1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
|
from saml2.saml import AuthnContext, AuthnContextClassRef
from saml2.samlp import RequestedAuthnContext
__author__ = 'rolandh'
from saml2 import extension_elements_to_elements
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"
INTERNETPROTOCOLPASSWORD = \
'urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword'
MOBILETWOFACTORCONTRACT = \
'urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract'
PASSWORDPROTECTEDTRANSPORT = \
'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
PASSWORD = 'urn:oasis:names:tc:SAML:2.0:ac:classes:Password'
TLSCLIENT = 'urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient'
TIMESYNCTOKEN = "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"
AL1 = "http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel1"
AL2 = "http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel2"
AL3 = "http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel3"
AL4 = "http://idmanagement.gov/icam/2009/12/saml_2.0_profile/assurancelevel4"
from saml2.authn_context import ippword
from saml2.authn_context import mobiletwofactor
from saml2.authn_context import ppt
from saml2.authn_context import pword
from saml2.authn_context import sslcert
CMP_TYPE = ['exact', 'minimum', 'maximum', 'better']
class AuthnBroker(object):
def __init__(self):
self.db = {"info": {}, "key": {}}
self.next = 0
@staticmethod
def exact(a, b):
return a == b
@staticmethod
def minimum(a, b):
return b >= a
@staticmethod
def maximum(a, b):
return b <= a
@staticmethod
def better(a, b):
return b > a
def add(self, spec, method, level=0, authn_authority="", reference=None):
"""
Adds a new authentication method.
Assumes not more than one authentication method per AuthnContext
specification.
:param spec: What the authentication endpoint offers in the form
of an AuthnContext
:param method: A identifier of the authentication method.
:param level: security level, positive integers, 0 is lowest
:param reference: Desired unique reference to this `spec'
:return:
"""
if spec.authn_context_class_ref:
key = spec.authn_context_class_ref.text
_info = {
"class_ref": key,
"method": method,
"level": level,
"authn_auth": authn_authority
}
elif spec.authn_context_decl:
key = spec.authn_context_decl.c_namespace
_info = {
"method": method,
"decl": spec.authn_context_decl,
"level": level,
"authn_auth": authn_authority
}
else:
raise NotImplementedError()
self.next += 1
_ref = reference
if _ref is None:
_ref = str(self.next)
if _ref in self.db["info"]:
raise Exception("Internal error: reference is not unique")
self.db["info"][_ref] = _info
try:
self.db["key"][key].append(_ref)
except KeyError:
self.db["key"][key] = [_ref]
def remove(self, spec, method=None, level=0, authn_authority=""):
if spec.authn_context_class_ref:
_cls_ref = spec.authn_context_class_ref.text
try:
_refs = self.db["key"][_cls_ref]
except KeyError:
return
else:
_remain = []
for _ref in _refs:
item = self.db["info"][_ref]
if method and method != item["method"]:
_remain.append(_ref)
if level and level != item["level"]:
_remain.append(_ref)
if authn_authority and \
authn_authority != item["authn_authority"]:
_remain.append(_ref)
if _remain:
self.db[_cls_ref] = _remain
def _pick_by_class_ref(self, cls_ref, comparision_type="exact"):
func = getattr(self, comparision_type)
try:
_refs = self.db["key"][cls_ref]
except KeyError:
return []
else:
_item = self.db["info"][_refs[0]]
_level = _item["level"]
if comparision_type != "better":
if _item["method"]:
res = [(_item["method"], _refs[0])]
else:
res = []
else:
res = []
for ref in _refs[1:]:
item = self.db["info"][ref]
res.append((item["method"], ref))
if func(_level, item["level"]):
_level = item["level"]
for ref, _dic in self.db["info"].items():
if ref in _refs:
continue
elif func(_level, _dic["level"]):
if _dic["method"]:
_val = (_dic["method"], ref)
if _val not in res:
res.append(_val)
return res
def pick(self, req_authn_context=None):
"""
Given the authentication context find zero or more places where
the user could be sent next. Ordered according to security level.
:param req_authn_context: The requested context as an
RequestedAuthnContext instance
:return: An URL
"""
if req_authn_context is None:
return self._pick_by_class_ref(UNSPECIFIED, "minimum")
if req_authn_context.authn_context_class_ref:
if req_authn_context.comparison:
_cmp = req_authn_context.comparison
else:
_cmp = "exact"
if _cmp == 'exact':
res = []
for cls_ref in req_authn_context.authn_context_class_ref:
res += (self._pick_by_class_ref(cls_ref.text, _cmp))
return res
else:
return self._pick_by_class_ref(
req_authn_context.authn_context_class_ref[0].text, _cmp)
elif req_authn_context.authn_context_decl_ref:
if req_authn_context.comparison:
_cmp = req_authn_context.comparison
else:
_cmp = "exact"
return self._pick_by_class_ref(
req_authn_context.authn_context_decl_ref, _cmp)
def match(self, requested, provided):
if requested == provided:
return True
else:
return False
def __getitem__(self, ref):
return self.db["info"][ref]
def get_authn_by_accr(self, accr):
_ids = self.db["key"][accr]
return self[_ids[0]]
def authn_context_factory(text):
# brute force
for mod in [ippword, mobiletwofactor, ppt, pword, sslcert]:
inst = mod.authentication_context_declaration_from_string(text)
if inst:
return inst
return None
def authn_context_decl_from_extension_elements(extelems):
res = extension_elements_to_elements(extelems, [ippword, mobiletwofactor,
ppt, pword, sslcert])
try:
return res[0]
except IndexError:
return None
def authn_context_class_ref(ref):
return AuthnContext(authn_context_class_ref=AuthnContextClassRef(text=ref))
def requested_authn_context(class_ref, comparison="minimum"):
if not isinstance(class_ref, list):
class_ref = [class_ref]
return RequestedAuthnContext(
authn_context_class_ref=[AuthnContextClassRef(text=i) for i in class_ref],
comparison=comparison)
|