2015-10-25 00:10:20 +02:00
|
|
|
import logging
|
|
|
|
|
import os
|
2019-08-09 20:43:35 +02:00
|
|
|
import xml.etree.ElementTree as ET
|
2020-05-18 20:36:00 +02:00
|
|
|
from time import sleep
|
2015-02-11 17:47:41 +01:00
|
|
|
|
2015-04-27 17:00:48 +02:00
|
|
|
import requests
|
|
|
|
|
from authentic2 import app_settings
|
2022-11-03 12:11:24 +01:00
|
|
|
from authentic2.a2_rbac.models import OrganizationalUnit, Role
|
2015-09-25 14:40:40 +02:00
|
|
|
from authentic2.a2_rbac.utils import get_default_ou
|
2015-02-11 17:47:41 +01:00
|
|
|
from authentic2.compat_lasso import lasso
|
2015-05-08 12:11:47 +02:00
|
|
|
from authentic2.models import Attribute
|
2015-06-09 10:22:06 +02:00
|
|
|
from authentic2.saml.models import LibertyProvider, LibertyServiceProvider, SAMLAttribute, SPOptionsIdPPolicy
|
2015-09-25 14:40:40 +02:00
|
|
|
from django.conf import settings
|
2019-05-15 16:13:39 +02:00
|
|
|
from django.contrib.auth import get_user_model
|
2015-02-11 17:47:41 +01:00
|
|
|
from django.contrib.contenttypes.models import ContentType
|
2015-10-25 00:10:20 +02:00
|
|
|
from django.core import serializers
|
2019-07-06 11:56:33 +02:00
|
|
|
from django.utils.translation import activate
|
2023-03-29 12:10:39 +02:00
|
|
|
from django.utils.translation import gettext as _
|
2015-02-11 17:47:41 +01:00
|
|
|
from tenant_schemas.utils import tenant_context
|
|
|
|
|
|
2019-08-14 23:42:22 +02:00
|
|
|
from hobo.agent.authentic2.provisionning import Provisionning
|
2015-02-11 17:47:41 +01:00
|
|
|
from hobo.agent.common.management.commands import hobo_deploy
|
|
|
|
|
|
2019-05-15 16:13:39 +02:00
|
|
|
User = get_user_model()
|
|
|
|
|
|
2015-02-11 17:47:41 +01:00
|
|
|
|
|
|
|
|
class Command(hobo_deploy.Command):
|
|
|
|
|
help = 'Deploy multitenant authentic service from hobo'
|
|
|
|
|
|
2019-08-09 20:43:35 +02:00
|
|
|
backoff_factor = 5
|
|
|
|
|
|
2015-10-25 00:10:20 +02:00
|
|
|
def __init__(self, *args, **kwargs):
|
|
|
|
|
self.logger = logging.getLogger(__name__)
|
|
|
|
|
super().__init__(*args, **kwargs)
|
|
|
|
|
|
2015-02-11 17:47:41 +01:00
|
|
|
def deploy_specifics(self, hobo_environment, tenant):
|
|
|
|
|
# generate SAML keys
|
2015-05-18 14:44:39 +02:00
|
|
|
self.generate_saml_keys(tenant)
|
2015-12-28 14:36:26 +01:00
|
|
|
self.configure_theme(hobo_environment, tenant)
|
2015-02-11 17:47:41 +01:00
|
|
|
|
|
|
|
|
with tenant_context(tenant):
|
2015-10-12 18:13:47 +02:00
|
|
|
# Activate default translation
|
|
|
|
|
activate(settings.LANGUAGE_CODE)
|
2015-02-13 09:47:15 +01:00
|
|
|
for user_dict in hobo_environment.get('users'):
|
2018-02-23 17:11:12 +01:00
|
|
|
# create hobo users in authentic to bootstrap
|
|
|
|
|
# (don't update them, hobo is not a provisioning system)
|
|
|
|
|
if not user_dict.get('email'):
|
|
|
|
|
# get an email for settings, or default to system
|
2015-06-08 16:37:27 +02:00
|
|
|
try:
|
2018-02-23 17:11:12 +01:00
|
|
|
user_dict['email'] = settings.ADMINS[0][1]
|
2015-06-08 16:37:27 +02:00
|
|
|
except (IndexError, ValueError):
|
2018-02-23 17:11:12 +01:00
|
|
|
user_dict['email'] = 'root@localhost'
|
|
|
|
|
|
|
|
|
|
if not (user_dict.get('first_name') or user_dict.get('last_name')):
|
|
|
|
|
# some SP require a name
|
|
|
|
|
user_dict['first_name'] = user_dict['username']
|
|
|
|
|
|
|
|
|
|
user_dict['is_staff'] = True
|
|
|
|
|
user_dict['is_superuser'] = True
|
|
|
|
|
|
2019-05-15 16:13:39 +02:00
|
|
|
user, created = User.objects.get_or_create(defaults=user_dict, username=user_dict['username'])
|
2015-02-13 09:47:15 +01:00
|
|
|
|
2015-05-08 12:11:47 +02:00
|
|
|
# create/update user attributes
|
|
|
|
|
fields = []
|
|
|
|
|
disabled_fields = []
|
2018-03-20 15:49:59 +01:00
|
|
|
for i, attribute in enumerate(hobo_environment.get('profile', {}).get('fields')):
|
2016-08-27 10:54:20 +02:00
|
|
|
if attribute['name'] == 'email':
