demo-tornado initial commit

Author: dzanin

demo-tornado/Docs/DEVELOPING.md

@@ -0,0 +1,82 @@
+# OneLogin's SAML Python Toolkit (compatible with Python3)
+
+Installation
+------------
+
+### Dependencies ###
+
+ *  python 3.6
+ * apt-get install libxml2-dev libxmlsec1-dev libxmlsec1-openssl
+ * pip install xmlsec
+ * pip install isodate
+ * pip install defusedxml
+ * pip install python3-saml
+ * pip install tornado
+
+
+***Virtualenv***
+
+The use of virtualenv/virtualenvwrapper is highly recommended.
+
+### Create certificates ###
+
+in saml/cert run :
+ * openssl req -new -x509 -days 3652 -nodes -out sp.crt -keyout sp.key
+ * openssl req -new -x509 -days 3652 -nodes -out metadata.crt -keyout metadata.key
+
+### Useful extesion for SAML messages ###
+* [SAML Chrome Panel 1.8.9](https://chrome.google.com/webstore/detail/saml-chrome-panel/paijfdbeoenhembfhkhllainmocckace/related)
+
+
+
+# Test with keycloack idp
+
+Installation
+------------
+
+### Install Docker ###
+* sudo apt-get remove docker docker-engine docker.io containerd runc
+
+* sudo apt-get update
+
+* sudo apt-get install \
+    apt-transport-https \
+    ca-certificates \
+    curl \
+    gnupg-agent \
+    software-properties-common
+* curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
+
+* sudo add-apt-repository \
+   "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
+   $(lsb_release -cs) \
+   stable"
+
+* sudo apt-get update
+
+* sudo apt-get install docker-ce docker-ce-cli containerd.io
+
+* sudo docker run hello-world
+
+
+### Keycloack starting ###
+First run only:
+* docker run --name keycloackContainer -d -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e DB_VENDOR=H2 jboss/keycloak
+
+After first run:
+* sudo docker start keycloackContainer
+
+Remember to stop keycloack after usage:
+* sudo docker stop keycloackContainer
+
+
+### Keycloack useful urls ###
+* master: http://localhost:8080/auth/admin
+* users: http://localhost:8080/auth/realms/idp_dacd/account/
+* saml request: http://localhost:8080/auth/realms/idp_dacd/protocol/saml
+* metadata: http://localhost:8080/auth/realms/idp_dacd/protocol/saml/descriptor
+
+
+
+
+

demo-tornado/README.txt

@@ -0,0 +1,7 @@
+Fully-working tornado-demo.
+
+ABOUT ISSSUE
+This is only a demo, some issues about session still remain.
+
+PRODUCTION
+Remember also to disable debugging in production.

demo-tornado/Settings.py

@@ -0,0 +1,6 @@
+import os
+
+BASE_DIR = os.path.dirname(__file__)
+
+SAML_PATH = os.path.join(BASE_DIR, 'saml')
+TEMPLATE_PATH = os.path.join(BASE_DIR, 'templates')

demo-tornado/requirements.txt

@@ -0,0 +1,13 @@
+Click==7.0
+defusedxml==0.5.0
+isodate==0.6.0
+itsdangerous==1.1.0
+Jinja2==2.10.1
+lxml==4.3.3
+MarkupSafe==1.1.1
+pkgconfig==1.5.1
+python3-saml==1.6.0
+six==1.12.0
+tornado==6.0.2
+Werkzeug==0.15.2
+xmlsec==1.3.3

demo-tornado/saml/advanced_settings (copia).json

@@ -0,0 +1,33 @@
+{
+    "security": {
+        "nameIdEncrypted": false,
+        "authnRequestsSigned": false,
+        "logoutRequestSigned": false,
+        "logoutResponseSigned": false,
+        "signMetadata": false,
+        "wantMessagesSigned": false,
+        "wantAssertionsSigned": false,
+        "wantNameId" : true,
+        "wantNameIdEncrypted": false,
+        "wantAssertionsEncrypted": false,
+        "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
+        "digestAlgorithm": "http://www.w3.org/2000/09/xmldsig#sha1"
+    },
+    "contactPerson": {
+        "technical": {
+            "givenName": "technical_name",
+            "emailAddress": "technical@example.com"
+        },
+        "support": {
+            "givenName": "support_name",
+            "emailAddress": "support@example.com"
+        }
+    },
+    "organization": {
+        "en-US": {
+            "name": "sp_test",
+            "displayname": "SP test",
+            "url": "http://sp.example.com"
+        }
+    }
+}

