112 Commits

Author	SHA1	Message	Date
Benjamin Dauvergne	244ca2abcd	misc: do not read not_on_or_after if session is not loaded (#86451)	2024-02-01 16:17:22 +01:00
Benjamin Dauvergne	51ee9d8cac	views: show message when logout is refused (#85904)	2024-01-22 10:41:23 +01:00
Benjamin Dauvergne	af81da4954	adapters: do not log errors on cold cache (#84933) ... Only log errors if the cache is older than 24 hours.	2024-01-16 12:41:25 +01:00
Benjamin Dauvergne	200e009b1e	middleware: use sec-fetch-dest=document to identify page requests (#84104)	2024-01-16 12:22:24 +01:00
Benjamin Dauvergne	c98d4629ec	middleware: check ajax request with sec-fetch-mode header header (#81211)	2023-09-14 16:41:22 +02:00
Benjamin Dauvergne	170e728d3a	misc: allow login_hint parameter in login url (#76712)	2023-04-17 15:27:37 +02:00
Benjamin Dauvergne	0f7044e7a0	adapters: do not exclude already linked users (#76083) ... When two IdP are used with common directory accounts of if we migrate from a test IdP to a production IdP, it can be useful to relink existing users to the new source.	2023-04-01 17:32:39 +02:00
Valentin Deniaud	7beeffed2a	misc: change django-upgrade target version to 3.2 (#75442)	2023-03-16 17:18:53 +01:00
Benjamin Dauvergne	45c987584c	tests: remove useless import of py.io (#70797)	2022-10-28 09:47:09 +02:00
Benjamin Dauvergne	cce77e82e5	adapters: update new UserSAMLIdentifier fields on each SSO (#69955) ... On existing UserSAMLIdentifier missing values for nid_format especially, will break the SLO code as the emitted LogoutRequest will have an unknown NameID when analyzed by the identity provider (NameID content and attributes must match exactly).	2022-10-06 16:21:17 +02:00
Benjamin Dauvergne	45f81514bc	misc: clean SessionIndex during logout (#69740) ... SessionIndex are deleted when the linked session does not exist anymore and 5 minutes after the creation of the logout request.	2022-10-05 19:53:07 +02:00
Benjamin Dauvergne	f335a403c1	views: implement a sessionless logout endpoint (#69740) ... To implement SAML single logout in authentic we need a logout endpoint which works event after the user session has been killed, to do that we store the needed information in Django signed token, and use it to initiate the logout request. Afterward the next_url is stored in short-lived session cookie instead of the session.	2022-10-05 17:23:51 +02:00
Benjamin Dauvergne	218afde9cd	misc: make logout work with transient NameID (#69740) ... Implementation of transient NameID is special, the transient NameID is ignored and an attribut value is used as the federation key. But in order to producre a proper NameID for the logout request we need the transient NameID value. To work around this problem we add a transient_name_id attribute to the SessionIndex model representing the current SSO session, and we modify the session dump template to use this value instead of UserSAMLIdentifier.name_id if transient_name_id is not None.	2022-10-05 17:23:51 +02:00
Benjamin Dauvergne	7f9602c528	utils: add method to build a session dump from models (#69740) ... Storing the LassoSession dump in the Django session is no longer needed, we can rebuild it from the information in the models.	2022-10-05 17:23:51 +02:00
Benjamin Dauvergne	e98308d45c	views: allow overriding the default return url after logout (#69740)	2022-10-05 17:23:50 +02:00
Benjamin Dauvergne	86d3cad3b8	views: improve handling of next_url for sp initiated logout (#69740)	2022-10-05 17:23:20 +02:00
Valentin Deniaud	865b285828	misc: apply django-upgrade (#69798)	2022-10-03 14:27:01 +02:00
Valentin Deniaud	d20066dc44	misc: apply djhtml (#69422)	2022-09-29 12:20:38 +02:00
Valentin Deniaud	a7a3582c97	views: show debug login view on lasso exception (#68962)	2022-09-14 13:53:49 +02:00
Benjamin Dauvergne	437d1a3063	middleware: clear PASSIVE_TRIED_COOKIE when logged in (#67084)	2022-07-06 16:11:39 +02:00
