Integrate SAML2 basic authentication - uses pysaml2

author: Muthu Subramanian <muthu.subramanian.karunanidhi@ericsson.com> 2015-07-07 17:40:30 +0530
committer: Muthu Subramanian <muthu.subramanian.karunanidhi@ericsson.com> 2015-07-08 15:36:54 +0530
commit: 81682d0f820a6209535267a45ee28b8f66ff7794 (patch)
tree: f5cda857c38fe8af6291eb58f937f62280232738 /synapse/rest/client/v1/login.py
parent: Oops: underride rule had an identifier with override in it. (diff)
download: synapse-81682d0f820a6209535267a45ee28b8f66ff7794.tar.xz
1 files changed, 61 insertions, 1 deletions
diff --git a/synapse/rest/client/v1/login.py b/synapse/rest/client/v1/login.py
index b2257b749d..dc7615c6f3 100644
--- a/synapse/rest/client/v1/login.py
+++ b/synapse/rest/client/v1/login.py
@@ -20,14 +20,32 @@ from synapse.types import UserID
 from base import ClientV1RestServlet, client_path_pattern
 
 import simplejson as json
+import cgi
+import urllib
+
+import logging
+from saml2 import BINDING_HTTP_REDIRECT
+from saml2 import BINDING_HTTP_POST
+from saml2.metadata import create_metadata_string
+from saml2 import config
+from saml2.client import Saml2Client
+from saml2.httputil import ServiceError
+from saml2.samlp import Extensions
+from saml2.extension.pefim import SPCertEnc
+from saml2.s_utils import rndstr
 
 
 class LoginRestServlet(ClientV1RestServlet):
     PATTERN = client_path_pattern("/login$")
     PASS_TYPE = "m.login.password"
+    SAML2_TYPE = "m.login.saml2"
+
+    def __init__(self, hs):
+        super(LoginRestServlet, self).__init__(hs)
+        self.idp_redirect_url = hs.config.saml2_config['idp_redirect_url']
 
     def on_GET(self, request):
-        return (200, {"flows": [{"type": LoginRestServlet.PASS_TYPE}]})
+        return (200, {"flows": [{"type": LoginRestServlet.PASS_TYPE}, {"type": LoginRestServlet.SAML2_TYPE}]})
 
     def on_OPTIONS(self, request):
         return (200, {})
@@ -39,6 +57,14 @@ class LoginRestServlet(ClientV1RestServlet):
             if login_submission["type"] == LoginRestServlet.PASS_TYPE:
                 result = yield self.do_password_login(login_submission)
                 defer.returnValue(result)
+            elif login_submission["type"] == LoginRestServlet.SAML2_TYPE:
+                relay_state = ""
+                if "relay_state" in login_submission:
+                    relay_state = "&RelayState="+urllib.quote(login_submission["relay_state"])
+                result = {
+                    "uri": "%s%s"%(self.idp_redirect_url, relay_state)
+                }
+                defer.returnValue((200, result))
             else:
                 raise SynapseError(400, "Bad login type.")
         except KeyError:
@@ -93,6 +119,39 @@ class PasswordResetRestServlet(ClientV1RestServlet):
                 "Missing keys. Requires 'email' and 'user_id'."
             )
 
+class SAML2RestServlet(ClientV1RestServlet):
+    PATTERN = client_path_pattern("/login/saml2")
+
+    def __init__(self, hs):
+        super(SAML2RestServlet, self).__init__(hs)
+        self.sp_config = hs.config.saml2_config['config_path']
+
+    @defer.inlineCallbacks
+    def on_POST(self, request):
+        saml2_auth = None
+        try:
+            conf = config.SPConfig()
+            conf.load_file(self.sp_config)
+            SP = Saml2Client(conf)
+            saml2_auth = SP.parse_authn_request_response(request.args['SAMLResponse'][0], BINDING_HTTP_POST)
+        except Exception, e: # Not authenticated
+            logger = logging.getLogger(__name__)
+            logger.exception(e)
+        if  saml2_auth and saml2_auth.status_ok() and not saml2_auth.not_signed:
+            username = saml2_auth.name_id.text
+            handler = self.handlers.registration_handler
+            (user_id, token) = yield handler.register_saml2(username)
+            # Forward to the RelayState callback along with ava
+            if 'RelayState' in request.args:
+                request.redirect(urllib.unquote(request.args['RelayState'][0])+'?status=authenticated&access_token='+token+'&user_id='+user_id+'&ava='+urllib.quote(json.dumps(saml2_auth.ava)))
+                request.finish()
+                defer.returnValue(None)
+            defer.returnValue((200, {"status":"authenticated", "user_id": user_id, "token": token, "ava":saml2_auth.ava}))
+        elif 'RelayState' in request.args:
+            request.redirect(urllib.unquote(request.args['RelayState'][0])+'?status=not_authenticated')
+            request.finish()
+            defer.returnValue(None)
+        defer.returnValue((200, {"status":"not_authenticated"}))
 
 def _parse_json(request):
     try:
@@ -106,4 +165,5 @@ def _parse_json(request):
 
 def register_servlets(hs, http_server):
     LoginRestServlet(hs).register(http_server)
+    SAML2RestServlet(hs).register(http_server)
     # TODO PasswordResetRestServlet(hs).register(http_server)
author	Muthu Subramanian <muthu.subramanian.karunanidhi@ericsson.com>	2015-07-07 17:40:30 +0530
committer	Muthu Subramanian <muthu.subramanian.karunanidhi@ericsson.com>	2015-07-08 15:36:54 +0530
commit	81682d0f820a6209535267a45ee28b8f66ff7794 (patch)
tree	f5cda857c38fe8af6291eb58f937f62280232738 /synapse/rest/client/v1/login.py
parent	Oops: underride rule had an identifier with override in it. (diff)
download	synapse-81682d0f820a6209535267a45ee28b8f66ff7794.tar.xz