Satosa now hashes the user id depending on hash type

Author: dallerbarn

src/satosa/backends/saml2.py

@@ -166,7 +166,7 @@ def disco_response(self, context, *args):
             return Unauthorized("You must chose an IdP")
         else:
             state = json.loads(state)
-            request_info = InternalRequest(getattr(UserIdHashType, state["user_id_hash_type"]))
+            request_info = InternalRequest(getattr(UserIdHashType, state["user_id_hash_type"]), None)
             return self.authn_request(context, entity_id, request_info, state["state"])
 
     def _translate_response(self, response):

src/satosa/base.py

@@ -1,6 +1,7 @@
 """
 The SATOSA main module
 """
+from satosa.internal_data import UserIdHasher
 from satosa.plugin_loader import load_backends, load_frontends, load_micro_services
 from satosa.routing import ModuleRouter
 
@@ -49,6 +50,7 @@ def _auth_req_callback_func(self, context, internal_request, state):
 
         :return: response
         """
+        state = UserIdHasher.save_state(internal_request, state)
         backend, state = self.module_router.backend_routing(context, state)
         context.request = None
         if self.request_micro_services:
@@ -68,9 +70,9 @@ def _auth_resp_callback_func(self, context, internal_response, state):
         :param state: The current state
         :return: response
         """
-
-        frontend, state = self.module_router.frontend_routing(state)
+        frontend, state = self.module_router.frontend_routing(context, state)
         context.request = None
+        internal_response, state = UserIdHasher.set_id(internal_response, state)
         if self.response_micro_services:
             internal_response = self.response_micro_services.process_service_queue(context, internal_response)
         return frontend.handle_authn_response(context, internal_response, state)

src/satosa/frontends/saml2.py

@@ -54,8 +54,8 @@ def get_name_id_format(hash_type):
         return None
 
     def save_state(self, context, _dict, _request):
-            return {"origin_authn_req": _dict["authn_req"].to_string().decode("utf-8"),
-                             "relay_state": _request["RelayState"]}
+        return {"origin_authn_req": _dict["authn_req"].to_string().decode("utf-8"),
+                "relay_state": _request["RelayState"]}
 
     def load_state(self, state):
         return json.loads(urlsafe_b64decode(state.encode("UTF-8")).decode("UTF-8"))
@@ -150,7 +150,8 @@ def _handle_authn_request(self, context, binding_in, idp):
             state = urlsafe_b64encode(json.dumps(request_state).encode("UTF-8")).decode(
                 "UTF-8")
 
-            internal_req = InternalRequest(self.name_format_to_hash_type(_dict['req_args']['name_id_policy'].format))
+            internal_req = InternalRequest(self.name_format_to_hash_type(_dict['req_args']['name_id_policy'].format),
+                                           _dict["resp_args"]["sp_entity_id"])
             return self.auth_req_callback_func(context, internal_req, state)
 
     def handle_authn_request(self, context, binding_in):

src/satosa/internal_data.py

@@ -2,7 +2,11 @@
 The module contains internal data representation in SATOSA and general converteras that can be used
 for converting from SAML/OAuth/OpenID connect to the internal representation.
 """
+from base64 import urlsafe_b64encode, urlsafe_b64decode
+import datetime
 from enum import Enum
+import hashlib
+import json
 
 __author__ = 'haho0032'
 
@@ -360,9 +364,40 @@
 
 class UserIdHashType(Enum):
     transient = 1
-    persistent = 3
-    pairwise = 1
-    public = 2
+    persistent = 2
+    pairwise = 2
+    public = 3
+
+
+class UserIdHasher():
+    @staticmethod
+    def save_state(internal_request, state):
+        new_state = {"state": state,
+                     "requestor": internal_request.requestor}
+        return urlsafe_b64encode(json.dumps(new_state).encode("UTF-8")).decode("UTF-8")
+
+    @staticmethod
+    def set_id(internal_response, state):
+        state = json.loads(urlsafe_b64decode(state.encode("UTF-8")).decode("UTF-8"))
+        requestor = state["requestor"]
+        user_id = internal_response.user_id
+        user_id_hash_type = internal_response.user_id_hash_type
+
+        if user_id_hash_type == UserIdHashType.transient:
+            timestamp = datetime.datetime.now().time()
+            user_id = "{req}{time}{id}".format(req=requestor, time=timestamp, id=user_id)
+        elif user_id_hash_type == UserIdHashType.persistent:
+            user_id = "{req}{id}".format(req=requestor, id=user_id)
+        elif user_id_hash_type == UserIdHashType.pairwise:
+            user_id = "{req}{id}".format(req=requestor, id=user_id)
+        elif user_id_hash_type == UserIdHashType.public:
+            user_id = "{id}".format(id=user_id)
+        else:
+            raise ValueError("Unknown id hash type: '{}'".format(user_id_hash_type))
+
+        internal_response.user_id = hashlib.md5(user_id.encode("utf-8")).hexdigest()
+
+        return (internal_response, state["state"])
 