|
|
|
|
|
# this field is hardcoded in the user model, don't add
|
|
|
|
|
# it as a new attribute, but add it to the fields list,
|
|
|
|
|
# so it gets shared as SAML attribute.
|
2015-05-12 12:19:00 +02:00
|
|
|
fields.append(attribute['name'])
|
2015-05-08 12:11:47 +02:00
|
|
|
continue
|
2020-11-21 12:15:51 +01:00
|
|
|
attr, created = Attribute.all_objects.update_or_create(
|
2018-03-09 21:51:33 +01:00
|
|
|
name=attribute['name'], defaults={'kind': attribute['kind']}
|
|
|
|
|
)
|
2015-05-08 12:11:47 +02:00
|
|
|
for key in (
|
|
|
|
|
'label',
|
|
|
|
|
'description',
|
|
|
|
|
'asked_on_registration',
|
2018-03-22 22:15:06 +01:00
|
|
|
'user_editable',
|
|
|
|
|
'user_visible',
|
|
|
|
|
'required',
|
2019-01-01 13:22:54 +01:00
|
|
|
'searchable',
|
|
|
|
|
'disabled',
|
2021-08-31 10:18:44 +02:00
|
|
|
'required_on_login',
|
2019-01-01 13:22:54 +01:00
|
|
|
):
|
2019-01-02 09:40:32 +01:00
|
|
|
if key in attribute:
|
|
|
|
|
setattr(attr, key, attribute[key])
|
2018-03-20 15:49:59 +01:00
|
|
|
attr.order = i
|
2015-05-08 12:11:47 +02:00
|
|
|
if attribute['disabled']:
|
|
|
|
|
disabled_fields.append(attr.name)
|
|
|
|
|
else:
|
|
|
|
|
fields.append(attr.name)
|
|
|
|
|
attr.save()
|
|
|
|
|
|
2015-02-11 17:47:41 +01:00
|
|
|
# creation of IdpPolicy
|
2015-02-23 09:55:14 +01:00
|
|
|
policy, created = SPOptionsIdPPolicy.objects.get_or_create(name='Default')
|
2015-05-11 21:23:35 +02:00
|
|
|
policy.enabled = True
|
|
|
|
|
policy.authn_request_signed = False
|
2015-09-14 21:03:01 +02:00
|
|
|
policy.accepted_name_id_format = ['uuid']
|
|
|
|
|
policy.default_name_id_format = 'uuid'
|
2016-07-11 11:15:45 +02:00
|
|
|
policy.idp_initiated_sso = True
|
2015-05-11 21:23:35 +02:00
|
|
|
policy.save()
|
2015-02-20 16:17:20 +01:00
|
|
|
|
2015-05-08 12:11:47 +02:00
|
|
|
policy_type = ContentType.objects.get_for_model(SPOptionsIdPPolicy)
|
2015-06-25 13:49:28 +02:00
|
|
|
provider_type = ContentType.objects.get_for_model(LibertyProvider)
|
2015-05-08 12:11:47 +02:00
|
|
|
|
|
|
|
|
# create SAML default policy attributes
|
2015-10-16 11:59:51 +02:00
|
|
|
names = ['username', 'is_superuser'] + fields + disabled_fields
|
|
|
|
|
for name in names:
|
|
|
|
|
attribute, created = SAMLAttribute.objects.get_or_create(
|
|
|
|
|
name=name,
|
|
|
|
|
name_format='basic',
|
|
|
|
|
attribute_name='django_user_%s' % name,
|
|
|
|
|
object_id=policy.id,
|
|
|
|
|
content_type=policy_type,
|
|
|
|
|
)
|
2015-05-08 12:11:47 +02:00
|
|
|
attribute.enabled = not (name in disabled_fields)
|
|
|
|
|
attribute.save()
|
|
|
|
|
|
2016-06-29 09:42:57 +02:00
|
|
|
# also pass verified attributes
|
|
|
|
|
SAMLAttribute.objects.get_or_create(
|
|
|
|
|
name='verified_attributes',
|
|
|
|
|
name_format='basic',
|
|
|
|
|
attribute_name='@verified_attributes@',
|
|
|
|
|
object_id=policy.id,
|
|
|
|
|
content_type=policy_type,
|
|
|
