[saml] add a policy model for liberty service providers

Contains also a fixture setting an initial Default and Shibboleth SP policy.
2011-03-18 12:12:39 +01:00 · 2011-03-18 12:12:39 +01:00 · f1b0ad5187
parent c9aa26a988
commit f1b0ad5187
4 changed files with 274 additions and 0 deletions
--- a/authentic2/saml/admin.py
+++ b/authentic2/saml/admin.py
@ -136,11 +136,18 @@ class LibertyProviderAdmin(admin.ModelAdmin):
            LibertyIdentityProviderInline
    ]

+class LibertyProviderPolicyAdmin(admin.ModelAdmin):
+    inlines = [
+            LibertyServiceProviderInline,
+    ]
+
+
 admin.site.register(IdPOptionsSPPolicy, IdPOptionsSPPolicyAdmin)
 admin.site.register(AuthorizationSPPolicy, AuthorizationSPPolicyAdmin)
 admin.site.register(AuthorizationAttributeMap, AuthorizationAttributeMapAdmin)
 admin.site.register(AuthorizationAttributeMapping, AuthorizationAttributeMappingAdmin)
 admin.site.register(LibertyProvider, LibertyProviderAdmin)
+admin.site.register(LibertyProviderPolicy, LibertyProviderPolicyAdmin)

 if settings.DEBUG:
    admin.site.register(LibertySessionDump)
--- a/authentic2/saml/fixtures/initial_data.yaml
+++ b/authentic2/saml/fixtures/initial_data.yaml
@ -0,0 +1,6 @@
+- model: saml.libertyproviderpolicy
+  pk: 1
+  fields: {authn_request_signature_check_hint: 0, name: Default}
+- fields: {authn_request_signature_check_hint: 2, name: Shibboleth SP}
+  model: saml.libertyproviderpolicy
+  pk: 2
--- a/authentic2/saml/migrations/0007_auto__add_libertyproviderpolicy__add_field_libertyserviceprovider_poli.py
+++ b/authentic2/saml/migrations/0007_auto__add_libertyproviderpolicy__add_field_libertyserviceprovider_poli.py
@ -0,0 +1,243 @@
+# encoding: utf-8
+import datetime
+from south.db import db
+from south.v2 import SchemaMigration
+from django.db import models
+
+class Migration(SchemaMigration):
+
+    def forwards(self, orm):
+        
+        # Adding model 'LibertyProviderPolicy'
+        db.create_table('saml_libertyproviderpolicy', (
+            ('id', self.gf('django.db.models.fields.AutoField')(primary_key=True)),
+            ('name', self.gf('django.db.models.fields.CharField')(unique=True, max_length=64)),
+            ('authn_request_signature_check_hint', self.gf('django.db.models.fields.IntegerField')(default=0)),
+        ))
+        db.send_create_signal('saml', ['LibertyProviderPolicy'])
+
+        # Adding field 'LibertyServiceProvider.policy'
+        db.add_column('saml_libertyserviceprovider', 'policy', self.gf('django.db.models.fields.related.ForeignKey')(default=1, to=orm['saml.LibertyProviderPolicy'], null=True), keep_default=False)
+
+
+    def backwards(self, orm):
+        
+        # Deleting model 'LibertyProviderPolicy'
+        db.delete_table('saml_libertyproviderpolicy')
+
+        # Deleting field 'LibertyServiceProvider.policy'
+        db.delete_column('saml_libertyserviceprovider', 'policy_id')
+
+
+    models = {
+        'auth.group': {
+            'Meta': {'object_name': 'Group'},
+            'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
+            'name': ('django.db.models.fields.CharField', [], {'unique': 'True', 'max_length': '80'}),
+            'permissions': ('django.db.models.fields.related.ManyToManyField', [], {'to': "orm['auth.Permission']", 'symmetrical': 'False', 'blank': 'True'})
+        },
+        'auth.permission': {
+            'Meta': {'ordering': "('content_type__app_label', 'content_type__model', 'codename')", 'unique_together': "(('content_type', 'codename'),)", 'object_name': 'Permission'},
+            'codename': ('django.db.models.fields.CharField', [], {'max_length': '100'}),
+            'content_type': ('django.db.models.fields.related.ForeignKey', [], {'to': "orm['contenttypes.ContentType']"}),
+            'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
+            'name': ('django.db.models.fields.CharField', [], {'max_length': '50'})
+        },
+        'auth.user': {
+            'Meta': {'object_name': 'User'},
+            'date_joined': ('django.db.models.fields.DateTimeField', [], {'default': 'datetime.datetime.now'}),
+            'email': ('django.db.models.fields.EmailField', [], {'max_length': '75', 'blank': 'True'}),
+            'first_name': ('django.db.models.fields.CharField', [], {'max_length': '30', 'blank': 'True'}),
+            'groups': ('django.db.models.fields.related.ManyToManyField', [], {'to': "orm['auth.Group']", 'symmetrical': 'False', 'blank': 'True'}),
