sso.py

#!/usr/bin/env python 

from mod_python import apache
from mod_python import util
import httplib2
import hashlib
from base64 import b64encode, b64decode

from Crypto.Cipher import Blowfish
from Crypto.Cipher import AES
from Crypto import Random
from struct import pack

import urllib
from string import replace
from binascii import hexlify, unhexlify

from interop import decrypt

def write_var (req, var, filename):
    log_path=req.document_root() + '/assertions/' + filename
    logfile=open(log_path, 'w')
    logfile.write(var)
    logfile.close


def handler(req):
    assertionLocation = str(req.subprocess_env['Shib-Assertion-01'])
    h1 = httplib2.HTTPSConnectionWithTimeout('saml-delegation.data.kit.edu')

    # get the path portion of the assertion link
    (i, assertionPath) = assertionLocation.split('https://saml-delegation.data.kit.edu')

    # get the assertion
    h1.request('GET', assertionPath)
    response = h1.getresponse()
    assertion = response.read()

    # remove newlines
    assertion = assertion.replace("\n", "")

    # find out at which url we were called
    (none, none, location) = req.uri.split('/')

    # sso
    if location == 'sso.py':
        req.content_type = 'text/html'
        req.write('''<!DOCTYPE html>
            <html>
            <head>
            <meta http-equiv="refresh" content="1
                  URL=https://saml-delegation.data.kit.edu/sd/ecp.py">
                  <!--   URI:     %s -->
            </head>
            <body>
            <br/>
            Save your assertion as "/tmp/samlup_uXXXX.tmp" where you replace
                  "XXXX" with your user id.<br>
            </body>
            </html>'''% req.uri)
        return apache.OK

    ############################
     # js: sso via javascript #
    ############################
    if location == 'js.py':
        req.content_type = 'text/html'
        req.write('''<!DOCTYPE html> <meta charset="ASCII" />
            <html>
<!-- TODO(daniel): host locally; jquery v1 for included IE support.. --!>
<script src="js/crypto-js/aes.js"></script>
<script src="js/jquery-1.11.1.min.js"></script>
                  <p> Obtaining temporary password url </p>
                  <table border="1">
                  <tr> <th>  Action                      </th><th> Status </th></tr>
                  <tr> <td>  Get assertion:              </td><td id="stat_get">  Wait </td> </tr>
                  <tr> <td>  Encrypting assertion:       </td><td id="stat_enc">  Wait </td> </tr>
                  <tr> <td>  Upload encrypted assertion  </td><td id="stat_post"> Wait </td> </tr>
                  </table>

                  <br/><p> You can now use this URL as a temporary password:<br/>
                  <b id="url"> Wait </b></p>
<script src="js-new.js"></script>
                <head> </head>
                <body> </body>
            </html> ''')
        return apache.OK

    # ecp
    if location == 'ecp.py':
        # octet stream will force saving to disk, while
        # text will allow to open with a text editor
        #req.content_type='application/octet-stream'\
        req.content_type='application/text'\
                '\nContent-Disposition: attachment; filename=samlup_uXXXX.tmp'
        req.write(assertion)
        return apache.OK

    ########
    # test #
    ########
    if location in ( 'test_transport.py') :
        buf = req.read()
        write_var (req, buf, 'buf')
        req.write('Transport test done')
        return apache.OK

    if location in ( 'test_assertion.py') :
        req.content_type = 'text/plain'
        form = util.FieldStorage(req)
        b64_encrypted_assertion = form.get("encrypted_assertion", "Error: No assertion field sent").replace(' ', '+')
        write_var (req, b64_encrypted_assertion, "b64_encrypted_assertion")
        return apache.OK

    ############
    #  upload  #
    ############
    if location in ( 'upload.py', 'jsupload.py'):
        req.content_type = 'text/plain'
        # we expect the data via post in encrypted assertion.
        # we will return the url of where to collect the assertion
        # request.

        if req.method != 'POST':
            req.write("Error, i was expecting a post request")
            return apache.OK

        form = util.FieldStorage(req)
        client = form.get ("client", "oops").replace(' ', '+')
        if not form.has_key("encrypted_assertion"):
            req.write ("Error: did not obtain the encrypted_assertion")
            return apache.OK
        b64 = form.get("encrypted_assertion", "Error: no assertion present").replace(' ', '+')
        write_var (req, b64, 'b64')
        client_version = form.get ("client_verions", "oops").replace(' ', '+')

        # decode assertion
        if client == 'perl':
            encrypted_assertion = b64decode(b64)
        elif client == 'javascript':
            encrypted_assertion = unhexlify(b64)
        else:
            req.write ('client not supported')
            return apache.OK
        write_var (req, encrypted_assertion, 'encrypted_assertion')

        # create hash
        assertion_hash = str(hashlib.md5(encrypted_assertion).hexdigest())
        assertion_url ='https://' + req.hostname + '/assertions/' + assertion_hash

        # return the url as key=value FIXME
        req.write("url=%s" % assertion_url)
        #req.write("%s" % assertion_url)

        #########
        # debug #
        #########
        # decrypt assertion in case password is provided

        if form.has_key("key"):
            enc_key = form.get("key", "")
            client = form.get("client","")
            if client == "perl":
                key = b64decode(enc_key)
            if  client == "javascript":
                iv  = unhexlify(form.get("iv",""))
                key = unhexlify(enc_key)
                enc_ass = encrypted_assertion
                encrypted_assertion = iv + enc_ass

            write_var(req,enc_key, "key")
            write_var(req, encrypted_assertion, 'encrypted_assertion')

            # some logging
            log_path=req.document_root() + '/assertions/' + 'log'
            logfile=open(log_path, 'w')
            logfile.write("keylen:    %d\n" % len(key))
            logfile.write("cipherlen: %d\n" % len(encrypted_assertion))
            #logfile.write("iv:        %d\n" % len(iv))
            logfile.close


            plaintext = decrypt(key, encrypted_assertion)
            write_var(req, plaintext, 'plaintext')
        return apache.OK

    req.content_type = 'text/plain'
    req.write("Error: Your request was not understood")
    return apache.OK
    #return apache.HTTP_BAD_REQUEST


# Some leftovers:

#bs = Blowfish.block_size
#iv = '12333123'
#cipher = Blowfish.new(key, Blowfish.MODE_ECB, iv)
#cipher = new Crypt::CBC (symmetric_key, 'Twofish');
#my plaintext = cipher->decrypt(encrypted_assertion);
#print ("\n".plaintext."\n");

##plaintext = b'docendo discimus '
##plen = bs - divmod(len(plaintext),bs)[1]
##padding = [plen]*plen
##padding = pack('b'*plen, *padding)