add sequence diagrams for SAML-to-SAML operation

Author: rhoerbe

doc/internals/authnrequ_flow.png

@@ -0,0 +1,50 @@
+# Render with https://www.websequencediagrams.com
+
+title SATOSA SAML Authn Request
+# v3.4.8
+
+
+note right of Gunicorn: GET \n/saml2/sso/redirect
+Gunicorn->+WsgiApplication\n(SATOSABase): __call__
+WsgiApplication\n(SATOSABase)->*Context:
+WsgiApplication\n(SATOSABase)->WsgiApplication\n(SATOSABase): unpack_request()\n-> Context.request
+
+WsgiApplication\n(SATOSABase)->+WsgiApplication\n(SATOSABase): run(Context)
+WsgiApplication\n(SATOSABase)->WsgiApplication\n(SATOSABase): _load_state(Context)
+WsgiApplication\n(SATOSABase)->+ModuleRouter: endpoint_routing(context)
+note right of ModuleRouter, SAMLFrontend\n(Frontendmodule): endpoint function=handle_authn_request
+ModuleRouter-->-WsgiApplication\n(SATOSABase): endpoint function
+
+WsgiApplication\n(SATOSABase)-->+WsgiApplication\n(SATOSABase): _run_bound_endpoint(\nhandle_authn_request)
+WsgiApplication\n(SATOSABase)->+SAMLFrontend\n(Frontendmodule): handle_authn_request
+SAMLFrontend\n(Frontendmodule)->+SAMLFrontend\n(Frontendmodule): _handle_authn_request
+SAMLFrontend\n(Frontendmodule)->SAMLFrontend\n(Frontendmodule): _create_state_data
+SAMLFrontend\n(Frontendmodule)->*InternalData:
+SAMLFrontend\n(Frontendmodule)->SAMLFrontend\n(Frontendmodule): _get_approved_attributes
+SAMLFrontend\n(Frontendmodule)->+WsgiApplication\n(SATOSABase): auth_req_callback_func
+
+note over ModuleRouter, SAMLBackend
+  Incorrect notation: Looping over Request Micro Services is in fact a recursive design:
+  Each microservice calls the next in the list, and the last one calls _auth_req_finish().
+end note
+loop for all Request Micro Services
+  WsgiApplication\n(SATOSABase)->+Instances of \nRequestMicroService: process
+  Instances of \nRequestMicroService->+WsgiApplication\n(SATOSABase): _auth_req_finish
+  WsgiApplication\n(SATOSABase)->+ModuleRouter:backend_routing
+  ModuleRouter-->-WsgiApplication\n(SATOSABase): Backend
+  WsgiApplication\n(SATOSABase)->+SAMLBackend: start_auth
+  SAMLBackend->+SAMLBackend: authn_request
+  SAMLBackend->*SeeOther\n(Response):
+  SAMLBackend-->-SAMLBackend:
+  SAMLBackend-->-WsgiApplication\n(SATOSABase):
+  WsgiApplication\n(SATOSABase)-->-Instances of \nRequestMicroService:
+  Instances of \nRequestMicroService-->-WsgiApplication\n(SATOSABase):
+end
+WsgiApplication\n(SATOSABase)-->-SAMLFrontend\n(Frontendmodule):
+
+SAMLFrontend\n(Frontendmodule)-->-SAMLFrontend\n(Frontendmodule):
+SAMLFrontend\n(Frontendmodule)-->-WsgiApplication\n(SATOSABase):
+WsgiApplication\n(SATOSABase)-->-WsgiApplication\n(SATOSABase):
+WsgiApplication\n(SATOSABase)->WsgiApplication\n(SATOSABase): _save_state(Context)
+WsgiApplication\n(SATOSABase)-->-WsgiApplication\n(SATOSABase): 
+WsgiApplication\n(SATOSABase)-->-Gunicorn:

doc/internals/authnrequ_flow.src

@@ -0,0 +1,57 @@
+# Render with https://www.websequencediagrams.com
+
+title SATOSA SAML Authn Response
+# v3.4.8
+
+note right of Gunicorn: GET \nsaml2/acs/post
+Gunicorn->*SATOSA_STATE: preceding\nAuthnRequest
+Gunicorn->+WsgiApplication\n(SATOSABase): __call__
+WsgiApplication\n(SATOSABase)->*Context:
+WsgiApplication\n(SATOSABase)->WsgiApplication\n(SATOSABase): unpack_request()
+WsgiApplication\n(SATOSABase)->+WsgiApplication\n(SATOSABase): run(Context)
+WsgiApplication\n(SATOSABase)->+WsgiApplication\n(SATOSABase): _load_state(Context)
+  SATOSA_STATE-->WsgiApplication\n(SATOSABase):
+WsgiApplication\n(SATOSABase)-->-WsgiApplication\n(SATOSABase):
+WsgiApplication\n(SATOSABase)->+ModuleRouter: endpoint_routing(context) -> endpoint
+ModuleRouter-->-WsgiApplication\n(SATOSABase): authn_response
+
+WsgiApplication\n(SATOSABase)-->+WsgiApplication\n(SATOSABase): _run_bound_endpoint\n(\authn_response)
+WsgiApplication\n(SATOSABase)->+SAMLBackend\n(Backendmodule): authn_response
+SAMLBackend\n(Backendmodule)->+SAMLBackend\n(Backendmodule): _translate_response
+SAMLBackend\n(Backendmodule)->SAMLBackend\n(Backendmodule): saml2.sigver.\n_check_signature
+SAMLBackend\n(Backendmodule)->*InternalData:
+SAMLBackend\n(Backendmodule)-->-SAMLBackend\n(Backendmodule):
+SAMLBackend\n(Backendmodule)->+WsgiApplication\n(SATOSABase): _auth_resp_callback_func
+
+note over Context, SAMLFrontend
+  Incorrect notation: Looping over Response Micro Services is in fact a recursive design:
+  Each microservice calls the next in the list, and the last one calls _handle_authn_response().
+end note
+loop for all Response Micro Services
+  WsgiApplication\n(SATOSABase)->+Instances of \nRequestMicroService: process
+  Instances of \nRequestMicroService->+WsgiApplication\n(SATOSABase): _auth_resp_finish
+  WsgiApplication\n(SATOSABase)->+ModuleRouter:frontend_routing
+  ModuleRouter-->-WsgiApplication\n(SATOSABase): Frontend
+    WsgiApplication\n(SATOSABase)->+SAMLFrontend: handle_authn_response
+  SAMLFrontend->+SAMLFrontend: _handle_authn_response
+  SAMLFrontend->SAMLFrontend: load_state
+  SAMLFrontend->+SAMLFrontend: _get_approved_attributes
+  SAMLFrontend->+SAMLFrontend: _filter_attributes
+  SAMLFrontend->*Response:
+  SAMLFrontend-->-SAMLFrontend:
+  SAMLFrontend-->-SAMLFrontend: Response
+  SAMLFrontend-->-WsgiApplication\n(SATOSABase): Response
+  WsgiApplication\n(SATOSABase)-->-SAMLFrontend: Response
+  SAMLFrontend-->-WsgiApplication\n(SATOSABase): Response
+  WsgiApplication\n(SATOSABase)-->-Instances of \nRequestMicroService: Response
+  Instances of \nRequestMicroService-->-WsgiApplication\n(SATOSABase): Response
+end
+
+WsgiApplication\n(SATOSABase)-->-SAMLBackend\n(Backendmodule):
+SAMLBackend\n(Backendmodule)-->-WsgiApplication\n(SATOSABase):
+WsgiApplication\n(SATOSABase)-->-WsgiApplication\n(SATOSABase):
+WsgiApplication\n(SATOSABase)->+WsgiApplication\n(SATOSABase): _save_state(Context)
+  destroy SATOSA_STATE
+WsgiApplication\n(SATOSABase)-->WsgiApplication\n(SATOSABase):
+WsgiApplication\n(SATOSABase)-->-Gunicorn:
+

doc/internals/authnrequ_state.png

@@ -0,0 +1,32 @@
+# Render with https://www.websequencediagrams.com
+
+title SATOSA SAML Authn Response (focus on SATOSA_STATE)
+# v3.4.8
+
+note right of Gunicorn: GET \nsaml2/acs/post
+Gunicorn->*SATOSA_STATE: preceding\nAuthnRequest
+Gunicorn->+WsgiApplication\n(SATOSABase): __call__
+WsgiApplication\n(SATOSABase)->*Context:
+WsgiApplication\n(SATOSABase)->WsgiApplication\n(SATOSABase): unpack_request()
+WsgiApplication\n(SATOSABase)->+WsgiApplication\n(SATOSABase): run(Context)
+WsgiApplication\n(SATOSABase)->+WsgiApplication\n(SATOSABase): _load_state(Context)
+  SATOSA_STATE-->WsgiApplication\n(SATOSABase):
+WsgiApplication\n(SATOSABase)-->-WsgiApplication\n(SATOSABase):
+
+WsgiApplication\n(SATOSABase)->+SAMLBackend\n(Backendmodule): authn_response
+SAMLBackend\n(Backendmodule)-->-WsgiApplication\n(SATOSABase):
+WsgiApplication\n(SATOSABase)->+WsgiApplication\n(SATOSABase): _save_state(Context)
+  note over WsgiApplication\n(SATOSABase), WsgiApplication\n(SATOSABase)
+    PR #234 proposes to keep STATOS_STATE \nif CONTEXT_STATE_DELETE
+  end note
+  destroy SATOSA_STATE
+WsgiApplication\n(SATOSABase)-->WsgiApplication\n(SATOSABase):
+WsgiApplication\n(SATOSABase)-->-Gunicorn:
+
+
+note over A,B: text1
+note left of A: text2
+note right of A
+    multiline
+    text
+end note

doc/internals/authnresp_flow.png

@@ -0,0 +1,20 @@
+# Render with https://www.websequencediagrams.com
+
+title SATOSA Initialization Sequence
+# v3.4.8
+
+wsgi.py->*SATOSAConfig:
+wsgi.py->*WsgiApplication\n(SATOSABase): proxy_server.\nmake_app(SATOSAConfig)
+WsgiApplication\n(SATOSABase)->+plugin_loader: load_backends(SATOSAConfig, \n_auth_resp_callback_func, internal_attributes)
+plugin_loader->*SAMLBackend:
+plugin_loader-->-WsgiApplication\n(SATOSABase):
+WsgiApplication\n(SATOSABase)->+plugin_loader: load_frontends()
+plugin_loader->*SAMLFrontend:
+plugin_loader-->-WsgiApplication\n(SATOSABase):
+WsgiApplication\n(SATOSABase)->+plugin_loader: load_request_microservices()
+plugin_loader->*RequestMicroservice:
+plugin_loader-->-WsgiApplication\n(SATOSABase):
+WsgiApplication\n(SATOSABase)->+plugin_loader: load_response_microservices()
+plugin_loader->*ResponseMicroservice:
+plugin_loader-->-WsgiApplication\n(SATOSABase):
+WsgiApplication\n(SATOSABase)->*ModuleRouter: