From 606726b074d10fd4b9396d529cabd30caf268f01 Mon Sep 17 00:00:00 2001
From: rohe0002
Date: Wed, 26 Oct 2011 09:41:26 +0200
Subject: [PATCH] Support for adding user name to header field.
---
 etc/ecp_config.py | 10 ++++++++--
 freeradius_ecp.py | 27 +++++++++++++++++++--------
 2 files changed, 27 insertions(+), 10 deletions(-)
diff --git a/etc/ecp_config.py b/etc/ecp_config.py
index 933e1ee..0e74bf0 100644
--- a/etc/ecp_config.py
+++ b/etc/ecp_config.py
@@ -1,7 +1,7 @@
 # You shouldn't change this line unless you know what you are doing
 CONFIG = 'pysaml_config'
 # PySAML2 Configuration file name
-METADATA_FILE="metadata.xml"
+METADATA_FILE="/usr/local/etc/moonshot/metadata.xml"
 DEBUG=0
@@ -14,4 +14,10 @@ IDP_ENTITYID = "http://example.com/idp"
 # The password that should be used when authenticating with the IdP
 # This password will be used disregarding which user it is.
-PASSWD = "foobar"
\ No newline at end of file
+
+PASSWD = ""
+ # If you don't want to used Basic-Auth you can place the username in a
+ # header. This defines the header name
+
+USERNAME_HEADER = "X-Moonshot-Username"
\ No newline at end of file
diff --git a/freeradius_ecp.py b/freeradius_ecp.py
index 913289f..d80714b 100644
--- a/freeradius_ecp.py
+++ b/freeradius_ecp.py
@@ -78,7 +78,12 @@ def instantiate(p):
 return -1
 try:
- ECP = Client("", config.PASSWD, None,
+ try:
+ _passwd = config.PASSWD
+ except AttributeError:
+ _passwd = ""
+
+ ECP = Client("", _passwd, None,
 metadata_file=config.METADATA_FILE)
 except Exception, err:
 log(radiusd.L_ERR, str(err))
@@ -111,9 +116,9 @@ def authentication_request(cls, ecp, idp_entity_id, destination,
 session_id = sid()
 acsus = cls.config.endpoint('assertion_consumer_service', saml2.BINDING_PAOS)
- if not acsus:
- if log:
- log.error("Couldn't find own PAOS endpoint for")
+ if not acsus and log:
+ log.error("Couldn't find own PAOS endpoint")
+
 acsu = acsus[0]
 spentityid = cls.config.entityid
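Review bot: The comment on the new USERNAME_HEADER setting has a typo (`used` for `use`) and does not say what the setting actually does: the freeradius_ecp.py hunk sends `{USERNAME_HEADER: ecp.user}` with the ECP request whenever the attribute exists and sends no header at all when it is undefined. Suggest `# If you don't want to use Basic-Auth you can place the username in a` / `# header. This defines the header name; leave it undefined to send no header.` The value placed in that header is the RADIUS user name as handed to the module (`ECP.user = userName` in the post_auth hunk), so the comment should also make clear that the IdP side is the one that must decide whether to trust it.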
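Review bot: The new inner try/except silently substitutes an empty password when the config module defines no PASSWD, so a misconfigured deployment authenticates with "" without any trace in the module log. `_passwd = getattr(config, "PASSWD", "")` expresses the fallback in one line, and `if not _passwd: log(radiusd.L_DBG, "No PASSWD configured; using an empty password")` records that it happened. instantiate's body starts and ends outside the hunk.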
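Review bot: After the merged condition logs the missing PAOS endpoint, execution still falls through to `acsu = acsus[0]`, which raises IndexError on the empty list, and when `log` is None nothing is logged at all before that happens. Keep the check independent of the logger and stop there: `if not acsus:` / `    if log: log.error("Couldn't find own PAOS endpoint")` / `    raise ValueError("no PAOS assertion consumer service configured")`, or return whatever failure value the caller expects — the rest of authentication_request is outside the hunk. The fall-through existed before this change, but rewriting exactly these lines is the moment to close it.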
@@ -130,8 +135,15 @@ def authentication_request(cls, ecp, idp_entity_id, destination,
 nameid_format=saml.NAMEID_FORMAT_PERSISTENT)
 try:
+ try:
+ headers = {config.USERNAME_HEADER: ecp.user}
+ except AttributeError:
+ headers = None
+
+ print >> sys.stderr, "Headers: %s" % headers
+
 # send the request and receive the response
- response = ecp.phase2(request, acsu, idp_entity_id)
+ response = ecp.phase2(request, acsu, idp_entity_id, headers)
 except Exception, exc:
 exception_trace("soap", exc, log)
 if log:
@@ -212,13 +224,12 @@ def post_auth(authData):
 _srv = "%s:%s" % (serviceName, hostName)
 log(radiusd.L_DBG, "Working on behalf of: %s" % _srv)
- # Find the endpoint to use
 sso_service = CLIENT.config.single_sign_on_services(config.IDP_ENTITYID, saml2.BINDING_PAOS)
 if not sso_service:
 log(radiusd.L_DBG,
- "Couldn't find an single sign on endpoint for: %s" % (
+ "Couldn't find an single-sign-on endpoint for: %s" % (
 config.IDP_ENTITYID,))
 return radiusd.RLM_MODULE_FAIL
@@ -226,7 +237,7 @@ def post_auth(authData):
 log(radiusd.L_DBG, "location: %s" % location)
- ECP.http.clear_credentials()
+ #ECP.http.clear_credentials()
 ECP.user = userName
 log(radiusd.L_DBG, "Login using user:%s password:'%s'" % (ECP.user, ECP.passwd))
--
2.1.4
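Review bot: The `print >> sys.stderr, "Headers: %s" % headers` line is a leftover debug print: it writes the user name to the process's stderr instead of going through the `log` object the surrounding code uses (`if log:` appears two lines below), and it relies on `sys` being imported, which this hunk does not show. Replace it with `if log: log.debug("Headers: %s" % headers)` or drop it. The try/except also wraps `ecp.user`, so a client object without a `user` attribute is silently treated as "no header configured"; `header_name = getattr(config, "USERNAME_HEADER", None)` followed by `headers = {header_name: ecp.user} if header_name else None` narrows the fallback to the config attribute. Whether `ecp.phase2` accepts `headers` as a fourth positional argument cannot be checked from this hunk, and authentication_request starts and ends outside it.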
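Review bot: The reworded log message still reads `Couldn't find an single-sign-on endpoint`; the article should change with the hyphenation: `"Couldn't find a single-sign-on endpoint for: %s" % (`. post_auth starts and ends outside the hunk.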
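Review bot: Commenting out `ECP.http.clear_credentials()` leaves dead code with no explanation of why the call was disabled, and — if `ECP` is the module-level client created in instantiate, as the first freeradius_ecp.py hunk suggests — credentials set on it for one request now remain in place for the next request the module handles. Either delete the line and record the reason in a comment (e.g. `# clear_credentials() removed because <reason>`), or keep the call. The unchanged debug line that follows writes `ECP.passwd` in clear text at L_DBG level; that predates this patch, but since this hunk changes how credentials are kept on the client it is worth dropping the password from the message: `log(radiusd.L_DBG, "Login using user:%s" % ECP.user)`. post_auth continues outside the hunk.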