Commit Graph

182 Commits

Author SHA1 Message Date
Frédéric Péters 5eacaa2d22 misc: handle lasso.LoginStatusNotSuccessError (#10633) 2016-04-12 18:54:44 +02:00
Benjamin Dauvergne 74b61de641 replace dateutil by isodate (#10196)
isodate has better support for the full ISO8601 specification.
2016-04-11 19:14:07 +02:00
Benjamin Dauvergne d732f6ccb7 when status is not 200, report a fragment of the response (fixes #10270) 2016-04-11 17:07:38 +02:00
Benjamin Dauvergne 8a2558c2da views: wrap login view in non_atomic_requests to allow fine control of transactions' commit (fixes #10604) 2016-04-10 15:40:29 +02:00
Frédéric Péters ba6c092911 add support for artifact POST (#10596) 2016-04-08 15:10:31 +02:00
Benjamin Dauvergne 9c28f53c52 log partial logout error as a warning (fixes #10408) 2016-04-06 01:33:39 +02:00
Benjamin Dauvergne 7db1d7d7ed pep8ness 2016-04-06 01:33:39 +02:00
Benjamin Dauvergne 66d1811e2f refactor next_url and RelayState use (fixes #10372)
The next_url parameter is no longer stored directly in the RelayState, as the
RelayState should only contain strings of no more than 80 bytes; instead we
generate a uuid as the RelayState and store the next_url value in session using
a key based on this uuid.

