-rw-r--r-- | ipsilon/providers/saml2/auth.py | 6 | ||||
-rw-r--r-- | ipsilon/providers/saml2idp.py | 22 | ||||
-rwxr-xr-x | ipsilon/tools/saml2metadata.py | 2 | ||||
-rw-r--r-- | ipsilon/util/http.py (renamed from ipsilon/util/cherrypy.py) | 9 |
4 files changed, 20 insertions, 19 deletions
diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py
index 6a1d9bf..3ddb615 100644
--- a/ipsilon/providers/saml2/auth.py
+++ b/ipsilon/providers/saml2/auth.py
@@ -21,6 +21,7 @@ from ipsilon.providers.saml2.provider import ServiceProvider
 from ipsilon.providers.saml2.provider import InvalidProviderId
 from ipsilon.providers.saml2.provider import NameIdNotAllowed
 from ipsilon.providers.saml2.sessions import SAMLSessionsContainer
+from ipsilon.tools import saml2metadata as metadata
 from ipsilon.util.policy import Policy
 from ipsilon.util.user import UserSession
 from ipsilon.util.trans import Transaction
@@ -51,7 +52,8 @@ class AuthenticateRequest(ProviderPageBase):
 
         # generate a new id or get current one
         self.trans = Transaction('saml2', **kwargs)
-        self.debug('self.binding=%s, transdata=%s', self.binding, self.trans.retrieve())
+        self.debug('self.binding=%s, transdata=%s' %
+                   (self.binding, self.trans.retrieve()))
         if self.binding is None:
             # SAML binding is unknown, try to get it from transaction
             transdata = self.trans.retrieve()
@@ -62,7 +64,7 @@ class AuthenticateRequest(ProviderPageBase):
             self.trans.store(data)
 
         # Only check for cookie for those bindings which use one
-        if self.binding not in (SAML2_SERVICE_MAP['sso-soap'][1]):
+        if self.binding not in (metadata.SAML2_SERVICE_MAP['sso-soap'][1]):
             if self.trans.cookie.value != self.trans.provider:
                 self.debug('Invalid transaction, %s != %s' % (
                     self.trans.cookie.value, self.trans.provider))
diff --git a/ipsilon/providers/saml2idp.py b/ipsilon/providers/saml2idp.py
index af7b752..33efaa7 100644
--- a/ipsilon/providers/saml2idp.py
+++ b/ipsilon/providers/saml2idp.py
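Review bot: The reflowed debug call logs the entire transaction payload returned by `self.trans.retrieve()`, and it calls `retrieve()` a second time three lines below when the binding is unknown. What the payload contains is not visible here, but the cookie comparison further down shows it carries request-binding state, so dumping it wholesale at debug level is more than a log reader needs; fetch it once and log only what the check uses: `transdata = self.trans.retrieve()` followed by `self.debug('self.binding=%s, transdata keys=%s' % (self.binding, sorted(transdata)))`, then reuse `transdata` in the `is None` branch. The enclosing method starts and ends outside this hunk.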
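Review bot: `self.binding not in (metadata.SAML2_SERVICE_MAP['sso-soap'][1])` is not a membership test against a tuple: the parentheses wrap a single string, so `not in` performs a substring match against the SOAP binding URI. Any binding value that is a substring of that URI skips the transaction-cookie check that every non-SOAP flow relies on — the empty string is contained in every string — and a binding that is still `None` after the lookup above raises `TypeError` instead of failing closed. Because this condition decides whether the request is tied to its transaction cookie, make it exact: `if self.binding != metadata.SAML2_SERVICE_MAP['sso-soap'][1]:` (or add the trailing comma to make the parenthesised value a real one-element tuple). The commit only prefixes `metadata.` and leaves the comparison as it was; the enclosing method begins before this hunk.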
@@ -25,7 +25,7 @@ from ipsilon.providers.saml2.provider import IdentityProvider
 from ipsilon.tools.certs import Certificate
 from ipsilon.tools import saml2metadata as metadata
 from ipsilon.tools import files
-from ipsilon.util.cherrypy import require_content_type
+from ipsilon.util.http import require_content_type
 from ipsilon.util.constants import SOAP_MEDIA_TYPE, XML_MEDIA_TYPE
 from ipsilon.util.user import UserSession
 from ipsilon.util.plugin import PluginObject
@@ -37,28 +37,31 @@
 import os
 import time
 import uuid
 
 
+cherrypy.tools.require_content_type = cherrypy.Tool('before_request_body',
+                                                    require_content_type)
+
+
 def is_lasso_ecp_enabled():
     # FIXME - we do not have a 2.4.2 package yet, so for testing just
     # return True
     return True
     # Full ECP support appeared in lasso version 2.4.2
-    return lasso.checkVersion(2, 4, 2, lasso.CHECK_VERSION_NUMERIC)
-
+    # return lasso.checkVersion(2, 4, 2, lasso.CHECK_VERSION_NUMERIC)
+
 
 class SSO_SOAP(AuthenticateRequest):
 
     def __init__(self, *args, **kwargs):
         super(SSO_SOAP, self).__init__(*args, **kwargs)
-        self.binding = SAML2_SERVICE_MAP['sso-soap'][1]
+        self.binding = metadata.SAML2_SERVICE_MAP['sso-soap'][1]
 
     @cherrypy.tools.require_content_type(
         required=[SOAP_MEDIA_TYPE, XML_MEDIA_TYPE])
     @cherrypy.tools.accept(media=[SOAP_MEDIA_TYPE, XML_MEDIA_TYPE])
-    @cherrypy.tools.response_headers([('Content-Type', 'SOAP_MEDIA_TYPE')])
+    @cherrypy.tools.response_headers(
+        headers=[('Content-Type', 'SOAP_MEDIA_TYPE')])
     def POST(self, *args, **kwargs):
-        response = cherrypy.serving.response
-
         self.debug("SSO_SOAP.POST() begin")
         self.debug("SSO_SOAP transaction provider=%s id=%s" %
@@ -84,8 +87,7 @@ class Redirect(AuthenticateRequest):
 
     def __init__(self, *args, **kwargs):
         super(Redirect, self).__init__(*args, **kwargs)
-        self.binding = SAML2_SERVICE_MAP['sso-redirect'][1]
-
+        self.binding = metadata.SAML2_SERVICE_MAP['sso-redirect'][1]
 
     def GET(self, *args, **kwargs):
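Review bot: `response_headers(headers=[('Content-Type', 'SOAP_MEDIA_TYPE')])` passes the quoted name, not the constant, so the SSO_SOAP response goes out with the literal header value `SOAP_MEDIA_TYPE` instead of the SOAP media type; the commit reflows the decorator but keeps the quotes. The constant imported a few lines up is what is meant: `headers=[('Content-Type', SOAP_MEDIA_TYPE)]`. Also in this hunk, `is_lasso_ecp_enabled()` now returns True unconditionally with the version check reduced to a comment; the comment above it says full ECP needs lasso 2.4.2, so an older lasso would advertise ECP it does not fully support — leave a `# TODO: restore lasso.checkVersion(2, 4, 2, lasso.CHECK_VERSION_NUMERIC) once the 2.4.2 package is available` rather than dead code. `POST` continues past the end of the hunk.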
@@ -99,7 +101,7 @@ class POSTAuth(AuthenticateRequest):
 
     def __init__(self, *args, **kwargs):
         super(POSTAuth, self).__init__(*args, **kwargs)
-        self.binding = SAML2_SERVICE_MAP['sso-post'][1]
+        self.binding = metadata.SAML2_SERVICE_MAP['sso-post'][1]
 
     def POST(self, *args, **kwargs):
diff --git a/ipsilon/tools/saml2metadata.py b/ipsilon/tools/saml2metadata.py
index af606a7..b08d739 100755
--- a/ipsilon/tools/saml2metadata.py
+++ b/ipsilon/tools/saml2metadata.py
@@ -41,7 +41,7 @@ SAML2_SERVICE_MAP = {
     'sso-redirect': ('SingleSignOnService',
                      lasso.SAML2_METADATA_BINDING_REDIRECT),
     'sso-soap': ('SingleSignOnService',
-                     lasso.SAML2_METADATA_BINDING_SOAP),
+                 lasso.SAML2_METADATA_BINDING_SOAP),
     'logout-redirect': ('SingleLogoutService',
                         lasso.SAML2_METADATA_BINDING_REDIRECT),
     'response-post': ('AssertionConsumerService',
diff --git a/ipsilon/util/cherrypy.py b/ipsilon/util/http.py
index 47d1be8..7927537 100644
--- a/ipsilon/util/cherrypy.py
+++ b/ipsilon/util/http.py
@@ -16,6 +16,8 @@
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 
 import cherrypy
+import fnmatch
+
 
 def require_content_type(required=None, absent_ok=True, debug=False):
     '''CherryPy Tool that validates request Content-Type.
@@ -76,11 +78,6 @@ def require_content_type(required=None, absent_ok=True, debug=False):
         else:
             content_type = 'not specified'
         message = ('Content-Type must match one of following patterns [%s], '
-                   'but the Content-Type was %s' % \
+                   'but the Content-Type was %s' %
                    (acceptable, content_type))
         raise cherrypy.HTTPError(415, message=message)
-
-
-cherrypy.tools.require_content_type = cherrypy.Tool('before_request_body', require_content_type)
-
-
|
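Review bot: Removing the module-level `cherrypy.tools.require_content_type = cherrypy.Tool(...)` registration from http.py means the decorator exists only once saml2idp.py has been imported; any other handler that imports `require_content_type` from `ipsilon.util.http` and applies `@cherrypy.tools.require_content_type` before that point fails with `AttributeError` on the toolbox, and a second module registering it would silently replace the first. Keeping the registration next to the function it wraps, or guarding the one in saml2idp.py with `if not hasattr(cherrypy.tools, 'require_content_type'):`, keeps the hook in a single, import-order-independent place. Also visible here: the 415 message reflects the client-supplied Content-Type into the error body, which is safe only as long as CherryPy's error page HTML-escapes `message` (current releases do); capping it, e.g. `content_type[:128]`, keeps an oversized header from bloating the response and logs. The function's body begins before this hunk.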