Merge remote-tracking branch 'upstream/master'

Author: Hans Hörberg

example/idp2/idp.py

@@ -7,10 +7,13 @@
 import re
 import socket
 import time
+import ssl
 
 from Cookie import SimpleCookie
 from hashlib import sha1
 from urlparse import parse_qs
+from cherrypy import wsgiserver
+from cherrypy.wsgiserver import ssl_pyopenssl
 
 from saml2 import BINDING_HTTP_ARTIFACT
 from saml2 import BINDING_URI
@@ -1044,13 +1047,15 @@ def application(environ, start_response):
     parser.add_argument(dest="config")
     args = parser.parse_args()
 
+    CONFIG = importlib.import_module(args.config)
+
     AUTHN_BROKER = AuthnBroker()
     AUTHN_BROKER.add(authn_context_class_ref(PASSWORD),
                      username_password_authn, 10,
-                     "http://%s" % socket.gethostname())
+                     CONFIG.BASE)
     AUTHN_BROKER.add(authn_context_class_ref(UNSPECIFIED),
-                     "", 0, "http://%s" % socket.gethostname())
-    CONFIG = importlib.import_module(args.config)
+                     "", 0, CONFIG.BASE)
+
     IDP = server.Server(args.config, cache=Cache())
     IDP.ticket = {}
 
@@ -1062,6 +1067,17 @@ def application(environ, start_response):
     HOST = CONFIG.HOST
     PORT = CONFIG.PORT
 
-    SRV = make_server(HOST, PORT, application)
-    print("IdP listening on %s:%s" % (HOST, PORT))
-    SRV.serve_forever()
+    SRV = wsgiserver.CherryPyWSGIServer((HOST, PORT), application)
+
+    _https = ""
+    if CONFIG.HTTPS:
+        SRV.ssl_adapter = ssl_pyopenssl.pyOpenSSLAdapter(CONFIG.SERVER_CERT,
+                                                         CONFIG.SERVER_KEY, CONFIG.CERT_CHAIN)
+        _https = " using SSL/TLS"
+    logger.info("Server starting")
+    print("IDP listening on %s:%s%s" % (HOST, PORT, _https))
+    try:
+        SRV.start()
+    except KeyboardInterrupt:
+        SRV.stop()
+

example/idp2/idp_conf.py.example

@@ -28,7 +28,17 @@ def full_path(local_file):
 HOST = 'localhost'
 PORT = 8088
 
-BASE = "http://%s:%s" % (HOST, PORT)
+HTTPS = True
+
+if HTTPS:
+    BASE = "https://%s:%s" % (HOST, PORT)
+else:
+    BASE = "http://%s:%s" % (HOST, PORT)
+
+# HTTPS cert information
+SERVER_CERT = "pki/mycert.pem"
+SERVER_KEY = "pki/mykey.pem"
+CERT_CHAIN = ""
 
 CONFIG = {
     "entityid": "%s/idp.xml" % BASE,

example/requirements.txt

@@ -0,0 +1,2 @@
+mako
+cherrypy

example/sp-wsgi/sp.py

@@ -379,7 +379,6 @@ def do(self, response, binding, relay_state="", mtype="response"):
         cookie = self.cache.set_cookie(user)
 
         resp = Redirect("/", headers=[
-            ("Location", "/"),
             cookie,
         ])
         return resp(self.environ, self.start_response)

src/saml2/client.py

@@ -14,6 +14,8 @@
 from saml2 import BINDING_HTTP_POST
 from saml2 import BINDING_SOAP
 
+import saml2.xmldsig as ds
+
 from saml2.ident import decode, code
 from saml2.httpbase import HTTPError
 from saml2.s_utils import sid
@@ -161,7 +163,7 @@ def global_logout(self, name_id, reason="", expire=None, sign=None):
         return self.do_logout(name_id, entity_ids, reason, expire, sign)
 
     def do_logout(self, name_id, entity_ids, reason, expire, sign=None,
-                  expected_binding=None):
+                  expected_binding=None, **kwargs):
         """
 
         :param name_id: Identifier of the Subject (a NameID instance)
@@ -172,6 +174,7 @@ def do_logout(self, name_id, entity_ids, reason, expire, sign=None,
         :param sign: Whether to sign the request or not
         :param expected_binding: Specify the expected binding then not try it
             all
+        :param kwargs: Extra key word arguments.
         :return:
         """
         # check time
@@ -203,9 +206,14 @@ def do_logout(self, name_id, entity_ids, reason, expire, sign=None,
 
                 destination = destinations(srvs)[0]
                 logger.info("destination to provider: %s" % destination)
+                try:
+                    session_info = self.users.get_info_from(name_id, entity_id)
+                    session_indexes = [session_info['session_index']]
+                except KeyError:
+                    session_indexes = None
                 req_id, request = self.create_logout_request(
                     destination, entity_id, name_id=name_id, reason=reason,
-                    expire=expire)
+                    expire=expire, session_indexes=session_indexes)
 