demo-tornado/saml/advanced_settings.json

@@ -0,0 +1,36 @@
+{
+    "security": {
+        "nameIdEncrypted": false,
+        "authnRequestsSigned": true,
+        "logoutRequestSigned": true,
+        "logoutResponseSigned": true,
+        "signMetadata": {
+                                            "keyFileName": "metadata.key",
+                                            "certFileName": "metadata.crt"
+                                         },
+        "wantMessagesSigned": false,
+        "wantAssertionsSigned": true,
+        "wantNameId" : true,
+        "wantNameIdEncrypted": false,
+        "wantAssertionsEncrypted": false,
+        "signatureAlgorithm": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
+        "digestAlgorithm": "http://www.w3.org/2000/09/xmldsig#sha1"
+    },
+    "contactPerson": {
+        "technical": {
+            "givenName": "technical_name",
+            "emailAddress": "technical@example.com"
+        },
+        "support": {
+            "givenName": "support_name",
+            "emailAddress": "support@example.com"
+        }
+    },
+    "organization": {
+        "en-US": {
+            "name": "sp_test",
+            "displayname": "SP test",
+            "url": "http://sp.example.com"
+        }
+    }
+}

demo-tornado/saml/certs/README

@@ -0,0 +1,13 @@
+Take care of this folder that could contain private key. Be sure that this folder never is published.
+
+Onelogin Python Toolkit expects that certs for the SP could be stored in this folder as:
+
+ * sp.key     Private Key
+ * sp.crt     Public cert
+ * sp_new.crt Future Public cert
+
+
+Also you can use other cert to sign the metadata of the SP using the:
+
+ * metadata.key
+ * metadata.crt

demo-tornado/saml/settings (copia).json

@@ -0,0 +1,30 @@
+{
+    "strict": true,
+    "debug": true,
+    "sp": {
+        "entityId": "https://<sp_domain>/metadata/",
+        "assertionConsumerService": {
+            "url": "https://<sp_domain>/?acs",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+        },
+        "singleLogoutService": {
+            "url": "https://<sp_domain>/?sls",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        },
+        "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
+        "x509cert": "",
+        "privateKey": ""
+    },
+    "idp": {
+        "entityId": "https://app.onelogin.com/saml/metadata/<onelogin_connector_id>",
+        "singleSignOnService": {
+            "url": "https://app.onelogin.com/trust/saml2/http-post/sso/<onelogin_connector_id>",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        },
+        "singleLogoutService": {
+            "url": "https://app.onelogin.com/trust/saml2/http-redirect/slo/<onelogin_connector_id>",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        },
+        "x509cert": "<onelogin_connector_cert>"
+    }
+}