 
 class AuthenticationInformation(object):
@@ -378,8 +413,17 @@ def __init__(self, user_id_hash_type):
 
 
 class InternalRequest(InternalData):
-    def __init__(self, user_id_hash_type):
+    def __init__(self, user_id_hash_type, requestor):
+        """
+
+        :param user_id_hash_type:
+        :param requestor: identifier of the requestor
+
+        :type user_id_hash_type: UserIdHashType
+        :type requestor: str
+        """
         super(InternalRequest, self).__init__(user_id_hash_type)
+        self.requestor = requestor
 
 
 class InternalResponse(InternalData):

src/satosa/routing.py

@@ -71,19 +71,22 @@ def backend_routing(self, context, state):
         satosa_state = urlsafe_b64encode(json.dumps(satosa_state).encode("UTF-8")).decode("UTF-8")
         return backend, satosa_state
 
-    def frontend_routing(self, state):
+    def frontend_routing(self, context, state):
         """
         Returns the targeted frontend and original state
 
+        :type context: satosa.context.Context
         :type state: str
         :rtype (satosa.frontends.base.FrontendModule, str)
 
+        :param context: The response context
         :param state: The state created in the incoming function
         :return: (frontend, state)
         """
 
         unpacked_state = json.loads(urlsafe_b64decode(state.encode("UTF-8")).decode("UTF-8"))
-        frontend = self.frontends[unpacked_state["frontend"]]["instance"]
+        context._target_frontend = unpacked_state["frontend"]
+        frontend = self.frontends[context._target_frontend]["instance"]
         request_state = unpacked_state["state_key"]
         return frontend, request_state
 

tests/satosa/backends/test_saml2.py

@@ -138,7 +138,7 @@ def test_start_auth_no_request_info():
         None,
         TestConfiguration.get_instance().spconfig)
 
-    internal_data = InternalRequest(None)
+    internal_data = InternalRequest(None, None)
 
     resp = samlbackend.start_auth(Context(), internal_data, "my_state")
     assert resp.status == "303 See Other", "Must be a redirect to the discovery server."
@@ -147,7 +147,7 @@ def test_start_auth_no_request_info():
 
     # create_name_id_policy_transient()
     user_id_hash_type = UserIdHashType.transient
-    internal_data = InternalRequest(user_id_hash_type)
+    internal_data = InternalRequest(user_id_hash_type, None)
     resp = samlbackend.start_auth(Context(), internal_data, "my_state")
     assert resp.status == "303 See Other", "Must be a redirect to the discovery server."
 
@@ -162,7 +162,7 @@ def test_start_auth_name_id_policy():
 
     # name_id_policy = create_name_id_policy_transient()
     # request_info = {"req_args": {"name_id_policy": name_id_policy}}
-    internal_req = InternalRequest(UserIdHashType.transient)
+    internal_req = InternalRequest(UserIdHashType.transient, None)
     resp = samlbackend.start_auth(Context(), internal_req, "my_state")
 
     assert resp.status == "303 See Other", "Must be a redirect to the discovery server."
@@ -222,7 +222,7 @@ def auth_req_callback_func(context, internal_resp, state):
     # name_id_policy = create_name_id_policy_persistent()
     # request_info = {"req_args": {"name_id_policy": name_id_policy}}
 
-    internal_req = InternalRequest(UserIdHashType.persistent)
+    internal_req = InternalRequest(UserIdHashType.persistent, "example.se/sp.xml")
 
     resp = samlbackend.start_auth(Context(), internal_req, "my_state")
     assert resp.status == "303 See Other", "Must be a redirect to the discovery server."

tests/satosa/frontends/test_saml2.py

@@ -126,7 +126,7 @@ def auth_req_callback_func(context, internal_req, state):
             :param state: The current state for the module.
             :return:
             """
-
+            assert internal_req.requestor == SPCONFIG["entityid"]
             auth_info = AuthenticationInformation(PASSWORD, "2015-09-30T12:21:37Z", "unittest_idp.xml")
             internal_response = InternalResponse(internal_req.user_id_hash_type, auth_info=auth_info)
             internal_response.add_pysaml_attributes(USERS["testuser1"])

tests/satosa/test_routing.py

@@ -102,9 +102,10 @@ def test_routing(path, provider, receiver, _):
         backend, backend_state = router.backend_routing(context, original_state)
         assert backend == backends[provider]
 
-        frontend, frontend_state = router.frontend_routing(backend_state)
+        frontend, frontend_state = router.frontend_routing(context, backend_state)
         assert frontend == frontends[receiver]
         assert frontend_state == original_state
+        assert context._target_frontend == receiver
 
     foreach_frontend_endpoint(test_routing)