[ceph.git] / ceph / src / pybind / mgr / dashboard / controllers / saml2.py

# -*- coding: utf-8 -*-

import cherrypy

try:
    from onelogin.saml2.auth import OneLogin_Saml2_Auth
    from onelogin.saml2.errors import OneLogin_Saml2_Error
    from onelogin.saml2.settings import OneLogin_Saml2_Settings

    python_saml_imported = True
except ImportError:
    python_saml_imported = False

from .. import mgr
from ..exceptions import UserDoesNotExist
from ..services.auth import JwtManager
from ..tools import prepare_url_prefix
from . import BaseController, ControllerAuthMixin, Endpoint, Router, allow_empty_body


@Router('/auth/saml2', secure=False)
class Saml2(BaseController, ControllerAuthMixin):

    @staticmethod
    def _build_req(request, post_data):
        return {
            'https': 'on' if request.scheme == 'https' else 'off',
            'http_host': request.host,
            'script_name': request.path_info,
            'server_port': str(request.port),
            'get_data': {},
            'post_data': post_data
        }

    @staticmethod
    def _check_python_saml():
        if not python_saml_imported:
            raise cherrypy.HTTPError(400, 'Required library not found: `python3-saml`')
        try:
            OneLogin_Saml2_Settings(mgr.SSO_DB.saml2.onelogin_settings)
        except OneLogin_Saml2_Error:
            raise cherrypy.HTTPError(400, 'Single Sign-On is not configured.')

    @Endpoint('POST', path="", version=None)
    @allow_empty_body
    def auth_response(self, **kwargs):
        Saml2._check_python_saml()
        req = Saml2._build_req(self._request, kwargs)
        auth = OneLogin_Saml2_Auth(req, mgr.SSO_DB.saml2.onelogin_settings)
        auth.process_response()
        errors = auth.get_errors()

        if auth.is_authenticated():
            JwtManager.reset_user()
            username_attribute = auth.get_attribute(mgr.SSO_DB.saml2.get_username_attribute())
            if username_attribute is None:
                raise cherrypy.HTTPError(400,
                                         'SSO error - `{}` not found in auth attributes. '
                                         'Received attributes: {}'
                                         .format(
                                             mgr.SSO_DB.saml2.get_username_attribute(),
                                             auth.get_attributes()))
            username = username_attribute[0]
            url_prefix = prepare_url_prefix(mgr.get_module_option('url_prefix', default=''))
            try:
                mgr.ACCESS_CTRL_DB.get_user(username)
            except UserDoesNotExist:
                raise cherrypy.HTTPRedirect("{}/#/sso/404".format(url_prefix))

            token = JwtManager.gen_token(username)
            JwtManager.set_user(JwtManager.decode_token(token))
            token = token.decode('utf-8')
            self._set_token_cookie(url_prefix, token)
            raise cherrypy.HTTPRedirect("{}/#/login?access_token={}".format(url_prefix, token))

        return {
            'is_authenticated': auth.is_authenticated(),
            'errors': errors,
            'reason': auth.get_last_error_reason()
        }

    @Endpoint(xml=True, version=None)
    def metadata(self):
        Saml2._check_python_saml()
        saml_settings = OneLogin_Saml2_Settings(mgr.SSO_DB.saml2.onelogin_settings)
        return saml_settings.get_sp_metadata()

    @Endpoint(json_response=False, version=None)
    def login(self):
        Saml2._check_python_saml()
        req = Saml2._build_req(self._request, {})
        auth = OneLogin_Saml2_Auth(req, mgr.SSO_DB.saml2.onelogin_settings)
        raise cherrypy.HTTPRedirect(auth.login())

    @Endpoint(json_response=False, version=None)
    def slo(self):
        Saml2._check_python_saml()
        req = Saml2._build_req(self._request, {})
        auth = OneLogin_Saml2_Auth(req, mgr.SSO_DB.saml2.onelogin_settings)
        raise cherrypy.HTTPRedirect(auth.logout())

    @Endpoint(json_response=False, version=None)
    def logout(self, **kwargs):
        # pylint: disable=unused-argument
        Saml2._check_python_saml()
        JwtManager.reset_user()
        token = JwtManager.get_token_from_header()
        self._delete_token_cookie(token)
        url_prefix = prepare_url_prefix(mgr.get_module_option('url_prefix', default=''))
        raise cherrypy.HTTPRedirect("{}/#/login".format(url_prefix))
Commit	Line	Data
11fdf7f2	1	# -- coding: utf-8 --
11fdf7f2	2
11fdf7f2 TL	3	import cherrypy
	4
	5	try:
	6	from onelogin.saml2.auth import OneLogin_Saml2_Auth
	7	from onelogin.saml2.errors import OneLogin_Saml2_Error
	8	from onelogin.saml2.settings import OneLogin_Saml2_Settings
	9
	10	python_saml_imported = True
	11	except ImportError:
	12	python_saml_imported = False
	13
eafe8130	14	from .. import mgr
11fdf7f2 TL	15	from ..exceptions import UserDoesNotExist
	16	from ..services.auth import JwtManager
	17	from ..tools import prepare_url_prefix
a4b75251	18	from . import BaseController, ControllerAuthMixin, Endpoint, Router, allow_empty_body
11fdf7f2 TL	19
11fdf7f2 TL	20
a4b75251	21	@Router('/auth/saml2', secure=False)
f67539c2	22	class Saml2(BaseController, ControllerAuthMixin):
11fdf7f2 TL	23
	24	@staticmethod
	25	def _build_req(request, post_data):
	26	return {
	27	'https': 'on' if request.scheme == 'https' else 'off',
	28	'http_host': request.host,
	29	'script_name': request.path_info,
	30	'server_port': str(request.port),
	31	'get_data': {},
	32	'post_data': post_data
	33	}
	34
	35	@staticmethod
	36	def _check_python_saml():
	37	if not python_saml_imported:
9f95a23c	38	raise cherrypy.HTTPError(400, 'Required library not found: `python3-saml`')
11fdf7f2 TL	39	try:
	40	OneLogin_Saml2_Settings(mgr.SSO_DB.saml2.onelogin_settings)
	41	except OneLogin_Saml2_Error:
	42	raise cherrypy.HTTPError(400, 'Single Sign-On is not configured.')
	43
f67539c2	44	@Endpoint('POST', path="", version=None)
adb31ebb	45	@allow_empty_body
11fdf7f2 TL	46	def auth_response(self, **kwargs):
	47	Saml2._check_python_saml()
	48	req = Saml2._build_req(self._request, kwargs)
	49	auth = OneLogin_Saml2_Auth(req, mgr.SSO_DB.saml2.onelogin_settings)
	50	auth.process_response()
	51	errors = auth.get_errors()
	52
	53	if auth.is_authenticated():
	54	JwtManager.reset_user()
	55	username_attribute = auth.get_attribute(mgr.SSO_DB.saml2.get_username_attribute())
	56	if username_attribute is None:
	57	raise cherrypy.HTTPError(400,
	58	'SSO error - `{}` not found in auth attributes. '
	59	'Received attributes: {}'
	60	.format(
	61	mgr.SSO_DB.saml2.get_username_attribute(),
	62	auth.get_attributes()))
	63	username = username_attribute[0]
	64	url_prefix = prepare_url_prefix(mgr.get_module_option('url_prefix', default=''))
	65	try:
	66	mgr.ACCESS_CTRL_DB.get_user(username)
	67	except UserDoesNotExist:
	68	raise cherrypy.HTTPRedirect("{}/#/sso/404".format(url_prefix))
	69
	70	token = JwtManager.gen_token(username)
	71	JwtManager.set_user(JwtManager.decode_token(token))
	72	token = token.decode('utf-8')
f67539c2	73	self._set_token_cookie(url_prefix, token)
11fdf7f2	74	raise cherrypy.HTTPRedirect("{}/#/login?access_token={}".format(url_prefix, token))
9f95a23c TL	75
	76	return {
	77	'is_authenticated': auth.is_authenticated(),
	78	'errors': errors,
	79	'reason': auth.get_last_error_reason()
	80	}
11fdf7f2	81
f67539c2	82	@Endpoint(xml=True, version=None)
11fdf7f2 TL	83	def metadata(self):
	84	Saml2._check_python_saml()
	85	saml_settings = OneLogin_Saml2_Settings(mgr.SSO_DB.saml2.onelogin_settings)
	86	return saml_settings.get_sp_metadata()
	87
f67539c2	88	@Endpoint(json_response=False, version=None)
11fdf7f2 TL	89	def login(self):
	90	Saml2._check_python_saml()
	91	req = Saml2._build_req(self._request, {})
	92	auth = OneLogin_Saml2_Auth(req, mgr.SSO_DB.saml2.onelogin_settings)
	93	raise cherrypy.HTTPRedirect(auth.login())
	94
f67539c2	95	@Endpoint(json_response=False, version=None)
11fdf7f2 TL	96	def slo(self):
	97	Saml2._check_python_saml()
	98	req = Saml2._build_req(self._request, {})
	99	auth = OneLogin_Saml2_Auth(req, mgr.SSO_DB.saml2.onelogin_settings)
	100	raise cherrypy.HTTPRedirect(auth.logout())
	101
f67539c2	102	@Endpoint(json_response=False, version=None)
11fdf7f2 TL	103	def logout(self, **kwargs):
	104	# pylint: disable=unused-argument
	105	Saml2._check_python_saml()
	106	JwtManager.reset_user()
f67539c2 TL	107	token = JwtManager.get_token_from_header()
f67539c2 TL	108	self._delete_token_cookie(token)
11fdf7f2 TL	109	url_prefix = prepare_url_prefix(mgr.get_module_option('url_prefix', default=''))
11fdf7f2 TL	110	raise cherrypy.HTTPRedirect("{}/#/login".format(url_prefix))