[ceph.git] / ceph / src / pybind / mgr / dashboard / controllers / saml2.py

# -*- coding: utf-8 -*-
from __future__ import absolute_import

import cherrypy

try:
    from onelogin.saml2.auth import OneLogin_Saml2_Auth
    from onelogin.saml2.errors import OneLogin_Saml2_Error
    from onelogin.saml2.settings import OneLogin_Saml2_Settings

    python_saml_imported = True
except ImportError:
    python_saml_imported = False

from .. import mgr
from ..exceptions import UserDoesNotExist
from ..services.auth import JwtManager
from ..tools import prepare_url_prefix
from . import Controller, Endpoint, BaseController


@Controller('/auth/saml2', secure=False)
class Saml2(BaseController):

    @staticmethod
    def _build_req(request, post_data):
        return {
            'https': 'on' if request.scheme == 'https' else 'off',
            'http_host': request.host,
            'script_name': request.path_info,
            'server_port': str(request.port),
            'get_data': {},
            'post_data': post_data
        }

    @staticmethod
    def _check_python_saml():
        if not python_saml_imported:
            raise cherrypy.HTTPError(400, 'Required library not found: `python3-saml`')
        try:
            OneLogin_Saml2_Settings(mgr.SSO_DB.saml2.onelogin_settings)
        except OneLogin_Saml2_Error:
            raise cherrypy.HTTPError(400, 'Single Sign-On is not configured.')

    @Endpoint('POST', path="")
    def auth_response(self, **kwargs):
        Saml2._check_python_saml()
        req = Saml2._build_req(self._request, kwargs)
        auth = OneLogin_Saml2_Auth(req, mgr.SSO_DB.saml2.onelogin_settings)
        auth.process_response()
        errors = auth.get_errors()

        if auth.is_authenticated():
            JwtManager.reset_user()
            username_attribute = auth.get_attribute(mgr.SSO_DB.saml2.get_username_attribute())
            if username_attribute is None:
                raise cherrypy.HTTPError(400,
                                         'SSO error - `{}` not found in auth attributes. '
                                         'Received attributes: {}'
                                         .format(
                                             mgr.SSO_DB.saml2.get_username_attribute(),
                                             auth.get_attributes()))
            username = username_attribute[0]
            url_prefix = prepare_url_prefix(mgr.get_module_option('url_prefix', default=''))
            try:
                mgr.ACCESS_CTRL_DB.get_user(username)
            except UserDoesNotExist:
                raise cherrypy.HTTPRedirect("{}/#/sso/404".format(url_prefix))

            token = JwtManager.gen_token(username)
            JwtManager.set_user(JwtManager.decode_token(token))
            token = token.decode('utf-8')
            raise cherrypy.HTTPRedirect("{}/#/login?access_token={}".format(url_prefix, token))

        return {
            'is_authenticated': auth.is_authenticated(),
            'errors': errors,
            'reason': auth.get_last_error_reason()
        }

    @Endpoint(xml=True)
    def metadata(self):
        Saml2._check_python_saml()
        saml_settings = OneLogin_Saml2_Settings(mgr.SSO_DB.saml2.onelogin_settings)
        return saml_settings.get_sp_metadata()

    @Endpoint(json_response=False)
    def login(self):
        Saml2._check_python_saml()
        req = Saml2._build_req(self._request, {})
        auth = OneLogin_Saml2_Auth(req, mgr.SSO_DB.saml2.onelogin_settings)
        raise cherrypy.HTTPRedirect(auth.login())

    @Endpoint(json_response=False)
    def slo(self):
        Saml2._check_python_saml()
        req = Saml2._build_req(self._request, {})
        auth = OneLogin_Saml2_Auth(req, mgr.SSO_DB.saml2.onelogin_settings)
        raise cherrypy.HTTPRedirect(auth.logout())

