Frédéric Péters
5eacaa2d22
misc: handle lasso.LoginStatusNotSuccessError ( #10633 )
2016-04-12 18:54:44 +02:00
Benjamin Dauvergne
74b61de641
replace dateutil by isodate ( #10196 )
isodate has better support for the full ISO8601 specification.
2016-04-11 19:14:07 +02:00
Benjamin Dauvergne
d732f6ccb7
when status is not 200, report a fragment of the response ( fixes #10270 )
2016-04-11 17:07:38 +02:00
Benjamin Dauvergne
8a2558c2da
views: wrap login view in non_atomic_requests to allow fine control of transactions' commit ( fixes #10604 )
2016-04-10 15:40:29 +02:00
Frédéric Péters
ba6c092911
add support for artifact POST ( #10596 )
2016-04-08 15:10:31 +02:00
Benjamin Dauvergne
9c28f53c52
log partial logout error as a warning ( fixes #10408 )
2016-04-06 01:33:39 +02:00
Benjamin Dauvergne
7db1d7d7ed
pep8ness
2016-04-06 01:33:39 +02:00
Benjamin Dauvergne
66d1811e2f
refactor next_url and RelayState use ( fixes #10372 )
The next_url parameter is no more stored directly in the RelayState, as the
RelayState should only contain strings of no more than 80 bytes; instead we
generate a uuid as the relaystate and store the next_url value in session using
a key based on this uuid.
The implementation is generic enough to accommodate storing any other kind of
data during an SSO or SLO workflow.
2016-03-22 15:20:29 +01:00
Benjamin Dauvergne
bfa84bb6ba
always consider relative URLs as being of the same origin ( fixes #10371 )
2016-03-22 15:13:48 +01:00
Benjamin Dauvergne
2aec7a3294
views: handle ProfileInvalidMsgError when resolving an artifact ( #10270 )
2016-03-11 17:10:52 +01:00
Benjamin Dauvergne
dba3f32c3a
views: handle ProfileInvalidArtifactError exception when resolving an artifact ( #10270 )
2016-03-11 17:10:52 +01:00
Frédéric Péters
a3bc087890
misc: fix passing of RequestedAuthnContext ( #10243 )
2016-03-09 09:14:38 +01:00
Benjamin Dauvergne
eb89a86ef3
add DiscoveryResponse endpoint to metadata ( fixes #10197 )
2016-03-04 11:05:01 +01:00
Benjamin Dauvergne
6aa9170982
Fix removal of admin right when users have admin attributes but are already admin ( fixes #10195 )
2016-03-04 10:07:54 +01:00
Benjamin Dauvergne
3f0f0be180
silence Django 1.10 deprecation warnings
2016-03-02 18:14:46 +01:00
Benjamin Dauvergne
ec27553789
adapters: factorize user creation in lookup_user() ( fixes #10164 )
User creation can have peculiarities.
2016-03-02 17:39:15 +01:00
Benjamin Dauvergne
fe53dab9ca
trivial: move utils import
2016-02-26 21:36:08 +01:00
Benjamin Dauvergne
3d91d40cb2
django 1.9 adaptations
- django.utils.same_origin was removed
- HttpRequest.REQUEST was removed
- settings.USE_TZ is True by default
- get_default_timezone() is now wrapped by an lrucache(), when modifying
settings.TIME_ZONE we must also clear the cache.
2016-02-26 21:35:21 +01:00
Benjamin Dauvergne
40cc598904
views: change HTTP 400 message when no idp is found
2016-02-26 18:09:27 +01:00
Benjamin Dauvergne
c1d2fb1a32
trivial: move lasso import
2016-02-26 18:09:27 +01:00
Benjamin Dauvergne
6af1ebfc55
views: do not traceback in get_idp() when no idp is declared
2016-02-26 18:09:27 +01:00
Benjamin Dauvergne
bb9451e6ba
add discovery service support ( fixes #10111 )
2016-02-26 18:09:27 +01:00
Benjamin Dauvergne
8961a743f5
move idp settings building in adapters
2016-02-26 18:09:27 +01:00
Benjamin Dauvergne
9fe8aaf0be
adapters: improve logging during provisioning
- user creation is logged
- attributes are only changed if different from the provisioning value,
and changes are logged.
