django-mellon/mellon/utils.py

import logging
import datetime
import importlib
from functools import wraps
from xml.etree import ElementTree as ET
import requests
import requests.exceptions
import dateutil.parser

from django.core.urlresolvers import reverse
from django.template.loader import render_to_string
from django.utils.timezone import make_aware, now, make_naive, is_aware
from django.conf import settings
import lasso

from . import app_settings


def create_metadata(request):
    entity_id = reverse('mellon_metadata')
    cache = getattr(settings, '_MELLON_METADATA_CACHE', {})
    if not entity_id in cache:
        login_url = reverse('mellon_login')
        logout_url = reverse('mellon_logout')
        public_keys = []
        for public_key in app_settings.PUBLIC_KEYS:
            if public_key.startswith('/'):
                # clean PEM file
                public_key = ''.join(file(public_key).read().splitlines()[1:-1])
            public_keys.append(public_key)
        name_id_formats = app_settings.NAME_ID_FORMATS
        cache[entity_id] = render_to_string('mellon/metadata.xml', {
            'entity_id': request.build_absolute_uri(entity_id),
            'login_url': request.build_absolute_uri(login_url),
            'logout_url': request.build_absolute_uri(logout_url),
            'public_keys': public_keys,
            'name_id_formats': name_id_formats,
            'default_assertion_consumer_binding': app_settings.DEFAULT_ASSERTION_CONSUMER_BINDING,
        })
        settings._MELLON_METADATA_CACHE = cache
    return settings._MELLON_METADATA_CACHE[entity_id]

SERVERS = {}


def create_server(request):
    logger = logging.getLogger(__name__)
    root = request.build_absolute_uri('/')
    if root not in SERVERS:
        idps = get_idps()
        metadata = create_metadata(request)
        if app_settings.PRIVATE_KEY:
            private_key = app_settings.PRIVATE_KEY
            private_key_password = app_settings.PRIVATE_KEY_PASSWORD
        elif app_settings.PRIVATE_KEYS:
            private_key = app_settings.PRIVATE_KEYS
            private_key_password = None
            if isinstance(private_key, (tuple, list)):
                private_key_password = private_key[1]
                private_key = private_key[0]
        else:  # no signature
            private_key = None
            private_key_password = None
        server = lasso.Server.newFromBuffers(metadata,
                private_key_content=private_key,
                private_key_password=private_key_password)
        server.setEncryptionPrivateKeyWithPassword(private_key, private_key_password)
        for key in app_settings.PRIVATE_KEYS:
            password = None
            if isinstance(key, (tuple, list)):
                password = key[1]
                key = key[0]
            server.setEncryptionPrivateKeyWithPassword(key, password)
        for i, idp in enumerate(idps):
            if 'METADATA_URL' in idp and 'METADATA' not in idp:
                verify_ssl_certificate = get_setting(
                    idp, 'VERIFY_SSL_CERTIFICATE')
                try:
                    response = requests.get(idp['METADATA_URL'],
                                        verify=verify_ssl_certificate)
                    response.raise_for_status()
                except requests.exceptions.RequestException, e:
                    logger.error(u'retrieval of metadata URL %r failed with error %s for %d-th idp',
                                 idp['METADATA_URL'], e, i)
                    continue
                metadata = response.content
            elif 'METADATA' in idp:
                if idp['METADATA'].startswith('/'):
                    metadata = file(idp['METADATA']).read()
            else:
                logger.error(u'missing METADATA or METADATA_URL in %d-th idp', i)
                continue
            try:
                server.addProviderFromBuffer(lasso.PROVIDER_ROLE_IDP, metadata)
            except lasso.Error, e:
                logger.error(u'bad metadata in %d-th idp', i)
                logger.debug(u'lasso error: %s', e)
                continue
            idp['ENTITY_ID'] = ET.fromstring(metadata).attrib['entityID']
            idp['METADATA'] = metadata
        SERVERS[root] = server
    return SERVERS[root]


def create_login(request):
    server = create_server(request)
    login = lasso.Login(server)
    if not app_settings.PRIVATE_KEY and not app_settings.PRIVATE_KEYS:
        login.setSignatureHint(lasso.PROFILE_SIGNATURE_HINT_FORBID)
    return login


def get_idp(entity_id):
    for adapter in get_adapters():
        if hasattr(adapter, 'get_idp'):
            idp = adapter.get_idp(entity_id)
            if idp:
                return idp
    return {}


def get_idps():
    for adapter in get_adapters():
        if hasattr(adapter, 'get_idps'):
            for idp in adapter.get_idps():
                yield idp


def flatten_datetime(d):
    d = d.copy()
    for key, value in d.iteritems():
        if isinstance(value, datetime.datetime):
            d[key] = value.isoformat() + 'Z'
    return d


def iso8601_to_datetime(date_string):
    '''Convert a string formatted as an ISO8601 date into a time_t
       value.

