IDP logout fix, add .gitignore

Make IDP logout a little more resilient by double checking content in the cache.
Added some .gitignore for generated and copied files in idp, sp and idp2 folders.
Allow both sp and idp2 to be mounted using wsgi container.
Add static handler for css and other files in idp2.

Author: richtera

example/.gitignore

@@ -0,0 +1,9 @@
+idp/idp_conf.py
+idp2/idp.subject
+idp2/idp_conf.py
+sp/outstanding
+sp/sp_conf.py
+server.crt
+server.csr
+server.key
+server.key.org

example/idp2/idp.py

@@ -120,7 +120,7 @@ def unpack_either(self):
 
     def operation(self, _dict, binding):
         logger.debug("_operation: %s" % _dict)
-        if not _dict:
+        if not _dict or not 'SAMLRequest' in _dict:
             resp = BadRequest('Error parsing request or no request')
             return resp(self.environ, self.start_response)
         else:
@@ -335,8 +335,13 @@ def redirect(self):
             self.req_info = _info["req_info"]
             del IDP.ticket[_key]
         except KeyError:
-            self.req_info = IDP.parse_authn_request(_info["SAMLRequest"],
-                                                    BINDING_HTTP_REDIRECT)
+            try:
+                self.req_info = IDP.parse_authn_request(_info["SAMLRequest"],
+                                                        BINDING_HTTP_REDIRECT)
+            except KeyError:
+                resp = BadRequest("Message signature verification failure")
+                return resp(self.environ, self.start_response)
+
             _req = self.req_info.message
 
             if "SigAlg" in _info and "Signature" in _info:  # Signed request
@@ -547,8 +552,11 @@ def do(self, request, binding, relay_state=""):
         if msg.name_id:
             lid = IDP.ident.find_local_id(msg.name_id)
             logger.info("local identifier: %s" % lid)
-            del IDP.cache.uid2user[IDP.cache.user2uid[lid]]
-            del IDP.cache.user2uid[lid]
+            if lid in IDP.cache.user2uid:
+                uid = IDP.cache.user2uid[lid]
+                if uid in IDP.cache.uid2user:
+                    del IDP.cache.uid2user[uid]
+                del IDP.cache.user2uid[lid]
             # remove the authentication
             try:
                 IDP.session_db.remove_authn_statements(msg.name_id)
@@ -843,6 +851,19 @@ def metadata(environ, start_response):
         logger.error("An error occured while creating metadata:" + ex.message)
         return not_found(environ, start_response)
 
+def staticfile(environ, start_response):
+    try:
+        path = args.path
+        if path is None or len(path) == 0:
+            path = os.path.dirname(os.path.abspath(__file__))
+        if path[-1] != "/":
+            path += "/"
+        path += environ.get('PATH_INFO', '').lstrip('/')
+        start_response('200 OK', [('Content-Type', "text/xml")])
+        return open(path, 'r').read()
+    except Exception as ex:
+        logger.error("An error occured while creating metadata:" + ex.message)
+        return not_found(environ, start_response)
 
 def application(environ, start_response):
     """
@@ -900,19 +921,40 @@ def application(environ, start_response):
                 return func()
             return callback(environ, start_response, user)
 
+    if re.search(r'static/.*', path) is not None:
+        return staticfile(environ, start_response)
     return not_found(environ, start_response)
 
 # ----------------------------------------------------------------------------
 
+# allow uwsgi or gunicorn mount
+# by moving some initialization out of __name__ == '__main__' section.
+# uwsgi -s 0.0.0.0:8088 --protocol http --callable application --module idp
+
+args = type('Config', (object,), { })
+args.config = 'idp_conf'
+args.mako_root = './'
+args.path = None
+
+import socket
+from idp_user import USERS
+from idp_user import EXTRA
+from mako.lookup import TemplateLookup
+
+AUTHN_BROKER = AuthnBroker()
+AUTHN_BROKER.add(authn_context_class_ref(PASSWORD),
+             username_password_authn, 10,
+             "http://%s" % socket.gethostname())
+AUTHN_BROKER.add(authn_context_class_ref(UNSPECIFIED),
+             "", 0, "http://%s" % socket.gethostname())
+
+IDP = server.Server(args.config, cache=Cache())
+IDP.ticket = {}
 
 # ----------------------------------------------------------------------------
 
 if __name__ == '__main__':
-    import socket
-    from idp_user import USERS
-    from idp_user import EXTRA
     from wsgiref.simple_server import make_server
-    from mako.lookup import TemplateLookup
 
     parser = argparse.ArgumentParser()
     parser.add_argument('-p', dest='path', help='Path to configuration file.')
@@ -937,16 +979,11 @@ def application(environ, start_response):
 
     PORT = 8088
 
-    AUTHN_BROKER = AuthnBroker()
-    AUTHN_BROKER.add(authn_context_class_ref(PASSWORD),
-                     username_password_authn, 10,
-                     "http://%s" % socket.gethostname())
-    AUTHN_BROKER.add(authn_context_class_ref(UNSPECIFIED),
-                     "", 0, "http://%s" % socket.gethostname())
-
-    IDP = server.Server(args.config, cache=Cache())
-    IDP.ticket = {}
-
     SRV = make_server('', PORT, application)
     print "IdP listening on port: %s" % PORT
     SRV.serve_forever()
+else:
+    _rot = args.mako_root
+    LOOKUP = TemplateLookup(directories=[_rot + 'templates', _rot + 'htdocs'],
+                            module_directory=_rot + 'modules',
+                            input_encoding='utf-8', output_encoding='utf-8')

example/idp2/static/css/main.css

@@ -0,0 +1,2 @@
+/* Sample css file */
+

example/idp2/templates/root.mako

@@ -6,7 +6,7 @@
     <% self.seen_css.add(path) %>
 </%def>
 <%def name="css()" filter="trim">
-    ${css_link('/css/main.css', 'screen')}
+    ${css_link('/static/css/main.css', 'screen')}
 </%def>
 <%def name="pre()" filter="trim">
     <div class="header">

example/sp/sp.py

@@ -270,6 +270,9 @@ def application(environ, start_response):
 # ----------------------------------------------------------------------------
 PORT = 8087
 
+# allow uwsgi or gunicorn mount
+# by moving some initialization out of __name__ == '__main__' section.
+# uwsgi -s 0.0.0.0:8087 --protocol http --callable app_with_auth --module idp
 
 if __name__ == '__main__':
     #make_metadata arguments