2016-02-26 18:09:27 +01:00
Benjamin Dauvergne
cf63b7e0ce
templates: fix default_assertion_consumer_binding check, use of = instead of ==
2016-02-26 18:09:27 +01:00
Benjamin Dauvergne
66922a5f29
app_settings: fix import of ImproperlyConfigured exception
As sys.modules is modified, global imports do not work.
2016-02-26 18:09:27 +01:00
Benjamin Dauvergne
33d305f7a7
add support for Organization and ContactPerson elements in metadata ( fixes #6656 )
2016-02-26 18:09:27 +01:00
Benjamin Dauvergne
aa95501d8b
templates: fix public key representation in metadata
2016-02-26 18:09:27 +01:00
Benjamin Dauvergne
26ffe9af97
utils: fix iso8601_to_datetime, make_naive and make_aware need a timezone parameter
2016-02-26 18:09:27 +01:00
Benjamin Dauvergne
4320f4fa78
utils: fix flatten_datetime, isoformat() already adds a timezone if needed
2016-02-26 18:09:27 +01:00
Benjamin Dauvergne
75382c9ab1
pep8ness
2016-02-26 18:09:27 +01:00
Benjamin Dauvergne
bd216c7ab7
store cached metadata in settings
2016-02-26 18:09:27 +01:00
Benjamin Dauvergne
4f77ee0e24
do not pass strings containing null characters to Lasso, return 400 or ignore ( fixes #8939 )
2016-02-26 18:09:17 +01:00
Benjamin Dauvergne
3ca64e7eaf
report lasso error at debug level
2016-02-12 19:44:24 +01:00
Benjamin Dauvergne
a597839d14
log errors when loading IdP metadata instead of throwing a traceback ( fixes #9745 )
2016-02-12 19:44:19 +01:00
Benjamin Dauvergne
fc7fd250cd
pep8ness
2016-02-12 19:44:19 +01:00
Benjamin Dauvergne
e641c6ec96
fix concurrency error when creating new users ( fixes #9965 )
UserSAMLIdentifier is retrieved using get_or_create() first, and if it is new
we proceed with the creation of the new user, otherwise we delete the temporary
user we created and use the one attached to the existing UserSAMLIdentifier.
2016-02-12 19:44:19 +01:00
Benjamin Dauvergne
359a2f4be0
reset is_staff when superuser mapping fails ( fixes #9736 )
2016-01-21 20:02:34 +01:00
Benjamin Dauvergne
2289b8350e
implement session_not_on_or_after using new session engines ( fixes #9640 )
2016-01-15 12:29:31 +01:00
Benjamin Dauvergne
9143056569
use dateutil to parse datetime strings ( #9640 )
2016-01-15 12:26:58 +01:00
Benjamin Dauvergne
f45bb8b2d0
utils: return naive datetime if USE_TZ=False ( fixes #9521 )
2016-01-06 09:54:52 +01:00
Benjamin Dauvergne
dc1e4e56ea
do not flatten attributes inplace, and convert expiry to seconds ( fixes #9359 )
Original datetime must be kept for setting the expiry, but expiry using datetime
is not supported when using JSON sessions, so we convert it to seconds expiry
before setting it.
We also make iso8601 parsed datetime timezone aware, to match with other
datetimes in Django.
2015-12-16 18:06:07 +01:00
Benjamin Dauvergne
e18dd7c7e5
adapters: prevent collision in provision_groups() ( fixes #9327 )
Assigning related m2m fields provokes a bulk insert which is not safe with
respect to concurrent writes, we replace this by use of get_or_create() and
delete() on the through model of the User.groups field.
2015-12-15 10:52:10 +01:00
Benjamin Dauvergne
78762accf7
middleware: handle process_view ( #9131 )
In process_request request.resolver_match is not yet defined.
2015-11-27 12:00:24 +01:00
Benjamin Dauvergne
8da5807298
middleware: do not apply autologin to mellon views ( fixes #9131 )
2015-11-27 10:29:21 +01:00
Benjamin Dauvergne
ad2a575a35
middleware: disallow passive authentication when no IdP is found ( fixes #8123 )
2015-09-25 16:12:30 +02:00
Benjamin Dauvergne
7f70dbcb9f
Revert "views: add an iframe mode to the login view"
This reverts commit 0e57f99312.