+            'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
+            'is_active': ('django.db.models.fields.BooleanField', [], {'default': 'True'}),
+            'is_staff': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
+            'is_superuser': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
+            'last_login': ('django.db.models.fields.DateTimeField', [], {'default': 'datetime.datetime.now'}),
+            'last_name': ('django.db.models.fields.CharField', [], {'max_length': '30', 'blank': 'True'}),
+            'password': ('django.db.models.fields.CharField', [], {'max_length': '128'}),
+            'user_permissions': ('django.db.models.fields.related.ManyToManyField', [], {'to': "orm['auth.Permission']", 'symmetrical': 'False', 'blank': 'True'}),
+            'username': ('django.db.models.fields.CharField', [], {'unique': 'True', 'max_length': '30'})
+        },
+        'contenttypes.contenttype': {
+            'Meta': {'ordering': "('name',)", 'unique_together': "(('app_label', 'model'),)", 'object_name': 'ContentType', 'db_table': "'django_content_type'"},
+            'app_label': ('django.db.models.fields.CharField', [], {'max_length': '100'}),
+            'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
+            'model': ('django.db.models.fields.CharField', [], {'max_length': '100'}),
+            'name': ('django.db.models.fields.CharField', [], {'max_length': '100'})
+        },
+        'saml.authorizationattributemap': {
+            'Meta': {'object_name': 'AuthorizationAttributeMap'},
+            'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
+            'name': ('django.db.models.fields.CharField', [], {'unique': 'True', 'max_length': '40'})
+        },
+        'saml.authorizationattributemapping': {
+            'Meta': {'object_name': 'AuthorizationAttributeMapping'},
+            'attribute_name': ('django.db.models.fields.CharField', [], {'max_length': '40'}),
+            'attribute_value': ('django.db.models.fields.CharField', [], {'max_length': '40'}),
+            'attribute_value_format': ('django.db.models.fields.CharField', [], {'max_length': '40', 'blank': 'True'}),
+            'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
+            'map': ('django.db.models.fields.related.ForeignKey', [], {'to': "orm['saml.AuthorizationAttributeMap']"}),
+            'source_attribute_name': ('django.db.models.fields.CharField', [], {'max_length': '40', 'blank': 'True'})
+        },
+        'saml.authorizationsppolicy': {
+            'Meta': {'object_name': 'AuthorizationSPPolicy'},
+            'attribute_map': ('django.db.models.fields.related.ForeignKey', [], {'blank': 'True', 'related_name': "'authorization_attributes'", 'null': 'True', 'to': "orm['saml.AuthorizationAttributeMap']"}),
+            'default_denial_message': ('django.db.models.fields.CharField', [], {'default': "u'You are not authorized to access the service.'", 'max_length': '80'}),
+            'enabled': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
+            'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
+            'name': ('django.db.models.fields.CharField', [], {'unique': 'True', 'max_length': '80'})
+        },
+        'saml.idpoptionssppolicy': {
+            'Meta': {'object_name': 'IdPOptionsSPPolicy'},
+            'allow_create': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
+            'binding_for_sso_response': ('django.db.models.fields.CharField', [], {'default': "'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact'", 'max_length': '60'}),
+            'enable_binding_for_sso_response': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
+            'enable_http_method_for_defederation_request': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
+            'enable_http_method_for_slo_request': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
+            'enabled': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
+            'http_method_for_defederation_request': ('django.db.models.fields.IntegerField', [], {'default': '5', 'max_length': '60'}),
+            'http_method_for_slo_request': ('django.db.models.fields.IntegerField', [], {'default': '4', 'max_length': '60'}),
+            'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
+            'name': ('django.db.models.fields.CharField', [], {'unique': 'True', 'max_length': '80'}),
+            'no_nameid_policy': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
