Merge branch 'upstream' into signed-assertions

Author: leifj

doc/README.md

@@ -242,6 +242,18 @@ config:
         idp-entity-id1
             sp-entity-id1:
                 exclude: ["givenName"]
+
+
+The custom_attribute_release mechanism supports defaults based on idp and sp entity Id by specifying "" or "default"
+as the key in the dict. For instance in order to exclude givenName for any sp or idp do this:
+
+```yaml
+config:
+    config: [...]
+    custom_attribute_release:
+        "default":
+            "":
+                exclude: ["givenName"]
 
 
 #### Backend

example/plugins/microservices/attribute_authz.yaml.example

@@ -0,0 +1,21 @@
+module: satosa.micro_services.attribute_authorization.AttributeAuthorization
+name: AttributeAuthorization
+config:
+    attribute_allow:
+        target_provider1:
+            requester1:
+                attr1:
+                   - "^foo:bar$"
+                   - "^kaka$"
+            default:
+                attr1:
+                   - "plupp@.+$"
+        "":
+            "":
+                attr2:
+                   - "^knytte:.*$"
+    attribute_deny:
+        default:
+            default:
+                eppn:
+                   - "^[^@]+$"

example/plugins/microservices/attribute_generation.yaml.example

@@ -0,0 +1,11 @@
+module: satosa.micro_services.attribute_generation.AddSyntheticAttributes
+name: AddSyntheticAttributes
+config:
+    synthetic_attributes:
+        target_provider1:
+            requester1:
+                eduPersonAffiliation: member;employee
+        default:
+            default:
+                schacHomeOrganization: {{eduPersonPrincipalName.scope}}
+                schacHomeOrganizationType: tomfoolery provider

setup.py

@@ -22,10 +22,11 @@
         "PyYAML",
         "gunicorn",
         "Werkzeug",
-        "click"
+        "click",
+        "pystache"
     ],
     extras_require={
-        "ldap": ["ldap3"],
+        "ldap": ["ldap3"]
     },
     zip_safe=False,
     classifiers=[

src/satosa/backends/saml2.py

@@ -214,10 +214,16 @@ def _translate_response(self, response, state):
         issuer = response.response.issuer.text
 
         auth_info = AuthenticationInformation(auth_class_ref, timestamp, issuer)
-        internal_resp = InternalResponse(auth_info=auth_info)
+        internal_resp = SAMLInternalResponse(auth_info=auth_info)
 
         internal_resp.user_id = response.get_subject().text
         internal_resp.attributes = self.converter.to_internal(self.attribute_profile, response.ava)
+        
+        # The SAML response may not include a NameID
+        try:
+            internal_resp.name_id = response.assertion.subject.name_id
+        except AttributeError:
+            pass
 
         satosa_logging(logger, logging.DEBUG, "received attributes:\n%s" % json.dumps(response.ava, indent=4), state)
         return internal_resp
@@ -315,3 +321,32 @@ def get_metadata_desc(self):
 
             entity_descriptions.append(description)
         return entity_descriptions
+
+class SAMLInternalResponse(InternalResponse):
+    """
+    Like the parent InternalResponse, holds internal representation of 
+    service related data, but includes additional details relevant to
+    SAML interoperability.
+
+    :type name_id: instance of saml2.saml.NameID from pysaml2
+    """
+    def __init__(self, auth_info=None):
+        super().__init__(auth_info)
+
+        self.name_id = None
+
+    def to_dict(self):
+        """
+        Converts a SAMLInternalResponse object to a dict
+        :rtype: dict[str, dict[str, str] | str]
+        :return: A dict representation of the object
+        """
+        _dict = super().to_dict()
+
+        if self.name_id:
+            _dict['name_id'] = {self.name_id.format : self.name_id.text}
+        else:
+            _dict['name_id'] = None
+
+        return _dict
+

src/satosa/frontends/saml2.py

@@ -21,6 +21,7 @@
 from ..response import Response
 from ..response import ServiceError
 from ..saml_util import make_saml_response
+from ..util import get_dict_defaults
 
 logger = logging.getLogger(__name__)
 
