_TYPE_V1, SAML_TOKEN_TYPE_V2)
+            return {"token": tokens[0].encode('us-ascii'), "type": token_types[0]}
+

tests/rst_response.xml

@@ -0,0 +1,90 @@
+<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
+    <s:Header>
+        <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal</a:Action>
+        <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
+            <u:Timestamp u:Id="_0">
+                <u:Created>2013-11-15T03:08:25.221Z</u:Created>
+                <u:Expires>2013-11-15T03:13:25.221Z</u:Expires>
+            </u:Timestamp>
+        </o:Security>
+    </s:Header>
+    <s:Body>
+        <trust:RequestSecurityTokenResponseCollection xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
+            <trust:RequestSecurityTokenResponse>
+                <trust:Lifetime>
+                    <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2013-11-15T03:08:25.205Z</wsu:Created>
+                    <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2013-11-15T04:08:25.205Z</wsu:Expires>
+                </trust:Lifetime>
+                <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
+                    <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
+                        <wsa:Address>https://login.microsoftonline.com/extSTS.srf</wsa:Address>
+                    </wsa:EndpointReference>
+                </wsp:AppliesTo>
+                <trust:RequestedSecurityToken>
+                    <saml:Assertion AssertionID="_9bd2b280-f153-471a-9b73-c1df0d555075" IssueInstant="2013-11-15T03:08:25.221Z" Issuer="http://fs.richard-randall.com/adfs/services/trust" MajorVersion="1" MinorVersion="1" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
+                        <saml:Conditions NotBefore="2013-11-15T03:08:25.205Z" NotOnOrAfter="2013-11-15T04:08:25.205Z">
+                            <saml:AudienceRestrictionCondition>
+                                <saml:Audience>https://login.microsoftonline.com/extSTS.srf</saml:Audience>
+                            </saml:AudienceRestrictionCondition>
+                        </saml:Conditions>
+                        <saml:AttributeStatement>
+                            <saml:Subject>
+                                <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">1TIu064jGEmmf+hnI+F0Jg==</saml:NameIdentifier>
+                                <saml:SubjectConfirmation>
+                                    <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
+                                </saml:SubjectConfirmation>
+                            </saml:Subject>
+                            <saml:Attribute AttributeName="UPN" AttributeNamespace="http://schemas.xmlsoap.org/claims">
+                                <saml:AttributeValue>[email protected]</saml:AttributeValue>
+                            </saml:Attribute>
+                            <saml:Attribute AttributeName="ImmutableID" AttributeNamespace="http://schemas.microsoft.com/LiveID/Federation/2008/05">
+                                <saml:AttributeValue>1TIu064jGEmmf+hnI+F0Jg==</saml:AttributeValue>
+                            </saml:Attribute>
+                        </saml:AttributeStatement>
+                        <saml:AuthenticationStatement AuthenticationInstant="2013-11-15T03:08:25.174Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
+                            <saml:Subject>
+                                <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">1TIu064jGEmmf+hnI+F0Jg==</saml:NameIdentifier>
+                                <saml:SubjectConfirmation>
+                                    <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
+                                </saml:SubjectConfirmation>
+                            </saml:Subject>
+                        </saml:AuthenticationStatement>
+                        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+                            <ds:SignedInfo>
+                                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+                                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
+                                <ds:Reference URI="#_9bd2b280-f153-471a-9b73-c1df0d555075">
+                                    <ds:Transforms>
+                                        <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
+                                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
+                                    </ds:Transforms>
+                                    <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
+                                    <ds:DigestValue>3i95D+nRbsyRitSPeT7ZtEr5vbM=</ds:DigestValue>
+                                </ds:Reference>
+                            </ds:SignedInfo>
+                            <ds:SignatureValue>aVNmmKLNdAlBxxcNciWVfxynZUPR9ql8ZZSZt/qpqL/GB3HX/cL/QnfG2OOKrmhgEaR0Ul4grZhGJxlxMPDL0fhnBz+VJ5HwztMFgMYs3Md8A2sZd9n4dfu7+CByAna06lCwwfdFWlNV1MBFvlWvYtCLNkpYVr/aglmb9zpMkNxEOmHe/cwxUtYlzH4RpIsIT5pruoJtUxKcqTRDEeeYdzjBAiJuguQTChLmHNoMPdX1RmtJlPsrZ1s9R/IJky7fHLjB7jiTDceRCS5QUbgUqYbLG1MjFXthY2Hr7K9kpYjxxIk6xmM7mFQE3Hts3bj6UU7ElUvHpX9bxxk3pqzlhg==</ds:SignatureValue>
+                            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
+                                <X509Data>
+                                    <X509Certificate>MIIC6DCCAdCgAwIBAgIQaztYF2TpvZZG6yreA3NRpzANBgkqhkiG9w0BAQsFADAwMS4wLAYDVQQDEyVBREZTIFNpZ25pbmcgLSBmcy5yaWNoYXJkLXJhbmRhbGwuY29tMB4XDTEzMTExMTAzNTMwMFoXDTE0MTExMTAzNTMwMFowMDEuMCwGA1UEAxMlQURGUyBTaWduaW5nIC0gZnMucmljaGFyZC1yYW5kYWxsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO+1VWY/sYDdN3hdsvT+mWHTcOwjp2G9e0AEZdmgh7bS54WUJw9y0cMxJmGB0jAAW40zomzIbS8/o3iuxcJyFgBVtMFfXwFjVQJnZJ7IMXFs1V/pJHrwWHxePz/WzXFtMaqEIe8QummJ07UBg9UsYZUYTGO9NDGw1Yr/oRNsl7bLA0S/QlW6yryf6l3snHzIgtO2xiWn6q3vCJTTVNMROkI2YKNKdYiD5fFD77kFACfJmOwP8MN9u+HM2IN6g0Nv5s7rMyw077Co/xKefamWQCB0jLpv89jo3hLgkwIgWX4cMVgHSNmdzXSgC3owG8ivRuJDATh83GiqI6jzA1+x4rkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAxA5MQZHw9lJYDpU4f45EYrWPEaAPnncaoxIeLE9fG14gA01frajRfdyoO0AKqb+ZG6sePKngsuq4QHA2EnEI4Di5uWKsXy1Id0AXUSUhLpe63alZ8OwiNKDKn71nwpXnlGwKqljnG3xBMniGtGKrFS4WM+joEHzaKpvgtGRGoDdtXF4UXZJcn2maw6d/kiHrQ3kWoQcQcJ9hVIo8bC0BPvxV0Qh4TF3Nb3tKhaXsY68eMxMGbHok9trVHQ3Vew35FuTg1JzsfCFSDF8sxu7FJ4iZ7VLM8MQLnvIMcubLJvc57EHSsNyeiqBFQIYkdg7MSf+Ot2qJjfExgo+NOtWN+g==</X509Certificate>
+                                </X509Data>
+                            </KeyInfo>
+                        </ds:Signature>
+                    </saml:Assertion>
+                </trust:RequestedSecurityToken>
+                <trust:RequestedAttachedReference>
+                    <o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
+                        <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_9bd2b280-f153-471a-9b73-c1df0d555075</o:KeyIdentifier>
+                    </o:SecurityTokenReference>
+                </trust:RequestedAttachedReference>
+                <trust:RequestedUnattachedReference>
+                    <o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
+                        <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_9bd2b280-f153-471a-9b73-c1df0d555075</o:KeyIdentifier>
+                    </o:SecurityTokenReference>
+                </trust:RequestedUnattachedReference>
+                <trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</trust:TokenType>
+                <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
+                <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
+            </trust:RequestSecurityTokenResponse>
+        </trust:RequestSecurityTokenResponseCollection>
+    </s:Body>
+</s:Envelope>