The implementation is generic enough to accommodate storing any other kind of
data during an SSO or SLO workflow.
2016-03-22 15:20:29 +01:00
Benjamin Dauvergne bfa84bb6ba always consider relative URLs as being of the same origin (fixes #10371) 2016-03-22 15:13:48 +01:00
Benjamin Dauvergne 2aec7a3294 views: handle ProfileInvalidMsgError when resolving an artifact (#10270) 2016-03-11 17:10:52 +01:00
Benjamin Dauvergne dba3f32c3a views: handle ProfileInvalidArtifactError exception when resolving an artifact (#10270) 2016-03-11 17:10:52 +01:00
Frédéric Péters a3bc087890 misc: fix passing of RequestedAuthnContext (#10243) 2016-03-09 09:14:38 +01:00
Benjamin Dauvergne eb89a86ef3 add DiscoveryResponse endpoint to metadata (fixes #10197) 2016-03-04 11:05:01 +01:00
Benjamin Dauvergne 6aa9170982 Fix removal of admin right when users have admin attributes but are already admin (fixes #10195) 2016-03-04 10:07:54 +01:00
Benjamin Dauvergne 3f0f0be180 silence Django 1.10 deprecation warnings 2016-03-02 18:14:46 +01:00
Benjamin Dauvergne ec27553789 adapters: factorize user creation in lookup_user() (fixes #10164)
User creation can have peculiarities.
2016-03-02 17:39:15 +01:00
Benjamin Dauvergne fe53dab9ca trivial: move utils import 2016-02-26 21:36:08 +01:00
Benjamin Dauvergne 3d91d40cb2 django 1.9 adaptations
- django.utils.same_origin was removed
- HttpRequest.REQUEST was removed
- settings.USE_TZ is True by default
- get_default_timezone() is now wrapped by an lrucache(), when modifying
  settings.TIME_ZONE we must also clear the cache.
2016-02-26 21:35:21 +01:00
Benjamin Dauvergne 40cc598904 views: change HTTP 400 message when no idp is found 2016-02-26 18:09:27 +01:00
Benjamin Dauvergne c1d2fb1a32 trivial: move lasso import 2016-02-26 18:09:27 +01:00
Benjamin Dauvergne 6af1ebfc55 views: do not traceback in get_idp() when no idp is declared 2016-02-26 18:09:27 +01:00
Benjamin Dauvergne bb9451e6ba add discovery service support (fixes #10111) 2016-02-26 18:09:27 +01:00
Benjamin Dauvergne 8961a743f5 move idp settings building in adapters 2016-02-26 18:09:27 +01:00
Benjamin Dauvergne 9fe8aaf0be adapters: improve logging during provisioning
- user creation is logged
- attributes are only changed if different from the provisioning value,
  and changes are logged.
2016-02-26 18:09:27 +01:00
Benjamin Dauvergne cf63b7e0ce templates: fix default_assertion_consumer_binding check, use of = instead of == 2016-02-26 18:09:27 +01:00
Benjamin Dauvergne 66922a5f29 app_settings: fix import of ImproperlyConfigured exception
As sys.modules is modified, global imports do not work.
2016-02-26 18:09:27 +01:00
Benjamin Dauvergne 33d305f7a7 add support for Organization and ContactPerson elements in metadata (fixes #6656) 2016-02-26 18:09:27 +01:00
Benjamin Dauvergne aa95501d8b templates: fix public key representation in metadata 2016-02-26 18:09:27 +01:00
Benjamin Dauvergne 26ffe9af97 utils: fix iso8601_to_datetime, make_naive and make_aware need a timezone parameter 2016-02-26 18:09:27 +01:00
Benjamin Dauvergne 4320f4fa78 utils: fix flatten_datetime, isoformat() already adds a timezone if needed 2016-02-26 18:09:27 +01:00
Benjamin Dauvergne 75382c9ab1 pep8ness 2016-02-26 18:09:27 +01:00
Benjamin Dauvergne bd216c7ab7 store cached metadata in settings 2016-02-26 18:09:27 +01:00
Benjamin Dauvergne 4f77ee0e24 do not pass strings containing null characters to Lasso, return 400 or ignore (fixes #8939) 2016-02-26 18:09:17 +01:00
Benjamin Dauvergne 3ca64e7eaf report lasso error at debug level 2016-02-12 19:44:24 +01:00
Benjamin Dauvergne a597839d14 log errors when loading IdP metadata instead of throwing a traceback (fixes #9745) 2016-02-12 19:44:19 +01:00
Benjamin Dauvergne fc7fd250cd pep8ness 2016-02-12 19:44:19 +01:00
Benjamin Dauvergne e641c6ec96 fix concurrency error when creating new users (fixes #9965)
UserSAMLIdentifier is retrieved using get_or_create() first, and if it is new
we proceed with the creation of the new user, otherwise we delete the temporary
user we created and use the one attached to the existing UserSAMLIdentifier.
2016-02-12 19:44:19 +01:00
Benjamin Dauvergne 359a2f4be0 reset is_staff when superuser mapping fails (fixes #9736) 2016-01-21 20:02:34 +01:00
Benjamin Dauvergne 2289b8350e implement session_not_on_or_after using new session engines (fixes #9640) 2016-01-15 12:29:31 +01:00
Benjamin Dauvergne 9143056569 use dateutil to parse datetime strings (#9640) 2016-01-15 12:26:58 +01:00
Benjamin Dauvergne f45bb8b2d0 utils: return naive datetime if USE_TZ=False (fixes #9521) 2016-01-06 09:54:52 +01:00
Benjamin Dauvergne dc1e4e56ea do not flatten attributes inplace, and convert expiry to seconds (fixes #9359)
Original datetime must be kept for setting the expiry, but expiry using datetime
is not supported when using JSON sessions, so we convert it to seconds expiry
before setting it.

We also make iso8601 parsed datetime timezone aware, to match with other
datetimes in Django.
2015-12-16 18:06:07 +01:00
Benjamin Dauvergne e18dd7c7e5 adapters: prevent collision in provision_groups() (fixes #9327)
Assigning related m2m fields provokes a bulk insert which is not safe with
respect to concurrent writes, we replace this by use of get_or_create() and
delete() on the through model of the User.groups field.
2015-12-15 10:52:10 +01:00
Benjamin Dauvergne 78762accf7 middleware: handle process_view (#9131)
In process_request request.resolver_match is not yet defined.
2015-11-27 12:00:24 +01:00
Benjamin Dauvergne 8da5807298 middleware: do not apply autologin to mellon views (fixes #9131) 2015-11-27 10:29:21 +01:00
Benjamin Dauvergne ad2a575a35 middleware: disallow passive authentication when no IdP is found (fixes #8123) 2015-09-25 16:12:30 +02:00
Benjamin Dauvergne 7f70dbcb9f Revert "views: add an iframe mode to the login view"
This reverts commit 0e57f99312.
2015-09-25 15:38:13 +02:00
Benjamin Dauvergne 9667aa5f18 add PassiveAuthenticationMiddleware using a common domain cookie (fixes #8123)
Name of the cookie must be put in MELLON_OPENED_SESSION_COOKIE_NAME and
common domain can be defined in MELLON_OPENED_SESSION_COOKIE_DOMAIN, if
unset the common domain is guessed by removing the first part of the
domain name (www.xxx.com -> xxx.com).
2015-09-25 15:03:49 +02:00
Benjamin Dauvergne 0e57f99312 views: add an iframe mode to the login view
Use it by putting a tag:

  <iframe height="0" width="0" src="{% url "mellon_login" %}?{{ request.GET.urlencode }}&passive&iframe"></iframe>

in your page. It will do a passive authentication inside the iframe and
will use JS to reload the top frame if authentication is successful.
2015-08-27 14:37:44 +02:00
Benjamin Dauvergne b1b0494ccc adapters: truncate attributes assigned to user fields (fixes #7907) 2015-07-22 16:22:59 +02:00
Benjamin Dauvergne 7ff1969bf5 views: add missing exception for case of status is not success (fixes #7878) 2015-07-21 14:06:54 +02:00
Serghei Mihai c3481b570c use requests to retrieve metadata (#7785) 2015-07-06 12:01:58 +02:00
Benjamin Dauvergne 06f3380eb4 Use the lasso thin-sessions feature 2015-06-25 11:26:50 +02:00
Benjamin Dauvergne 00b7fe396c Send log message about logout before effective logout so that request.user is not Anonymous 2015-06-25 11:26:37 +02:00
Benjamin Dauvergne 1719127cae Do not store a name_id_name_qualifier or name_id_sp_name_qualifier if there is none (fixes #7680) 2015-06-25 11:25:57 +02:00
Benjamin Dauvergne d064fad15b Add debug log of rebuilt session dumps in create_logout() (#7680) 2015-06-25 11:25:17 +02:00
Frédéric Péters 9e5bb02b3f handle artifact response as a byte string (#7544) 2015-06-11 16:37:59 +02:00
Benjamin Dauvergne 9d8528968c views: add a VERIFY_SSL_CERTIFICATE setting
It controls the validation of certificates by requests on artifact
resolve requests. It's a global and by idp setting.

Also improve logs in errors paths around when calling the artifact
resolver.

fixes #7521
2015-06-10 15:07:59 +02:00
Benjamin Dauvergne da384ec770 Add migrations for south 2015-06-05 21:46:36 +02:00
Benjamin Dauvergne 2b6ce04423 authentication_failed.html: show the StatusMessage to the user if there is one 2015-06-01 02:44:21 +02:00
Benjamin Dauvergne d5b8ec81a9 app_settings,views: make the default assertion consumer binding customizable, and restore POST as the default
And restore default to POST.

fixes #7406
2015-05-29 11:53:30 +02:00
Benjamin Dauvergne a64d4e9da4 templates: make HTTP-Artifact the default binding for SSO
fixes #7625
2015-05-19 08:23:37 +02:00
Frédéric Péters 8dc0fd969a add support for artifact GET protocol binding (#7267) 2015-05-18 18:09:15 +02:00
Benjamin Dauvergne 6b4cabdc27 adapters: fix DefaultAdapter.get_idp(), idp['ENTITY_ID'] is a string not a list
This method was incorrectly using the `in` operator instead of the `==` operator.

fixes #7270
2015-05-18 16:35:48 +02:00
Benjamin Dauvergne 59e93e270f Revert "templates: make HTTP-Artifact the default binding for SSO"
This reverts commit 5e297925c6.
2015-05-18 16:35:48 +02:00
Benjamin Dauvergne 4b71bbca3a views: in sso_failure() the call to self.get_id() could never work, replace by utils.get_idp()
In SSO response treatment we no longer know the requested IdP from the query string;
we must look in the LassoLogin object.

