Merge f4eac46 into ee6283c

uc-cdis · Jun 28, 2019 · f99efae · f99efae
2 parents ee6283c + f4eac46
commit f99efae
Show file tree

Hide file tree

Showing 5 changed files with 192 additions and 17 deletions.
diff --git a/fence/blueprints/login/__init__.py b/fence/blueprints/login/__init__.py
@@ -6,9 +6,13 @@
 the endpoints for each provider.
 """
 
+from cdislogging import get_logger
 import flask
+import requests
 
-from fence.blueprints.login.fence_login import FenceLogin, FenceCallback
+from fence.blueprints.login.fence_login import (
+    FenceLogin, FenceCallback, FenceDownstreamIDPs, get_disco_feed
+)
 from fence.blueprints.login.google import GoogleLogin, GoogleCallback
 from fence.blueprints.login.shib import ShibbolethLogin, ShibbolethCallback
 from fence.blueprints.login.microsoft import MicrosoftLogin, MicrosoftCallback
@@ -17,8 +21,6 @@
 from fence.restful import RestfulApi
 from fence.config import config
 
-from cdislogging import get_logger
-
 logger = get_logger(__name__)
 
 # Mapping from IDP ID to the name in the URL on the blueprint (see below).
@@ -97,6 +99,11 @@ def provider_info(idp_id):
     if "fence" in idps:
         blueprint_api.add_resource(FenceLogin, "/fence", strict_slashes=False)
         blueprint_api.add_resource(FenceCallback, "/fence/login", strict_slashes=False)
+        # `/downstream-idps` will forward to the `/Shibboleth.sso/DiscoFeed` endpoint on
+        # the fence IDP if it's available. otherwise it will just 404
+        blueprint_api.add_resource(
+            FenceDownstreamIDPs, "/downstream-idps", strict_slashes=False
+        )
 
     if "google" in idps:
         blueprint_api.add_resource(GoogleLogin, "/google", strict_slashes=False)
@@ -123,4 +130,5 @@ def provider_info(idp_id):
         blueprint_api.add_resource(
             ShibbolethCallback, "/shib/login", strict_slashes=False
         )
+
     return blueprint
diff --git a/fence/blueprints/login/fence_login.py b/fence/blueprints/login/fence_login.py
@@ -1,13 +1,19 @@
+from cdislogging import get_logger
 import flask
 from flask_restful import Resource
+import requests
 
 from fence.auth import login_user
 from fence.blueprints.login.redirect import validate_redirect
-from fence.errors import Unauthorized
+from fence.config import config
+from fence.errors import Unauthorized, NotFound
 from fence.jwt.validate import validate_jwt
 from fence.models import IdentityProvider
 