       This function ignores the sub-second resolution'''
    dt = dateutil.parser.parse(date_string)
    if is_aware(dt):
        if not settings.USE_TZ:
            dt = make_naive(dt)
    else:
        if settings.USE_TZ:
            dt = make_aware(dt)
    return dt


def get_seconds_expiry(datetime_expiry):
    return (datetime_expiry - now()).total_seconds()


def to_list(func):
    @wraps(func)
    def f(*args, **kwargs):
        return list(func(*args, **kwargs))
    return f


def import_object(path):
    module, name = path.rsplit('.', 1)
    module = importlib.import_module(module)
    return getattr(module, name)


@to_list
def get_adapters(idp={}):
    idp = idp or {}
    adapters = tuple(idp.get('ADAPTER', ())) + tuple(app_settings.ADAPTER)
    for adapter in adapters:
        yield import_object(adapter)()


def get_values(saml_attributes, name):
    values = saml_attributes.get(name)
    if values is None:
        return ()
    if not isinstance(values, (list, tuple)):
        return (values,)
    return values


def get_setting(idp, name, default=None):
    '''Get a parameter from an IdP specific configuration or from the main
       settings.
    '''
    return idp.get(name) or getattr(app_settings, name, default)


def create_logout(request):
    logger = logging.getLogger(__name__)
    server = create_server(request)
    mellon_session = request.session.get('mellon_session', {})
    entity_id = mellon_session.get('issuer')
    session_index = mellon_session.get('session_index')
    name_id_format = mellon_session.get('name_id_format')
    name_id_content = mellon_session.get('name_id_content')
    name_id_name_qualifier = mellon_session.get('name_id_name_qualifier')
    name_id_sp_name_qualifier = mellon_session.get('name_id_sp_name_qualifier')
    session_dump = render_to_string('mellon/session_dump.xml', {
        'entity_id': entity_id,
        'session_index': session_index,
        'name_id_format': name_id_format,
        'name_id_content': name_id_content,
        'name_id_name_qualifier': name_id_name_qualifier,
        'name_id_sp_name_qualifier': name_id_sp_name_qualifier,
    })
    logger.debug('session_dump %s', session_dump)
    logout = lasso.Logout(server)
    if not app_settings.PRIVATE_KEY:
        logout.setSignatureHint(lasso.PROFILE_SIGNATURE_HINT_FORBID)
    logout.setSessionFromDump(session_dump)
    return logout


def is_nonnull(s):
    return not '\x00' in s
Add debug log of rebuilt session dumps in create_logout() (#7680) 2015-06-25 11:25:17 +02:00			`import logging`
first commit 2014-04-28 14:33:04 +02:00			`import datetime`
			`import importlib`
			`from functools import wraps`
			`from xml.etree import ElementTree as ET`
use requests to retreive metadata (#7785) 2015-07-06 10:37:28 +02:00			`import requests`
log errors when loading IdP metadata instead of throwing a traceback (fixes #9745) 2016-01-22 16:35:41 +01:00			`import requests.exceptions`
use dateutil to parse datetime strings (#9640) 2016-01-15 12:26:25 +01:00			`import dateutil.parser`
first commit 2014-04-28 14:33:04 +02:00
			`from django.core.urlresolvers import reverse`
			`from django.template.loader import render_to_string`
pep8ness 2016-02-26 13:04:14 +01:00			`from django.utils.timezone import make_aware, now, make_naive, is_aware`
utils: return naive datetime if USE_TZ=False (fixes #9521) 2016-01-06 09:54:52 +01:00			`from django.conf import settings`
first commit 2014-04-28 14:33:04 +02:00			`import lasso`