fixes #7271
2015-05-18 16:16:27 +02:00
Benjamin Dauvergne 12214b8cb5 utils: add a default return value to utils.get_idp()
refs #7271
2015-05-18 16:16:22 +02:00
Benjamin Dauvergne 5e297925c6 templates: make HTTP-Artifact the default binding for SSO
fixes #7625
2015-05-18 11:01:40 +02:00
Benjamin Dauvergne 6dab31ace8 views: fix setting of isPassive and forceAuthn (fixes #7100) 2015-05-18 11:01:40 +02:00
Benjamin Dauvergne 1f56211c2f Limit username to 30 characters for now (#7085) 2015-05-07 11:32:53 +02:00
Frédéric Péters 0315d395bf tests: initial adapter tests 2015-05-07 11:32:53 +02:00
Benjamin Dauvergne 86a1167b99 add a model to store user<->NameID mapping (#7085) 2015-05-07 11:32:52 +02:00
Benjamin Dauvergne 8eeb82c5c4 Prepare for adding tests 2015-04-29 18:33:27 +02:00
Benjamin Dauvergne bb08da0f9e Support encryption 2015-03-26 16:44:14 +01:00
Serghei Mihai 5dcde8614e login view refactored (#6801)
Authentication logic split into another, overridable, method
2015-03-24 09:40:25 +01:00
Benjamin Dauvergne c8cad9b814 Fix include of base.html in mellon/base.html 2015-03-18 10:43:36 +01:00
Benjamin Dauvergne 50c3d544d4 Add mellon/base.html 2015-03-18 10:34:50 +01:00
Frédéric Péters 40a31aba9e save provisioned users (#6667) 2015-03-16 10:40:35 +01:00
Benjamin Dauvergne 9c83540415 Set version only from git tags 2015-03-09 13:01:43 +01:00
Frédéric Péters adb72da954 set login.msgRelayState to the value from POST (#6384) 2015-03-09 12:59:01 +01:00
Benjamin Dauvergne 8f8f47b1a9 Allow getting metadata of IdP by doing an HTTP GET 2015-02-13 18:23:28 +01:00
Benjamin Dauvergne 9525e29b03 Always use adapters to get to IdP settings 2015-02-13 18:10:51 +01:00
Benjamin Dauvergne 144da5f72e bump release to 1.2.11 2015-02-06 10:41:51 +01:00
Jérôme Schneider 4f0f50f816 mellon/views.py: store and load the liberty session dump for slo 2015-02-05 18:26:29 +01:00
Benjamin Dauvergne 9376d444d4 adapters: force template string to be unicode as attributes are unicode values 2015-02-04 12:48:08 +01:00
Benjamin Dauvergne 6a6f5e58df urls: fix error in pattern, includable patterns must not start with a ^ 2015-02-04 12:13:02 +01:00
Benjamin Dauvergne 83c8367e6b bump release to 1.2.10 2015-01-15 17:09:39 +01:00
Benjamin Dauvergne 3675773635 Add a mellon/base.html template to make an indirection between mellon templates and the project base.html template (fixes #6301) 2015-01-15 17:08:30 +01:00
Benjamin Dauvergne 3c8e472f47 bump release to 1.2.9 2014-12-09 10:31:00 +01:00
Benjamin Dauvergne b0f5c49893 Always set the issuer attribute to the AuthnResponse issuer 2014-12-09 10:30:32 +01:00
Benjamin Dauvergne d0509d55d9 bump release to 1.2.8 2014-12-09 00:34:51 +01:00
Benjamin Dauvergne 96a51c4952 Use IdP entity id for default name qualifier and SP entity id for default sp name qualifier 2014-12-09 00:33:40 +01:00
Benjamin Dauvergne 94cfed8a8e If name qualifiers are missing use the implicit IdP or SP name qualifiers 2014-12-07 20:55:52 +01:00
Benjamin Dauvergne 49858a0823 bump release to 1.2.7 2014-11-24 12:04:42 +01:00
Benjamin Dauvergne ff548d020d Force unicode on NameID qualifiers to enforce them being ASCII 2014-11-24 10:35:39 +01:00
Benjamin Dauvergne 15d420f728 Improve logging in views 2014-11-24 10:35:01 +01:00
Benjamin Dauvergne 9a2caa3a6a Set AllowCreate flag on emitted AuthnRequest 2014-11-17 17:35:36 +01:00
Benjamin Dauvergne 99341f910e Fix typo in session_dump.xml 2014-11-17 17:35:28 +01:00
Benjamin Dauvergne ae18a24a25 bump release to 1.2.6 2014-11-17 16:33:13 +01:00
Benjamin Dauvergne 4112e4b153 Clean PEM files before including them in the metadata 2014-11-17 16:32:29 +01:00