Paul Marillonnet	1fa1541c02	views: use MELLON_OPENED_SESSION to anchor local session to the global session (#66747) ... If the MELLON_OPENED_SESSION cookie change or disappear during an opened session, the user is automatically logged out. If it changes after a previous passive login try, passive login is allowed again.	2022-06-29 11:14:05 +02:00
Paul Marillonnet	e27bafd8cb	handle long attribute truncate variations between django2 & 3 (#64309)	2022-04-20 15:01:59 +02:00
Paul Marillonnet	dedd924f99	use force_str only when necessary (#64309)	2022-04-20 09:54:54 +02:00
Paul Marillonnet	b4704b16c9	use django3.2-compatible re_path urls util (#64309)	2022-04-20 09:54:05 +02:00
Benjamin Dauvergne	7c9ca09de7	misc: remove six module usage (#63688)	2022-04-08 10:14:54 +02:00
Benjamin Dauvergne	947c355baf	views: keep next_url trough sp logout (#61431) ... * first, create relaystate before build logout.msgUrl * second, retrieve it in sp_logout_response	2022-02-04 13:00:55 +01:00
Benjamin Dauvergne	be1e50e826	views: log SAML response and assertion in debug view (#58915)	2021-11-23 19:21:23 +01:00
Benjamin Dauvergne	4941fd7281	show an error page when create_server fails (#57176)	2021-09-23 10:39:04 +02:00
Benjamin Dauvergne	73bfa476ef	drop and rename issuer field (#56819)	2021-09-15 16:55:59 +02:00
Benjamin Dauvergne	a851b5b2ca	migrate issuer data (#56819)	2021-09-15 16:55:59 +02:00
Benjamin Dauvergne	2d1510aae1	adapters: truncate username to the field's max_length (#56482)	2021-08-30 15:29:37 +02:00
Benjamin Dauvergne	fbc3588f1b	add MELLON_ASSERTION_CONSUMER_BINDINGS (#52063) ... The default value is ['post', 'artifact'].	2021-08-05 15:57:39 +02:00
Benjamin Dauvergne	4729ef9a3b	apply isort and pyupgrade (#55990)	2021-08-05 11:13:19 +02:00
Benjamin Dauvergne	2704f4feaa	views: keep a nonce during a forceAuthn request (#55953) ... Nonce value and forceAuthn is linked to the request id which is randomly generated by lasso and returned by IdPs as part of a SAML SSO.	2021-08-03 17:20:49 +02:00
Valentin Deniaud	dbdd6fd70b	views: add debug login view (#55557)	2021-08-03 11:59:17 +02:00
Benjamin Dauvergne	74e6f5a93d	middleware: disable automatic passive authentication if ?no-passive-auth (#55854) ... You can add ?no-passive-auth to an URL do disable passive authentication based on an IdP set common domain cookie.	2021-07-27 12:04:24 +02:00
Benjamin Dauvergne	472ce61844	adapters: improve log messages (#55544) ... - add mellon: prefix to all messages - log all failures at the warning or error level instead of debug	2021-07-13 12:09:12 +02:00
Benjamin Dauvergne	5b9bc1ff57	trivial: apply black (#51575)	2021-03-02 14:52:10 +01:00
Benjamin Dauvergne	672cfb90a4	adapters: report warning about TRANSIENT_FEDERATION_ATTRIBUTE to user (#51568)	2021-03-02 14:47:56 +01:00
Lauréline Guérin	7cd78e96ab	views: fix logout is user is already logged out (#50155)	2021-01-15 10:51:51 +01:00
Valentin Deniaud	bdbc251291	views: handle empty session at authentication (#45461)	2020-07-28 09:33:12 +02:00
Benjamin Dauvergne	e1deb96f8c	tests: clear caplog between sessions (#41949)	2020-06-21 13:13:57 +02:00
Benjamin Dauvergne	482aa09f92	misc: add support for SOAP SLO (#41949)	2020-06-21 13:13:57 +02:00
Benjamin Dauvergne	65cbdcefc3	misc: support asynchronous logout (#41949) ... It means that will lookup for other Django sessions linked to the received logout request; logout request can specify session indexes or ask for logout of all sessions of the user targeted by the NameID.	2020-06-21 13:13:57 +02:00
Benjamin Dauvergne	c05f4a3129	views: ignore XML content in SAML attributes (#43193)	2020-05-21 21:04:51 +02:00
Frédéric Péters	d67297c7aa	misc: return bad request messages as plain text (#41602)	2020-04-10 16:45:29 +02:00
Frédéric Péters	74230b51ec	general: remove compatibility with django < 1.11 (#38616)	2020-01-29 20:33:02 +01:00
Frédéric Péters	7802e85d52	misc: allow all views to receive template_base/context_hook kwargs (#38610)	2019-12-18 09:39:48 +01:00
Frédéric Péters	b1b85cf0d2	add possibility to define a hook to alter login template context (#38533)	2019-12-16 14:22:18 +01:00
Benjamin Dauvergne	09c32c83d5	misc: make login_hint works without next parameter (#38163)	2019-12-03 19:53:37 +01:00