			`from . import app_settings`


			`def create_metadata(request):`
			`entity_id = reverse('mellon_metadata')`
store cached metadata in settings 2016-02-26 13:02:06 +01:00			`cache = getattr(settings, '_MELLON_METADATA_CACHE', {})`
			`if not entity_id in cache:`
first commit 2014-04-28 14:33:04 +02:00			`login_url = reverse('mellon_login')`
			`logout_url = reverse('mellon_logout')`
			`public_keys = []`
			`for public_key in app_settings.PUBLIC_KEYS:`
			`if public_key.startswith('/'):`
Clean PEM file before including them in the metadata 2014-11-17 16:32:29 +01:00			`# clean PEM file`
			`public_key = ''.join(file(public_key).read().splitlines()[1:-1])`
first commit 2014-04-28 14:33:04 +02:00			`public_keys.append(public_key)`
			`name_id_formats = app_settings.NAME_ID_FORMATS`
store cached metadata in settings 2016-02-26 13:02:06 +01:00			`cache[entity_id] = render_to_string('mellon/metadata.xml', {`
			`'entity_id': request.build_absolute_uri(entity_id),`
			`'login_url': request.build_absolute_uri(login_url),`
			`'logout_url': request.build_absolute_uri(logout_url),`
			`'public_keys': public_keys,`
			`'name_id_formats': name_id_formats,`
			`'default_assertion_consumer_binding': app_settings.DEFAULT_ASSERTION_CONSUMER_BINDING,`
			`})`
			`settings._MELLON_METADATA_CACHE = cache`
			`return settings._MELLON_METADATA_CACHE[entity_id]`
first commit 2014-04-28 14:33:04 +02:00
			`SERVERS = {}`

pep8ness 2016-02-26 13:04:14 +01:00
first commit 2014-04-28 14:33:04 +02:00			`def create_server(request):`
log errors when loading IdP metadata instead of throwing a traceback (fixes #9745) 2016-01-22 16:35:41 +01:00			`logger = logging.getLogger(__name__)`
first commit 2014-04-28 14:33:04 +02:00			`root = request.build_absolute_uri('/')`
			`if root not in SERVERS:`
Always use adapters to get to IdP settings 2015-02-13 18:03:47 +01:00			`idps = get_idps()`
first commit 2014-04-28 14:33:04 +02:00			`metadata = create_metadata(request)`
Support encryption 2015-03-19 15:30:20 +01:00			`if app_settings.PRIVATE_KEY:`
			`private_key = app_settings.PRIVATE_KEY`
			`private_key_password = app_settings.PRIVATE_KEY_PASSWORD`
			`elif app_settings.PRIVATE_KEYS:`
			`private_key = app_settings.PRIVATE_KEYS`
			`private_key_password = None`
			`if isinstance(private_key, (tuple, list)):`
			`private_key_password = private_key[1]`
			`private_key = private_key[0]`
pep8ness 2016-02-26 13:04:14 +01:00			`else: # no signature`
Support encryption 2015-03-19 15:30:20 +01:00			`private_key = None`
			`private_key_password = None`
first commit 2014-04-28 14:33:04 +02:00			`server = lasso.Server.newFromBuffers(metadata,`
Support encryption 2015-03-19 15:30:20 +01:00			`private_key_content=private_key,`
			`private_key_password=private_key_password)`
			`server.setEncryptionPrivateKeyWithPassword(private_key, private_key_password)`
			`for key in app_settings.PRIVATE_KEYS:`
			`password = None`
			`if isinstance(key, (tuple, list)):`
			`password = key[1]`
			`key = key[0]`
			`server.setEncryptionPrivateKeyWithPassword(key, password)`
log errors when loading IdP metadata instead of throwing a traceback (fixes #9745) 2016-01-22 16:35:41 +01:00			`for i, idp in enumerate(idps):`
Allow getting metadata of IdP by doing an HTTP GET 2015-02-13 18:23:28 +01:00			`if 'METADATA_URL' in idp and 'METADATA' not in idp:`
use requests to retreive metadata (#7785) 2015-07-06 10:37:28 +02:00			`verify_ssl_certificate = get_setting(`
			`idp, 'VERIFY_SSL_CERTIFICATE')`
log errors when loading IdP metadata instead of throwing a traceback (fixes #9745) 2016-01-22 16:35:41 +01:00			`try:`
			`response = requests.get(idp['METADATA_URL'],`
			`verify=verify_ssl_certificate)`
			`response.raise_for_status()`
			`except requests.exceptions.RequestException, e:`
			`logger.error(u'retrieval of metadata URL %r failed with error %s for %d-th idp',`
			`idp['METADATA_URL'], e, i)`
			`continue`
			`metadata = response.content`
			`elif 'METADATA' in idp:`
			`if idp['METADATA'].startswith('/'):`
			`metadata = file(idp['METADATA']).read()`
			`else:`
			`logger.error(u'missing METADATA or METADATA_URL in %d-th idp', i)`
			`continue`
			`try:`
			`server.addProviderFromBuffer(lasso.PROVIDER_ROLE_IDP, metadata)`
			`except lasso.Error, e:`
report lasso error at debug level 2016-02-12 19:43:49 +01:00			`logger.error(u'bad metadata in %d-th idp', i)`
			`logger.debug(u'lasso error: %s', e)`
log errors when loading IdP metadata instead of throwing a traceback (fixes #9745) 2016-01-22 16:35:41 +01:00			`continue`
first commit 2014-04-28 14:33:04 +02:00			`idp['ENTITY_ID'] = ET.fromstring(metadata).attrib['entityID']`
log errors when loading IdP metadata instead of throwing a traceback (fixes #9745) 2016-01-22 16:35:41 +01:00			`idp['METADATA'] = metadata`
first commit 2014-04-28 14:33:04 +02:00			`SERVERS[root] = server`
			`return SERVERS[root]`

