
sso: refactoring redirects from NDG Browse version.

1import logging
2
3from sso.lib.base import *
4from ndg.security.common.AttAuthority import AttAuthorityClient
5import base64
6
# Module-level logger; every message in this module is emitted through it.
log = logging.getLogger(__name__)
8
9
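class WayfController(BaseController):
    """Where Are You From Controller - display a list of trusted sites for
    login"""

    def __before__(self, action):
        """For each action, get 'r' return to URL argument from current URL
        query string.  c.b64encReturnTo is used in some of the .kid files

        Sets c.b64encReturnTo (the raw base64 value taken from the 'r' query
        argument) and c.returnTo (its decoded form).  If the decoded URL
        contains the plain-http server address it is rewritten to the https
        address and c.b64encReturnTo is re-encoded so both stay in step.

        @param action: name of the action about to be invoked (not used here)
        """
        c.b64encReturnTo = request.params.get('r', '')
        log.debug("WayfController.__before__: c.b64encReturnTo = %s",
                  c.b64encReturnTo)

        # Decode the return URL so that it can be displayed to the user by
        # wayf.kid.  The URL has previously been encoded from the
        # BaseController and set in ndgPage.kid.
        # Use str() - urlsafe_b64decode() doesn't like unicode
        try:
            c.returnTo = base64.urlsafe_b64decode(str(c.b64encReturnTo))
        except (TypeError, ValueError):
            # 'r' comes straight from the query string, so a malformed value
            # must not turn into a server error.  Fall back to the same empty
            # return-to that a missing 'r' argument yields.
            log.warning("WayfController.__before__: 'r' argument is not "
                        "valid base64; ignoring return to address")
            c.returnTo = ''
            c.b64encReturnTo = ''

        # NOTE(review): the decoded value is not checked here against the
        # hosts this service is allowed to return to; confirm that
        # BaseController (which produces the encoded value) restricts it,
        # otherwise a crafted 'r' argument gives an open redirect.

        # Ensure login can return to an address over https to preserve
        # confidentiality of credentials.  This is a substring replacement:
        # every occurrence of the http server address in the URL (including
        # any in its query string) is rewritten.
        if g.securityCfg.server in c.returnTo:
            c.returnTo = c.returnTo.replace(g.securityCfg.server,
                                            g.securityCfg.sslServer)
            # Re-encode so the template's base64 value matches the rewritten
            # URL.  Go through the imported base64 module explicitly - the
            # bare urlsafe_b64encode name is not imported by this module and
            # would only resolve if sso.lib.base happened to re-export it.
            c.b64encReturnTo = base64.urlsafe_b64encode(c.returnTo)
            log.debug("WayfController.__before__: switched return to "
                      "address to https = %s", c.returnTo)

    def index(self):
        ''' NDG equivalent to Shibboleth WAYF

        Queries the Attribute Authority for the login URIs of all trusted
        hosts (including this one), publishes them to the template as
        c.providers (host name -> login URI) and renders the wayf page.

        @return: the rendered 'ndg.security.wayf' template
        '''
        log.debug("WayfController.index ...")

        # Inclusive namespace prefixes for WS-Security digital signature
        # (Exclusive C14N only)
        refC14nKw = {'unsuppressedPrefixes': g.securityCfg.wssRefInclNS}
        signedInfoC14nKw = {'unsuppressedPrefixes':
                            g.securityCfg.wssSignedInfoInclNS}

        # Client for the Attribute Authority; signing material and CA certs
        # come from the security configuration so the WS-Security signature
        # on the request can be produced and the response verified.
        aaClnt = AttAuthorityClient(uri=g.securityCfg.aaURI,
                        signingCertFilePath=g.securityCfg.wssCertFilePath,
                        signingPriKeyFilePath=g.securityCfg.wssPriKeyFilePath,
                        signingPriKeyPwd=g.securityCfg.wssPriKeyPwd,
                        caCertFilePathList=g.securityCfg.wssCACertFilePathList,
                        refC14nKw=refC14nKw,
                        signedInfoC14nKw=signedInfoC14nKw,
                        tracefile=g.securityCfg.tracefile)

        # Get list of login uris for trusted sites including THIS one
        log.debug("Calling Attribute Authority getTrustedHostInfo and "
                  "getHostInfo for wayf")

        hosts = aaClnt.getAllHostsInfo()
        # Map each host name to its login URI for the provider list in the
        # template.
        c.providers = dict((k, v['loginURI']) for k, v in hosts.items())

        session.save()

        return render('ndg.security.wayf')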