From b4bcb99e3217e658c1277cd5d484fa0c62c7aa0c Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Wed, 10 Sep 2014 17:20:02 -0400 Subject: Use transactions throughout the code Signed-off-by: Simo Sorce Reviewed-by: Patrick Uiterwijk --- ipsilon/providers/common.py | 8 ++++++- ipsilon/providers/saml2/auth.py | 50 +++++++++++++++++++++++++++++------------ ipsilon/providers/saml2idp.py | 8 +++---- 3 files changed, 47 insertions(+), 19 deletions(-) (limited to 'ipsilon/providers') diff --git a/ipsilon/providers/common.py b/ipsilon/providers/common.py index 6bcfef8..b1968f4 100755 --- a/ipsilon/providers/common.py +++ b/ipsilon/providers/common.py @@ -118,7 +118,13 @@ class ProviderPageBase(Page): raise cherrypy.HTTPError(501) def root(self, *args, **kwargs): - op = getattr(self, cherrypy.request.method, self.GET) + method = cherrypy.request.method + + preop = getattr(self, 'pre_%s' % method, None) + if preop and callable(preop): + preop(*args, **kwargs) + + op = getattr(self, method, self.GET) if callable(op): return op(*args, **kwargs) else: diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py index e35ff13..861ef96 100755 --- a/ipsilon/providers/saml2/auth.py +++ b/ipsilon/providers/saml2/auth.py @@ -22,6 +22,7 @@ from ipsilon.providers.saml2.provider import ServiceProvider from ipsilon.providers.saml2.provider import InvalidProviderId from ipsilon.providers.saml2.provider import NameIdNotAllowed from ipsilon.util.user import UserSession +from ipsilon.util.trans import Transaction import cherrypy import datetime import lasso @@ -53,9 +54,25 @@ class AuthenticateRequest(ProviderPageBase): def __init__(self, *args, **kwargs): super(AuthenticateRequest, self).__init__(*args, **kwargs) - self.STAGE_INIT = 0 - self.STAGE_AUTH = 1 - self.stage = self.STAGE_INIT + self.stage = 'init' + self.trans = None + + def _preop(self, *args, **kwargs): + try: + # generate a new id or get current one + self.trans = Transaction('saml2', **kwargs) + if self.trans.cookie.value != self.trans.provider: + self.debug('Invalid transaction, %s != %s' % ( + self.trans.cookie.value, self.trans.provider)) + except Exception, e: # pylint: disable=broad-except + self.debug('Transaction initialization failed: %s' % repr(e)) + raise cherrypy.HTTPError(400, 'Invalid transaction id') + + def pre_GET(self, *args, **kwargs): + self._preop(*args, **kwargs) + + def pre_POST(self, *args, **kwargs): + self._preop(*args, **kwargs) def auth(self, login): try: @@ -116,21 +133,28 @@ class AuthenticateRequest(ProviderPageBase): def saml2checks(self, login): - session = UserSession() - user = session.get_user() + us = UserSession() + user = us.get_user() if user.is_anonymous: - if self.stage < self.STAGE_AUTH: - session.save_data('saml2', 'stage', self.STAGE_AUTH) - session.save_data('saml2', 'Request', login.dump()) - session.save_data('login', 'Return', - '%s/saml2/SSO/Continue' % self.basepath) - raise cherrypy.HTTPRedirect('%s/login' % self.basepath) + if self.stage == 'init': + returl = '%s/saml2/SSO/Continue?%s' % ( + self.basepath, self.trans.get_GET_arg()) + data = {'saml2_stage': 'auth', + 'saml2_request': login.dump(), + 'login_return': returl} + self.trans.store(data) + redirect = '%s/login?%s' % (self.basepath, + self.trans.get_GET_arg()) + raise cherrypy.HTTPRedirect(redirect) else: raise AuthenticationError( "Unknown user", lasso.SAML2_STATUS_CODE_AUTHN_FAILED) self._audit("Logged in user: %s [%s]" % (user.name, user.fullname)) + # We can wipe the transaction now, as this is the last step + self.trans.wipe() + # TODO: check if this is the first time this user access this SP # If required by user prefs, ask user for consent once and then # record it @@ -157,9 +181,6 @@ class AuthenticateRequest(ProviderPageBase): authtime_notbefore = authtime - skew authtime_notafter = authtime + skew - us = UserSession() - user = us.get_user() - # TODO: get authentication type fnd name format from session # need to save which login manager authenticated and map it to a # saml2 authentication context @@ -190,6 +211,7 @@ class AuthenticateRequest(ProviderPageBase): login.assertion.subject.nameId.format = nameidfmt login.assertion.subject.nameId.content = nameid else: + self.trans.wipe() raise AuthenticationError("Unavailable Name ID type", lasso.SAML2_STATUS_CODE_AUTHN_FAILED) diff --git a/ipsilon/providers/saml2idp.py b/ipsilon/providers/saml2idp.py index a19899c..e30e4a1 100755 --- a/ipsilon/providers/saml2idp.py +++ b/ipsilon/providers/saml2idp.py @@ -60,8 +60,8 @@ class Continue(AuthenticateRequest): session = UserSession() user = session.get_user() - session.nuke_data('login', 'Return') - self.stage = session.get_data('saml2', 'stage') + transdata = self.trans.retrieve() + self.stage = transdata['saml2_stage'] if user.is_anonymous: self._debug("User is marked anonymous?!") @@ -70,11 +70,11 @@ class Continue(AuthenticateRequest): self._debug('Continue auth for %s' % user.name) - dump = session.get_data('saml2', 'Request') - if not dump: + if 'saml2_request' not in transdata: self._debug("Couldn't find Request dump?!") # TODO: Return to SP with auth failed error raise cherrypy.HTTPError(400) + dump = transdata['saml2_request'] try: login = self.cfg.idp.get_login_handler(dump) -- cgit