 
+logger = get_logger(__name__)
+
+
 class FenceLogin(Resource):
     """
     For ``/login/fence`` endpoint.
@@ -71,3 +77,73 @@ def get(self):
         if "redirect" in flask.session:
             return flask.redirect(flask.session.get("redirect"))
         return flask.jsonify({"username": username})
+
+
+class FenceDownstreamIDPs(Resource):
+    """
+    For ``/login/downstream-idps`` endpoint.
+
+    Should only be enabled if the fence IDP is using shibboleth.
+    """
+
+    def get(self):
+        """Handle ``GET /login/downstream-idps``."""
+        try:
+            content = get_disco_feed()
+        except EnvironmentError:
+            return flask.Response(
+                response=flask.jsonify(
+                    {"error": "couldn't reach endpoint on shibboleth provider"}
+                ),
+                status=500,
+            )
+        if not content:
+            raise NotFound("this endpoint is unavailable")
+        return flask.jsonify(content)
+
+def get_disco_feed():
+    """
+    For fence instances which point to a fence instance deployed with shibboleth IDP(s),
+    we want to list the available downstream IDPs that could be used for shibboleth
+    login. The `entityID` from the DiscoFeed can be provided to the /login/shib
+    endpoint, e.g. (without urlencoding):
+
+        /login/shib?shib_idp=urn:mace:incommon:uchicago.edu
+
+    where `urn:mace:incommon:uchicago.edu` is the `entityID` according to shibboleth.
+
+    Return:
+        Optional[dict]:
+            json response from the /Shibboleth.sso/DiscoFeed endpoint on the IDP fence;
+            or None if there is no fence IDP or if it returns 404 for DiscoFeed
+
+    Raises:
+        EnvironmentError: if the response is bad
+    """
+    # must be configured for fence IDP
+    fence_idp_url = config["OPENID_CONNECT"].get("fence", {}).get("api_base_url")
+    if not fence_idp_url:
+        return None
+    disco_feed_url = fence_idp_url.rstrip("/") + "/Shibboleth.sso/DiscoFeed"
+    try:
+        response = requests.get(disco_feed_url, timeout=3)
+    except requests.RequestException:
+        raise EnvironmentError("couldn't reach fence IDP")
+    if response.status_code != 200:
+        # if it's 404 that's fine---just no shibboleth. otherwise there could be an
+        # actual problem
+        if response.status_code != 404:
+            logger.error(
+                "got weird response ({}) from the IDP fence shibboleth disco feed ({})"
+                .format(response.status_code, disco_feed_url)
+            )
+            raise EnvironmentError("unexpected response from fence IDP")
+        return None
+    try:
+        return response.json()
+    except ValueError:
+        logger.error(
+            "didn't get JSON in response from IDP fence shibboleth disco feed ({})"
+            .format(disco_feed_url)
+        )
+        return None
diff --git a/fence/blueprints/login/shib.py b/fence/blueprints/login/shib.py
@@ -24,25 +24,37 @@ def get(self):
         validate_redirect(redirect_url)
         if redirect_url:
             flask.session["redirect"] = redirect_url
+
+        # figure out which IDP to target with shibboleth
+        # check out shibboleth docs here for more info:
+        # https://wiki.shibboleth.net/confluence/display/SP3/SSO
+        entityID = flask.request.args.get("shib_idp")
+        flask.session["entityID"] = entityID
         actual_redirect = config["BASE_URL"] + "/login/shib/login"
-        return flask.redirect(config["SSO_URL"] + actual_redirect)
+        if not entityID:
+            # default to SSO_URL from the config which should be NIH login
+            return flask.redirect(config["SSO_URL"] + actual_redirect)
+        return flask.redirect(
+            config["BASE_URL"] + "/Shibboleth.sso/Login?entityID={}&target={}"
+            .format(entityID, actual_redirect)
+        )
 
 
 class ShibbolethCallback(Resource):
     def get(self):
         """
         Complete the shibboleth login.
         """
-        if "SHIBBOLETH_HEADER" in config:
-            eppn = flask.request.headers.get(config["SHIBBOLETH_HEADER"])
-
-        else:
+        if "SHIBBOLETH_HEADER" not in config:
             raise InternalError("Missing shibboleth header configuration")
+        eppn = flask.request.headers.get(config["SHIBBOLETH_HEADER"])
         username = eppn.split("!")[-1] if eppn else None
-        if username:
-            login_user(flask.request, username, IdentityProvider.itrust)
-            if flask.session.get("redirect"):
-                return flask.redirect(flask.session.get("redirect"))
-            return "logged in"
-        else:
+        if not username:
             raise Unauthorized("Please login")
+        idp = IdentityProvider.itrust
+        if flask.session.get("entityID"):
+            idp = flask.session.get("entityID")
+        login_user(flask.request, username, idp)
+        if flask.session.get("redirect"):
+            return flask.redirect(flask.session.get("redirect"))
+        return "logged in"
diff --git a/fence/blueprints/oauth2.py b/fence/blueprints/oauth2.py
@@ -77,6 +77,8 @@ def authorize(*args, **kwargs):
                 raise UserError("idp {} is not supported".format(idp))
             idp_url = IDP_URL_MAP[idp]
             login_url = "{}/login/{}".format(config.get("BASE_URL"), idp_url)
+            if idp == "shibboleth":
+                params["shib_idp"] = flask.request.args.get("shib_idp")
         login_url = add_params_to_uri(login_url, params)
         return flask.redirect(login_url)
 

