From 98d0bdcbfc605f7981e401cc87bd2a391e20e770 Mon Sep 17 00:00:00 2001 From: Joel Franusic Date: Mon, 6 Apr 2015 16:46:34 -0700 Subject: [PATCH] Initial commit --- .gitignore | 4 + LICENSE | 202 +++++++++++++++++++++++++++++++ app.py | 233 ++++++++++++++++++++++++++++++++++++ requirements.txt | 4 + templates/base.html | 32 +++++ templates/main_page.html | 9 ++ templates/unauthorized.html | 7 ++ templates/user.html | 21 ++++ 8 files changed, 512 insertions(+) create mode 100644 .gitignore create mode 100644 LICENSE create mode 100644 app.py create mode 100644 requirements.txt create mode 100644 templates/base.html create mode 100644 templates/main_page.html create mode 100644 templates/unauthorized.html create mode 100644 templates/user.html diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..87a36a5 --- /dev/null +++ b/.gitignore @@ -0,0 +1,4 @@ +*.pyc +venv/ + +*~ diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..d645695 --- /dev/null +++ b/LICENSE @@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/app.py b/app.py new file mode 100644 index 0000000..0944c48 --- /dev/null +++ b/app.py @@ -0,0 +1,233 @@ +# -*- coding: utf-8 -*- +# Copyright 2015 Okta, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +import logging +import os +import uuid + +from flask import ( + Flask, + redirect, + render_template, + request, + session, + url_for, +) +from flask.ext.login import ( + LoginManager, + UserMixin, + current_user, + login_required, + login_user, + logout_user, +) +from flask_bootstrap import Bootstrap +from saml2 import ( + BINDING_HTTP_POST, + BINDING_HTTP_REDIRECT, + entity, +) +from saml2.client import Saml2Client +from saml2.config import Config as Saml2Config +import requests + +# metadata_url_for contains PER APPLICATION configuration settings. +# Each SAML service that you support will have different values here. +# +# NOTE: +# This is implemented as a dictionary for DEMONSTRATION PURPOSES ONLY. +# On a production system, this information should be stored as approprate +# for your concept of "customer company", "group", "organization", or "team" +metadata_url_for = { + # For testing with http://saml.oktadev.com use the following: + # 'test': 'http://idp.oktadev.com/metadata', + # WARNING WARNING WARNING + # You MUST remove the testing IdP from a production system, + # as the testing IdP will allow ANYBODY to log in as ANY USER! + # WARNING WARNING WARNING + } + +app = Flask(__name__) +Bootstrap(app) +app.secret_key = str(uuid.uuid4()) # Replace with your secret key +login_manager = LoginManager() +login_manager.setup_app(app) +logging.basicConfig(level=logging.DEBUG) +# NOTE: +# This is implemented as a dictionary for DEMONSTRATION PURPOSES ONLY. +# On a production system, this information must come +# from your system's user store. +user_store = {} + + +def saml_client_for(idp_name=None): + ''' + Given the name of an IdP, return a configuation. + The configuration is a hash for use by saml2.config.Config + ''' + + if idp_name not in metadata_url_for: + raise Exception("Settings for IDP '{}' not found".format(idp_name)) + acs_url = url_for( + "idp_initiated", + idp_name=idp_name, + _external=True) + + # NOTE: + # Ideally, this should fetch the metadata and pass it to + # PySAML2 via the "inline" metadata type. + # However, this method doesn't seem to work on PySAML2 v2.4.0 + # + # SAML metadata changes very rarely. On a production system, + # this data should be cached as approprate for your production system. + rv = requests.get(metadata_url_for[idp_name]) + import tempfile + tmp = tempfile.NamedTemporaryFile() + f = open(tmp.name, 'w') + f.write(rv.text) + f.close() + + settings = { + 'metadata': { + # 'inline': metadata, + "local": [tmp.name] + }, + 'service': { + 'sp': { + 'endpoints': { + 'assertion_consumer_service': [ + (acs_url, BINDING_HTTP_REDIRECT), + (acs_url, BINDING_HTTP_POST) + ], + }, + # Don't verify that the incoming requests originate from us via + # the built-in cache for authn request ids in pysaml2 + 'allow_unsolicited': True, + # Don't sign authn requests, since signed requests only make + # sense in a situation where you control both the SP and IdP + 'authn_requests_signed': False, + 'logout_requests_signed': True, + 'want_assertions_signed': True, + 'want_response_signed': False, + }, + }, + } + spConfig = Saml2Config() + spConfig.load(settings) + spConfig.allow_unknown_attributes = True + saml_client = Saml2Client(config=spConfig) + tmp.close() + return saml_client + + +class User(UserMixin): + def __init__(self, user_id): + user = {} + self.id = None + self.first_name = None + self.last_name = None + try: + user = user_store[user_id] + self.id = unicode(user_id) + self.first_name = user['first_name'] + self.last_name = user['last_name'] + except: + pass + + +@login_manager.user_loader +def load_user(user_id): + return User(user_id) + + +@app.route("/") +def main_page(): + return render_template('main_page.html', idp_dict=metadata_url_for) + + +@app.route("/saml/sso/", methods=['POST']) +def idp_initiated(idp_name): + saml_client = saml_client_for(idp_name) + authn_response = saml_client.parse_authn_request_response( + request.form['SAMLResponse'], + entity.BINDING_HTTP_POST) + authn_response.get_identity() + user_info = authn_response.get_subject() + username = user_info.text + + # This is what as known as "Just In Time (JIT) provisioning". + # What that means is that, if a user in a SAML assertion + # isn't in the user store, we create that user first, then log them in + if username not in user_store: + user_store[username] = { + 'first_name': authn_response.ava['FirstName'][0], + 'last_name': authn_response.ava['LastName'][0], + } + user = User(username) + session['saml_attributes'] = authn_response.ava + login_user(user) + url = url_for('user') + # NOTE: + # On a production system, the RelayState MUST be checked + # to make sure it doesn't contain dangerous URLs! + if 'RelayState' in request.form: + url = request.form['RelayState'] + return redirect(url) + + +@app.route("/saml/login/") +def sp_initiated(idp_name): + saml_client = saml_client_for(idp_name) + reqid, info = saml_client.prepare_for_authenticate() + + redirect_url = None + # Select the IdP URL to send the AuthN request to + for key, value in info['headers']: + if key is 'Location': + redirect_url = value + response = redirect(redirect_url, code=302) + # NOTE: + # I realize I _technically_ don't need to set Cache-Control or Pragma: + # http://stackoverflow.com/a/5494469 + # However, Section 3.2.3.2 of the SAML spec suggests they are set: + # http://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf + # We set those headers here as a "belt and suspenders" approach, + # since enterprise environments don't always conform to RFCs + response.headers['Cache-Control'] = 'no-cache, no-store' + response.headers['Pragma'] = 'no-cache' + return response + + +@app.route("/user") +@login_required +def user(): + return render_template('user.html', session=session) + + +@app.errorhandler(401) +def error_unauthorized(error): + return render_template('unauthorized.html') + + +@app.route("/logout") +@login_required +def logout(): + logout_user() + return redirect(url_for("main_page")) + +if __name__ == "__main__": + port = int(os.environ.get('PORT', 5000)) + if port == 5000: + app.debug = True + app.run(host='0.0.0.0', port=port) diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..596b5af --- /dev/null +++ b/requirements.txt @@ -0,0 +1,4 @@ +Flask==0.10.1 +Flask-Bootstrap==3.3.2.1 +Flask-Login==0.2.11 +pysaml2==2.4.0 diff --git a/templates/base.html b/templates/base.html new file mode 100644 index 0000000..53e32d5 --- /dev/null +++ b/templates/base.html @@ -0,0 +1,32 @@ +{% extends "bootstrap/base.html" %} +{% set application_name = 'PySAML2 Example SAML SP' %} +{% block title %}{{ application_name }}{% endblock %} +{% block body_attribs %} style="padding-top: 60px"{% endblock %} +{% block navbar %} + +
+ {% endblock %} + {% block content %} +
+{% endblock %} + diff --git a/templates/main_page.html b/templates/main_page.html new file mode 100644 index 0000000..f578232 --- /dev/null +++ b/templates/main_page.html @@ -0,0 +1,9 @@ +{% extends 'base.html' %} +{% block content %} +

Select the IdP you want to use to authenticate:

+
    + {% for idp in idp_dict.keys() %} +
  1. {{idp}}
    2. + {% endfor %} +
+{% endblock %} diff --git a/templates/unauthorized.html b/templates/unauthorized.html new file mode 100644 index 0000000..ff6e94e --- /dev/null +++ b/templates/unauthorized.html @@ -0,0 +1,7 @@ +{% extends 'base.html' %} +{% block content %} +

Unauthorized

+

+ The server could not verify that you are authorized to access the URL requested. You either supplied the wrong credentials (e.g. a bad password), or your browser doesn't understand how to supply the credentials required. +

+{% endblock %} diff --git a/templates/user.html b/templates/user.html new file mode 100644 index 0000000..e150520 --- /dev/null +++ b/templates/user.html @@ -0,0 +1,21 @@ +{% extends 'base.html' %} +{% block content %} +
+

Logged in

+

+ Contents of the most recent SAML assertion: +

+
+ + {% if session.saml_attributes %} + {% for attribute in session.saml_attributes.keys() %} + + + + + {% endfor %} + {% endif %} +
{{ attribute }}{{ session.saml_attributes[attribute][0] }}
+
+
+{% endblock %}