remove authsaml2; it is reborn as the plugin authentic2-auth-saml2

Benjamin Dauvergne 2014-02-25 10:01:02 +01:00
parent 833191a3df
commit 2e0e3e6567
28 changed files with 5 additions and 3193 deletions


@ -15,7 +15,6 @@ recursive-include authentic2/auth2_auth/auth2_ssl/templates *.html *.txt *.xml
recursive-include authentic2/auth2_auth/templates *.html *.txt *.xml
recursive-include authentic2/auth2_auth/auth2_oath/templates *.html *.txt *.xml
recursive-include authentic2/auth2_auth/auth2_openid/templates *.html *.txt *.xml
recursive-include authentic2/authsaml2/templates *.html *.txt *.xml
recursive-include authentic2/vendor/totp_js/js *.js
recursive-include authentic2/saml/fixtures *.json
@ -27,7 +26,6 @@ recursive-include authentic2/auth2_auth/locale *.po *.mo
recursive-include authentic2/auth2_auth/auth2_ssl/locale *.po *.mo
recursive-include authentic2/auth2_auth/auth2_oath/locale *.po *.mo
recursive-include authentic2/auth2_auth/auth2_openid/locale *.po *.mo
recursive-include authentic2/authsaml2/locale *.po *.mo
recursive-include authentic2/attribute_aggregator/locale *.po *.mo
recursive-include authentic2/disco_service/locale *.po *.mo
recursive-include authentic2 README xrds.xml *.txt yadis.xrdf


@ -1,110 +0,0 @@
= Add to settings =
SAML_SIGNATURE_PRIVATE_KEY = *your_key*
INSTALLED_APPS += ('*project*.authsaml2', '*project*.authsaml2.saml',)
AUTHENTICATION_BACKENDS = (
'django.contrib.auth.backends.ModelBackend',
'*project*.authsaml2.backends.SAML2AuthBackend',
)
When login_required() with registration and you want to add on the login page the login with a federated account:
- the template is directly called: use a context processor to pass a variable
TEMPLATE_CONTEXT_PROCESSORS += (
'spsaml.views.idp_list',
)
spsaml.views.idp_list:
def idp_list(request):
return {'providers_list': authsaml2.saml.common.get_idp_list()}
- modify LOGIN_URL
LOGIN_URL = '/login/'
url(r'^login/', spsaml.views.login)
Pass {'providers_list': authsaml2.saml.common.get_idp_list()} to the template
Then configure in the admin part your SP
= Target URL =
After logout, the parameter 'Back url' is used. If empty, authsaml2 returns to the root.
After login, authsaml2 will redirect in a parameter you have to register,
authsaml2 returns to the root of the site.
To register a url, if a fonction is called with the next parameter in the url,
as it is the case usually with a login page, just call:
authsaml2.saml2_endpoints.register_next_target(request)
If there is no next parameter call this function giving the target url
authsaml2.saml2_endpoints.register_next_target(request, target_url)
After defederation, by default the local session is not sesion is not ended
and the back url is the one of calling of the defederation function.
= Call AuthSAML2 from your login page =
* Views:
from django.shortcuts import render_to_response
from django.template import RequestContext
from django.contrib.auth import views as auth_views
import authentic2.authsaml2.saml2_endpoints
def login(request):
authsaml2.saml2_endpoints.register_next_target(request)
return auth_views.login(request)
* Template:
{% if providers_list %}
{% trans "Log in with a federated account?" %}
<ul>
{% for p in providers_list %}
<li><a href="/authsaml2/sso?entity_id={{ p.entity_id }}" >{{ p.entity_id }}</a></li>
{% endfor %}
</ul>
{% endif %}
= Call AuthSAML2 into the application for user account management =
* Views:
from django.shortcuts import render_to_response
from django.template import RequestContext
from django.contrib.auth import views as auth_views
import authentic2.authsaml2.saml2_endpoints
import authentic2.authsaml2.saml.common
def inside(request):
authsaml2.saml2_endpoints.register_next_target(request, '/in')
return render_to_response('in.html', {'providers_list_federated': authsaml2.saml.common.get_idp_user_federated_list(request),
'providers_list_not_federated': authsaml2.saml.common.get_idp_user_not_federated_list(request),
'provider_active_session': authsaml2.saml.common.get_provider_of_active_session(request)},
context_instance=RequestContext(request))
* Template:
{% if providers_list_not_federated %}
{% trans "Federate your identity" %}
<ul>
{% for p in providers_list_not_federated %}
<li><a href="/authsaml2/sso?entity_id={{ p.entity_id }}/">{{ p.entity_id }}</a></li>
{% endfor %}
</ul>
{% endif %}
{% if providers_list_federated %}
{% trans "Defederate your identity" %}
<ul>
{% for p in providers_list_not_federated %}
<li><a href="/authsaml2/defederate/{{ p.entity_id }}/">{{ p.entity_id }}</a></li>
{% endfor %}
</ul>
{% endif %}
{% if provider_active_session %}
{% trans "Logout" %}
<ul>
<li>{% trans "Global Logout: " %}<a href="/authsaml2/logout/{{ provider_active_session.entity_id }}/">{{ provider_active_session.entity_id }}</a></li>
<li><p><a href="{% url 'auth_logout' %}">{% trans "Local log out" %}</a></p></li>
</ul>
{% else %}
<a href="{% url 'auth_logout' %}">{% trans "Log out" %}</a>
{% endif %}
Now in idp/__init__.py
tpl_parameters['providers_list_federated'] = authentic.saml.common.get_idp_user_federated_list(request)
tpl_parameters['providers_list_not_federated'] = authentic.saml.common.get_idp_user_not_federated_list(request)


@ -1,135 +0,0 @@
import string
import random
import logging
import lasso
from django.db import transaction
from django.core.urlresolvers import reverse
from django.utils.translation import ugettext as _
from authentic2.compat import get_user_model
from authentic2.saml.common import \
lookup_federation_by_name_id_and_provider_id, add_federation, \
get_idp_options_policy
from authentic2.saml.models import LIBERTY_SESSION_DUMP_KIND_SP, \
LibertySessionDump, LibertyProvider
from authentic2.authsaml2.models import SAML2TransientUser
logger = logging.getLogger('authentic2.authsaml2.backends')
class AuthenticationError(Exception):
pass
class AuthSAML2Backend:
def logout_list(self, request):
pid = None
q = LibertySessionDump. \
objects.filter(django_session_key=request.session.session_key,
kind=LIBERTY_SESSION_DUMP_KIND_SP)
if not q:
logger.debug('logout_list: no LibertySessionDump found')
return []
'''
We deal with a single IdP session
'''
try:
provider_id = lasso.Session(). \
newFromDump(q[0].session_dump.encode('utf-8')). \
get_assertions().keys()[0]
except:
return []
if not provider_id:
return []
logger.debug('logout_list: Found session for %s' % provider_id)
name = provider_id
provider = None
try:
provider = LibertyProvider.objects.get(entity_id=provider_id)
name = provider.name
except LibertyProvider.DoesNotExist:
logger.error('logout_list: session found for unknown provider %s' \
% provider_id)
return []
policy = get_idp_options_policy(provider)
if not policy:
logger.error('logout_list: No policy found for %s' % provider_id)
return []
elif not policy.forward_slo:
logger.info('logout_list: %s configured to not reveive slo' \
% provider_id)
return []
else:
import saml2_endpoints
code = '<div>'
code += _('Sending logout to %(pid)s....') % { 'pid': name or provider_id }
code += '''<iframe src="%s?provider_id=%s" marginwidth="0" marginheight="0" \
scrolling="no" style="border: none" width="16" height="16" onload="window.iframe_count -= 1; console.log(window.location.href + ' decrement iframe_count');"></iframe></div>''' \
% (reverse(saml2_endpoints.sp_slo,
args=[provider_id]), provider_id)
return [ code ]
class AuthSAML2PersistentBackend:
supports_object_permissions = False
supports_anonymous_user = False
def authenticate(self, name_id=None, provider_id=None):
'''Authenticate persistent NameID'''
if not name_id or not provider_id:# or not name_id.nameQualifier:
return None
#fed = lookup_federation_by_name_identifier(name_id=name_id)
fed = lookup_federation_by_name_id_and_provider_id(name_id, provider_id)
if fed is None:
return None
fed.user.backend = '%s.%s' % (__name__, self.__class__.__name__)
return fed.user
def get_user(self, user_id):
User = get_user_model()
try:
return User.objects.get(id=user_id)
except User.DoesNotExist:
return None
@transaction.commit_on_success
def create_user(self, username=None, name_id=None, provider_id=None):
'''Create a new user mapping to the given NameID'''
if not name_id or \
name_id.format != \
lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT or \
not name_id.nameQualifier:
raise ValueError('Invalid NameID')
if not username:
# FIXME: maybe keep more information in the forged username
username = 'saml2-%s' % ''. \
join([random.SystemRandom().choice(string.letters) for x in range(10)])
User = get_user_model()
user = User()
user.username = username
if hasattr(User, 'set_unusable_password'):
user.set_unusable_password()
user.is_active = True
user.save()
add_federation(user, name_id=name_id, provider_id=provider_id)
return user
class AuthSAML2TransientBackend:
supports_object_permissions = False
supports_anonymous_user = False
def authenticate(self, name_id=None):
'''Create temporary user for transient NameID'''
if not name_id or \
name_id.format != \
lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT or \
not name_id.content:
return None
user = SAML2TransientUser(id=name_id.content)
return user
def get_user(self, user_id):
'''Create temporary user for transient NameID'''
return SAML2TransientUser(id=user_id)


@ -1,54 +0,0 @@
import urllib
import functools
import django.forms as forms
import authentic2.saml.common as saml_common
from django.utils.translation import gettext_noop
from django.http import HttpResponseRedirect
from django.contrib.auth import REDIRECT_FIELD_NAME
from django.utils.translation import ugettext as _
from . import saml2_endpoints
class AuthSAML2Form(forms.Form):
def __init__(self, *args, **kwargs):
idp_list = kwargs.pop('idp_list')
super(AuthSAML2Form, self).__init__(*args, **kwargs)
self.fields['provider_id'].choices = \
[(p['entity_id'], p['name']) for p in idp_list]
provider_id = forms.ChoiceField(label=_('Choose your identity provider'),
choices=())
class AuthSAML2Frontend(object):
def __init__(self):
self.idp_list = saml_common.get_idp_list_sorted()
def enabled(self):
return bool(self.idp_list)
def id(self):
return 'saml2'
def name(self):
return gettext_noop('SAML 2.0')
def form(self):
return functools.partial(AuthSAML2Form, idp_list=self.idp_list)
def post(self, request, form, nonce, next):
provider_id = form.cleaned_data['provider_id']
return HttpResponseRedirect('/authsaml2/sso?entity_id=%s&%s=%s' %
(urllib.quote(provider_id),
REDIRECT_FIELD_NAME,
urllib.quote(next)))
def get_context(self):
'''Specific context variable used by the specific template'''
return { 'idp_providers': self.idp_list }
def template(self):
return 'auth/saml2/login_form.html'
def profile(self, request):
return saml2_endpoints.profile(request)


@ -1,410 +0,0 @@
# French translation of Authentic
# Copyright (C) 2010, 2011 Entr'ouvert
# This file is distributed under the same license as the Authentic package.
# Frederic Peters <fpeters@entrouvert.com>, 2010.
#
msgid ""
msgstr ""
"Project-Id-Version: Authentic\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2013-07-23 16:39+0200\n"
"PO-Revision-Date: 2013-07-23 16:39+0200\n"
"Last-Translator: Mikaël Ates <mates@entrouvert.com>\n"
"Language-Team: None\n"
"Language: fr\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=n>1;\n"
#: backends.py:67
#, python-format
msgid "Sending logout to %(pid)s...."
msgstr "Envoi de la deconnesion a %(pid)s...."
#: frontend.py:20
msgid "Choose your identity provider"
msgstr "Choisissez votre fournisseur d'identité"
#: frontend.py:34
msgid "SAML 2.0"
msgstr "SAML 2.0"
#: models.py:90
msgid "Anonymous"
msgstr "Anonyme"
#: saml2_endpoints.py:128
msgid "redirect_to_disco: unable to build disco request"
msgstr ""
#: saml2_endpoints.py:135
#, python-format
msgid "disco_response: HTTP request not supported %s"
msgstr ""
#: saml2_endpoints.py:176 saml2_endpoints.py:182
msgid "sso: Service provider not configured"
msgstr ""
#: saml2_endpoints.py:188
msgid "sso: No SAML2 identity provider selected"
msgstr ""
#: saml2_endpoints.py:196
msgid "sso: The provider does not exist"
msgstr ""
#: saml2_endpoints.py:201
msgid "sso: Unable to create Login object"
msgstr ""
#: saml2_endpoints.py:210
#, python-format
msgid "sso: %s does not have any supported SingleSignOn endpoint"
msgstr ""
#: saml2_endpoints.py:216
#, python-format
msgid "sso: initAuthnRequest %s"
msgstr ""
#: saml2_endpoints.py:222
msgid "sso: No IdP policy defined"
msgstr ""
#: saml2_endpoints.py:228
#, python-format
msgid "SSO: buildAuthnRequestMsg %s"
msgstr ""
#: saml2_endpoints.py:255
msgid "singleSignOnArtifact: Service provider not configured"
msgstr ""
#: saml2_endpoints.py:273
msgid "singleSignOnArtifact: Unable to create Login object"
msgstr ""
#: saml2_endpoints.py:279
msgid "singleSignOnArtifact: No message given."
msgstr ""
#: saml2_endpoints.py:300
#, python-format
msgid "singleSignOnArtifact: provider %r unknown"
msgstr ""
#: saml2_endpoints.py:309
#, python-format
msgid "singleSignOnArtifact: initRequest %s"
msgstr ""
#: saml2_endpoints.py:317
#, python-format
msgid "singleSignOnArtifact: buildRequestMsg %s"
msgstr ""
#: saml2_endpoints.py:329
#, python-format
msgid ""
"singleSignOnArtifact: Failure to communicate with artifact "
"resolver %r"
msgstr ""
#: saml2_endpoints.py:334
#, python-format
msgid ""
"singleSignOnArtifact: Artifact resolver at %r returned an empty "
"response"
msgstr ""
#: saml2_endpoints.py:350
#, python-format
msgid "singleSignOnArtifact: processResponseMsg raised %s"
msgstr ""
#: saml2_endpoints.py:365
msgid "singleSignOnPost: Service provider not configured"
msgstr ""
#: saml2_endpoints.py:371
msgid "singleSignOnPost: Unable to create Login object"
msgstr ""
#: saml2_endpoints.py:380
msgid "singleSignOnPost: No message given."
msgstr ""
#: saml2_endpoints.py:407
#, python-format
msgid "singleSignOnPost: provider %r unknown"
msgstr ""
#: saml2_endpoints.py:418
#, python-format
msgid "singleSignOnPost: %s"
msgstr ""
#: saml2_endpoints.py:441
msgid "sso_after_response: error checking authn response"
msgstr ""
#: saml2_endpoints.py:447
#, python-format
msgid "sso_after_response: acceptSso raised %s"
msgstr ""
#: saml2_endpoints.py:583
msgid "sso_after_response: No IdP policy defined"
msgstr ""
#: saml2_endpoints.py:632
msgid ""
"sso_after_response: No backend for temporary federation "
"is configured"
msgstr ""
#: saml2_endpoints.py:653
msgid ""
"sso_after_response: Transient access policy: Configuration error"
msgstr ""
#: saml2_endpoints.py:703
msgid ""
"sso_after_response: You were not asked your consent for "
"account linking"
msgstr ""
#: saml2_endpoints.py:720
msgid ""
"sso_after_response: Persistent Account policy: Configuration "
"error"
msgstr ""
#: saml2_endpoints.py:724
msgid ""
"sso_after_response: Transient access policy: NameId format not "
"supported"
msgstr ""
#: saml2_endpoints.py:747
msgid "finish_federation: Service provider not configured"
msgstr ""
#: saml2_endpoints.py:753
msgid "finish_federation: Unable to create Login object"
msgstr ""
#: saml2_endpoints.py:760
msgid "finish_federation: Error loading session."
msgstr ""
#: saml2_endpoints.py:777
msgid ""
"SSO/finish_federation: Error adding new federation for "
"this user"
msgstr ""
#: saml2_endpoints.py:816
msgid "finish_federation: Unable to perform federation"
msgstr ""
#: saml2_endpoints.py:958
msgid "logout: not a logged in user"
msgstr ""
#: saml2_endpoints.py:963
msgid "logout: Service provider not configured"
msgstr ""
#: saml2_endpoints.py:968
msgid "logout: Unable to create Login object"
msgstr ""
#: saml2_endpoints.py:976
msgid "logout: No session for global logout."
msgstr ""
#: saml2_endpoints.py:984
msgid "logout: Session malformed."
msgstr ""
#: saml2_endpoints.py:990
msgid "logout: Error loading provider."
msgstr ""
#: saml2_endpoints.py:1018
msgid "logout: SOAP error - Only local logout performed."
msgstr ""
#: saml2_endpoints.py:1066
msgid "logout: Unknown HTTP method."
msgstr ""
#: saml2_endpoints.py:1076
#, python-format
msgid ""
"localLogout: SOAP error with %s - Only local logout performed."
msgstr ""
#: saml2_endpoints.py:1080
#, python-format
msgid "localLogout: %s - Only local logout performed."
msgstr ""
#: saml2_endpoints.py:1092
msgid "singleLogoutReturn: Service provider not configured"
msgstr ""
#: saml2_endpoints.py:1098
msgid ""
"singleLogoutReturn: Unable to handle Single Logout by Redirect "
"without request"
msgstr ""
#: saml2_endpoints.py:1105
msgid "singleLogoutReturn: Unable to create Login object"
msgstr ""
#: saml2_endpoints.py:1391
#, python-format
msgid "singleLogout: provider %r unknown"
msgstr ""
#: saml2_endpoints.py:1469
msgid "fedTerm/SP UI: No provider for defederation"
msgstr ""
#: saml2_endpoints.py:1474
msgid "fedTerm/SP UI: Unable to defederate a not logged user!"
msgstr ""
#: saml2_endpoints.py:1480
msgid "fedTerm/SP UI: Service provider not configured"
msgstr ""
#: saml2_endpoints.py:1487
msgid "fedTerm/SP UI: No such identity provider."
msgstr ""
#: saml2_endpoints.py:1497
msgid "fedTerm/SP UI: Not a valid federation"
msgstr ""
#: saml2_endpoints.py:1513
#, python-format
msgid "fedTerm/SP UI: %s"
msgstr ""
#: saml2_endpoints.py:1521 saml2_endpoints.py:1552
#, python-format
msgid "fedTerm/SP SOAP: %s"
msgstr ""
#: saml2_endpoints.py:1530
msgid ""
"fedTerm/SP SOAP: Unable to perform SOAP defederation "
"request"
msgstr ""
#: saml2_endpoints.py:1539 saml2_endpoints.py:1573
#, python-format
msgid "fedTerm/SP Redirect: %s"
msgstr ""
#: saml2_endpoints.py:1561
msgid ""
"fedTerm/SP SOAP: Unable to perform SOAP defederation request"
msgstr ""
#: saml2_endpoints.py:1578
msgid "Unknown HTTP method."
msgstr ""
#: saml2_endpoints.py:1591
msgid "fedTerm/SP Redirect: Service provider not configured"
msgstr ""
#: saml2_endpoints.py:1599
msgid "fedTerm/SP Redirect: Error managing manage dump"
msgstr ""
#: saml2_endpoints.py:1614
msgid "fedTerm/SP Redirect: Defederation failed"
msgstr ""
#: saml2_endpoints.py:1640
#, python-format
msgid "fedTerm/Return: provider %r unknown"
msgstr ""
#: saml2_endpoints.py:1647
#, python-format
msgid "fedTerm/manage_name_id_return: %s"
msgstr ""
#: saml2_endpoints.py:1695
#, python-format
msgid "fedTerm/SOAP: provider %r unknown"
msgstr ""
#: saml2_endpoints.py:1888
msgid "Successful federation deletion."
msgstr ""
#: utils.py:42
#, python-format
msgid "An error happened. Report this %s to the administrator."
msgstr ""
#: templates/error_authsaml2.html:8
msgid "Back"
msgstr "Retour"
#: templates/profile.html:3
msgid "SAML2 Federations"
msgstr "Fédérations SAML2"
#: templates/profile.html:9
msgid "Delete a federation?"
msgstr "Supprimer une fédération ?"
#: templates/profile.html:15
msgid "Delete"
msgstr "Supprimer"
#: templates/profile.html:23
msgid "Add a federation?"
msgstr "Ajouter une fédération ?"
#: templates/profile.html:27 templates/auth/saml2/account_linking.html:32
#: templates/auth/saml2/login_form.html:6
msgid "Log in"
msgstr "S'identifier"
#: templates/auth/saml2/account_linking.html:5
msgid "Log in to link your account"
msgstr "Connectez-vous pour lier vos comptes"
#: templates/auth/saml2/account_linking.html:9
msgid "Log in to link with your existing account"
msgstr "Connectez-vous pour lier avec un compte existant"
#: templates/auth/saml2/account_linking.html:17
#: templates/auth/saml2/account_linking.html:24
msgid "Username:"
msgstr "Nom d'utilisateur :"
#: templates/auth/saml2/account_linking.html:20
#: templates/auth/saml2/account_linking.html:28
msgid "Password:"
msgstr "Mot de passe :"
#: templates/auth/saml2/logout.html:5
msgid "Logout"
msgstr "Déconnexion"
#: templates/auth/saml2/logout.html:18
msgid "Continue logout"
msgstr "Continuer la déconnexion"


@ -1,122 +0,0 @@
# encoding: utf-8
import datetime
from south.db import db
from south.v2 import SchemaMigration
from django.db import models
class Migration(SchemaMigration):
def forwards(self, orm):
# Adding model 'AuthorizationAttributeMap'
db.create_table('authsaml2_authorizationattributemap', (
('id', self.gf('django.db.models.fields.AutoField')(primary_key=True)),
('name', self.gf('django.db.models.fields.CharField')(unique=True, max_length=40)),
))
db.send_create_signal('authsaml2', ['AuthorizationAttributeMap'])
# Adding model 'AttributeMapping'
db.create_table('authsaml2_attributemapping', (
('id', self.gf('django.db.models.fields.AutoField')(primary_key=True)),
('source_attribute_name', self.gf('django.db.models.fields.CharField')(max_length=40)),
('attribute_value_format', self.gf('django.db.models.fields.CharField')(max_length=40)),
('attribute_name', self.gf('django.db.models.fields.CharField')(max_length=40)),
('attribute_value', self.gf('django.db.models.fields.CharField')(max_length=40)),
('map', self.gf('django.db.models.fields.related.ForeignKey')(to=orm['authsaml2.AuthorizationAttributeMap'])),
))
db.send_create_signal('authsaml2', ['AttributeMapping'])
# Adding model 'IdPOptionsPolicy'
db.create_table('authsaml2_idpoptionspolicy', (
('id', self.gf('django.db.models.fields.AutoField')(primary_key=True)),
('name', self.gf('django.db.models.fields.CharField')(unique=True, max_length=80)),
('enabled', self.gf('django.db.models.fields.BooleanField')(default=False)),
('no_nameid_policy', self.gf('django.db.models.fields.BooleanField')(default=False)),
('requested_name_id_format', self.gf('django.db.models.fields.CharField')(default='none', max_length=20)),
('transient_is_persistent', self.gf('django.db.models.fields.BooleanField')(default=False)),
('allow_create', self.gf('django.db.models.fields.BooleanField')(default=False)),
('enable_binding_for_sso_response', self.gf('django.db.models.fields.BooleanField')(default=False)),
('binding_for_sso_response', self.gf('django.db.models.fields.CharField')(default='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact', max_length=60)),
('enable_http_method_for_slo_request', self.gf('django.db.models.fields.BooleanField')(default=False)),
('http_method_for_slo_request', self.gf('django.db.models.fields.IntegerField')(default=4, max_length=60)),
('enable_http_method_for_defederation_request', self.gf('django.db.models.fields.BooleanField')(default=False)),
('http_method_for_defederation_request', self.gf('django.db.models.fields.IntegerField')(default=5, max_length=60)),
('user_consent', self.gf('django.db.models.fields.CharField')(default='urn:oasis:names:tc:SAML:2.0:consent:current-implicit', max_length=60)),
('want_force_authn_request', self.gf('django.db.models.fields.BooleanField')(default=False)),
('want_is_passive_authn_request', self.gf('django.db.models.fields.BooleanField')(default=False)),
('want_authn_request_signed', self.gf('django.db.models.fields.BooleanField')(default=False)),
('attribute_map', self.gf('django.db.models.fields.related.ForeignKey')(blank=True, related_name='authorization_attributes', null=True, to=orm['authsaml2.AuthorizationAttributeMap'])),
))
db.send_create_signal('authsaml2', ['IdPOptionsPolicy'])
# Adding model 'MyServiceProvider'
db.create_table('authsaml2_myserviceprovider', (
('id', self.gf('django.db.models.fields.AutoField')(primary_key=True)),
('handle_persistent', self.gf('django.db.models.fields.CharField')(max_length=80)),
('handle_transient', self.gf('django.db.models.fields.CharField')(max_length=80)),
('back_url', self.gf('django.db.models.fields.CharField')(max_length=80)),
))
db.send_create_signal('authsaml2', ['MyServiceProvider'])
def backwards(self, orm):
# Deleting model 'AuthorizationAttributeMap'
db.delete_table('authsaml2_authorizationattributemap')
# Deleting model 'AttributeMapping'
db.delete_table('authsaml2_attributemapping')
# Deleting model 'IdPOptionsPolicy'
db.delete_table('authsaml2_idpoptionspolicy')
# Deleting model 'MyServiceProvider'
db.delete_table('authsaml2_myserviceprovider')
models = {
'authsaml2.attributemapping': {
'Meta': {'object_name': 'AttributeMapping'},
'attribute_name': ('django.db.models.fields.CharField', [], {'max_length': '40'}),
'attribute_value': ('django.db.models.fields.CharField', [], {'max_length': '40'}),
'attribute_value_format': ('django.db.models.fields.CharField', [], {'max_length': '40'}),
'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
'map': ('django.db.models.fields.related.ForeignKey', [], {'to': "orm['authsaml2.AuthorizationAttributeMap']"}),
'source_attribute_name': ('django.db.models.fields.CharField', [], {'max_length': '40'})
},
'authsaml2.authorizationattributemap': {
'Meta': {'object_name': 'AuthorizationAttributeMap'},
'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
'name': ('django.db.models.fields.CharField', [], {'unique': 'True', 'max_length': '40'})
},
'authsaml2.idpoptionspolicy': {
'Meta': {'object_name': 'IdPOptionsPolicy'},
'allow_create': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
'attribute_map': ('django.db.models.fields.related.ForeignKey', [], {'blank': 'True', 'related_name': "'authorization_attributes'", 'null': 'True', 'to': "orm['authsaml2.AuthorizationAttributeMap']"}),
'binding_for_sso_response': ('django.db.models.fields.CharField', [], {'default': "'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact'", 'max_length': '60'}),
'enable_binding_for_sso_response': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
'enable_http_method_for_defederation_request': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
'enable_http_method_for_slo_request': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
'enabled': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
'http_method_for_defederation_request': ('django.db.models.fields.IntegerField', [], {'default': '5', 'max_length': '60'}),
'http_method_for_slo_request': ('django.db.models.fields.IntegerField', [], {'default': '4', 'max_length': '60'}),
'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
'name': ('django.db.models.fields.CharField', [], {'unique': 'True', 'max_length': '80'}),
'no_nameid_policy': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
'requested_name_id_format': ('django.db.models.fields.CharField', [], {'default': "'none'", 'max_length': '20'}),
'transient_is_persistent': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
'user_consent': ('django.db.models.fields.CharField', [], {'default': "'urn:oasis:names:tc:SAML:2.0:consent:current-implicit'", 'max_length': '60'}),
'want_authn_request_signed': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
'want_force_authn_request': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
'want_is_passive_authn_request': ('django.db.models.fields.BooleanField', [], {'default': 'False'})
},
'authsaml2.myserviceprovider': {
'Meta': {'object_name': 'MyServiceProvider'},
'back_url': ('django.db.models.fields.CharField', [], {'max_length': '80'}),
'handle_persistent': ('django.db.models.fields.CharField', [], {'max_length': '80'}),
'handle_transient': ('django.db.models.fields.CharField', [], {'max_length': '80'}),
'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'})
}
}
complete_apps = ['authsaml2']


@ -1,75 +0,0 @@
# encoding: utf-8
import datetime
from south.db import db
from south.v2 import SchemaMigration
from django.db import models
class Migration(SchemaMigration):
def forwards(self, orm):
# Deleting model 'AuthorizationAttributeMap'
db.delete_table('authsaml2_authorizationattributemap')
# Deleting model 'IdPOptionsPolicy'
db.delete_table('authsaml2_idpoptionspolicy')
# Deleting model 'AttributeMapping'
db.delete_table('authsaml2_attributemapping')
def backwards(self, orm):
# Adding model 'AuthorizationAttributeMap'
db.create_table('authsaml2_authorizationattributemap', (
('id', self.gf('django.db.models.fields.AutoField')(primary_key=True)),
('name', self.gf('django.db.models.fields.CharField')(max_length=40, unique=True)),
))
db.send_create_signal('authsaml2', ['AuthorizationAttributeMap'])
# Adding model 'IdPOptionsPolicy'
db.create_table('authsaml2_idpoptionspolicy', (
('enable_http_method_for_defederation_request', self.gf('django.db.models.fields.BooleanField')(default=False)),
('name', self.gf('django.db.models.fields.CharField')(max_length=80, unique=True)),
('http_method_for_defederation_request', self.gf('django.db.models.fields.IntegerField')(default=5, max_length=60)),
('binding_for_sso_response', self.gf('django.db.models.fields.CharField')(default='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact', max_length=60)),
('enabled', self.gf('django.db.models.fields.BooleanField')(default=False)),
('allow_create', self.gf('django.db.models.fields.BooleanField')(default=False)),
('enable_http_method_for_slo_request', self.gf('django.db.models.fields.BooleanField')(default=False)),
('http_method_for_slo_request', self.gf('django.db.models.fields.IntegerField')(default=4, max_length=60)),
('requested_name_id_format', self.gf('django.db.models.fields.CharField')(default='none', max_length=20)),
('attribute_map', self.gf('django.db.models.fields.related.ForeignKey')(related_name='authorization_attributes', null=True, to=orm['authsaml2.AuthorizationAttributeMap'], blank=True)),
('user_consent', self.gf('django.db.models.fields.CharField')(default='urn:oasis:names:tc:SAML:2.0:consent:current-implicit', max_length=60)),
('no_nameid_policy', self.gf('django.db.models.fields.BooleanField')(default=False)),
('transient_is_persistent', self.gf('django.db.models.fields.BooleanField')(default=False)),
('want_authn_request_signed', self.gf('django.db.models.fields.BooleanField')(default=False)),
('want_is_passive_authn_request', self.gf('django.db.models.fields.BooleanField')(default=False)),
('enable_binding_for_sso_response', self.gf('django.db.models.fields.BooleanField')(default=False)),
('id', self.gf('django.db.models.fields.AutoField')(primary_key=True)),
('want_force_authn_request', self.gf('django.db.models.fields.BooleanField')(default=False)),
))
db.send_create_signal('authsaml2', ['IdPOptionsPolicy'])
# Adding model 'AttributeMapping'
db.create_table('authsaml2_attributemapping', (
('map', self.gf('django.db.models.fields.related.ForeignKey')(to=orm['authsaml2.AuthorizationAttributeMap'])),
('attribute_name', self.gf('django.db.models.fields.CharField')(max_length=40)),
('source_attribute_name', self.gf('django.db.models.fields.CharField')(max_length=40)),
('attribute_value_format', self.gf('django.db.models.fields.CharField')(max_length=40)),
('attribute_value', self.gf('django.db.models.fields.CharField')(max_length=40)),
('id', self.gf('django.db.models.fields.AutoField')(primary_key=True)),
))
db.send_create_signal('authsaml2', ['AttributeMapping'])
models = {
'authsaml2.myserviceprovider': {
'Meta': {'object_name': 'MyServiceProvider'},
'back_url': ('django.db.models.fields.CharField', [], {'max_length': '80'}),
'handle_persistent': ('django.db.models.fields.CharField', [], {'max_length': '80'}),
'handle_transient': ('django.db.models.fields.CharField', [], {'max_length': '80'}),
'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'})
}
}
complete_apps = ['authsaml2']


@ -1,31 +0,0 @@
# encoding: utf-8
import datetime
from south.db import db
from south.v2 import SchemaMigration
from django.db import models
class Migration(SchemaMigration):
def forwards(self, orm):
# Deleting model 'MyServiceProvider'
db.delete_table('authsaml2_myserviceprovider')
def backwards(self, orm):
# Adding model 'MyServiceProvider'
db.create_table('authsaml2_myserviceprovider', (
('id', self.gf('django.db.models.fields.AutoField')(primary_key=True)),
('handle_persistent', self.gf('django.db.models.fields.CharField')(max_length=80)),
('handle_transient', self.gf('django.db.models.fields.CharField')(max_length=80)),
('back_url', self.gf('django.db.models.fields.CharField')(max_length=80)),
))
db.send_create_signal('authsaml2', ['MyServiceProvider'])
models = {
}
complete_apps = ['authsaml2']


@ -1,92 +0,0 @@
from django.db import models
from django.utils.translation import ugettext_lazy as _
from django.db.models.manager import EmptyManager
from django.contrib.auth.models import _user_get_all_permissions, _user_has_perm, _user_has_module_perms
class FakePk:
name = 'pk'
class FakeMeta:
pk = FakePk()
class SAML2TransientUser(object):
'''Class compatible with django.contrib.auth.models.User
which represent an user authenticated using a Transient
federation'''
id = None
pk = None
is_staff = False
is_active = False
is_superuser = False
_groups = EmptyManager()
_user_permissions = EmptyManager()
_meta = FakeMeta()
def __init__(self, id):
self.id = id
self.pk = id
def __unicode__(self):
return 'AnonymousUser'
def __str__(self):
return unicode(self).encode('utf-8')
def __eq__(self, other):
return isinstance(other, self.__class__)
def __ne__(self, other):
return not self.__eq__(other)
def __hash__(self):
return 1 # instances always return the same hash value
def save(self, **kwargs):
pass
def delete(self):
raise NotImplementedError
def set_password(self, raw_password):
raise NotImplementedError
def check_password(self, raw_password):
raise NotImplementedError
def _get_groups(self):
return self._groups
groups = property(_get_groups)
def _get_user_permissions(self):
return self._user_permissions
user_permissions = property(_get_user_permissions)
def get_group_permissions(self, obj=None):
return set()
def get_all_permissions(self, obj=None):
return _user_get_all_permissions(self, obj=obj)
def has_perm(self, perm, obj=None):
return _user_has_perm(self, perm, obj=obj)
def has_perms(self, perm_list, obj=None):
for perm in perm_list:
if not self.has_perm(perm, obj):
return False
return True
def has_module_perms(self, module):
return _user_has_module_perms(self, module)
def is_anonymous(self):
#XXX: Should return True
return False
def is_authenticated(self):
return True
def get_username(self):
return _('Anonymous')
username = property(get_username)



@ -1,10 +0,0 @@
from django.dispatch import Signal
#authz_decision
authz_decision = Signal(providing_args = ["request","attributes","provider"])
#user login
auth_login = Signal(providing_args = ["request","attributes"])
#user logout
auth_logout = Signal(providing_args = ["user"])


@ -1,39 +0,0 @@
{% extends "base.html" %}
{% load i18n %}
{% block title %}
{% trans "Log in to link your account" %}
{% endblock %}
{% block content %}
<p>* {% trans "Log in to link with your existing account" %}</p>
<div id="login-actions">
<form id="login-form" method="post" action="./finish_federation">
<ul class="errorlist">
{% for error in form.non_field_errors %}
<li>{{ error|escape }}</li>
{% endfor %}
{% for error in form.username.errors %}
<li>{% trans "Username:" %} {{ error|escape }}</li>
{% endfor %}
{% for error in form.password.errors %}
<li>{% trans "Password:" %} {{ error|escape }}</li>
{% endfor %}
</ul>
<p>
<label for="id_username">{% trans "Username:" %}</label>
<input id="id_username" type="text" name="username" maxlength="30" />
</p>
<p>
<label for="id_password">{% trans "Password:" %}</label>
<input type="password" name="password" id="id_password" />
</p>
<input type="submit" value="{% trans 'Log in' %}" class="submit" />
<input type="hidden" name="next" value="{{ next }}" />
</form>
</div>
<script type="text/javascript">
document.getElementById('id_username').focus();
</script>
{% endblock %}


@ -1,8 +0,0 @@
{% load i18n %}
<div>
<form method="post" action="">
{% csrf_token %}
{{ form.as_p }}
<input type="submit" name="{{ submit_name }}" value="{% trans "Log in" %}"/>
</form>
</div>


@ -1,20 +0,0 @@
{% extends "base.html" %}
{% load i18n %}
{% block title %}
{% trans "Logout" %}
{% endblock %}
{% block bodyargs %}onload="setTimeout(function () { window.location='{{ next_page }}' }, {{ redir_timeout }})"{% endblock %}
{% block content %}
<h1>{% trans message %}</h1>
<ul class="logout-list">
{% for fragment in logout_list %}
{{ fragment|safe }}
{% endfor %}
</ul>
<div id="continue-link"><a href="{{ next_page }}">{% trans "Continue logout" %}</div>
{% endblock %}


@ -1,9 +0,0 @@
{% extends "base.html" %}
{% load i18n %}
{% block bodyargs %}onload="setTimeout(function () { window.location='{{ next_page }}' }, {{ redir_timeout }})"{% endblock %}
{% block content %}
<h1>{{ title }}</h1>
<p><a href="{{ back }}">{% trans "Back" %}<a/></p>
{% endblock %}


@ -1,32 +0,0 @@
{% load i18n %}
{% if form or federations %}
<h4>{% trans "SAML2 Federations" %}</h4>
<div>
{% if federations %}
<p>
<h5>{% trans "Delete a federation?" %}</h5>
{% for f in federations %}
<form action="{% url 'authsaml2-delete-federation' %}" method="post">
<label for="id_del_fed">{{ f }}</label>
<input type="hidden" name="fed" value="{{ f }}" />
<input type="hidden" name="next" value="/profile" />
<input type="submit" class="submit-link" value="{% trans "Delete" %}">
</form>
{% endfor %}
</p>
{% endif %}
{% if form %}
<p>
<h5>{% trans "Add a federation?" %}</h5>
<form method="post" action="">
{% csrf_token %}
{{ form.as_p }}
<input type="submit" name="{{ submit_name }}" value="{% trans "Log in" %}"/>
</form>
</p>
{% endif %}
</div>
{% endif %}


@ -1,50 +0,0 @@
from django.conf import settings
from django.conf.urls import patterns, url
from authentic2.authsaml2.saml2_endpoints import metadata, sso, finish_federation, \
singleSignOnArtifact, singleSignOnPost, sp_slo, singleLogoutReturn, \
singleLogoutSOAP, singleLogout, federationTermination, manageNameIdReturn, \
manageNameIdSOAP, manageNameId, delete_federation, redirect_to_disco, \
disco_response, finish_slo
urlpatterns = patterns('',
(r'^metadata$', metadata),
# Receive request from user interface
(r'^sso$', sso),
(r'^finish_federation$', finish_federation),
(r'^singleSignOnArtifact$', singleSignOnArtifact),
(r'^singleSignOnPost$', singleSignOnPost),
# Receive request from functions
(r'^sp_slo/(.*)$', sp_slo),
# Receive response from Redirect SP initiated
(r'^singleLogoutReturn$', singleLogoutReturn),
# Receive request from SOAP IdP initiated
(r'^singleLogoutSOAP$', singleLogoutSOAP),
# Receive request from Redirect IdP initiated
(r'^singleLogout$', singleLogout),
# Back of SLO treatment by the IdP Side
(r'^finish_slo$', finish_slo),
# Receive request from user interface
(r'^federationTermination$', federationTermination),
# Receive response from Redirect SP initiated
(r'^manageNameIdReturn$', manageNameIdReturn),
# Receive request from SOAP IdP initiated
(r'^manageNameIdSOAP$', manageNameIdSOAP),
# Receive request from Redirect IdP initiated
(r'^manageNameId$', manageNameId),
# Receive request from Redirect IdP initiated
url(r'^delete_federation/$', delete_federation,
name='authsaml2-delete-federation'),
)
try:
if settings.USE_DISCO_SERVICE:
urlpatterns += patterns('',
#Send idp discovery request
(r'^redirect_to_disco$', redirect_to_disco),
#receive idp discovery response
(r'^discoveryReturn$', disco_response),
)
except:
pass


@ -1,78 +0,0 @@
import re
import time
import logging
from django.template import RequestContext
from django.contrib.auth import REDIRECT_FIELD_NAME
from django.utils.translation import ugettext as _
from django.shortcuts import render_to_response
from django.contrib import messages
from django.conf import settings
__redirection_timeout = 1600
__root_refererer_re = re.compile('^(https?://[^/]*/?)')
def error_page(request, message=None, back=None, logger=None,
default_message=True, timer=False):
'''View that show a simple error page to the user with a back link.
back - url for the back link, if None, return to root of the referer
or the local root.
'''
if logger:
logger.error('Showing message %r on an error page' % message)
else:
logging.error('Showing message %r on an error page' % message)
if back is None:
referer = request.META.get('HTTP_REFERER')
if referer:
root_referer = __root_refererer_re.match(referer)
if root_referer:
back = root_referer.group(1)
if back is None:
back = '/'
global __redirection_timeout
context = RequestContext(request)
if timer:
context['redir_timeout'] = __redirection_timeout
context['next_page'] = back
display_message = getattr(settings, 'DISPLAY_MESSAGE_ERROR_PAGE', ())
if default_message and not display_message:
messages.add_message(request, messages.ERROR,
_('An error happened. Report this %s to the administrator.') % \
time.strftime("[%Y-%m-%d %a %H:%M:%S]", time.localtime()))
elif message:
messages.add_message(request, messages.ERROR, message)
return render_to_response('error_authsaml2.html', {'back': back},
context_instance=context)
# Used to register requested url during SAML redirections
def register_next_target(request, url=None):
if url:
next = url
else:
next = request.GET.get(REDIRECT_FIELD_NAME)
if not next:
next = '/'
request.session['next'] = next
def get_registered_url(request):
if 'next' in request.session:
return request.session['next']
return None
def register_request_id(request, request_id):
request.session['saml_request_id'] = request_id
# Used for account linking
def save_federation_temp(request, login, attributes=None):
if login and login.identity:
request.session['identity_dump'] = login.identity.dump()
request.session['remoteProviderId'] = login.remoteProviderId
request.session['nameId'] = login.nameIdentifier
if attributes:
request.session['attributes'] = attributes
def load_federation_temp(request, login):
if 'identity_dump' in request.session:
login.setIdentityFromDump(request.session['identity_dump'])


@ -2,12 +2,10 @@ from django.contrib.auth.decorators import login_required
from django.http import HttpResponseRedirect
from functools import wraps
from authentic2.authsaml2.models import SAML2TransientUser
TRANSIENT_USER_TYPES = (SAML2TransientUser, )
TRANSIENT_USER_TYPES = []
def is_transient_user(user):
return isinstance(user, TRANSIENT_USER_TYPES)
return isinstance(user, tuple(TRANSIENT_USER_TYPES))
def prevent_access_to_transient_users(view_func):
def _wrapped_view(request, *args, **kwargs):
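Review bot: `TRANSIENT_USER_TYPES = []` turns the transient-user check into a registry that plugins must populate, and nothing in the hunk documents that; a user class that is never appended here is treated as a regular user by `is_transient_user`, so `prevent_access_to_transient_users` (whose body continues outside the hunk), the `is_transient_user` call in the IdP SAML endpoints and the one in the homepage view would all let such a user through. I would add above the assignment: `# Registry of transient (non-persisted) user classes. Authentication plugins such as authentic2-auth-saml2 must append theirs at import time; a class missing here is not recognised by is_transient_user() or prevent_access_to_transient_users().` The comment should say "append", because a plugin that rebinds `decorators.TRANSIENT_USER_TYPES` to its own list would silently drop other registrations, and `tuple(TRANSIENT_USER_TYPES)` is rebuilt on every call only because `isinstance` does not accept a list.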


@ -72,9 +72,9 @@ from authentic2.constants import NONCE_FIELD_NAME
from authentic2.idp import signals as idp_signals
# from authentic2.idp.models import *
from authentic2.authsaml2.models import SAML2TransientUser
from authentic2.utils import (cache_and_validate, get_backends as
get_idp_backends, get_username)
from authentic2.decorators import is_transient_user
logger = logging.getLogger('authentic2.idp.saml')
@ -252,13 +252,6 @@ def build_assertion(request, login, nid_format='transient', attributes=None):
authn_context = lasso.SAML2_AUTHN_CONTEXT_PASSWORD
elif backend == 'authentic2.auth2_auth.auth2_ssl.backend.SSLBackend':
authn_context = lasso.SAML2_AUTHN_CONTEXT_X509
# XXX: grab context from the assertion received
elif backend == \
'authentic2.authsaml2.backends.AuthSAML2PersistentBackend':
authn_context = lasso.SAML2_AUTHN_CONTEXT_UNSPECIFIED
elif backend == \
'authentic2.authsaml2.backends.AuthSAML2TransientBackend':
authn_context = lasso.SAML2_AUTHN_CONTEXT_UNSPECIFIED
else:
backend = load_backend(backend)
if hasattr(backend, 'get_saml2_authn_context'):
@ -581,8 +574,7 @@ def sso_after_process_request(request, login, consent_obtained=False,
#Deal with transient users
transient_user = False
# XXX: Deal with all kind of transient users
type(SAML2TransientUser)
if isinstance(request.user, SAML2TransientUser):
if is_transient_user(request.user):
logger.debug('the user is transient')
transient_user = True
if transient_user and login.request.nameIdPolicy.format == \
@ -1285,52 +1277,6 @@ def slo_soap(request):
logger.exception('slo, relaying to %s failed ' %
lib_session.provider_id)
#Send SLO to IdP
pid = None
q = LibertySessionDump. \
objects.filter(django_session_key__in=django_session_keys,
kind=LIBERTY_SESSION_DUMP_KIND_SP)
if not q:
logger.info('No session found for a third IdP')
else:
from authentic2.authsaml2 import saml2_endpoints
server = saml2_endpoints.create_server(request)
logout2 = lasso.Logout(server)
for s in q:
logger.debug('IdP session found %s' % s.session_dump)
try:
lib_session = lasso.Session().newFromDump(s.session_dump.encode('utf-8'))
except lasso.Error:
logger.debug('Unable to load session %s' % s.session_dump)
else:
try:
pid = lib_session.get_assertions().keys()[0]
logger.debug('SLO to %s' % pid)
logout2.setSessionFromDump(s.session_dump.encode('utf8'))
provider = load_provider(request, pid,
server=server, sp_or_idp='idp')
policy = get_idp_options_policy(provider)
if not policy:
logger.error('No policy found for %s'\
% provider)
elif not policy.forward_slo:
logger.info('%s configured to not receive \
slo' % provider)
else:
'''
As we are in a synchronous binding,
we need SOAP support
'''
logout2.initRequest(None, lasso.HTTP_METHOD_SOAP)
logout2.buildRequestMsg()
soap_response = send_soap_request(request, logout2)
logout2.processResponseMsg(soap_response)
logger.info('successful SLO with %s' \
% pid)
except Exception, e:
logger.error('error treating SLO with IdP %s' \
% str(e))
'''
Respond to the SP initiating SLO
'''
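Review bot: The block removed from `slo_soap` was the only place that, after relaying the logout to the other SPs, forwarded the SLO to an upstream IdP recorded in `LibertySessionDump` with `LIBERTY_SESSION_DUMP_KIND_SP`, and nothing replaces it, so an SP-initiated SOAP logout now stops at this IdP and a session at an upstream IdP presumably stays alive until the plugin provides its own forwarding. A comment at the deletion point, `# Forwarding the SLO to upstream IdPs (SP role) now belongs to the authentication plugin; no hook is provided here.`, would make that explicit for whoever wires the plugin in. The `is_transient_user` check in the third hunk additionally relies on the plugin registering its user class in `decorators.TRANSIENT_USER_TYPES`. `slo_soap` starts before and continues after the hunk.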


@ -26,7 +26,6 @@ from authentic2.saml.models import LibertyFederation, LibertyProvider, \
from authentic2.saml import models
from authentic2.saml import saml2utils
from authentic2.authsaml2 import signals
from authentic2.http_utils import get_url
from .. import nonce
@ -438,31 +437,6 @@ def lookup_federation_by_user(user, qualifier):
return None
return fed[0]
# List Idp providers - Use from display in templates
# WARNING: No way for multiple federation by user with a single IdP (is it a problem??)
def get_idp_list():
return LibertyProvider.objects.exclude(identity_provider=None) \
.values('entity_id','name')
def get_idp_list_sorted():
return LibertyProvider.objects.exclude(identity_provider=None) \
.order_by('name').values('entity_id','name')
def get_idp_user_federated_list(request):
user = request.user
if request.user.is_anonymous():
return None
return [p for p in get_idp_list() \
if lookup_federation_by_user(user, p.entity_id)]
def get_idp_user_not_federated_list(request):
user = request.user
if request.user.is_anonymous():
return None
return [p for p in get_idp_list() \
if not lookup_federation_by_user(user, p.entity_id)]
# The session_index is the "session on the IdP" identifiers
# One identifier is dedicated for each sp for each user session
# to not be a factor of linkability between sp
@ -724,9 +698,6 @@ def authz_decision_cb(sender, request=None, attributes={},
_('Your access is denied. At least one attribute does not match.')
return dic
signals.authz_decision.connect(authz_decision_cb,
dispatch_uid='authz_decision_on_attributes')
def get_session_not_on_or_after(assertion):
'''Extract the minimal value for the SessionNotOnOrAfter found in the given
assertion AuthenticationStatement(s).
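Review bot: The third hunk drops `signals.authz_decision.connect(authz_decision_cb, dispatch_uid='authz_decision_on_attributes')` but keeps `authz_decision_cb` (its body ends at `return dic` just above the removed lines), so the attribute-based access denial it implements is no longer wired to anything in this module and will not run unless the plugin connects it to its own signal. If that is the intent, the function should say so, e.g. a docstring line `Not connected in this module: the SAML2 authentication plugin must connect this callback to its authz_decision signal.`; otherwise the check is silently lost. `get_session_not_on_or_after` at the end of the hunk continues outside it.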


@ -213,7 +213,6 @@ DISCO_USE_OF_METADATA = 'DISCO_USE_OF_METADATA' in os.environ
DISCO_SERVICE_NAME = os.environ.get('DISCO_SERVICE_NAME', "http://www.identity-hub.com/disco_service/disco")
DISCO_RETURN_ID_PARAM = "entityID"
SHOW_DISCO_IN_MD = 'SHOW_DISCO_IN_MD' in os.environ
USE_DISCO_SERVICE = 'USE_DISCO_SERVICE' in os.environ
###########################
# Authentication settings
@ -339,7 +338,6 @@ ADMIN_TOOLS_INDEX_DASHBOARD = 'authentic2.dashboard.CustomIndexDashboard'
ADMIN_TOOLS_APP_INDEX_DASHBOARD = 'authentic2.dashboard.CustomAppIndexDashboard'
ADMIN_TOOLS_MENU = 'authentic2.menu.CustomMenu'
AUTH_SAML2 = 'AUTH_SAML2' in os.environ
AUTH_OPENID = 'AUTH_OPENID' in os.environ
AUTH_SSL = 'AUTH_SSL' in os.environ
IDP_SAML2 = 'IDP_SAML2' in os.environ
@ -435,15 +433,6 @@ if USE_DEBUG_TOOLBAR:
except ImportError:
print "Debug toolbar missing, not loaded"
if AUTH_SAML2:
INSTALLED_APPS += ('authentic2.authsaml2',)
AUTHENTICATION_BACKENDS += (
'authentic2.authsaml2.backends.AuthSAML2PersistentBackend',
'authentic2.authsaml2.backends.AuthSAML2TransientBackend')
AUTH_FRONTENDS += ('authentic2.authsaml2.frontend.AuthSAML2Frontend',)
IDP_BACKENDS += ('authentic2.authsaml2.backends.AuthSAML2Backend',)
DISPLAY_MESSAGE_ERROR_PAGE = True
if AUTH_OPENID:
INSTALLED_APPS += ('authentic2.auth2_auth.auth2_openid', 'django_authopenid',)
AUTH_FRONTENDS += ('authentic2.auth2_auth.auth2_openid.backend.OpenIDFrontend',)
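Review bot: Removing `AUTH_SAML2 = 'AUTH_SAML2' in os.environ` and the `if AUTH_SAML2:` block means a deployment that still sets `AUTH_SAML2` in its environment gets neither an error nor a SAML2 SP configuration, and `DISPLAY_MESSAGE_ERROR_PAGE` is no longer set anywhere in this file. A comment where the block stood, `# SAML2 SP authentication moved to the authentic2-auth-saml2 plugin; AUTH_SAML2 is no longer read here.`, would tell operators where the setting went.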


@ -1,54 +0,0 @@
{% extends "base.html" %}
{% load i18n %}
{% block title %}
{% trans "Log in" %}
{% endblock %}
{% block content %}
<form id="login-form" method="post" action=".">
{% csrf_token %}
{{ form.as_p }}
<input type="submit" value="{% trans 'Log in' %}" class="submit" />
<input type="hidden" name="next" value="{{ next }}" />
</form>
<div class="login-actions">
<p>→ {% trans "Forgot password?" %} <a href="{% url 'auth_password_reset' %}">{% trans "Reset it!" %}</a></p>
<p>→ {% trans "Not a member?" %} <a href="{% url 'registration_register' %}">{% trans "Register!" %}</a></p>
</div>
<div id="alt-methods">
{% for method in alt_methods %}
<p><a class="{{ method.class }}" href="{{ method.url }}">{% trans method.caption %}</a></p>
{% endfor %}
</div>
{% if providers_list %}
<div id="login-actions">
{% trans "Log in with a federated account?" %}
</div>
<div>
<form>
{% csrf_token %}
<select name="list_providers" size="1" onChange="redirect_from_list(this.form)">
<option selected="selected">{% trans "Tell me where!" %}</option>
{% for p in providers_list %}
<option><a href="/authsaml2/selectProvider/{{ p.entity_id }}" >{{ p.entity_id }}</a></option>
{% endfor %}
</select>
</form>
</div>
{% endif %}
<script type="text/javascript">
document.getElementById('id_username').focus();
</script>
{% endblock %}
{% block extra_scripts %}
<script type="text/javascript" src="{{ STATIC_URL }}jquery/js/jquery.js"></script>
<script type="text/javascript" src="{{ STATIC_URL }}jquery/js/jquery-ui.js"></script>
{% endblock %}


@ -37,10 +37,6 @@ if settings.AUTH_SSL:
urlpatterns += not_homepage_patterns
urlpatterns += patterns('',
(r'^authsaml2/', include('authentic2.authsaml2.urls')),
)
try:
if settings.DISCO_SERVICE:
urlpatterns += patterns('',


@ -310,9 +310,7 @@ def homepage(request):
def _homepage(request):
'''Homepage of the IdP'''
tpl_parameters = {}
# FIXME: we should not refer to a specific authentication module here
from authentic2.authsaml2.models import SAML2TransientUser
if not isinstance(request.user, SAML2TransientUser):
if not decorators.is_transient_user(request.user):
tpl_parameters['account_management'] = 'account_management'
tpl_parameters['authorized_services'] = service_list(request)
return render_to_response('idp/homepage.html',


@ -61,16 +61,6 @@ Values:
* False: deactivate SSL authentication
* True: activate SSL authentication
Activate or deactivate SAML2 authentication, Authentic 2 is a SAML2 service provider
====================================================================================
Variable: AUTH_SAML2
Values:
* False: deactivate SAML2 authentication
* True: activate SAML2 authentication
Activate or deactivate OpenID authentication, Authentic 2 is an OpenID relying party
====================================================================================