diff --git a/sites/admin.py b/sites/admin.py
index 5d7ed91..5c51ab1 100755
--- a/sites/admin.py
+++ b/sites/admin.py
@@ -58,22 +58,14 @@ class ProjectAdmin(admin.ModelAdmin):
 readonly_fields = ('state', 'updater')
 ordering = ('display_order', 'organization', 'name')
- #def save_model(self, request, obj, form, change):
- # # now we can save the object and call super
- # set_creator_and_updater(self, request, obj, form)
- # obj.save()
- # super(NfsExportAdmin, self).save_model(request, obj, form, change)
-
 class SysadminAdmin(admin.ModelAdmin):
- #list_display = ('username', 'organization', 'organizations_list', 'creator', 'updater')
 list_display = ('username', 'organization', 'organizations_list')
 list_display_links = list_display
 form = SysadminAdminForm
 def formfield_for_dbfield(self, db_field, request, **kwargs):
 field = super(SysadminAdmin, self).formfield_for_dbfield(db_field, request, **kwargs)
- field = set_dbfield_to_sysad('provision.Sysadmin.creator', field, db_field, request)
 field = set_dbfield_to_sysad('provision.Sysadmin.updater', field, db_field, request)
 return field
diff --git a/sites/management/commands/add_organizations.py b/sites/management/commands/add_organizations.py
index cdee87e..82c80fd 100755
--- a/sites/management/commands/add_organizations.py
+++ b/sites/management/commands/add_organizations.py
@@ -8,7 +8,7 @@ class Command(BaseCommand):
 def handle(self, *args, **options):
- for id in settings.ALL_ORGS_BY_ID:
+ for id in settings.ALL_ORGS_BY_ID.keys():
 org = get_or_add_organization_by_name(settings.ALL_ORGS_BY_ID[id]['name'])
 org.email = settings.ALL_ORGS_BY_ID[id]['email']
 org.contact = settings.ALL_ORGS_BY_ID[id]['contact']
diff --git a/sites/models.py b/sites/models.py
index 8727ea2..3044efe 100755
--- a/sites/models.py
+++ b/sites/models.py
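Review bot: `formfield_for_dbfield` still asks `set_dbfield_to_sysad` for `provision.Sysadmin.updater`, but the Sysadmin model as changed in this commit has no `updater` field (its commented-out definition is deleted in models.py together with `creator`), so unless `set_dbfield_to_sysad` tolerates a field that does not exist the remaining call is as stale as the `creator` one being removed and should go with it. Dropping creator/updater also removes the only record on the Sysadmin table of who granted the privileged role; Django's admin `LogEntry` covers edits made through this ModelAdmin but not rows created by `get_or_add_sysadmin` during SAML login. If that attribution is meant to live elsewhere, a one-line comment above `list_display` naming the place, e.g. `# creator/updater attribution removed; admin edits are in LogEntry, auto-provisioning is logged in models.py`, would save the next reader the search.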
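Review bot: `for id in settings.ALL_ORGS_BY_ID.keys()` is the same iteration as over the dict itself, and the loop variable shadows the builtin `id`; the three `settings.ALL_ORGS_BY_ID[id][...]` lookups that follow then repeat the same indexing. Iterating items removes both: `for org_id, entry in settings.ALL_ORGS_BY_ID.items():` then `org = get_or_add_organization_by_name(entry['name'])` and `org.email = entry['email']` (and likewise for `contact`). The body of `handle` continues past the hunk.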
@@ -54,7 +54,7 @@ def runcmdl(cmdl, execute):
 return status, result
-def get_or_add_sysadmin(user, creator, homeorg, orglist):
+def get_or_add_sysadmin(user, homeorg, orglist):
 try:
 uqs = User.objects.filter(email=user.email)
 if uqs.count() == 0:
@@ -62,7 +62,7 @@ def get_or_add_sysadmin(user, creator, homeorg, orglist):
 sa = Sysadmin.objects.filter(username__email=user.email)
 if sa.count() == 0:
- sa = Sysadmin(username=user, creator=creator)
+ sa = Sysadmin(username=user)
 sa.save()
 else:
 sa = sa[0]
@@ -80,7 +80,7 @@ def get_or_add_sysadmin(user, creator, homeorg, orglist):
 msg = str(now) + ":UserWarning:" + str(user.email) + ":e = " + str(e)
 logger.info(msg)
-def add_sysadmins(creator):
+def add_sysadmins():
 # Start from an initialized database or run command 'clean_system' and then manually run the sql commands
 # to insure auto increment for organization table has been reset
@@ -143,7 +143,7 @@ def add_sysadmins(creator):
 try:
 send_mail(subject, body, fromaddr, toaddr, fail_silently=False)
 except SMTPException as e:
- msg = str(now) + ":Send password failed:" + str(username) + ":" + creator
+ msg = str(now) + ":Send password failed:" + str(username)
 logger.info(msg)
 groupnames = ['cn=_OAR ESRL GSL Sysadm,cn=groups,cn=nems,ou=apps,dc=noaa,dc=gov',
@@ -155,15 +155,15 @@ def add_sysadmins(creator):
 user.groups.add(newgroup)
 user.save()
 except Group.DoesNotExist as e:
- msg = str(now) + ":" + str(e) + ':' + str(username) + ":" + creator
+ msg = str(now) + ":" + str(e) + ':' + str(username)
 logger.info(msg)
- get_or_add_sysadmin(user, creator, homeorg, orglist)
+ get_or_add_sysadmin(user, homeorg, orglist)
 # pause a moment to allow objects to created (Organizations were being duplicated)
 naptime = 1
 time.sleep(naptime)
-def add_groups_and_permissions(creator):
+def add_groups_and_permissions():
 perms = ['add', 'change', 'delete', 'view']
 for groupname in settings.AUTH_SAML_GROUPS.keys():
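Review bot: `sa = Sysadmin(username=user)` sets no `organization`, so the new row takes the model's `default=1` foreign key (visible in the Sysadmin hunk further down) rather than the `homeorg` this function receives; the rest of `get_or_add_sysadmin` is outside the hunk, so the primary organization may be corrected later, but a privileged row bound, even briefly, to whatever Organization has pk 1 is a scoping mistake waiting to happen after a database reset. If `homeorg` is an Organization instance, `sa = Sysadmin(username=user, organization=homeorg)` makes the row correct at creation. The surrounding lookup also selects both the User and the Sysadmin by `user.email` alone; Django's default User does not enforce e-mail uniqueness, so `uqs.count()` can exceed one and the `sa = sa[0]` branch silently takes the first match.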
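Review bot: A failed `send_mail` in `add_sysadmins` is recorded with `logger.info(msg)` and execution continues, so an operator scanning for errors never learns that a new sysadmin received no credential; `logger.error(msg)` or `logger.exception(msg)` inside the `except SMTPException` branch is the right level. The message text `:Send password failed:` suggests the mail body carries a password in cleartext; if so, a one-time reset link (Django's `PasswordResetTokenGenerator`) avoids leaving a usable secret in a mailbox. The enclosing function begins before this hunk.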
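Review bot: The `time.sleep(naptime)` after `get_or_add_sysadmin` is a timing workaround for the duplicated-Organization problem the comment describes, and it does not close the race: two concurrent callers, or one slow database, can still create the same Organization twice. The durable fix is a uniqueness constraint on the Organization name plus `get_or_create` inside `transaction.atomic()` in `get_or_add_organization_by_name`, after which the sleep can be deleted. `add_sysadmins` begins before this hunk and `add_groups_and_permissions` continues past it.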
@@ -204,7 +204,7 @@ def add_groups_and_permissions(creator): group.save() now = datetime.datetime.utcnow() - msg = str(now) + ":GroupobjectAddedPerms:" + groupname + ":" + creator + msg = str(now) + ":GroupobjectAddedPerms:" + groupname logger.info(msg) def hash_to_fingerprint(data): @@ -734,7 +734,7 @@ def graph_node_id(self): def initstate(self): need_to_save = False - if 'setme' in self.name: + if 'setme' in self.get_fingerprint() or 'showme' in str(self.clearallattrs()): utcnow = datetime.datetime.utcnow() yydoy = utcnow.strftime('%y') + utcnow.strftime('%j') userstoday = 1 @@ -747,9 +747,7 @@ def initstate(self): gn = GraphNode(name=self.name, nodetype=nt) gn.save() self.graphnode = gn - need_to_save = True - if 'setme' in self.get_fingerprint() or 'showme' in str(self.clearallattrs()): da = {} uu = {} if self.nameattrsgroup is not None: @@ -1168,8 +1166,7 @@ def is_user_a_sysad(**kwargs): oukeylist.sort() for k in oukeylist: orglist.append(kwargs['request'].session['samlUserdata'][str(k)][0]) - creator = "is_user_a_sysad" - get_or_add_sysadmin(user, creator, homeorg, orglist) + get_or_add_sysadmin(user, homeorg, orglist) class Sysadmin(models.Model): """ @@ -1180,9 +1177,6 @@ class Sysadmin(models.Model): organizations = models.ManyToManyField('Organization', verbose_name='Organizations') organization = models.ForeignKey('Organization', default=1, related_name='sysadmin_organization', verbose_name='Primary Organization', on_delete=models.CASCADE) - #creator = models.CharField(default='unknown', max_length=200) - #updater = models.CharField(default='None', max_length=200) - #updated = models.TimeField(auto_now_add=True) class Meta: unique_together = ['username', 'organization'] diff --git a/sites/saml/.settings.json.swp b/sites/saml/.settings.json.swp new file mode 100755 index 0000000..52e5814 Binary files /dev/null and b/sites/saml/.settings.json.swp differ 
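Review bot: The new guard `if 'setme' in self.get_fingerprint() or 'showme' in str(self.clearallattrs()):` calls `clearallattrs()` as part of a condition, and because of `or` short-circuiting only when the fingerprint test is false; if that method mutates the instance, as its name suggests, the object's state now depends on which half of the condition fires. Computing both values first, `fingerprint = self.get_fingerprint()` and `attrs = str(self.clearallattrs())`, and then testing them makes the side effect unconditional and visible. `initstate` continues past this hunk, where the same condition appears a second time.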
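Review bot: `need_to_save = True` is removed after `self.graphnode = gn`, so unless a later line in `initstate` sets the flag the new GraphNode is saved but the foreign-key assignment on `self` is never persisted; the function continues past this hunk, so please confirm what the flag now gates. If the intent is that the caller saves unconditionally, a comment at that point such as `# graphnode assignment is persisted by the caller's save()` would make it explicit.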
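Review bot: The `creator = "is_user_a_sysad"` tag dropped in `is_user_a_sysad` was the only marker distinguishing Sysadmin rows auto-provisioned during SAML login from those seeded by the `add_sysadmins` command, and nothing in the new code replaces it. Auto-granting a privileged role from IdP attributes is exactly the event an incident review needs to find, so log it at the call site, e.g. `logger.info(str(datetime.datetime.utcnow()) + ':AutoProvisionSysadmin:' + str(user.email) + ':' + str(homeorg))`, in the file's existing log format. The function begins before this hunk; `orglist` is built straight from `samlUserdata`, so the IdP is fully trusted for role scope.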
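Review bot: `sites/saml/.settings.json.swp` is a Vim swap file and should not be committed; a swap file holds the editor buffer of `settings.json`, which in this layout is the file carrying the SP `privateKey`, so its contents may include key material even though the committed `dev_settings.json` and `prod_settings.json` leave `privateKey` empty. Remove it from the commit, inspect it before purging it from history, rotate the SP key if one appears, and add `*.swp` (and the live `settings.json`) to `.gitignore`.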
diff --git a/sites/saml/dev_settings.json b/sites/saml/dev_settings.json
new file mode 100755
index 0000000..c78fb00
--- /dev/null
+++ b/sites/saml/dev_settings.json
@@ -0,0 +1,31 @@
+{
+ "strict": true,
+ "debug": true,
+ "sp": {
+ "entityId": "https://gsl-webstage8.gsd.esrl.noaa.gov/ssopsb/metadata/",
+ "assertionConsumerService": {
+ "url": "https://gsl-webstage8.gsd.esrl.noaa.gov/ssopsb/?acs",
+ "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+ },
+ "singleLogoutService": {
+ "url": "https://gsl-webstage8.gsd.esrl.noaa.gov/ssopsb/?sls",
+ "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+ },
+ "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+ "x509cert": "",
+ "privateKey": "",
+ "x509certNew": ""
+ },
+ "idp": {
+ "entityId": "cac-idp",
+ "singleSignOnService": {
+ "url": "https://sso-dev.noaa.gov:443/openam/SSORedirect/metaAlias/cac/cac-idp",
+ "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+ },
+ "singleLogoutService": {
+ "url": "https://sso-dev.noaa.gov:443/openam/IDPSloRedirect/metaAlias/cac/cac-idp",
+ "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+ },
+ "x509cert": "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"
+ }
+}
diff --git a/sites/saml/key.modulus b/sites/saml/key.modulus
deleted file mode 100755
index e69de29..0000000
diff --git a/sites/saml/ssopsb.xml b/sites/saml/old_ssopsb.xml
similarity index 100%
rename from sites/saml/ssopsb.xml
rename to sites/saml/old_ssopsb.xml
diff --git a/sites/saml/prod_settings.json b/sites/saml/prod_settings.json
new file mode 100755
index 0000000..fbe952f
--- /dev/null
+++ b/sites/saml/prod_settings.json
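Review bot: The SP block leaves `"x509cert"` and `"privateKey"` empty, so this SP cannot sign AuthnRequests or logout requests and cannot decrypt assertions, and python3-saml's `"strict": true` on its own does not make signed IdP responses mandatory; that is governed by `wantMessagesSigned`/`wantAssertionsSigned` in a `security` block, which this file lacks (it may live in `advanced_settings.json`, outside the diff). `"debug": true` is also on in a file that looks deployable as-is. If the key is meant to be filled in at deploy time, strict JSON leaves no room for a comment saying so, so document it in the README and keep the populated file out of version control; the SP `entityId` and ACS URLs point at `gsl-webstage8`, a staging host, while the IdP is `sso-dev`, so confirm that pairing is intended.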
@@ -0,0 +1,31 @@
+{
+ "strict": true,
+ "debug": true,
+ "sp": {
+ "entityId": "https://gsl-webstage8.gsd.esrl.noaa.gov/ssopsb/metadata/",
+ "assertionConsumerService": {
+ "url": "https://gsl-webstage8.gsd.esrl.noaa.gov/ssopsb/?acs",
+ "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+ },
+ "singleLogoutService": {
+ "url": "https://gsl-webstage8.gsd.esrl.noaa.gov/ssopsb/?sls",
+ "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+ },
+ "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
+ "x509cert": "",
+ "privateKey": "",
+ "x509certNew": ""
+ },
+ "idp": {
+ "entityId": "cac-idp",
+ "singleSignOnService": {
+ "url": "https://sso.noaa.gov:443/openam/SSORedirect/metaAlias/cac/cac-idp",
+ "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+ },
+ "singleLogoutService": {
+ "url": "https://sso.noaa.gov:443/openam/IDPSloRedirect/metaAlias/cac/cac-idp",
+ "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
+ },
+ "x509cert": "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"
+ }
+}
diff --git a/sites/views.py b/sites/views.py
index 8b4678b..09907b1 100755
--- a/sites/views.py
+++ b/sites/views.py
@@ -518,7 +518,6 @@ def project_ldg(request, projectname):
 username = request.POST['username']
 password = request.POST['password']
 user = authenticate(request, username=username, password=password)
- creator = str(user)
 if user.is_authenticated:
 if form.is_valid():
@@ -2191,10 +2190,6 @@ def index(request):
 logger.info(msg)
 req = prepare_django_request(request)
- #msg = 'index_icam -- prepare_django_request req = '
- #for k in req.keys():
- # msg = msg + '\n' + str(k) + ': ' + str(req[k])
- #logger.info(msg)
 #try:
 # thissession = request.session
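Review bot: `prod_settings.json` keeps `"debug": true` and the same `gsl-webstage8.gsd.esrl.noaa.gov` SP `entityId`, ACS and SLS URLs as the dev file, so the only difference between the two is the IdP host; if production is served from any other hostname the IdP will post assertions to the staging ACS, or strict mode will reject them for a destination mismatch. Set `"debug": false` here and verify the SP URLs against the production host before this metadata is registered on the IdP side. The empty SP `x509cert`/`privateKey` carry the same caveat as in the dev file.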
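Review bot: `user = authenticate(request, username=username, password=password)` returns `None` on a failed login, so the following `if user.is_authenticated:` raises `AttributeError` instead of rejecting the attempt, and for a real User object `is_authenticated` is always `True`, so the check never distinguishes anything. The guard should be `if user is not None:` (optionally `and user.is_active`), with the failed-login branch handled explicitly. `project_ldg` begins and ends outside this hunk; note also that `request.POST['username']` raises `MultiValueDictKeyError` when the field is absent, where `request.POST.get('username', '')` would fail cleanly.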
@@ -2205,8 +2200,8 @@ def index(request):
 #logger.info(msg)
 auth = noaaOneLogin_Saml2_Auth(req, custom_base_path=settings.SAML_FOLDER)
- #msg = 'auth: ' + str(auth)
- #logger.info(msg)
+ msg = ' auth: ' + str(auth)
+ logger.info(msg)
 errors = []
 error_reason = None
@@ -2222,20 +2217,14 @@ def index(request):
 lenshortened = len(shortened)
 shortened = login[0:100] + '... ' + str(lenshortened) + ' chars removed ...' + login[-15:]
 msg = ' sso login HttpResponseRedirect( ' + str(shortened) + ' )'
+ msg = ' sso login HttpResponseRedirect( ' + str(login) + ' )'
 logger.info(msg)
 return HttpResponseRedirect(login)
- # If AuthNRequest ID need to be stored in order to later validate it, do instead
- #sso_built_url = auth.login()
- #msg = 'sso_built_url: ' + str(sso_built_url)
- #logger.info(msg)
- #request.session['AuthNRequestID'] = auth.get_last_request_id()
- #msg = 'sso request.session[AuthNRequestID]: '+ str(request.session['AuthNRequestID'])
- #logger.info(msg)
- #return HttpResponseRedirect(sso_built_url)
 elif 'sso2' in req['get_data']:
 return_to = OneLogin_Saml2_Utils.get_self_url(req) + reverse('attrs')
 return HttpResponseRedirect(auth.login(return_to))
+
 elif 'slo' in req['get_data']:
 name_id = session_index_icam = name_id_format = name_id_nq = name_id_spnq = None
 if 'samlNameId' in request.session:
@@ -2271,8 +2260,8 @@ def index(request):
 #return HttpResponseRedirect(slo_built_url)
 elif 'acs' in req['get_data']:
- #msg = ' acs req = ' + str(req)
- #logger.info(msg)
+ msg = ' acs req = ' + str(req)
+ logger.info(msg)
 request_id = None
 if 'AuthNRequestID' in request.session:
diff --git a/ssop/settings.py b/ssop/settings.py
index ffdec5c..38ea009 100755
--- a/ssop/settings.py
+++ b/ssop/settings.py
@@ -73,7 +73,7 @@ def get_secret(key):
 }
 # SSO
-CSRF_TRUSTED_ORIGINS = ['https://sso-dev.noaa.gov']
+CSRF_TRUSTED_ORIGINS = ['https://sso-dev.noaa.gov', 'https://sso.noaa.gov']
 SAML_FOLDER = os.path.join(BASE_DIR, 'sites/saml')
 AUTH_RETURN_TO = "/ssopsb/adminssop/sites/"
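Review bot: The added `msg = ' sso login HttpResponseRedirect( ' + str(login) + ' )'` overwrites the shortened message built on the line above it, so the full redirect URL, including the deflated `SAMLRequest` and any `RelayState`, now lands in the info log on every login, which is what the `shortened` truncation was evidently there to prevent; the three `shortened`/`lenshortened` lines become dead code in the process. Either drop the new line, or keep it at debug level as `logger.debug(' sso login HttpResponseRedirect( %s )', login)` and delete the truncation lines only if the full URL is genuinely wanted. `index` continues on both sides of this hunk.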
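Review bot: Re-enabling `msg = ' acs req = ' + str(req)` in the `acs` branch writes the whole prepared request, including `post_data` with the base64 `SAMLResponse`, to the info log; that response carries the signed assertion with the user's NameID, e-mail and group attributes, so the log becomes a store of personal data and of replayable assertions. These lines were commented out for a reason; if diagnostics are needed, log `req['get_data']` and the request id only, or gate the dump behind `logger.isEnabledFor(logging.DEBUG)`. `index` continues past this hunk.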
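Review bot: `AUTH_RETURN_TO = "/ssopsb/adminssop/sites/"` still names the old admin mount, while this same commit renames that route to `ssopsb/adminssopsb/` in `ssop/urls.py`, so after a successful SAML login users are sent to a path that no longer resolves unless something outside the diff still serves it. Change it to `AUTH_RETURN_TO = "/ssopsb/adminssopsb/sites/"` or, better, derive it from `reverse('admin:index')` at use time so the two cannot drift again. Adding `https://sso.noaa.gov` to `CSRF_TRUSTED_ORIGINS` is required for the HTTP-POST ACS from the production IdP; keep the list to the IdP origins only.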
diff --git a/ssop/urls.py b/ssop/urls.py
index 853a7d6..439e4a4 100755
--- a/ssop/urls.py
+++ b/ssop/urls.py
@@ -23,8 +23,8 @@
 # path('admin/', admin.site.urls),
 # path('ssopsb/admin/', admin.site.urls),
 urlpatterns = [
- path('adminssop/', admin.site.urls),
- path('ssopsb/adminssop/', admin.site.urls),
+ path('adminssopsb/', admin.site.urls),
+ path('ssopsb/adminssopsb/', admin.site.urls),
 path('ldg_authenticated/', ldg_authenticated, name='ldg_authenticated'),
 path('ldg/', ldg, name='ldg'),
 path('ldg//', ldg, name='ldg'),
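Review bot: Moving the admin from `adminssop/` to `adminssopsb/` changes where the admin lives but is not an access control; whatever could reach it before (any authenticated Sysadmin, the SAML return-to flow) still can, and `settings.AUTH_RETURN_TO` in this same commit still points at the old path, so the rename has to be mirrored there. The module also mounts `admin.site.urls` twice, at `adminssopsb/` and `ssopsb/adminssopsb/`, which doubles the surface to monitor and trips Django's duplicate-namespace check (urls.W005) for `reverse('admin:...')`; if the prefix-less mount exists only for local runs, a comment such as `# bare mount for local development without the /ssopsb prefix` would keep it from being treated as a production entry point.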