                 # to_sign = []
                 if binding.startswith("http://"):
@@ -214,15 +222,23 @@ def do_logout(self, name_id, entity_ids, reason, expire, sign=None,
                 if sign is None:
                     sign = self.logout_requests_signed
 
+                sigalg = None
+                key = None
                 if sign:
-                    srequest = self.sign(request)
+                    if binding == BINDING_HTTP_REDIRECT:
+                        sigalg = kwargs.get("sigalg", ds.sig_default)
+                        key = kwargs.get("key", self.signkey)
+                        srequest = str(request)
+                    else:
+                        srequest = self.sign(request)
                 else:
-                    srequest = "%s" % request
+                    srequest = str(request)
 
                 relay_state = self._relay_state(req_id)
 
                 http_info = self.apply_binding(binding, srequest, destination,
-                                               relay_state)
+                                               relay_state, sigalg=sigalg,
+                                               key=key)
 
                 if binding == BINDING_SOAP:
                     response = self.send(**http_info)

src/saml2/metadata.py

@@ -59,16 +59,17 @@
 XMLNSXS = " xmlns:xs=\"http://www.w3.org/2001/XMLSchema\""
 bXMLNSXS = b" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\""
 
+
 def metadata_tostring_fix(desc, nspair, xmlstring=""):
     if not xmlstring:
         xmlstring = desc.to_string(nspair)
 
     if six.PY2:
         if "\"xs:string\"" in xmlstring and XMLNSXS not in xmlstring:
-            xmlstring = xmlstring.replace(MDNS, MDNS+XMLNSXS)
+            xmlstring = xmlstring.replace(MDNS, MDNS + XMLNSXS)
     else:
         if b"\"xs:string\"" in xmlstring and bXMLNSXS not in xmlstring:
-            xmlstring = xmlstring.replace(bMDNS, bMDNS+bXMLNSXS)
+            xmlstring = xmlstring.replace(bMDNS, bMDNS + bXMLNSXS)
 
     return xmlstring
 
@@ -77,7 +78,7 @@ def create_metadata_string(configfile, config=None, valid=None, cert=None,
                            keyfile=None, mid=None, name=None, sign=None):
     valid_for = 0
     nspair = {"xs": "http://www.w3.org/2001/XMLSchema"}
-    #paths = [".", "/opt/local/bin"]
+    # paths = [".", "/opt/local/bin"]
 
     if valid:
         valid_for = int(valid)  # Hours
@@ -97,21 +98,17 @@ def create_metadata_string(configfile, config=None, valid=None, cert=None,
     secc = security_context(conf)
 
     if mid:
-        desc = entities_descriptor(eds, valid_for, name, mid,
-                                   sign, secc)
-        valid_instance(desc)
-
-        return metadata_tostring_fix(desc, nspair)
+        eid, xmldoc = entities_descriptor(eds, valid_for, name, mid,
+                                          sign, secc)
     else:
         eid = eds[0]
         if sign:
             eid, xmldoc = sign_entity_descriptor(eid, mid, secc)
         else:
             xmldoc = None
 
-        valid_instance(eid)
-        xmldoc = metadata_tostring_fix(eid, nspair, xmldoc)
-        return xmldoc
+    valid_instance(eid)
+    return metadata_tostring_fix(eid, nspair, xmldoc)
 
 
 def _localized_name(val, klass):
@@ -346,6 +343,7 @@ def do_idpdisc(discovery_response):
     return idpdisc.DiscoveryResponse(index="0", location=discovery_response,
                                      binding=idpdisc.NAMESPACE)
 
+
 ENDPOINTS = {
     "sp": {
         "artifact_resolution_service": (md.ArtifactResolutionService, True),
@@ -425,7 +423,8 @@ def do_endpoints(conf, endpoints):
             servs = []
             i = 1
             for args in conf[endpoint]:
-                if isinstance(args, six.string_types):  # Assume it's the location
+                if isinstance(args,
+                              six.string_types):  # Assume it's the location
                     args = {"location": args,
                             "binding": DEFAULT_BINDING[endpoint]}
                 elif isinstance(args, tuple) or isinstance(args, list):
@@ -453,16 +452,16 @@ def do_endpoints(conf, endpoints):
             pass
     return service
 