+            'requested_name_id_format': ('django.db.models.fields.CharField', [], {'default': "'none'", 'max_length': '20'}),
+            'transient_is_persistent': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
+            'user_consent': ('django.db.models.fields.CharField', [], {'default': "'urn:oasis:names:tc:SAML:2.0:consent:current-implicit'", 'max_length': '60'}),
+            'want_authn_request_signed': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
+            'want_force_authn_request': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
+            'want_is_passive_authn_request': ('django.db.models.fields.BooleanField', [], {'default': 'False'})
+        },
+        'saml.keyvalue': {
+            'Meta': {'object_name': 'KeyValue'},
+            'key': ('django.db.models.fields.CharField', [], {'max_length': '40', 'primary_key': 'True'}),
+            'value': ('authentic2.saml.fields.PickledObjectField', [], {})
+        },
+        'saml.libertyartifact': {
+            'Meta': {'object_name': 'LibertyArtifact'},
+            'artifact': ('django.db.models.fields.CharField', [], {'max_length': '40', 'primary_key': 'True'}),
+            'content': ('django.db.models.fields.TextField', [], {}),
+            'creation': ('django.db.models.fields.DateTimeField', [], {'auto_now_add': 'True', 'blank': 'True'}),
+            'django_session_key': ('django.db.models.fields.CharField', [], {'max_length': '40'}),
+            'provider_id': ('django.db.models.fields.CharField', [], {'max_length': '80'})
+        },
+        'saml.libertyassertion': {
+            'Meta': {'object_name': 'LibertyAssertion'},
+            'assertion': ('django.db.models.fields.TextField', [], {}),
+            'assertion_id': ('django.db.models.fields.CharField', [], {'max_length': '50'}),
+            'creation': ('django.db.models.fields.DateTimeField', [], {'auto_now_add': 'True', 'blank': 'True'}),
+            'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
+            'provider_id': ('django.db.models.fields.CharField', [], {'max_length': '80'}),
+            'session_index': ('django.db.models.fields.CharField', [], {'max_length': '80'})
+        },
+        'saml.libertyattributemap': {
+            'Meta': {'object_name': 'LibertyAttributeMap'},
+            'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
+            'name': ('django.db.models.fields.CharField', [], {'unique': 'True', 'max_length': '40'})
+        },
+        'saml.libertyattributemapping': {
+            'Meta': {'object_name': 'LibertyAttributeMapping'},
+            'attribute_name': ('django.db.models.fields.CharField', [], {'max_length': '40'}),
+            'attribute_value_format': ('django.db.models.fields.URLField', [], {'max_length': '200'}),
+            'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
+            'map': ('django.db.models.fields.related.ForeignKey', [], {'to': "orm['saml.LibertyAttributeMap']"}),
+            'source_attribute_name': ('django.db.models.fields.CharField', [], {'max_length': '40'})
+        },
+        'saml.libertyfederation': {
+            'Meta': {'unique_together': "(('name_id_qualifier', 'name_id_format', 'name_id_content', 'name_id_sp_name_qualifier'),)", 'object_name': 'LibertyFederation'},
+            'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
+            'idp_id': ('django.db.models.fields.CharField', [], {'max_length': '80'}),
+            'name_id_content': ('django.db.models.fields.CharField', [], {'max_length': '100'}),
+            'name_id_format': ('django.db.models.fields.CharField', [], {'max_length': '100', 'null': 'True', 'blank': 'True'}),
+            'name_id_qualifier': ('django.db.models.fields.CharField', [], {'max_length': '150', 'null': 'True', 'blank': 'True'}),
+            'name_id_sp_name_qualifier': ('django.db.models.fields.CharField', [], {'max_length': '100', 'null': 'True', 'blank': 'True'}),
+            'name_id_sp_provided_id': ('django.db.models.fields.CharField', [], {'max_length': '100', 'null': 'True', 'blank': 'True'}),
+            'sp_id': ('django.db.models.fields.CharField', [], {'max_length': '80'}),
+            'user': ('django.db.models.fields.related.ForeignKey', [], {'to': "orm['auth.User']"})
+        },
+        'saml.libertyidentitydump': {
+            'Meta': {'object_name': 'LibertyIdentityDump'},
+            'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
