saml logout request scratch

01bb49dd · Jan Pavlíček · 6ea38b1b · 01bb49dd · 01bb49dd
Verified Commit 01bb49dd authored 1 year ago by Jan Pavlíček
--- a/perun/utils/logout_requests/SamlLogoutRequest.py
+++ b/perun/utils/logout_requests/SamlLogoutRequest.py
+import random
+import string
+
 import flask
+from saml2.client import Saml2Client
+from saml2.saml import NameID
+
 from perun.utils.logout_requests.LogoutRequest import LogoutRequest

+
 # from saml2.client import Saml2Client
 # from saml2 import saml

@@ -19,6 +26,50 @@ class SamlLogoutRequest(LogoutRequest):
        saml_request = self.prepare_saml_request(sub, sid)
        self.iframe_src = f"{sp_url}/{saml_request}"  # todo - check this is the correct way to pass the saml request

-    def prepare_saml_request(self, sub, sid):
-        # todo - use pysaml2?
+    def prepare_saml_request(self, sub, sid, issuer):
+        sp_config = {}  # TODO load config for given backend (client) you can find our backends here: https://gitlab.ics.muni.cz/perun-proxy-aai/ansible/proxyaai_sites/-/tree/main/templates/jpmu/satosa/satosa_config/plugins/backends (sp_config)
+
+        sp = Saml2Client(sp_config)
+        binding, destination = sp.pick_binding(
+            "single_logout_service", None, "idpsso", entity_id=issuer
+        )
+
+        internal_authn_resp = {}  # TODO asi vytáhnout ze sessiony nebo z databáze
+        name_id = internal_authn_resp["subject_id"]
+        session_indexes = internal_authn_resp["auth_info"]["session_index"]
+
+        name_id_format = sp.config.getattr("name_id_format", "sp")
+        name_id = NameID(format=name_id_format, text=name_id)
+        req_id, req = sp.create_logout_request(
+            destination, issuer_entity_id=issuer, name_id=name_id,
+            session_indexes=session_indexes, sign=True
+        )
+
+        relay_state = self.rndstr()
+        http_args = sp.apply_binding(binding, "%s" % req, destination,
+                                     relay_state=relay_state)
+
+        if binding == "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect":
+            headers = dict(http_args["headers"])
+            logout_url_with_all_parameters = (str(headers["Location"]))
+        else:
+            url = http_args["url"]
+            method = http_args["method"]
+            message = http_args["data"]
+            headers = http_args["headers"]
+
        return None
+
+    def rndstr(size=16, alphabet=""):
+        """
+        Returns a string of random ascii characters or digits
+        :type size: int
+        :type alphabet: str
+        :param size: The length of the string
+        :param alphabet: A string with characters.
+        :return: string
+        """
+        rng = random.SystemRandom()
+        if not alphabet:
+            alphabet = string.ascii_letters[0:52] + string.digits
+        return type(alphabet)().join(rng.choice(alphabet) for _ in range(size))
--- a/setup.py
+++ b/setup.py
@@ -33,6 +33,7 @@ setup(
        "Jinja2~=3.1.2",
        "requests~=2.31.0",
        "Flask-Session~=0.5.0",
+        "pysaml2~=7.4"
    ],
    extras_require={
        "kerberos": [