Merge branch 'master' of github.com:rohe/pysaml2

Author: Roland Hedberg

example/.gitignore

@@ -0,0 +1,9 @@
+idp/idp_conf.py
+idp2/idp.subject
+idp2/idp_conf.py
+sp/outstanding
+sp/sp_conf.py
+server.crt
+server.csr
+server.key
+server.key.org

example/idp2/idp.py

@@ -120,7 +120,7 @@ def unpack_either(self):
 
     def operation(self, _dict, binding):
         logger.debug("_operation: %s" % _dict)
-        if not _dict:
+        if not _dict or not 'SAMLRequest' in _dict:
             resp = BadRequest('Error parsing request or no request')
             return resp(self.environ, self.start_response)
         else:
@@ -335,8 +335,13 @@ def redirect(self):
             self.req_info = _info["req_info"]
             del IDP.ticket[_key]
         except KeyError:
-            self.req_info = IDP.parse_authn_request(_info["SAMLRequest"],
-                                                    BINDING_HTTP_REDIRECT)
+            try:
+                self.req_info = IDP.parse_authn_request(_info["SAMLRequest"],
+                                                        BINDING_HTTP_REDIRECT)
+            except KeyError:
+                resp = BadRequest("Message signature verification failure")
+                return resp(self.environ, self.start_response)
+
             _req = self.req_info.message
 
             if "SigAlg" in _info and "Signature" in _info:  # Signed request
@@ -547,8 +552,11 @@ def do(self, request, binding, relay_state=""):
         if msg.name_id:
             lid = IDP.ident.find_local_id(msg.name_id)
             logger.info("local identifier: %s" % lid)
-            del IDP.cache.uid2user[IDP.cache.user2uid[lid]]
-            del IDP.cache.user2uid[lid]
+            if lid in IDP.cache.user2uid:
+                uid = IDP.cache.user2uid[lid]
+                if uid in IDP.cache.uid2user:
+                    del IDP.cache.uid2user[uid]
+                del IDP.cache.user2uid[lid]
             # remove the authentication
             try:
                 IDP.session_db.remove_authn_statements(msg.name_id)
@@ -843,6 +851,19 @@ def metadata(environ, start_response):
         logger.error("An error occured while creating metadata:" + ex.message)
         return not_found(environ, start_response)
 
+def staticfile(environ, start_response):
+    try:
+        path = args.path
+        if path is None or len(path) == 0:
+            path = os.path.dirname(os.path.abspath(__file__))
+        if path[-1] != "/":
+            path += "/"
+        path += environ.get('PATH_INFO', '').lstrip('/')
+        start_response('200 OK', [('Content-Type', "text/xml")])
+        return open(path, 'r').read()
+    except Exception as ex:
+        logger.error("An error occured while creating metadata:" + ex.message)
+        return not_found(environ, start_response)
 
 def application(environ, start_response):
     """
@@ -900,19 +921,40 @@ def application(environ, start_response):
                 return func()
             return callback(environ, start_response, user)
 
+    if re.search(r'static/.*', path) is not None:
+        return staticfile(environ, start_response)
     return not_found(environ, start_response)
 
 # ----------------------------------------------------------------------------
 
+# allow uwsgi or gunicorn mount
+# by moving some initialization out of __name__ == '__main__' section.
+# uwsgi -s 0.0.0.0:8088 --protocol http --callable application --module idp
+
+args = type('Config', (object,), { })
+args.config = 'idp_conf'
+args.mako_root = './'
+args.path = None
+
+import socket
+from idp_user import USERS
+from idp_user import EXTRA
+from mako.lookup import TemplateLookup
+
+AUTHN_BROKER = AuthnBroker()
+AUTHN_BROKER.add(authn_context_class_ref(PASSWORD),
+             username_password_authn, 10,
+             "http://%s" % socket.gethostname())
+AUTHN_BROKER.add(authn_context_class_ref(UNSPECIFIED),
+             "", 0, "http://%s" % socket.gethostname())
+
+IDP = server.Server(args.config, cache=Cache())
+IDP.ticket = {}
 
 # ----------------------------------------------------------------------------
 
 if __name__ == '__main__':
-    import socket
-    from idp_user import USERS
-    from idp_user import EXTRA
     from wsgiref.simple_server import make_server
-    from mako.lookup import TemplateLookup
 
     parser = argparse.ArgumentParser()
     parser.add_argument('-p', dest='path', help='Path to configuration file.')
@@ -937,16 +979,11 @@ def application(environ, start_response):
 
     PORT = 8088
 
-    AUTHN_BROKER = AuthnBroker()
-    AUTHN_BROKER.add(authn_context_class_ref(PASSWORD),
-                     username_password_authn, 10,
-                     "http://%s" % socket.gethostname())
-    AUTHN_BROKER.add(authn_context_class_ref(UNSPECIFIED),
-                     "", 0, "http://%s" % socket.gethostname())
-
-    IDP = server.Server(args.config, cache=Cache())
-    IDP.ticket = {}
-
     SRV = make_server('', PORT, application)
     print "IdP listening on port: %s" % PORT
     SRV.serve_forever()
+else:
+    _rot = args.mako_root
+    LOOKUP = TemplateLookup(directories=[_rot + 'templates', _rot + 'htdocs'],
+                            module_directory=_rot + 'modules',
+                            input_encoding='utf-8', output_encoding='utf-8')

example/idp2/static/css/main.css

@@ -0,0 +1,2 @@
+/* Sample css file */
+

example/idp2/templates/root.mako

@@ -6,7 +6,7 @@
     <% self.seen_css.add(path) %>
 </%def>
 <%def name="css()" filter="trim">
-    ${css_link('/css/main.css', 'screen')}
+    ${css_link('/static/css/main.css', 'screen')}
 </%def>
 <%def name="pre()" filter="trim">
     <div class="header">

example/sp-repoze/sp.py

@@ -270,6 +270,9 @@ def application(environ, start_response):
 # ----------------------------------------------------------------------------
 PORT = 8087
 
+# allow uwsgi or gunicorn mount
+# by moving some initialization out of __name__ == '__main__' section.
+# uwsgi -s 0.0.0.0:8087 --protocol http --callable app_with_auth --module idp
 
 if __name__ == '__main__':
     #make_metadata arguments