+            'identity_dump': ('django.db.models.fields.TextField', [], {'blank': 'True'}),
+            'user': ('django.db.models.fields.related.ForeignKey', [], {'to': "orm['auth.User']", 'unique': 'True'})
+        },
+        'saml.libertyidentityprovider': {
+            'Meta': {'object_name': 'LibertyIdentityProvider'},
+            'authorization_policy': ('django.db.models.fields.related.ForeignKey', [], {'blank': 'True', 'related_name': "'authorization_policy'", 'null': 'True', 'to': "orm['saml.AuthorizationSPPolicy']"}),
+            'enable_following_authorization_policy': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
+            'enable_following_idp_options_policy': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
+            'enabled': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
+            'idp_options_policy': ('django.db.models.fields.related.ForeignKey', [], {'blank': 'True', 'related_name': "'idp_options_policy'", 'null': 'True', 'to': "orm['saml.IdPOptionsSPPolicy']"}),
+            'liberty_provider': ('django.db.models.fields.related.OneToOneField', [], {'related_name': "'identity_provider'", 'unique': 'True', 'primary_key': 'True', 'to': "orm['saml.LibertyProvider']"})
+        },
+        'saml.libertymanagedump': {
+            'Meta': {'object_name': 'LibertyManageDump'},
+            'django_session_key': ('django.db.models.fields.CharField', [], {'max_length': '40'}),
+            'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
+            'manage_dump': ('django.db.models.fields.TextField', [], {'blank': 'True'})
+        },
+        'saml.libertyprovider': {
+            'Meta': {'object_name': 'LibertyProvider'},
+            'ca_cert_chain': ('django.db.models.fields.TextField', [], {'blank': 'True'}),
+            'entity_id': ('django.db.models.fields.URLField', [], {'unique': 'True', 'max_length': '200'}),
+            'entity_id_sha1': ('django.db.models.fields.CharField', [], {'max_length': '40', 'blank': 'True'}),
+            'federation_source': ('django.db.models.fields.CharField', [], {'max_length': '64', 'null': 'True', 'blank': 'True'}),
+            'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
+            'metadata': ('django.db.models.fields.TextField', [], {}),
+            'name': ('django.db.models.fields.CharField', [], {'max_length': '140', 'blank': 'True'}),
+            'protocol_conformance': ('django.db.models.fields.IntegerField', [], {'max_length': '10'}),
+            'public_key': ('django.db.models.fields.TextField', [], {'blank': 'True'}),
+            'ssl_certificate': ('django.db.models.fields.TextField', [], {'blank': 'True'})
+        },
+        'saml.libertyproviderpolicy': {
+            'Meta': {'object_name': 'LibertyProviderPolicy'},
+            'authn_request_signature_check_hint': ('django.db.models.fields.IntegerField', [], {'default': '0'}),
+            'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
+            'name': ('django.db.models.fields.CharField', [], {'unique': 'True', 'max_length': '64'})
+        },
+        'saml.libertyserviceprovider': {
+            'Meta': {'object_name': 'LibertyServiceProvider'},
+            'accepted_name_id_format': ('authentic2.saml.fields.MultiSelectField', [], {'max_length': '31', 'blank': 'True'}),
+            'ask_user_consent': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
+            'attribute_map': ('django.db.models.fields.related.ForeignKey', [], {'blank': 'True', 'related_name': "'service_providers'", 'null': 'True', 'to': "orm['saml.LibertyAttributeMap']"}),
+            'authn_request_signed': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
+            'default_name_id_format': ('django.db.models.fields.CharField', [], {'default': "'none'", 'max_length': '20'}),
+            'enabled': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
+            'encrypt_assertion': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
+            'encrypt_nameid': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
+            'idp_initiated_sso': ('django.db.models.fields.BooleanField', [], {'default': 'False'}),
+            'liberty_provider': ('django.db.models.fields.related.OneToOneField', [], {'related_name': "'service_provider'", 'unique': 'True', 'primary_key': 'True', 'to': "orm['saml.LibertyProvider']"}),
+            'policy': ('django.db.models.fields.related.ForeignKey', [], {'default': '1', 'to': "orm['saml.LibertyProviderPolicy']", 'null': 'True'}),
