Attachment 'patch-moinmoinsaml-saml.py.diff'
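--- a/saml.py
+++ b/saml.py
@@ -27,13 +27,18 @@
 from MoinMoin.auth import MultistageRedirectLogin
 from MoinMoin.auth import get_multistage_continuation_url
 
-from werkzeug import redirect, abort
+try:
+ from werkzeug import redirect, abort
+except ImportError:
+ redirect = None
+ abort = None
 
 from saml2 import BINDING_HTTP_REDIRECT
 from saml2.cache import Cache
 from saml2.client import Saml2Client
 from saml2.config import SPConfig
 
+from MoinSupport import get_form
 
 def get_saml_sp_conf(config_dict):
 conf = SPConfig()
@@ -132,6 +137,7 @@
 except KeyError:
 logging.debug('SAML: The attribute %s was not found in the assertion'
 % attribute)
+ logging.debug('SAML attributes: %r' % saml_attributes)
 return CancelLogin(_('The assetion is missing required attributes'))
 
 # check if the user is valid
@@ -148,12 +154,13 @@
 _ = request.getText
 
 logging.debug('SAML: assertion consumer service')
- saml_response = request.values.get('SAMLResponse')
+ form = get_form(request)
+ saml_response = form.get('SAMLResponse')
 if saml_response is None:
 logging.debug('SAML: missing SAMLResponse POST key')
 return CancelLogin(_('SAML error: missing SAMLResponse POST key'))
 
- post = {'SAMLResponse': saml_response}
+ post = {'SAMLResponse': saml_response[0]}
 conf = get_saml_sp_conf(request.cfg.saml_config)
 client = Saml2Client(conf, logger=logging,
 identity_cache=IdentityCache(request.session))
@@ -184,7 +191,12 @@
 _ = request.getText
 
 # session can't be stored
- if not request.cfg.cookie_lifetime[0]:
+ lifetime = request.cfg.cookie_lifetime
+ try:
+ lifetime = lifetime[0]
+ except TypeError:
+ pass
+ if not lifetime:
 msg = _('Anonymous sessions need to be enabled for SAML login.')
 return ContinueLogin(user_obj, msg)
 
@@ -214,8 +226,10 @@
 state_cache=state,
 identity_cache=IdentityCache(request.session))
 
- if 'SAMLResponse' in request.values: # we started the logout
- saml_response = request.values.get('SAMLResponse')
+ form = get_form(request)
+
+ if form.has_key('SAMLResponse'): # we started the logout
+ saml_response = form['SAMLResponse'][0]
 response = client.logout_response(saml_response,
 binding=BINDING_HTTP_REDIRECT)
 state.sync()
@@ -227,9 +241,10 @@
 else:
 return CancelLogin(_('Error during logout'))
 
- elif 'SAMLRequest' in request.values: # logout started by the IdP
+ elif form.has_key('SAMLRequest'): # logout started by the IdP
 subject_id = request.session['saml_subject_id']
- response, success = client.logout_request(request.values,
+ fields = dict([(k, v[0]) for (k, v) in form.items()])
+ response, success = client.logout_request(fields,
 subject_id)
 state.sync()
 if success:
@@ -247,11 +262,11 @@
 return CancelLogin(_('No SAMLResponse or SAMLRequest parameter found'))
 
 def logout(self, request, user_obj, **kw):
- form = request.values
+ form = get_form(request)
 
 stage = form.get('stage')
 
- if stage == 'saml':
+ if stage and stage[0] == 'saml':
 return self._logout_service(request, user_obj)
 
 if not (self.name and user_obj
@@ -269,11 +284,21 @@
 session_id, code, head, body = client.global_logout(subject_id)
 headers = dict(head)
 state.sync()
- # we need to manually save the session because the abort
- # function raises and exception and the standard code path
- # for saving the seession is not reached
- # In other words: MoinMoin does not support multistage logout
- # process and this is a workaround.
- request.cfg.session_service.finalize(request, request.session)
 
- abort(redirect(headers['Location']))
+ if hasattr(request.cfg, 'session_service'):
+ # we need to manually save the session because the abort
+ # function raises and exception and the standard code path
+ # for saving the seession is not reached
+ # In other words: MoinMoin does not support multistage logout
+ # process and this is a workaround.
+ request.cfg.session_service.finalize(request, request.session)
+ else:
+ user_obj.valid = False
+
+ if headers.has_key('Location'):
+ if abort:
+ abort(redirect(headers['Location']))
+ else:
+ request.http_redirect(headers['Location'])
+
+ return user_obj, False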
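Review bot: The assertion consumer hunk indexes `saml_response[0]` after testing only `saml_response is None`, so a request carrying the key with an empty value list would raise IndexError, and one carrying several `SAMLResponse` values is accepted with only the first one examined. Whether `get_form` can return an empty list is not visible here, so the first case is inferred from the `[0]` indexing. On an authentication endpoint I would require exactly one value, e.g. `if not saml_response or len(saml_response) != 1:` in front of the existing `CancelLogin` return. The same first-value pattern appears in the logout hunks (`form['SAMLResponse'][0]` and `v[0]` in the `fields` comprehension) and deserves the same guard. The enclosing functions start and end outside the hunks.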