Matrix-Mirrors/anonymousland-synapse
1
0
Fork 0
mirror of https://git.anonymousland.org/anonymousland/synapse.git synced 2025-08-14 15:15:24 -04:00
Code Issues Projects Releases Packages Wiki Activity

Integrate SAML2 basic authentication - uses pysaml2

Browse source
This commit is contained in:
Muthu Subramanian 2015-07-07 17:40:30 +05:30
parent 6825eef955
commit 81682d0f82
5 changed files with 122 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

62
synapse/rest/client/v1/login.py
View file

@ -20,14 +20,32 @@ from synapse.types import UserID
from base import ClientV1RestServlet, client_path_pattern
import simplejson as json
import cgi
import urllib
import logging
from saml2 import BINDING_HTTP_REDIRECT
from saml2 import BINDING_HTTP_POST
from saml2.metadata import create_metadata_string
from saml2 import config
from saml2.client import Saml2Client
from saml2.httputil import ServiceError
from saml2.samlp import Extensions
from saml2.extension.pefim import SPCertEnc
from saml2.s_utils import rndstr
class LoginRestServlet(ClientV1RestServlet):
PATTERN = client_path_pattern("/login$")
PASS_TYPE = "m.login.password"
SAML2_TYPE = "m.login.saml2"
def __init__(self, hs):
super(LoginRestServlet, self).__init__(hs)
self.idp_redirect_url = hs.config.saml2_config['idp_redirect_url']
def on_GET(self, request):
return (200, {"flows": [{"type": LoginRestServlet.PASS_TYPE}]})
return (200, {"flows": [{"type": LoginRestServlet.PASS_TYPE}, {"type": LoginRestServlet.SAML2_TYPE}]})
def on_OPTIONS(self, request):
return (200, {})
@ -39,6 +57,14 @@ class LoginRestServlet(ClientV1RestServlet):
if login_submission["type"] == LoginRestServlet.PASS_TYPE:
result = yield self.do_password_login(login_submission)
defer.returnValue(result)
elif login_submission["type"] == LoginRestServlet.SAML2_TYPE:
relay_state = ""
if "relay_state" in login_submission:
relay_state = "&RelayState="+urllib.quote(login_submission["relay_state"])
result = {
"uri": "%s%s"%(self.idp_redirect_url, relay_state)
}
defer.returnValue((200, result))
else:
raise SynapseError(400, "Bad login type.")
except KeyError:
@ -93,6 +119,39 @@ class PasswordResetRestServlet(ClientV1RestServlet):
"Missing keys. Requires 'email' and 'user_id'."
)
class SAML2RestServlet(ClientV1RestServlet):
PATTERN = client_path_pattern("/login/saml2")
def __init__(self, hs):
super(SAML2RestServlet, self).__init__(hs)
self.sp_config = hs.config.saml2_config['config_path']
@defer.inlineCallbacks
def on_POST(self, request):
saml2_auth = None
try:
conf = config.SPConfig()
conf.load_file(self.sp_config)
SP = Saml2Client(conf)
saml2_auth = SP.parse_authn_request_response(request.args['SAMLResponse'][0], BINDING_HTTP_POST)
except Exception, e: # Not authenticated
logger = logging.getLogger(__name__)
logger.exception(e)
if saml2_auth and saml2_auth.status_ok() and not saml2_auth.not_signed:
username = saml2_auth.name_id.text
handler = self.handlers.registration_handler
(user_id, token) = yield handler.register_saml2(username)
# Forward to the RelayState callback along with ava
if 'RelayState' in request.args:
request.redirect(urllib.unquote(request.args['RelayState'][0])+'?status=authenticated&access_token='+token+'&user_id='+user_id+'&ava='+urllib.quote(json.dumps(saml2_auth.ava)))
request.finish()
defer.returnValue(None)
defer.returnValue((200, {"status":"authenticated", "user_id": user_id, "token": token, "ava":saml2_auth.ava}))
elif 'RelayState' in request.args:
request.redirect(urllib.unquote(request.args['RelayState'][0])+'?status=not_authenticated')
request.finish()
defer.returnValue(None)
defer.returnValue((200, {"status":"not_authenticated"}))
def _parse_json(request):
try:
@ -106,4 +165,5 @@ def _parse_json(request):
def register_servlets(hs, http_server):
LoginRestServlet(hs).register(http_server)
SAML2RestServlet(hs).register(http_server)
# TODO PasswordResetRestServlet(hs).register(http_server)