+            'prefered_assertion_consumer_binding': ('django.db.models.fields.CharField', [], {'default': "'meta'", 'max_length': '4'})
+        },
+        'saml.libertysession': {
+            'Meta': {'object_name': 'LibertySession'},
+            'assertion': ('django.db.models.fields.related.ForeignKey', [], {'to': "orm['saml.LibertyAssertion']", 'null': 'True'}),
+            'creation': ('django.db.models.fields.DateTimeField', [], {'auto_now_add': 'True', 'blank': 'True'}),
+            'django_session_key': ('django.db.models.fields.CharField', [], {'max_length': '40'}),
+            'federation': ('django.db.models.fields.related.ForeignKey', [], {'to': "orm['saml.LibertyFederation']", 'null': 'True'}),
+            'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
+            'name_id_content': ('django.db.models.fields.CharField', [], {'max_length': '100'}),
+            'name_id_format': ('django.db.models.fields.CharField', [], {'max_length': '100', 'null': 'True'}),
+            'name_id_qualifier': ('django.db.models.fields.CharField', [], {'max_length': '150', 'null': 'True'}),
+            'name_id_sp_name_qualifier': ('django.db.models.fields.CharField', [], {'max_length': '100', 'null': 'True'}),
+            'provider_id': ('django.db.models.fields.CharField', [], {'max_length': '80'}),
+            'session_index': ('django.db.models.fields.CharField', [], {'max_length': '80'})
+        },
+        'saml.libertysessiondump': {
+            'Meta': {'object_name': 'LibertySessionDump'},
+            'django_session_key': ('django.db.models.fields.CharField', [], {'max_length': '40'}),
+            'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
+            'kind': ('django.db.models.fields.IntegerField', [], {}),
+            'session_dump': ('django.db.models.fields.TextField', [], {'blank': 'True'})
+        },
+        'saml.libertysessionsp': {
+            'Meta': {'object_name': 'LibertySessionSP'},
+            'django_session_key': ('django.db.models.fields.CharField', [], {'max_length': '40'}),
+            'federation': ('django.db.models.fields.related.ForeignKey', [], {'to': "orm['saml.LibertyFederation']"}),
+            'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}),
+            'session_index': ('django.db.models.fields.CharField', [], {'max_length': '80'})
+        }
+    }
+
+    complete_apps = ['saml']
--- a/authentic2/saml/models.py
+++ b/authentic2/saml/models.py
@ -139,6 +139,11 @@ USER_CONSENT = (
    ('urn:oasis:names:tc:SAML:2.0:consent:inapplicable', _('Inapplicable'))
 )

+SIGNATURE_VERIFY_HINT = {
+        lasso.PROFILE_SIGNATURE_VERIFY_HINT_MAYBE: _('Let authentic decides which signatures to check'),
+        lasso.PROFILE_SIGNATURE_VERIFY_HINT_FORCE: _('Always check signatures'),
+        lasso.PROFILE_SIGNATURE_VERIFY_HINT_IGNORE: _('Does not check signatures') }
+
 class LibertyAttributeMap(models.Model):
    name = models.CharField(max_length = 40, unique = True)
    def __unicode__(self):
@ -150,6 +155,17 @@ class LibertyAttributeMapping(models.Model):
    attribute_name = models.CharField(max_length = 40)
    map = models.ForeignKey(LibertyAttributeMap)

+class LibertyProviderPolicy(models.Model):
+    name = models.CharField(max_length=64, unique=True)
+    authn_request_signature_check_hint = models.IntegerField(
+            verbose_name=_("How to verify signatures Authentication Request ?"),
+            choices=SIGNATURE_VERIFY_HINT.items(),
+            default=lasso.PROFILE_SIGNATURE_VERIFY_HINT_MAYBE)
+    def __unicode__(self):
+        options = []
+        options.append('AuthnRequest signature: ' + SIGNATURE_VERIFY_HINT[self.authn_request_signature_check_hint])
+        return self.name + ' (%s)' % ', '.join(options)
+
 class IdPOptionsSPPolicy(models.Model):
    name = models.CharField(_('name'), max_length=80, unique=True)
    enabled = models.BooleanField(verbose_name = _('Enabled'))
@ -322,6 +338,8 @@ class LibertyServiceProvider(models.Model):
    # i.e. provider.roles & lasso.PROVIDER_ROLE_SP != 0
    ask_user_consent = models.BooleanField(
        verbose_name = _('Ask user for consent when creating a federation'), default = False)
+    policy = models.ForeignKey(LibertyProviderPolicy,
+            verbose_name=_("Protocol policy"), null=True, default=1)

 # TODO: The choice for requests must be restricted by the IdP metadata
 # The SP then chooses the binding in this list.