diff options
author | Simo Sorce <simo@redhat.com> | 2014-02-24 21:43:12 -0500 |
---|---|---|
committer | Simo Sorce <simo@redhat.com> | 2014-02-26 18:41:08 -0500 |
commit | 87f1f56c157145e81efa6b58ec9b0d7f89facfc0 (patch) | |
tree | c0aa3c93372831207cefc5012d0589034202a0b8 | |
parent | 953a4e418b1bdcbfddaf52d27a4cba9e9d8062e5 (diff) | |
download | ipsilon-87f1f56c157145e81efa6b58ec9b0d7f89facfc0.tar.gz ipsilon-87f1f56c157145e81efa6b58ec9b0d7f89facfc0.tar.xz ipsilon-87f1f56c157145e81efa6b58ec9b0d7f89facfc0.zip |
Add authentication exception support
This also add code to return an error code to the SP.
Signed-off-by: Simo Sorce <simo@redhat.com>
-rwxr-xr-x | ipsilon/providers/saml2/auth.py | 35 |
1 files changed, 30 insertions, 5 deletions
diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py index e73a692..4adb959 100755 --- a/ipsilon/providers/saml2/auth.py +++ b/ipsilon/providers/saml2/auth.py @@ -24,6 +24,17 @@ import datetime import lasso +class AuthenticationError(Exception): + + def __init__(self, message, code): + super(AuthenticationError, self).__init__(message) + self.message = message + self.code = code + + def __str__(self): + return repr(self.message) + + class InvalidRequest(Exception): def __init__(self, message): @@ -43,8 +54,11 @@ class AuthenticateRequest(ProviderPageBase): self.stage = self.STAGE_INIT def auth(self, login): - self.saml2checks(login) - self.saml2assertion(login) + try: + self.saml2checks(login) + self.saml2assertion(login) + except AuthenticationError, e: + self.saml2error(login, e.code, e.message) return self.reply(login) def _parse_request(self, message): @@ -69,10 +83,12 @@ class AuthenticateRequest(ProviderPageBase): except (lasso.ServerProviderNotFoundError, lasso.ProfileUnknownProviderError), e: - msg = 'Invalid Service Provider (%r [%r])' % (e, message) - # TODO: return to SP anyway ? + msg = 'Invalid SP [%s] (%r [%r])' % (login.remoteProviderId, + e, message) raise InvalidRequest(msg) + self._debug('SP %s requested authentication' % login.remoteProviderId) + return login def saml2login(self, request): @@ -104,7 +120,8 @@ class AuthenticateRequest(ProviderPageBase): '%s/saml2/SSO/Continue' % self.basepath) raise cherrypy.HTTPRedirect('%s/login' % self.basepath) else: - raise cherrypy.HTTPError(401) + raise AuthenticationError( + "Unknown user", lasso.SAML2_STATUS_CODE_AUTHN_FAILED) self._audit("Logged in user: %s [%s]" % (user.name, user.fullname)) @@ -145,6 +162,14 @@ class AuthenticateRequest(ProviderPageBase): # TODO: add user attributes as policy requires taking from 'user' + def saml2error(self, login, code, message): + status = lasso.Samlp2Status() + status.statusCode = lasso.Samlp2StatusCode() + status.statusCode.value = lasso.SAML2_STATUS_CODE_RESPONDER + status.statusCode.statusCode = lasso.Samlp2StatusCode() + status.statusCode.statusCode.value = code + login.response.status = status + def reply(self, login): if login.protocolProfile == lasso.LOGIN_PROTOCOL_PROFILE_BRWS_ART: # TODO |