Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Various amends #20

Merged
merged 16 commits into from
Jan 11, 2019
Merged

Various amends #20

Show file tree
Hide file tree
Changes from 8 commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
c5ae46c
Fix login view parses the authn request using correct binding
lgarvey Oct 17, 2018
470e888
Improve processor logic
lgarvey Dec 3, 2018
71510b1
Merge pull request #1 from lgarvey/improve_processor_logic
lgarvey Dec 3, 2018
d4395fe
Remove pdb
lgarvey Dec 3, 2018
06da0c3
Honour the CustomUser.USERNAME_FIELD for lookups
lgarvey Dec 3, 2018
9c87dfc
Failure to load processor should not pass silently
lgarvey Dec 3, 2018
cc36000
Rename IDP extra_data key to extra_config
lgarvey Dec 4, 2018
ee89864
Add logic to allow `settings.SAML_IDP_DJANGO_USER_MAIN_ATTRIBUTE`
lgarvey Dec 5, 2018
a50fd63
Add processor.is_enabled() to allow for additional checks
lgarvey Dec 10, 2018
fdbe004
.gitignore virtualenv and .idea dirs
lgarvey Dec 10, 2018
db88da3
Fix up test and add some basic tests (more to follow)
lgarvey Dec 10, 2018
c321a87
Move user id retrieval logic to processor
lgarvey Dec 12, 2018
569c31c
Merge pull request #2 from lgarvey/fix_idp_initiated_redirect_binding
lgarvey Dec 12, 2018
135c8a9
Built in exeptions don't have __module__
lgarvey Dec 12, 2018
e310de6
Merge branch 'master' into master
mhindery Jan 10, 2019
2b8ea7c
Remove Processor.is_enabled and pass request into has_access
lgarvey Jan 11, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 9 additions & 1 deletion djangosaml2idp/processors.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,19 +3,27 @@ class BaseProcessor:
and to construct the identity dictionary which is sent to the SP
"""

def __init__(self, entity_id):
self._entity_id = entity_id

def has_access(self, user):
""" Check if this user is allowed to use this IDP
"""
return True

def is_enabled(self, request):
lgarvey marked this conversation as resolved.
Show resolved Hide resolved
"""Is this saml2 integration enabled"""
return True

def enable_multifactor(self, user):
""" Check if this user should use a second authentication system
"""
return False

def create_identity(self, user, sp_mapping):
def create_identity(self, user, sp_mapping, **extra_config):
""" Generate an identity dictionary of the user based on the given mapping of desired user attributes by the SP
"""

return {
out_attr: getattr(user, user_attr)
for user_attr, out_attr in sp_mapping.items()
Expand Down
34 changes: 22 additions & 12 deletions djangosaml2idp/views.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,22 +74,28 @@ def dispatch(self, request, *args, **kwargs):
return self.handle_error(request, exception=e)
return super(IdPHandlerViewMixin, self).dispatch(request, *args, **kwargs)

def get_processor(self, sp_config):
def get_processor(self, entity_id, sp_config):
""" "Instantiate user-specified processor or fallback to all-access base processor
"""
processor_string = sp_config.get('processor', None)
if processor_string:
try:
return import_string(processor_string)()
return import_string(processor_string)(entity_id)
except Exception as e:
logger.error("Failed to instantiate processor: {} - {}".format(processor_string, e), exc_info=True)
return BaseProcessor
raise
return BaseProcessor(entity_id)

def get_identity(self, processor, user, sp_config):
""" Create Identity dict (using SP-specific mapping)
"""
sp_mapping = sp_config.get('attribute_mapping', {'username': 'username'})
return processor.create_identity(user, sp_mapping)
return processor.create_identity(user, sp_mapping, **sp_config.get('extra_config', {}))

def extract_user_id(self, user):
user_field = getattr(settings, 'SAML_IDP_DJANGO_USERNAME_FIELD', None) or \
getattr(user, 'USERNAME_FIELD', 'username')
return str(getattr(user, user_field))


@method_decorator(never_cache, name='dispatch')
Expand Down Expand Up @@ -129,10 +135,10 @@ def get(self, request, *args, **kwargs):
except Exception:
return self.handle_error(request, exception=ImproperlyConfigured("No config for SP %s defined in SAML_IDP_SPCONFIG" % resp_args['sp_entity_id']), status=400)

processor = self.get_processor(sp_config)
processor = self.get_processor(resp_args['sp_entity_id'], sp_config)

# Check if user has access to the service of this SP
if not processor.has_access(request.user):
if not processor.has_access(request.user) or not processor.is_enabled(request):
return self.handle_error(request, exception=PermissionDenied("You do not have access to this resource"), status=403)

identity = self.get_identity(processor, request.user, sp_config)
Expand All @@ -142,11 +148,13 @@ def get(self, request, *args, **kwargs):
AUTHN_BROKER = AuthnBroker()
AUTHN_BROKER.add(authn_context_class_ref(req_authn_context), "")

user_id = self.extract_user_id(request.user)

# Construct SamlResponse message
try:
authn_resp = self.IDP.create_authn_response(
identity=identity, userid=request.user.username,
name_id=NameID(format=resp_args['name_id_policy'].format, sp_name_qualifier=resp_args['destination'], text=request.user.username),
identity=identity, userid=user_id,
name_id=NameID(format=resp_args['name_id_policy'].format, sp_name_qualifier=resp_args['destination'], text=user_id),
authn=AUTHN_BROKER.get_authn_by_accr(req_authn_context),
sign_response=self.IDP.config.getattr("sign_response", "idp") or False,
sign_assertion=self.IDP.config.getattr("sign_assertion", "idp") or False,
Expand Down Expand Up @@ -201,10 +209,10 @@ def get(self, request, *args, **kwargs):
service="assertion_consumer_service",
entity_id=sp_entity_id)

processor = self.get_processor(sp_config)
processor = self.get_processor(sp_entity_id, sp_config)

# Check if user has access to the service of this SP
if not processor.has_access(request.user):
if not processor.has_access(request.user) or not processor.is_enabled(request):
return self.handle_error(request, exception=PermissionDenied("You do not have access to this resource"), status=403)

identity = self.get_identity(processor, request.user, sp_config)
Expand All @@ -213,10 +221,12 @@ def get(self, request, *args, **kwargs):
AUTHN_BROKER = AuthnBroker()
AUTHN_BROKER.add(authn_context_class_ref(req_authn_context), "")

user_id = self.extract_user_id(request.user)

# Construct SamlResponse messages
try:
name_id_formats = self.IDP.config.getattr("name_id_format", "idp") or [NAMEID_FORMAT_UNSPECIFIED]
name_id = NameID(format=name_id_formats[0], text=request.user.username)
name_id = NameID(format=name_id_formats[0], text=user_id)
authn = AUTHN_BROKER.get_authn_by_accr(req_authn_context)
sign_response = self.IDP.config.getattr("sign_response", "idp") or False
sign_assertion = self.IDP.config.getattr("sign_assertion", "idp") or False
Expand All @@ -225,7 +235,7 @@ def get(self, request, *args, **kwargs):
in_response_to="IdP_Initiated_Login",
destination=destination,
sp_entity_id=sp_entity_id,
userid=request.user.username,
userid=user_id,
name_id=name_id,
authn=authn,
sign_response=sign_response,
Expand Down