@@ -271,9 +272,10 @@ def _handle_authn_response(self, context, internal_response, idp):
         else:
             auth_info["class_ref"] = internal_response.auth_info.auth_class_ref
 
+        auth_info["authn_auth"] = internal_response.auth_info.issuer
+
         if self.custom_attribute_release:
-            custom_release_per_idp = self.custom_attribute_release.get(internal_response.auth_info.issuer, {})
-            custom_release = custom_release_per_idp.get(resp_args["sp_entity_id"], {})
+            custom_release = get_dict_defaults(self.custom_attribute_release, internal_response.auth_info.issuer, resp_args["sp_entity_id"])
             attributes_to_remove = custom_release.get("exclude", [])
             for k in attributes_to_remove:
                 ava.pop(k, None)

src/satosa/micro_services/attribute_authorization.py

@@ -0,0 +1,64 @@
+import re
+
+from .base import ResponseMicroService
+from ..exception import SATOSAAuthenticationError
+from ..util import get_dict_defaults
+
+class AttributeAuthorization(ResponseMicroService):
+
+    """
+A microservice that performs simple regexp-based authorization based on response
+attributes. The configuration assumes a dict with two keys: attributes_allow
+and attributes_deny. An examples speaks volumes:
+
+```yaml
+config:
+    attribute_allow:
+        target_provider1:
+            requester1:
+                attr1:
+                   - "^foo:bar$"
+                   - "^kaka$"
+            default:
+                attr1:
+                   - "plupp@.+$"
+        "":
+            "":
+                attr2:
+                   - "^knytte:.*$"
+    attribute_deny:
+        default:
+            default:
+                eppn:
+                   - "^[^@]+$"
+
+```
+
+The use of "" and 'default' is synonymous. Attribute rules are not overloaded
+or inherited. For instance a response from "provider2" would only be allowed
+through if the eppn attribute had all values containing an '@' (something
+perhaps best implemented via an allow rule in practice). Responses from
+target_provider1 bound for requester1 would be allowed through only if attr1
+contained foo:bar or kaka. Note that attribute filters (the leaves of the
+structure above) are ORed together - i.e any attribute match is sufficient.
+    """
+
+    def __init__(self, config, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.attribute_allow = config.get("attribute_allow", {})
+        self.attribute_deny = config.get("attribute_deny", {})
+
+    def _check_authz(self, context, attributes, requester, provider):
+        for attribute_name, attribute_filters in get_dict_defaults(self.attribute_allow, requester, provider).items():
+            if attribute_name in attributes:
+                if not any([any(filter(re.compile(af).search, attributes[attribute_name])) for af in attribute_filters]):
+                    raise SATOSAAuthenticationError(context.state, "Permission denied")
+
+        for attribute_name, attribute_filters in get_dict_defaults(self.attribute_deny, requester, provider).items():
+            if attribute_name in attributes:
+                if any([any(filter(re.compile(af).search, attributes[attribute_name])) for af in attribute_filters]):
+                    raise SATOSAAuthenticationError(context.state, "Permission denied")
+
+    def process(self, context, data):
+        self._check_authz(context, data.attributes, data.requester, data.auth_info.issuer)
+        return super().process(context, data)