+
 DEFAULT = {
     "want_assertions_signed": "true",
     "authn_requests_signed": "false",
     "want_authn_requests_signed": "false",
-    #"want_authn_requests_only_with_valid_cert": "false",
+    # "want_authn_requests_only_with_valid_cert": "false",
 }
 
 
 def do_attribute_consuming_service(conf, spsso):
-
     service_description = service_name = None
     requested_attributes = []
     acs = conf.attribute_converters
@@ -557,7 +556,8 @@ def do_spsso_descriptor(conf, cert=None, enc_cert=None):
 
     if cert or enc_cert:
         metadata_key_usage = conf.metadata_key_usage
-        spsso.key_descriptor = do_key_descriptor(cert=cert, enc_cert=enc_cert, use=metadata_key_usage)
+        spsso.key_descriptor = do_key_descriptor(cert=cert, enc_cert=enc_cert,
+                                                 use=metadata_key_usage)
 
     for key in ["want_assertions_signed", "authn_requests_signed"]:
         try:
@@ -605,10 +605,11 @@ def do_idpsso_descriptor(conf, cert=None, enc_cert=None):
         idpsso.extensions.add_extension_element(do_uiinfo(ui_info))
 
     if cert or enc_cert:
-        idpsso.key_descriptor = do_key_descriptor(cert, enc_cert, use=conf.metadata_key_usage)
+        idpsso.key_descriptor = do_key_descriptor(cert, enc_cert,
+                                                  use=conf.metadata_key_usage)
 
     for key in ["want_authn_requests_signed"]:
-                #"want_authn_requests_only_with_valid_cert"]:
+        # "want_authn_requests_only_with_valid_cert"]:
         try:
             val = conf.getattr(key, "idp")
             if val is None:
@@ -635,7 +636,8 @@ def do_aa_descriptor(conf, cert=None, enc_cert=None):
     _do_nameid_format(aad, conf, "aa")
 
     if cert or enc_cert:
-        aad.key_descriptor = do_key_descriptor(cert, enc_cert, use=conf.metadata_key_usage)
+        aad.key_descriptor = do_key_descriptor(cert, enc_cert,
+                                               use=conf.metadata_key_usage)
 
     attributes = conf.getattr("attribute", "aa")
     if attributes:
@@ -664,7 +666,8 @@ def do_aq_descriptor(conf, cert=None, enc_cert=None):
     _do_nameid_format(aqs, conf, "aq")
 
     if cert or enc_cert:
-        aqs.key_descriptor = do_key_descriptor(cert, enc_cert, use=conf.metadata_key_usage)
+        aqs.key_descriptor = do_key_descriptor(cert, enc_cert,
+                                               use=conf.metadata_key_usage)
 
     return aqs
 
@@ -685,7 +688,8 @@ def do_pdp_descriptor(conf, cert=None, enc_cert=None):
     _do_nameid_format(pdp, conf, "pdp")
 
     if cert:
-        pdp.key_descriptor = do_key_descriptor(cert, enc_cert, use=conf.metadata_key_usage)
+        pdp.key_descriptor = do_key_descriptor(cert, enc_cert,
+                                               use=conf.metadata_key_usage)
 
     return pdp
 
@@ -702,7 +706,8 @@ def entity_descriptor(confd):
     if confd.encryption_keypairs is not None:
         enc_cert = []
         for _encryption in confd.encryption_keypairs:
-            enc_cert.append("".join(open(_encryption["cert_file"]).readlines()[1:-1]))
+            enc_cert.append(
+                "".join(open(_encryption["cert_file"]).readlines()[1:-1]))
 
     entd = md.EntityDescriptor()
     entd.entity_id = confd.entityid
@@ -736,13 +741,15 @@ def entity_descriptor(confd):
         entd.idpsso_descriptor = do_idpsso_descriptor(confd, mycert, enc_cert)
     if "aa" in serves:
         confd.context = "aa"
-        entd.attribute_authority_descriptor = do_aa_descriptor(confd, mycert, enc_cert)
+        entd.attribute_authority_descriptor = do_aa_descriptor(confd, mycert,
+                                                               enc_cert)
     if "pdp" in serves:
         confd.context = "pdp"
         entd.pdp_descriptor = do_pdp_descriptor(confd, mycert, enc_cert)
     if "aq" in serves:
         confd.context = "aq"
-        entd.authn_authority_descriptor = do_aq_descriptor(confd, mycert, enc_cert)
+        entd.authn_authority_descriptor = do_aq_descriptor(confd, mycert,
+                                                           enc_cert)
 
     return entd
 

src/saml2/response.py

@@ -1036,9 +1036,11 @@ def session_info(self):
                     "issuer": self.issuer(), "not_on_or_after": nooa,
                     "authz_decision_info": self.authz_decision_info()}
         else:
+            authn_statement = self.assertion.authn_statement[0]
             return {"ava": self.ava, "name_id": self.name_id,
                     "came_from": self.came_from, "issuer": self.issuer(),
-                    "not_on_or_after": nooa, "authn_info": self.authn_info()}
+                    "not_on_or_after": nooa, "authn_info": self.authn_info(),
+                    "session_index": authn_statement.session_index}
 
     def __str__(self):
         if not isinstance(self.xmlstr, six.string_types):