diff --git a/src/eduid/webapp/idp/login.py b/src/eduid/webapp/idp/login.py
index f22778b88..339237e39 100644
--- a/src/eduid/webapp/idp/login.py
+++ b/src/eduid/webapp/idp/login.py
@@ -234,45 +234,16 @@ def _redirect_or_post(self, info: SAMLQueryParams, binding: str) -> WerkzeugResp
 current_app.logger.info(f"Redirecting user without a SAML request to {current_app.conf.eduid_site_url}")
 return redirect(current_app.conf.eduid_site_url)
- if current_app.conf.login_bundle_url:
- if info.SAMLRequest:
- # redirect user to the Login javascript bundle
- loc = urlappend(current_app.conf.login_bundle_url, ticket.request_ref)
- current_app.logger.info(f"Redirecting user to login bundle {loc}")
- return redirect(loc)
- else:
- raise BadRequest("No SAMLRequest, and login_bundle_url is set")
-
- def perform_login(self, ticket: LoginContextSAML, authn_info: AuthnInfo) -> WerkzeugResponse:
- """
- Validate request, and then proceed with creating an AuthnResponse and
- invoking the 'outgoing' SAML2 binding.
-
- :param ticket: Login process state
- :return: Response
- """
- current_app.logger.debug("\n\n---\n\n")
- current_app.logger.debug("--- In SSO.perform_login() ---")
-
- if not isinstance(self.sso_session, SSOSession):
- raise RuntimeError(f"self.sso_session is not of type {SSOSession} ({type(self.sso_session)})")
-
- user = current_app.userdb.lookup_user(self.sso_session.eppn)
- if not user:
- current_app.logger.error(f"User with eppn {self.sso_session.eppn} (from SSO session) not found")
- raise Forbidden("User in SSO session not found")
-
- params = self.get_response_params(authn_info, ticket, user)
-
- if session.common.eppn and session.common.eppn != user.eppn:
- current_app.logger.warning(f"Refusing to change eppn in session from {session.common.eppn} to {user.eppn}")
- raise BadRequest("WRONG_USER")
- session.common.eppn = user.eppn
-
- # We're done with this SAML request. Remove it from the session.
- del session.idp.pending_requests[ticket.request_ref]
+ if not current_app.conf.login_bundle_url:
+ raise BadRequest("No login_bundle_url configured")
- return mischttp.create_html_response(params.binding, params.http_args)
+ if info.SAMLRequest:
+ # redirect user to the Login javascript bundle
+ loc = urlappend(current_app.conf.login_bundle_url, ticket.request_ref)
+ current_app.logger.info(f"Redirecting user to login bundle {loc}")
+ return redirect(loc)
+ else:
+ raise BadRequest("No SAMLRequest, and login_bundle_url is set")
 def get_response_params(self, authn_info: AuthnInfo, ticket: LoginContextSAML, user: IdPUser) -> SAMLResponseParams:
 resp_args = self._validate_login_request(ticket)
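Review bot: The new `if not current_app.conf.login_bundle_url: raise BadRequest("No login_bundle_url configured")` turns a server-side misconfiguration into a 400 that blames the client and echoes an internal config key name in the response body; an unconfigured IdP is a deployment fault that should be logged at error level and surfaced as a 5xx, e.g. `current_app.logger.error("login_bundle_url is not configured")` followed by `raise InternalServerError("Login is not available")` (werkzeug's `InternalServerError`, assuming it can be imported here the same way `BadRequest` is). With that guard in place the `else:` after `return redirect(loc)` is redundant, and the message `"No SAMLRequest, and login_bundle_url is set"` can simply say `"No SAMLRequest"` since its second clause is now always true. `_redirect_or_post` starts before this hunk, so the binding of the `ticket` used in `urlappend(...)` cannot be checked from here. The later hunk that removes `do_verify` drops the only visible use of `pprint.pformat` in login.py; the import block is not in this diff, so check whether `pprint` is now an unused import.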
@@ -533,41 +504,6 @@ def _validate_login_request(ticket: LoginContextSAML) -> ResponseArgs:
 return ticket.saml_req.get_response_args(ticket.request_ref, current_app.conf)
-# -----------------------------------------------------------------------------
-# === Authentication ====
-# -----------------------------------------------------------------------------
-
-
-def do_verify() -> WerkzeugResponse:
- """
- Perform authentication of user based on user provided credentials.
-
- What kind of authentication to perform was chosen by SSO._not_authn() when
- the login web page was to be rendered. It is passed to this function through
- an HTTP POST parameter (authn_reference).
-
- This function should not be thought of as a "was login successful" or not.
- It will figure out what authentication level to assert based on the authncontext
- requested, and the actual authentication that succeeded.
-
- :return: Does not return
- :raise eduid_idp.mischttp.Redirect: On successful authentication, redirect to redirect_uri.
- """
- query = mischttp.get_post()
- # extract password to keep it away from as much code as possible
- password = query.pop("password", None)
- if password:
- query["password"] = ""
- current_app.logger.debug(f"do_verify parsed query :\n{pprint.pformat(query)}")
-
- if "ref" not in query:
- raise BadRequest(f"Missing parameter - please re-initiate login")
- _info = SAMLQueryParams(request_ref=query["ref"])
- _ticket = get_ticket(_info, None)
- if not _ticket:
- raise BadRequest(f"Missing parameter - please re-initiate login")
-
-
 # ----------------------------------------------------------------------------
 def _add_saml_request_to_session(info: SAMLQueryParams, binding: str) -> RequestRef:
 if info.request_ref:
diff --git a/src/eduid/webapp/idp/views/misc.py b/src/eduid/webapp/idp/views/misc.py
index 703a1532f..0a53fd6ac 100644
--- a/src/eduid/webapp/idp/views/misc.py
+++ b/src/eduid/webapp/idp/views/misc.py
@@ -39,10 +39,10 @@ from eduid.webapp.common.api.decorators import MarshalWith, UnmarshalWith
 from eduid.webapp.common.api.messages import FluxData, success_response
 from eduid.webapp.common.api.schemas.models import FluxSuccessResponse
-from eduid.webapp.common.session.namespaces import IdP_SAMLPendingRequest, RequestRef
+from eduid.webapp.common.session.namespaces import IdP_SAMLPendingRequest
 from eduid.webapp.idp.app import current_idp_app as current_app
 from eduid.webapp.idp.decorators import require_ticket, uses_sso_session
-from eduid.webapp.idp.login import do_verify, get_ticket
+from eduid.webapp.idp.login import get_ticket
 from eduid.webapp.idp.login_context import LoginContext, LoginContextSAML
 from eduid.webapp.idp.service import SAMLQueryParams
 from eduid.webapp.idp.sso_session import SSOSession, session
@@ -139,23 +139,3 @@ def logout(ref: Optional[str], sso_session: Optional[SSOSession]) -> WerkzeugRes
 current_app.logger.info("User logged out")
 return resp
-
-
-@misc_views.route("/verify", methods=["GET", "POST"])
-def verify() -> WerkzeugResponse:
- current_app.logger.debug("\n\n")
- current_app.logger.debug(f"--- Verify ({request.method}) ---")
- if request.method == "GET":
- query = parse_query_string()
- if "ref" not in query:
- raise BadRequest(f"Missing parameter - please re-initiate login")
- _info = SAMLQueryParams(request_ref=RequestRef(query["ref"]))
- ticket = get_ticket(_info, None)
- if not ticket:
- raise BadRequest(f"Missing parameter - please re-initiate login")
-
- if request.method == "POST":
- return do_verify()
-
- raise BadRequest()