2015-09-25 15:38:13 +02:00
Benjamin Dauvergne
9667aa5f18
add PassiveAuthenticationMiddleware using a common domain cookie ( fixes #8123 )
Name of the cookie must be put in MELLON_OPENED_SESSION_COOKIE_NAME and
common domain can be defined in MELLON_OPENED_SESSION_COOKIE_DOMAIN, if
unset the common domain is guessed by removing the first part of the
domain name (www.xxx.com -> xxx.com).
2015-09-25 15:03:49 +02:00
Benjamin Dauvergne
0e57f99312
views: add an iframe mode to the login view
Use it by putting a tag:
<iframe height="0" width="0" src="{% url "mellon_login" %}?{{ request.GET.urlencode }}&passive&iframe"></iframe>
in your page. It will do a passive authentication inside the iframe and
will use JS to reload the top frame if authentication is successful.
2015-08-27 14:37:44 +02:00
Benjamin Dauvergne
b1b0494ccc
adapters: truncate attributes assigned to user fields ( fixes #7907 )
2015-07-22 16:22:59 +02:00
Benjamin Dauvergne
7ff1969bf5
views: add missing exception for case of status is not success ( fixes #7878 )
2015-07-21 14:06:54 +02:00
Serghei Mihai
c3481b570c
use requests to retrieve metadata ( #7785 )
2015-07-06 12:01:58 +02:00
Benjamin Dauvergne
06f3380eb4
Use the lasso thin-sessions feature
2015-06-25 11:26:50 +02:00
Benjamin Dauvergne
00b7fe396c
Send log message about logout before effective logout so that request.user is not Anonymous
2015-06-25 11:26:37 +02:00
Benjamin Dauvergne
1719127cae
Do not store a name_id_name_qualifier or name_id_sp_name_qualifier if there is none ( fixes #7680 )
2015-06-25 11:25:57 +02:00
Benjamin Dauvergne
d064fad15b
Add debug log of rebuilt session dumps in create_logout() ( #7680 )
2015-06-25 11:25:17 +02:00
Frédéric Péters
9e5bb02b3f
handle artifact response as a byte string ( #7544 )
2015-06-11 16:37:59 +02:00
Benjamin Dauvergne
9d8528968c
views: add a VERIFY_SSL_CERTIFICATE setting
It controls the validation of certificates by requests on artifact
resolve requests. It's a global and by idp setting.
Also improve logs in errors paths around when calling the artifact
resolver.
fixes #7521
2015-06-10 15:07:59 +02:00
Benjamin Dauvergne
da384ec770
Add migrations for south
2015-06-05 21:46:36 +02:00
Benjamin Dauvergne
2b6ce04423
authentication_failed.html: show the StatusMessage to the user if there is one
2015-06-01 02:44:21 +02:00
Benjamin Dauvergne
d5b8ec81a9
app_settings,views: make the default assertion consumer binding customizable, and restore POST as the default
And restore default to POST.
fixes #7406
2015-05-29 11:53:30 +02:00
Benjamin Dauvergne
a64d4e9da4
templates: make HTTP-Artifact the default binding for SSO
fixes #7625
2015-05-19 08:23:37 +02:00
Frédéric Péters
8dc0fd969a
add support for artifact GET protocol binding ( #7267 )
2015-05-18 18:09:15 +02:00
Benjamin Dauvergne
6b4cabdc27
adapters: fix DefaultAdapter.get_idp(), idp['ENTITY_ID'] is a string not a list
This method was incorrectly using the `in' operator instead of the == operator.
fixes #7270
2015-05-18 16:35:48 +02:00
Benjamin Dauvergne
59e93e270f
Revert "templates: make HTTP-Artifact the default binding for SSO"
This reverts commit 5e297925c6.
2015-05-18 16:35:48 +02:00
Benjamin Dauvergne
4b71bbca3a
views: in sso_failure() the call to self.get_id() could never work, replace by utils.get_idp()
In SSO response treatment we do not know anymore the requested IdP from the query string
we must look in the LassoLogin object.