|
|
)
|
|
|
|
|
|
2015-02-11 17:47:41 +01:00
|
|
|
# create or update Service Providers
|
2015-10-16 11:59:51 +02:00
|
|
|
services = hobo_environment['services']
|
2019-08-09 20:43:35 +02:00
|
|
|
retries = 0
|
2019-08-14 23:42:22 +02:00
|
|
|
provision_target_ous = {}
|
2019-08-09 20:43:35 +02:00
|
|
|
max_retries = 1 if self.redeploy else 5
|
|
|
|
|
while retries < max_retries:
|
|
|
|
|
for service in services:
|
|
|
|
|
if service.get('$done'):
|
|
|
|
|
continue
|
|
|
|
|
if not service.get('saml-sp-metadata-url'):
|
|
|
|
|
service['$done'] = True
|
|
|
|
|
continue
|
|
|
|
|
sp_url = service['saml-sp-metadata-url']
|
|
|
|
|
metadata_text = None
|
|
|
|
|
try:
|
|
|
|
|
metadata_response = requests.get(sp_url, verify=app_settings.A2_VERIFY_SSL, timeout=5)
|
|
|
|
|
metadata_response.raise_for_status()
|
|
|
|
|
# verify metadata is correct
|
|
|
|
|
if self.check_saml_metadata(metadata_response.text):
|
|
|
|
|
metadata_text = metadata_response.text
|
|
|
|
|
else:
|
|
|
|
|
service['$last-error'] = 'metadata is incorrect'
|
|
|
|
|
continue
|
|
|
|
|
except requests.exceptions.RequestException as e:
|
|
|
|
|
service['$last-error'] = str(e)
|
|
|
|
|
continue
|
|
|
|
|
metadata_text = metadata_response.text
|
|
|
|
|
|
2021-12-01 15:19:45 +01:00
|
|
|
provider, service_created = None, False
|
|
|
|
|
for legacy_urls in service.get('legacy_urls', []):
|
|
|
|
|
try:
|
|
|
|
|
provider = LibertyProvider.objects.get(
|
|
|
|
|
entity_id=legacy_urls['saml-sp-metadata-url'],
|
|
|
|
|
protocol_conformance=lasso.PROTOCOL_SAML_2_0,
|
|
|
|
|
)
|
|
|
|
|
provider.entity_id = sp_url
|
|
|
|
|
break
|
|
|
|
|
except LibertyProvider.DoesNotExist:
|
|
|
|
|
pass
|
|
|
|
|
if not provider:
|
|
|
|
|
provider, service_created = LibertyProvider.objects.get_or_create(
|
|
|
|
|
entity_id=sp_url, protocol_conformance=lasso.PROTOCOL_SAML_2_0
|
|
|
|
|
)
|
2019-08-09 20:43:35 +02:00
|
|
|
provider.name = service['title']
|
|
|
|
|
provider.slug = service['slug']
|
|
|
|
|
provider.federation_source = 'hobo'
|
|
|
|
|
provider.metadata = metadata_text
|
|
|
|
|
provider.metadata_url = service['saml-sp-metadata-url']
|
2021-02-15 15:04:50 +01:00
|
|
|
variables = service.get('variables', {})
|
|
|
|
|
if variables.get('ou-slug'):
|
2022-11-03 12:11:24 +01:00
|
|
|
ou, created = OrganizationalUnit.objects.get_or_create(
|
2019-08-09 20:43:35 +02:00
|
|
|
slug=service['variables']['ou-slug']
|
|
|
|
|
)
|
|
|
|
|
ou.name = service['variables']['ou-label']
|
|
|
|
|
ou.save()
|
2021-02-15 15:04:50 +01:00
|
|
|
if service.get('secondary') and variables.get('ou-label'):
|
|
|
|
|
# for secondary services include collectivity in label
|
|
|
|
|
provider.name = '%s (%s)' % (service['title'], service['variables']['ou-label'])
|
2019-08-09 20:43:35 +02:00
|
|
|
else:
|
|
|
|
|
# if there are more than one w.c.s. service we will create an
|