    @Endpoint(json_response=False)
    def logout(self, **kwargs):
        # pylint: disable=unused-argument
        Saml2._check_python_saml()
        JwtManager.reset_user()
        url_prefix = prepare_url_prefix(mgr.get_module_option('url_prefix', default=''))
        raise cherrypy.HTTPRedirect("{}/#/login".format(url_prefix))
Commit	Line	Data
11fdf7f2 TL	1	# -- coding: utf-8 --
	2	from __future__ import absolute_import
	3
11fdf7f2 TL	4	import cherrypy
	5
	6	try:
	7	from onelogin.saml2.auth import OneLogin_Saml2_Auth
	8	from onelogin.saml2.errors import OneLogin_Saml2_Error
	9	from onelogin.saml2.settings import OneLogin_Saml2_Settings
	10
	11	python_saml_imported = True
	12	except ImportError:
	13	python_saml_imported = False
	14
eafe8130	15	from .. import mgr
11fdf7f2 TL	16	from ..exceptions import UserDoesNotExist
	17	from ..services.auth import JwtManager
	18	from ..tools import prepare_url_prefix
	19	from . import Controller, Endpoint, BaseController
	20
	21
	22	@Controller('/auth/saml2', secure=False)
	23	class Saml2(BaseController):
	24
	25	@staticmethod
	26	def _build_req(request, post_data):
	27	return {
	28	'https': 'on' if request.scheme == 'https' else 'off',
	29	'http_host': request.host,
	30	'script_name': request.path_info,
	31	'server_port': str(request.port),
	32	'get_data': {},
	33	'post_data': post_data
	34	}
	35
	36	@staticmethod
	37	def _check_python_saml():
	38	if not python_saml_imported:
9f95a23c	39	raise cherrypy.HTTPError(400, 'Required library not found: `python3-saml`')
11fdf7f2 TL	40	try:
	41	OneLogin_Saml2_Settings(mgr.SSO_DB.saml2.onelogin_settings)
	42	except OneLogin_Saml2_Error:
	43	raise cherrypy.HTTPError(400, 'Single Sign-On is not configured.')
	44
	45	@Endpoint('POST', path="")
	46	def auth_response(self, **kwargs):
	47	Saml2._check_python_saml()
	48	req = Saml2._build_req(self._request, kwargs)
	49	auth = OneLogin_Saml2_Auth(req, mgr.SSO_DB.saml2.onelogin_settings)
	50	auth.process_response()
	51	errors = auth.get_errors()
	52
	53	if auth.is_authenticated():
	54	JwtManager.reset_user()
	55	username_attribute = auth.get_attribute(mgr.SSO_DB.saml2.get_username_attribute())
	56	if username_attribute is None:
	57	raise cherrypy.HTTPError(400,
	58	'SSO error - `{}` not found in auth attributes. '
	59	'Received attributes: {}'
	60	.format(
	61	mgr.SSO_DB.saml2.get_username_attribute(),
	62	auth.get_attributes()))
	63	username = username_attribute[0]
	64	url_prefix = prepare_url_prefix(mgr.get_module_option('url_prefix', default=''))
	65	try:
	66	mgr.ACCESS_CTRL_DB.get_user(username)
	67	except UserDoesNotExist:
	68	raise cherrypy.HTTPRedirect("{}/#/sso/404".format(url_prefix))
	69
	70	token = JwtManager.gen_token(username)
	71	JwtManager.set_user(JwtManager.decode_token(token))
	72	token = token.decode('utf-8')
11fdf7f2	73	raise cherrypy.HTTPRedirect("{}/#/login?access_token={}".format(url_prefix, token))
9f95a23c TL	74
	75	return {
	76	'is_authenticated': auth.is_authenticated(),
	77	'errors': errors,
	78	'reason': auth.get_last_error_reason()
	79	}
11fdf7f2 TL	80
	81	@Endpoint(xml=True)
	82	def metadata(self):
	83	Saml2._check_python_saml()
	84	saml_settings = OneLogin_Saml2_Settings(mgr.SSO_DB.saml2.onelogin_settings)
	85	return saml_settings.get_sp_metadata()
	86
	87	@Endpoint(json_response=False)
	88	def login(self):
	89	Saml2._check_python_saml()
	90	req = Saml2._build_req(self._request, {})
	91	auth = OneLogin_Saml2_Auth(req, mgr.SSO_DB.saml2.onelogin_settings)
	92	raise cherrypy.HTTPRedirect(auth.login())
	93
	94	@Endpoint(json_response=False)
	95	def slo(self):
	96	Saml2._check_python_saml()
	97	req = Saml2._build_req(self._request, {})
	98	auth = OneLogin_Saml2_Auth(req, mgr.SSO_DB.saml2.onelogin_settings)
	99	raise cherrypy.HTTPRedirect(auth.logout())
	100
	101	@Endpoint(json_response=False)
	102	def logout(self, **kwargs):
	103	# pylint: disable=unused-argument
	104	Saml2._check_python_saml()
	105	JwtManager.reset_user()
	106	url_prefix = prepare_url_prefix(mgr.get_module_option('url_prefix', default=''))
	107	raise cherrypy.HTTPRedirect("{}/#/login".format(url_prefix))