pep8ness 2016-02-26 13:04:14 +01:00
first commit 2014-04-28 14:33:04 +02:00			`def create_login(request):`
			`server = create_server(request)`
			`login = lasso.Login(server)`
Support encryption 2015-03-19 15:30:20 +01:00			`if not app_settings.PRIVATE_KEY and not app_settings.PRIVATE_KEYS:`
first commit 2014-04-28 14:33:04 +02:00			`login.setSignatureHint(lasso.PROFILE_SIGNATURE_HINT_FORBID)`
			`return login`

pep8ness 2016-02-26 13:04:14 +01:00
first commit 2014-04-28 14:33:04 +02:00			`def get_idp(entity_id):`
utils: make get_idp() call adapters for getting idp configuration 2014-08-05 18:19:05 +02:00			`for adapter in get_adapters():`
			`if hasattr(adapter, 'get_idp'):`
			`idp = adapter.get_idp(entity_id)`
			`if idp:`
			`return idp`
utils: add a default return value to utils.get_idp() refs #7271 2015-05-18 14:44:59 +02:00			`return {}`
first commit 2014-04-28 14:33:04 +02:00
pep8ness 2016-02-26 13:04:14 +01:00
Always use adapters to get to IdP settings 2015-02-13 18:03:47 +01:00			`def get_idps():`
			`for adapter in get_adapters():`
			`if hasattr(adapter, 'get_idps'):`
			`for idp in adapter.get_idps():`
			`yield idp`

pep8ness 2016-02-26 13:04:14 +01:00
first commit 2014-04-28 14:33:04 +02:00			`def flatten_datetime(d):`
do not flatten attributes inplace, and convert expiry to seconds (fixes #9359) Original datetime must be kept for setting the expiry, but expiry using datetime is not supported when using JSON sessions, so we convert it to seconds expiry before setting it. We also make iso8601 parsed datetime timezone aware, to match with other datetimes in Django. 2015-12-16 17:54:34 +01:00			`d = d.copy()`
first commit 2014-04-28 14:33:04 +02:00			`for key, value in d.iteritems():`
			`if isinstance(value, datetime.datetime):`
			`d[key] = value.isoformat() + 'Z'`
			`return d`

pep8ness 2016-02-26 13:04:14 +01:00
first commit 2014-04-28 14:33:04 +02:00			`def iso8601_to_datetime(date_string):`
			`'''Convert a string formatted as an ISO8601 date into a time_t`
			`value.`

			`This function ignores the sub-second resolution'''`
use dateutil to parse datetime strings (#9640) 2016-01-15 12:26:25 +01:00			`dt = dateutil.parser.parse(date_string)`
			`if is_aware(dt):`
			`if not settings.USE_TZ:`
			`dt = make_naive(dt)`
			`else:`
			`if settings.USE_TZ:`
			`dt = make_aware(dt)`
utils: return naive datetime if USE_TZ=False (fixes #9521) 2016-01-06 09:54:52 +01:00			`return dt`
do not flatten attributes inplace, and convert expiry to seconds (fixes #9359) Original datetime must be kept for setting the expiry, but expiry using datetime is not supported when using JSON sessions, so we convert it to seconds expiry before setting it. We also make iso8601 parsed datetime timezone aware, to match with other datetimes in Django. 2015-12-16 17:54:34 +01:00
pep8ness 2016-02-26 13:04:14 +01:00
do not flatten attributes inplace, and convert expiry to seconds (fixes #9359) Original datetime must be kept for setting the expiry, but expiry using datetime is not supported when using JSON sessions, so we convert it to seconds expiry before setting it. We also make iso8601 parsed datetime timezone aware, to match with other datetimes in Django. 2015-12-16 17:54:34 +01:00			`def get_seconds_expiry(datetime_expiry):`
			`return (datetime_expiry - now()).total_seconds()`
first commit 2014-04-28 14:33:04 +02:00
pep8ness 2016-02-26 13:04:14 +01:00
first commit 2014-04-28 14:33:04 +02:00			`def to_list(func):`
			`@wraps(func)`
			`def f(args, *kwargs):`
			`return list(func(args, *kwargs))`
			`return f`