src/satosa/micro_services/attribute_generation.py

@@ -0,0 +1,138 @@
+import re
+import pystache
+
+from .base import ResponseMicroService
+from ..util import get_dict_defaults
+
+class MustachAttrValue(object):
+    def __init__(self, attr_name, values):
+       self._attr_name = attr_name
+       self._values = values
+       if any(['@' in v for v in values]):
+          local_parts = []
+          domain_parts = []
+          scopes = dict()
+          for v in values:
+             (local_part, sep, domain_part) = v.partition('@')
+             # probably not needed now...
+             local_parts.append(local_part)
+             domain_parts.append(domain_part)
+             scopes[domain_part] = True
+          self._scopes = list(scopes.keys())
+       else:
+          self._scopes = None
+
+    def __str__(self):
+        return ";".join(self._values)
+
+    @property
+    def values(self):
+        [{self._attr_name: v} for v in self._values]
+   
+    @property 
+    def value(self):
+        if len(self._values) == 1:
+           return self._values[0]
+        else:
+           return self._values
+
+    @property
+    def first(self):
+        if len(self._values) > 0:
+           return self._values[0]
+        else:
+           return ""
+
+    @property
+    def scope(self):
+        if self._scopes is not None:
+           return self._scopes[0]
+        return ""
+     
+
+class AddSyntheticAttributes(ResponseMicroService):
+    """
+A class that add generated or synthetic attributes to a response set. Attribute
+generation is done using mustach (http://mustache.github.io) templates. The
+following example configuration illustrates most common features:
+
+```yaml
+module: satosa.micro_services.attribute_generation.AddSyntheticAttributes
+name: AddSyntheticAttributes
+config:
+    synthetic_attributes:
+        target_provider1:
+            requester1:
+                eduPersonAffiliation: member;employee
+        default:
+            default:
+                schacHomeOrganization: {{eduPersonPrincipalName.scope}}
+                schacHomeOrganizationType: tomfoolery provider
+
+```
+
+The use of "" and 'default' is synonymous. Attribute rules are not
+overloaded or inherited. For instance a response from "target_provider1"
+and requester1 in the above config will generate a (static) attribute
+set of 'member' and 'employee' for the eduPersonAffiliation attribute
+and nothing else. Note that synthetic attributes override existing
+attributes if present.
+
+*Evaluating and interpreting templates*
+
+Attribute values are split on combinations of ';' and newline so that
+a template resulting in the following text:
+```
+a;
+b;c
+```
+results in three attribute values: 'a','b' and 'c'. Templates are
+evaluated with a single context that represents the response attributes
+before the microservice is processed. De-referencing the attribute
+name as in '{{name}}' results in a ';'-separated list of all attribute
+values. This notation is useful when you know there is only a single
+attribute value in the set.
+
+*Special contexts*
+
+For treating the values as a list - eg for interating using mustach,
+use the .values sub-context For instance to synthesize all first-last
+name combinations do this:
+
+```
+{{#givenName.values}}
+   {{#sn.values}}{{givenName}} {{sn}}{{/sn.values}}
+{{/givenName.values}}
+```
+
+Note that the .values sub-context behaves as if it is an iterator
+over single-value context with the same key name as the original
+attribute name.
+
+The .scope sub-context evalues to the right-hand part of any @
+sign. This is assumed to be single valued.
+
+The .first sub-context evalues to the first value of a context
+which may be safer to use if the attribute is multivalued but
+you don't care which value is used in a template.
+    """
+
+    def __init__(self, config, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.synthetic_attributes = config["synthetic_attributes"]
+
+    def _synthesize(self, attributes, requester, provider):
+        syn_attributes = dict()
+        context = dict()
+        
+        for attr_name,values in attributes.items():
+           context[attr_name] = MustachAttrValue(attr_name, values)
+
+        recipes = get_dict_defaults(self.synthetic_attributes, requester, provider)
+        for attr_name, fmt in recipes.items():
+           syn_attributes[attr_name] = [v.strip().strip(';') for v in re.split("[;\n]+", pystache.render(fmt, context))]
+        return syn_attributes
+
+    def process(self, context, data):
+        data.attributes.update(self._synthesize(data.attributes, data.requester, data.auth_info.issuer))
+        return super().process(context, data)

src/satosa/util.py

@@ -7,6 +7,10 @@
 
 logger = logging.getLogger(__name__)
 
+def get_dict_defaults(d, *keys):
+    for key in keys:
+       d = d.get(key, d.get("", d.get("default", {})))
+    return d
 
 def rndstr(size=16, alphabet=""):
     """