demo-tornado/saml/settings (seconda copia).json

@@ -0,0 +1,30 @@
+{
+    "strict": true,
+    "debug": true,
+    "sp": {
+        "entityId": "http://0.0.0.0:8000/metadata/",
+        "assertionConsumerService": {
+            "url": "http://0.0.0.0:8000/?acs",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+        },
+        "singleLogoutService": {
+            "url": "http://0.0.0.0:8000/?sls",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        },
+        "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
+        "x509cert": "",
+        "privateKey": ""
+    },
+    "idp": {
+        "entityId": "http://localhost:8080/auth/realms/idp_dacd",
+        "singleSignOnService": {
+            "url": "http://localhost:8080/auth/realms/idp_dacd/protocol/saml",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        },
+        "singleLogoutService": {
+            "url": "http://localhost:8080/auth/realms/idp_dacd/protocol/saml",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        },
+        "x509cert": "MIICnzCCAYcCBgFqC3f1FDANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhpZHBfZGFjZDAeFw0xOTA0MTEwODE0MzJaFw0yOTA0MTEwODE2MTJaMBMxETAPBgNVBAMMCGlkcF9kYWNkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuhRERlbbwUxabS4lnGFOpxBKACpcwQwOSvyCKD3bLDvzfQIRh1x3RDq+6xxBcdP86PKRYjwZc/64HYFUbe9FCDLf1SDQz7XTtpftydRrTUydVaj+3FHhyCLcLkJldMVneVMZWIXSzUISvcURL3sr6HVJ74Uy0KPPOo3vQQ6RRaNaB3RCdZaNbzxjbG5eBgSvWHGE+vkozHpS7y6LHXDP1wXenH65RRrat8PQ/Qp4WVi2U5rVfA2SFbcwohjaJ+vOYH+oARnk5a2IosAMHBtONorPnPrcV7MqUXX7q19hnlFRZA34YVcF6kkWWsS1V/mRm2kK6EE/mABvX4mrefWg+QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARKkt9TKg5jLLc7HZSYxHD0MGqDQ8jMAXjpYYaEoIGyYnE31WOEG6HlzHFrkp5ioBT8vTIfejpGGkcL0qspSjQRBYH1eHOEToFo2vhmr0yDUtePNVcQtRN0ImAwNvKU/PciSi4dX0Y8Z/VfeRn8k979o0X82xZSYIxLhKlFp9toOHz0pNTU0Ie4h1zxcPd0L7KAn5eQPHoJwXsdWkM9aoZtCQCjbiexpfOdEOfnUn8QisinAWqcC/gKl9XG7XU4P5cevTeqZgnK0W+ilJVkkJX2zZWlAji+0PKLGr3BgJCfkwUcsm1C8U2ysTGkW1mZHfKVzK2NPA0bSlGgZwbvki+"
+    }
+}

demo-tornado/saml/settings.json

@@ -0,0 +1,30 @@
+{
+    "strict": true,
+    "debug": true,
+    "sp": {
+        "entityId": "http://localhost:8000/metadata/",
+        "assertionConsumerService": {
+            "url": "http://localhost:8000/?acs",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+        },
+        "singleLogoutService": {
+            "url": "http://localhost:8000/?sls",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        },
+        "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
+        "x509cert": "",
+        "privateKey": ""
+    },
+    "idp": {
+        "entityId": "http://localhost:8080/auth/realms/idp_dacd",
+        "singleSignOnService": {
+            "url": "http://localhost:8080/auth/realms/idp_dacd/protocol/saml",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        },
+        "singleLogoutService": {
+            "url": "http://localhost:8080/auth/realms/idp_dacd/protocol/saml",
+            "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+        },
+        "x509cert": "MIICnzCCAYcCBgFqC3f1FDANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhpZHBfZGFjZDAeFw0xOTA0MTEwODE0MzJaFw0yOTA0MTEwODE2MTJaMBMxETAPBgNVBAMMCGlkcF9kYWNkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuhRERlbbwUxabS4lnGFOpxBKACpcwQwOSvyCKD3bLDvzfQIRh1x3RDq+6xxBcdP86PKRYjwZc/64HYFUbe9FCDLf1SDQz7XTtpftydRrTUydVaj+3FHhyCLcLkJldMVneVMZWIXSzUISvcURL3sr6HVJ74Uy0KPPOo3vQQ6RRaNaB3RCdZaNbzxjbG5eBgSvWHGE+vkozHpS7y6LHXDP1wXenH65RRrat8PQ/Qp4WVi2U5rVfA2SFbcwohjaJ+vOYH+oARnk5a2IosAMHBtONorPnPrcV7MqUXX7q19hnlFRZA34YVcF6kkWWsS1V/mRm2kK6EE/mABvX4mrefWg+QIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQARKkt9TKg5jLLc7HZSYxHD0MGqDQ8jMAXjpYYaEoIGyYnE31WOEG6HlzHFrkp5ioBT8vTIfejpGGkcL0qspSjQRBYH1eHOEToFo2vhmr0yDUtePNVcQtRN0ImAwNvKU/PciSi4dX0Y8Z/VfeRn8k979o0X82xZSYIxLhKlFp9toOHz0pNTU0Ie4h1zxcPd0L7KAn5eQPHoJwXsdWkM9aoZtCQCjbiexpfOdEOfnUn8QisinAWqcC/gKl9XG7XU4P5cevTeqZgnK0W+ilJVkkJX2zZWlAji+0PKLGr3BgJCfkwUcsm1C8U2ysTGkW1mZHfKVzK2NPA0bSlGgZwbvki+"
+    }
+}