diff options
author | Jamie Lennox <jamielennox@redhat.com> | 2015-10-02 07:17:21 +1000 |
---|---|---|
committer | Jamie Lennox <jamielennox@redhat.com> | 2015-10-02 07:17:21 +1000 |
commit | 9cd71c064c77a22a0a58084a2abab77b023017b5 (patch) | |
tree | 8ef004de92237b0ee6176c13ea4572ae4db33406 /keystoneclient/contrib/auth/v3/saml2.py | |
parent | eb1dbe8e5a20700a64de50f1d85a972a00c23319 (diff) | |
download | python-keystoneclient-9cd71c064c77a22a0a58084a2abab77b023017b5.tar.gz |
Redirect on 303 in SAML plugin
The SAML plugin handles redirects in a custom manner but currently only
checks for the 302 redirect code. This doesn't cover the mod_auth_mellon
case which responds with a 303.
Also handle the 303 redirect case.
Change-Id: Idab5f381fcbfb8c561184845d3aa5c8aab142ecd
Closes-Bug: #1501918
Diffstat (limited to 'keystoneclient/contrib/auth/v3/saml2.py')
-rw-r--r-- | keystoneclient/contrib/auth/v3/saml2.py | 18 |
1 files changed, 10 insertions, 8 deletions
diff --git a/keystoneclient/contrib/auth/v3/saml2.py b/keystoneclient/contrib/auth/v3/saml2.py index 929d99e..3a311d4 100644 --- a/keystoneclient/contrib/auth/v3/saml2.py +++ b/keystoneclient/contrib/auth/v3/saml2.py @@ -26,6 +26,8 @@ from keystoneclient.i18n import _ class _BaseSAMLPlugin(v3.AuthConstructor): HTTP_MOVED_TEMPORARILY = 302 + HTTP_SEE_OTHER = 303 + PROTOCOL = 'saml2' @staticmethod @@ -192,9 +194,9 @@ class Saml2UnscopedToken(_BaseSAMLPlugin): # Override to remove deprecation. self._password = value - def _handle_http_302_ecp_redirect(self, session, response, method, - **kwargs): - if response.status_code != self.HTTP_MOVED_TEMPORARILY: + def _handle_http_ecp_redirect(self, session, response, method, **kwargs): + if response.status_code not in (self.HTTP_MOVED_TEMPORARILY, + self.HTTP_SEE_OTHER): return response location = response.headers['location'] @@ -327,7 +329,7 @@ class Saml2UnscopedToken(_BaseSAMLPlugin): managed URL, for instance: ``https://<host>:<port>/Shibboleth.sso/ SAML2/ECP``. Upon success the there's a session created and access to the protected - resource is granted. Many implementations of the SP return HTTP 302 + resource is granted. Many implementations of the SP return HTTP 302/303 status code pointing to the protected URL (``https://<host>:<port>/v3/ OS-FEDERATION/identity_providers/{identity_provider}/protocols/ {protocol_id}/auth`` in this case). Saml2 plugin should point to that @@ -344,11 +346,11 @@ class Saml2UnscopedToken(_BaseSAMLPlugin): data=etree.tostring(self.saml2_idp_authn_response), authenticated=False, redirect=False) - # Don't follow HTTP specs - after the HTTP 302 response don't repeat - # the call directed to the Location URL. In this case, this is an - # indication that saml2 session is now active and protected resource + # Don't follow HTTP specs - after the HTTP 302/303 response don't + # repeat the call directed to the Location URL. In this case, this is + # an indication that saml2 session is now active and protected resource # can be accessed. - response = self._handle_http_302_ecp_redirect( + response = self._handle_http_ecp_redirect( session, response, method='GET', headers=self.ECP_SP_SAML2_REQUEST_HEADERS) |