fixes #7271
2015-05-18 16:16:27 +02:00
Benjamin Dauvergne
12214b8cb5
utils: add a default return value to utils.get_idp()
refs #7271
2015-05-18 16:16:22 +02:00
Benjamin Dauvergne
5e297925c6
templates: make HTTP-Artifact the default binding for SSO
fixes #7625
2015-05-18 11:01:40 +02:00
Benjamin Dauvergne
6dab31ace8
views: fix setting of isPassive and forceAuthn ( fixes #7100 )
2015-05-18 11:01:40 +02:00
Benjamin Dauvergne
1f56211c2f
Limit username to 30 characters for now ( #7085 )
2015-05-07 11:32:53 +02:00
Frédéric Péters
0315d395bf
tests: initial adapter tests
2015-05-07 11:32:53 +02:00
Benjamin Dauvergne
86a1167b99
add a model to store user<->NameID mapping ( #7085 )
2015-05-07 11:32:52 +02:00
Benjamin Dauvergne
8eeb82c5c4
Prepare for adding tests
2015-04-29 18:33:27 +02:00
Benjamin Dauvergne
bb08da0f9e
Support encryption
2015-03-26 16:44:14 +01:00
Serghei Mihai
5dcde8614e
login view refactored ( #6801 )
Authentication logic split into another, overridable, method
2015-03-24 09:40:25 +01:00
Benjamin Dauvergne
c8cad9b814
Fix include of base.html in mellon/base.html
2015-03-18 10:43:36 +01:00
Benjamin Dauvergne
50c3d544d4
Add mellon/base.html
2015-03-18 10:34:50 +01:00
Frédéric Péters
40a31aba9e
save provisioned users ( #6667 )
2015-03-16 10:40:35 +01:00
Benjamin Dauvergne
9c83540415
Set version only from git tags
2015-03-09 13:01:43 +01:00
Frédéric Péters
adb72da954
set login.msgRelayState to the value from POST ( #6384 )
2015-03-09 12:59:01 +01:00
Benjamin Dauvergne
8f8f47b1a9
Allow getting metadata of IdP by doing an HTTP GET
2015-02-13 18:23:28 +01:00
Benjamin Dauvergne
9525e29b03
Always use adapters to get to IdP settings
2015-02-13 18:10:51 +01:00
Benjamin Dauvergne
144da5f72e
bump release to 1.2.11
2015-02-06 10:41:51 +01:00
Jérôme Schneider
4f0f50f816
mellon/views.py: store and load the liberty session dump for slo
2015-02-05 18:26:29 +01:00
Benjamin Dauvergne
9376d444d4
adapters: force template string to be unicode as attributes are unicode values
2015-02-04 12:48:08 +01:00
Benjamin Dauvergne
6a6f5e58df
urls: fix error in pattern, includable patterns must not start with a ^
2015-02-04 12:13:02 +01:00
Benjamin Dauvergne
83c8367e6b
bump release to 1.2.10
2015-01-15 17:09:39 +01:00
Benjamin Dauvergne
3675773635
Add a mellon/base.html template to make an indirection between mellon templates and the project base.html template ( fixes #6301 )
2015-01-15 17:08:30 +01:00
Benjamin Dauvergne
3c8e472f47
bump release to 1.2.9
2014-12-09 10:31:00 +01:00
Benjamin Dauvergne
b0f5c49893
Always set the issuer attribute to the AuthnResponse issuer
2014-12-09 10:30:32 +01:00
Benjamin Dauvergne
d0509d55d9
bump release to 1.2.8
2014-12-09 00:34:51 +01:00
Benjamin Dauvergne
96a51c4952
Use IdP entity id for default name qualifier and SP entity id for default sp name qualifier
2014-12-09 00:33:40 +01:00
Benjamin Dauvergne
94cfed8a8e
If name qualifiers are missing use the implicit IdP or SP name qualifiers
2014-12-07 20:55:52 +01:00
Benjamin Dauvergne
49858a0823
bump release to 1.2.7
2014-11-24 12:04:42 +01:00
Benjamin Dauvergne
ff548d020d
Force unicode on NameID qualifiers to enforce them being ASCII
2014-11-24 10:35:39 +01:00
Benjamin Dauvergne
15d420f728
Improve logging in views
2014-11-24 10:35:01 +01:00
Benjamin Dauvergne
9a2caa3a6a
Set AllowCreate flag on emitted AuthnRequest
2014-11-17 17:35:36 +01:00
Benjamin Dauvergne
99341f910e
Fix typo in session_dump.xml
2014-11-17 17:35:28 +01:00
Benjamin Dauvergne
ae18a24a25
bump release to 1.2.6
2014-11-17 16:33:13 +01:00
Benjamin Dauvergne
4112e4b153
Clean PEM file before including them in the metadata
2014-11-17 16:32:29 +01:00