# The freeradius extension using ECP
#
__author__ = 'rolandh'
+__version__ = "0.0.5a"
import radiusd
import saml2
from saml2.ecp_client import Client
# Where's the configuration file is
-#CONFIG_DIR = "/usr/local/etc/moonshot"
-CONFIG_DIR = "../etc"
+CONFIG_DIR = "/usr/local/etc/moonshot"
+#CONFIG_DIR = "../etc"
sys.path.insert(0, CONFIG_DIR)
-import ecp_config
+import config
# Globals
CLIENT = None
# Use IdP info retrieved from the SP when metadata is missing
try:
- CLIENT = Saml2Client(ecp_config.DEBUG, config_file=ecp_config.CONFIG)
+ CLIENT = Saml2Client(config.DEBUG, config_file=config.CONFIG)
except Exception, e:
# Report the error and return -1 for failure.
return -1
try:
- ECP = Client("", "", None, metadata_file=ecp_config.METADATA_FILE)
+ try:
+ _passwd = config.PASSWD
+ except AttributeError:
+ _passwd = ""
+
+ ECP = Client("", _passwd, None,
+ metadata_file=config.METADATA_FILE)
except Exception, err:
log(radiusd.L_ERR, str(err))
return -1
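Review bot: The fallback at L28–L30 substitutes an empty password when `config.PASSWD` is absent without leaving any trace, so a misconfigured deployment only surfaces later as an authentication failure at the IdP; log it in the `except AttributeError` branch, e.g. `log(radiusd.L_DBG, "config.PASSWD not set, using empty password")`. Separately, L13 only prepends CONFIG_DIR to `sys.path`, so if `/usr/local/etc/moonshot/config.py` is missing or unreadable the new `import config` at L15 can silently resolve to any other module named `config` further down the path, which the old, more distinctive `ecp_config` name made less likely; consider keeping a distinctive module name or checking that `config.__file__` lives under CONFIG_DIR before using it. The surrounding try/except blocks appear to sit inside a function whose `def` line is outside this hunk, since they `return -1`.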
log = cls.logger
session_id = sid()
- acsu = cls.config.endpoint('assertion_consumer_service',
- saml2.BINDING_PAOS)[0]
+ acsus = cls.config.endpoint('assertion_consumer_service',
+ saml2.BINDING_PAOS)
+ if not acsus and log:
+ log.error("Couldn't find own PAOS endpoint")
+
+ acsu = acsus[0]
+
spentityid = cls.config.entityid
# create the request
nameid_format=saml.NAMEID_FORMAT_PERSISTENT)
try:
+ try:
+ headers = {config.USERNAME_HEADER: ecp.user}
+ except AttributeError:
+ headers = None
+
+ print >> sys.stderr, "Headers: {0:>s}".format(headers)
+
# send the request and receive the response
- response = ecp.phase2(request, acsu, idp_entity_id)
+ response = ecp.phase2(request, acsu, idp_entity_id, headers,
+ destination)
except Exception, exc:
exception_trace("soap", exc, log)
if log:
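Review bot: The guard at L43–L44 only logs when the PAOS endpoint list is empty and then falls straight through to `acsu = acsus[0]` at L46, which raises IndexError in exactly that case (and when `log` is None nothing is reported at all). Make the guard unconditional and bail out: `if not acsus:` / `if log: log.error("Couldn't find own PAOS endpoint")` / `return None`, which matches the way the caller at L96–L104 already treats a None result as failure, assuming that call targets this function. The debug output at L57 goes to stderr via `print` rather than the logger the rest of the function uses, and it includes the user name carried in the headers; prefer `if log: log.debug("Headers: %s", headers)` or drop it before merging. The enclosing function starts before L37 and continues past L65.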
global CLIENT
global HTTP
+ global ECP
# Extract the data we need.
userName = None
serviceName = ""
hostName = ""
- #userPasswd = None
for t in authData:
if t[0] == 'User-Name':
_srv = "%s:%s" % (serviceName, hostName)
log(radiusd.L_DBG, "Working on behalf of: %s" % _srv)
-
# Find the endpoint to use
- attribute_service = CLIENT.config.attribute_services(ecp_config.IDP_ENTITYID)
- location = attribute_service[0].location
+ sso_service = CLIENT.config.single_sign_on_services(config.IDP_ENTITYID,
+ saml2.BINDING_PAOS)
+ if not sso_service:
+ log(radiusd.L_DBG,
+ "Couldn't find an single-sign-on endpoint for: %s" % (
+ config.IDP_ENTITYID,))
+ return radiusd.RLM_MODULE_FAIL
+
+ location = sso_service[0]
log(radiusd.L_DBG, "location: %s" % location)
+ #ECP.http.clear_credentials()
+ ECP.user = userName
+ log(radiusd.L_DBG, "Login using user:%s password:'%s'" % (ECP.user,
+ ECP.passwd))
_assertion = authentication_request(CLIENT, ECP,
- ecp_config.IDP_ENTITYID,
+ config.IDP_ENTITYID,
location,
log=LOG(),
- sign=ecp_config.SIGN)
+ sign=config.SIGN)
if _assertion is None:
return radiusd.RLM_MODULE_FAIL
# remove the subject confirmation if there is one
_assertion.subject.subject_confirmation = []
- # Only allow attributes that the service should have
- try:
- _assertion = only_allowed_attributes(CLIENT, _assertion,
- ecp_config.ATTRIBUTE_FILTER[_srv])
- except KeyError:
- pass
log(radiusd.L_DBG, "Assertion: %s" % _assertion)
attr = "SAML-AAA-Assertion"
#attr = "UKERNA-Attr-%d" % 132
#attr = "Vendor-%d-Attr-%d" % (25622, 132)
- restup = (tuple([(attr, x) for x in eq_len_parts("%s" % _assertion, 248)]))
+ restup = (tuple([(attr, x) for x in eq_len_parts("%s" % _assertion, 247)]))
return radiusd.RLM_MODULE_UPDATED, restup, None
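Review bot: L94–L95 write the password the ECP client was created with (L28/L32) in cleartext to the debug log, which puts a configured credential into the radius logs and anything that ships them; log only the user, `log(radiusd.L_DBG, "Login using user:%s" % ECP.user)`. Removing the `only_allowed_attributes` step at L107–L112 means the assertion logged at L113 and returned at L119 now carries every attribute for every service rather than the per-service filtered set, so unless that filtering moved elsewhere the old block should stay, or the reason for dropping it should be recorded in a comment. The chunk size at L118 changed from 248 to 247 with nothing explaining either number; name it, e.g. `MAX_ATTR_CHUNK = 247  # TODO: document why 247 fits the SAML-AAA-Assertion attribute`, so the next change does not have to guess. L92 adds commented-out code, which should either be a real `clear_credentials()` call or be deleted, and the message at L86 should read `"Couldn't find a single-sign-on endpoint for: %s"`.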