pep8ness 2016-02-26 13:04:14 +01:00
first commit 2014-04-28 14:33:04 +02:00			`def import_object(path):`
			`module, name = path.rsplit('.', 1)`
			`module = importlib.import_module(module)`
			`return getattr(module, name)`

pep8ness 2016-02-26 13:04:14 +01:00
first commit 2014-04-28 14:33:04 +02:00			`@to_list`
utils: make idp parameter to get_adapters() optional, return concatenation of default an specific adapters 2014-08-05 18:18:37 +02:00			`def get_adapters(idp={}):`
first commit 2014-04-28 14:33:04 +02:00			`idp = idp or {}`
Flatten adapter list as tuple before concatenation 2014-09-05 16:13:16 +02:00			`adapters = tuple(idp.get('ADAPTER', ())) + tuple(app_settings.ADAPTER)`
first commit 2014-04-28 14:33:04 +02:00			`for adapter in adapters:`
			`yield import_object(adapter)()`

pep8ness 2016-02-26 13:04:14 +01:00
first commit 2014-04-28 14:33:04 +02:00			`def get_values(saml_attributes, name):`
			`values = saml_attributes.get(name)`
			`if values is None:`
			`return ()`
			`if not isinstance(values, (list, tuple)):`
			`return (values,)`
			`return values`

pep8ness 2016-02-26 13:04:14 +01:00
rename get_parameter() to get_setting() 2014-08-05 17:55:29 +02:00			`def get_setting(idp, name, default=None):`
utils: add a default parameter to get_parameter 2014-08-05 17:54:58 +02:00			`'''Get a parameter from an IdP specific configuration or from the main`
			`settings.`
			`'''`
Fix use of getattr 2014-09-08 09:13:10 +02:00			`return idp.get(name) or getattr(app_settings, name, default)`
add logout support 2014-05-02 11:48:05 +02:00
pep8ness 2016-02-26 13:04:14 +01:00
add logout support 2014-05-02 11:48:05 +02:00			`def create_logout(request):`
Add debug log of rebuilt session dumps in create_logout() (#7680) 2015-06-25 11:25:17 +02:00			`logger = logging.getLogger(__name__)`
add logout support 2014-05-02 11:48:05 +02:00			`server = create_server(request)`
			`mellon_session = request.session.get('mellon_session', {})`
			`entity_id = mellon_session.get('issuer')`
			`session_index = mellon_session.get('session_index')`
			`name_id_format = mellon_session.get('name_id_format')`
			`name_id_content = mellon_session.get('name_id_content')`
views,utils: keep the NameQualifier and SPNameQualifier attribut of NameID as they could be mandatory for some IdPs 2014-05-02 16:00:48 +02:00			`name_id_name_qualifier = mellon_session.get('name_id_name_qualifier')`
			`name_id_sp_name_qualifier = mellon_session.get('name_id_sp_name_qualifier')`
add logout support 2014-05-02 11:48:05 +02:00			`session_dump = render_to_string('mellon/session_dump.xml', {`
pep8ness 2016-02-26 13:04:14 +01:00			`'entity_id': entity_id,`
			`'session_index': session_index,`
			`'name_id_format': name_id_format,`
			`'name_id_content': name_id_content,`
			`'name_id_name_qualifier': name_id_name_qualifier,`
			`'name_id_sp_name_qualifier': name_id_sp_name_qualifier,`
add logout support 2014-05-02 11:48:05 +02:00			`})`
Add debug log of rebuilt session dumps in create_logout() (#7680) 2015-06-25 11:25:17 +02:00			`logger.debug('session_dump %s', session_dump)`
add logout support 2014-05-02 11:48:05 +02:00			`logout = lasso.Logout(server)`
			`if not app_settings.PRIVATE_KEY:`
			`logout.setSignatureHint(lasso.PROFILE_SIGNATURE_HINT_FORBID)`
			`logout.setSessionFromDump(session_dump)`
			`return logout`
do not pass strings contening null characters to Lasso, return 400 or ignore (fixes #8939) 2016-02-26 12:03:32 +01:00
pep8ness 2016-02-26 13:04:14 +01:00
do not pass strings contening null characters to Lasso, return 400 or ignore (fixes #8939) 2016-02-26 12:03:32 +01:00			`def is_nonnull(s):`
			`return not '\x00' in s`