sso.py

#!/usr/bin/env python 

from mod_python import apache
from mod_python import util
import httplib2
import hashlib
from base64 import b64encode, b64decode

from Crypto.Cipher import Blowfish
from Crypto.Cipher import AES
from Crypto import Random
from struct import pack

import urllib
from string import replace
from binascii import hexlify, unhexlify

from interop import decrypt

def write_var (req, var, filename):
    log_path=req.document_root() + '/assertions/' + filename
    logfile=open(log_path, 'w')
    logfile.write(var)
    logfile.close


def handler(req):
    assertionLocation = str(req.subprocess_env['Shib-Assertion-01'])
    h1 = httplib2.HTTPSConnectionWithTimeout('saml-delegation.data.kit.edu')

    # get the path portion of the assertion link
    (i, assertionPath) = assertionLocation.split('https://saml-delegation.data.kit.edu')

    # get the assertion
    h1.request('GET', assertionPath)
    response = h1.getresponse()
    assertion = response.read()

    # remove newlines
    assertion = assertion.replace("\n", "")

    # find out at which url we were called
    (none, none, location) = req.uri.split('/')

    ############################
     # js: sso via javascript #
    ############################
    if location == 'js.py':
        req.content_type = 'text/html'
        req.write('''<!DOCTYPE html> <meta charset="ASCII" />
            <html>
<!-- TODO(daniel): host locally; jquery v1 for included IE support.. --!>
<script src="js/crypto-js/aes.js"></script>
<script src="js/jquery-1.11.1.min.js"></script>
                  <p> Obtaining temporary password url </p>
                  <table border="1">
                  <tr> <th>  Action                      </th><th> Status </th></tr>
                  <tr> <td>  Get assertion:              </td><td id="stat_get">  Wait </td> </tr>
                  <tr> <td>  Encrypting assertion:       </td><td id="stat_enc">  Wait </td> </tr>
                  <tr> <td>  Upload encrypted assertion  </td><td id="stat_post"> Wait </td> </tr>
                  </table>

                  <br/><p> You can now use this URL as a temporary password:<br/>
                  <b id="url"> Wait </b></p>
                  <p> You can also download the <a  id="url2" href="" >  Wait for link </a> and save it to /tmp/samlup_uXXXX.encr</p>
				  <p> You can also download the <a href="/sd/assertion.py">unencrypted assertion</a> and save it to /tmp/samlup_uXXXX</p>
				  <p> Replace XXXX with the UID on your client system</p>
<script src="js-new.js"></script>
                <head> </head>
                <body> </body>
            </html> ''')
        return apache.OK

    # ecp
    if location in ('ecp.py', 'assertion.py'):
        # octet stream will force saving to disk, while
        # text will allow to open with a text editor
        #req.content_type='application/octet-stream'\
        req.content_type = 'application/text'\
                '\nContent-Disposition: attachment; filename=samlup_uXXXX'
        req.write(assertion)
        return apache.OK

    ############
    #  upload  #
    ############
    if location in ('upload.py', 'jsupload.py'):
        req.content_type = 'text/plain'
        # we expect the data via post in encrypted assertion.
        # we will return the url of where to collect the assertion
        # request.

        if req.method != 'POST':
            req.write("Error, i was expecting a post request")
            return apache.OK

        form = util.FieldStorage(req)
        client = form.get ("client", "oops").replace(' ', '+')
        if not form.has_key("encrypted_assertion"):
            req.write ("Error: did not obtain the encrypted_assertion")
            return apache.OK
        b64 = form.get("encrypted_assertion", "Error: no assertion present").replace(' ', '+')
        #write_var (req, b64, 'b64')
        client_version = form.get ("client_verions", "oops").replace(' ', '+')

        # decode assertion
        encrypted_assertion = unhexlify(b64)

        # create hash
        assertion_hash = str(hashlib.md5(encrypted_assertion).hexdigest())
        assertion_url ='https://' + req.hostname + '/assertions/' + assertion_hash

        # Publish encrypted assertion on the web
        write_var (req, encrypted_assertion, assertion_hash)

        # return the url as key=value FIXME
        req.write("url=%s" % assertion_url)
        #req.write("%s" % assertion_url)

        #########
        # debug #
        #########
        # decrypt assertion in case a key is uploaded by the client

        if form.has_key("key"):
            enc_key = form.get("key", "")
            write_var (req, enc_key, 'enc_key')
            client = form.get("client","")
            key = unhexlify(enc_key)

            write_var(req,enc_key, "key")
            write_var(req, encrypted_assertion, 'encrypted_assertion')

            # some logging
            log_path=req.document_root() + '/assertions/' + 'log'
            logfile=open(log_path, 'w')
            logfile.write("keylen:    %d\n" % len(key))
            logfile.write("cipherlen: %d\n" % len(encrypted_assertion))
            #logfile.write("iv:        %d\n" % len(iv))
            logfile.close


            plaintext = decrypt(key, encrypted_assertion)
            write_var(req, plaintext, 'plaintext')
        return apache.OK

    req.content_type = 'text/plain'
    req.write("Error: Your request was not understood")
    return apache.OK