diff --git a/tests/login/test_fence_login.py b/tests/login/test_fence_login.py
@@ -1,7 +1,10 @@
+from collections import OrderedDict
+
 from addict import Dict
 from authutils.oauth2.client import OAuthClient
-from collections import OrderedDict
+import mock
 import pytest
+import requests
 
 import fence
 from fence.config import config
@@ -48,7 +51,7 @@ def config_idp_in_client(
 
     yield Dict(
         client_id=config["OPENID_CONNECT"]["fence"]["client_id"],
-        client_secret=config["OPENID_CONNECT"]["fence"]["client_id"],
+        client_secret=config["OPENID_CONNECT"]["fence"]["client_secret"],
     )
 
     app.keypairs = saved_keypairs
@@ -78,3 +81,77 @@ def test_redirect_login_fence(app, client, config_idp_in_client):
     assert r.status_code == 302
     assert "/oauth2/authorize" in r.location
     assert config["OPENID_CONNECT"]["fence"]["api_base_url"] in r.location
+
+
+def test_downstream_idps_no_idp(app, client):
+    """
+    If we don't include the config here, then the client doesn't have any fence IDP, so
+    this endpoint should return 404.
+    """
+    response = client.get("/login/downstream-idps")
+    assert response.status_code == 404
+
+
+def test_downstream_idps_no_shibboleth(app, client, config_idp_in_client):
+    """
+    If we include the config pointing to a fence IDP but the IDP fence doesn't have
+    shibboleth, that request will 404, and this request should also return 404.
+    """
+
+    def mock_get_404(*args, **kwargs):
+        mocked_response = mock.MagicMock(requests.Response)
+        mocked_response.status_code = 404
+        return mocked_response
+
+    with mock.patch("fence.blueprints.login.fence_login.requests.get", mock_get_404):
+        response = client.get("/login/downstream-idps")
+        assert response.status_code == 404
+
+
+def test_downstream_idps(app, client, config_idp_in_client):
+    """
+    Test that if we mock the request to `/Shibboleth.sso/DiscoFeed` on the IDP fence,
+    this client fence will correctly return the same response from
+    `/login-downstream-idps`.
+    """
+    entityID = "urn:mace:incommon:uchicago.edu"
+
+    def mock_get(*args, **kwargs):
+        mocked_response = mock.MagicMock(requests.Response)
+        mocked_response.status_code = 200
+        mocked_response.json.return_value = [{
+            "entityID": entityID,
+            "DisplayNames": [
+                {
+                    "value": "University of Chicago",
+                    "lang": "en"
+                    }
+                ],
+            "Descriptions": [
+                {
+                    "value": "The University of Chicago Web Single Sign-On servce",
+                    "lang": "en"
+                    }
+                ],
+            "PrivacyStatementURLs": [
+                {
+                    "value": "https://its.uchicago.edu/acceptable-use-policy/",
+                    "lang": "en"
+                    }
+                ],
+            "Logos": [
+                {
+                    "value": "https://shibboleth2.uchicago.edu/idp/shib_img/idplogo.png",
+                    "height": "83",
+                    "width": "350",
+                    "lang": "en"
+                }
+            ]
+        }]
+        return mocked_response
+
+    with mock.patch("fence.blueprints.login.fence_login.requests.get", mock_get):
+        response = client.get("/login/downstream-idps")
+        assert len(response.json) == 1
+        assert [entity for entity in response.json if entity["entityID"] == entityID]
+        assert response.status_code == 200