|
|
|
|
# ou of the same name
|
|
|
|
|
ou = get_default_ou()
|
|
|
|
|
create_ou = False
|
|
|
|
|
if service_created and service['service-id'] == 'wcs':
|
|
|
|
|
for s in services:
|
|
|
|
|
if s['service-id'] != 'wcs':
|
|
|
|
|
continue
|
|
|
|
|
if s['slug'] == service['slug']:
|
|
|
|
|
continue
|
|
|
|
|
if LibertyProvider.objects.filter(slug=s['slug']).exists():
|
|
|
|
|
create_ou = True
|
|
|
|
|
break
|
|
|
|
|
if create_ou:
|
2022-11-03 12:11:24 +01:00
|
|
|
ou, created = OrganizationalUnit.objects.get_or_create(name=service['title'])
|
2019-08-09 20:43:35 +02:00
|
|
|
if service_created or not provider.ou:
|
|
|
|
|
provider.ou = ou
|
2019-08-14 23:42:22 +02:00
|
|
|
provision_target_ous[provider.ou.id] = provider.ou
|
2022-01-25 17:47:28 +01:00
|
|
|
if service.get('template_name') == 'portal-user':
|
2022-01-28 14:55:27 +01:00
|
|
|
provider.ou.home_url = service['base_url']
|
2022-01-25 17:47:28 +01:00
|
|
|
provider.ou.save()
|
2019-08-09 20:43:35 +02:00
|
|
|
provider.save()
|
|
|
|
|
if service_created:
|
|
|
|
|
service_provider = LibertyServiceProvider(
|
|
|
|
|
enabled=True,
|
|
|
|
|
liberty_provider=provider,
|
|
|
|
|
sp_options_policy=policy,
|
|
|
|
|
users_can_manage_federations=False,
|
|
|
|
|
)
|
|
|
|
|
service_provider.save()
|
|
|
|
|
|
|
|
|
|
# add a superuser role for the service
|
|
|
|
|
name = _('Superuser of %s') % service['title']
|
|
|
|
|
su_role, created = Role.objects.get_or_create(
|
|
|
|
|
service=provider, slug='_a2-hobo-superuser', defaults={'name': name}
|
|
|
|
|
)
|
|
|
|
|
if su_role.name != name:
|
|
|
|
|
su_role.name = name
|
|
|
|
|
su_role.save()
|
2022-12-05 12:22:01 +01:00
|
|
|
|
|
|
|
|
su_role.is_superuser = True
|
|
|
|
|
su_role.save()
|
|
|
|
|
|
2019-08-09 20:43:35 +02:00
|
|
|
# pass the new attribute to the service
|
|
|
|
|
SAMLAttribute.objects.get_or_create(
|
|
|
|
|
name='is_superuser',
|
|
|
|
|
name_format='basic',
|
|
|
|
|
attribute_name='is_superuser',
|
|
|
|
|
object_id=provider.pk,
|
|
|
|
|
content_type=provider_type,
|
|
|
|
|
)
|
|
|
|
|
SAMLAttribute.objects.get_or_create(
|
|
|
|
|
name='role-slug',
|
|
|
|
|
name_format='basic',
|
|
|
|
|
attribute_name='a2_service_ou_role_uuids',
|
|
|
|
|
object_id=provider.pk,
|
|
|
|
|
content_type=provider_type,
|
|
|
|
|
)
|
|
|
|
|
# load skeleton if service is new
|
|
|
|
|
if service.get('template_name'):
|
|
|
|
|
# if there are more of the same servie, we will create an
|
|
|
|
|
# ou
|
|
|
|
|
self.load_skeleton(provider, service['service-id'], service['template_name'])
|
|
|
|
|
service['$done'] = True
|
|
|
|
|
|
2020-05-18 20:42:20 +02:00
|
|
|
if all(service.get('$done') for service in services):
|
2019-08-09 20:43:35 +02:00
|
|
|
# it's finished no need to continue
|
|
|
|
|
break
|
|
|
|
|
|
|
|
|
|
# wait 5, 10, 20, 40, .. seconds
|
2020-05-18 20:36:00 +02:00
|
|
|
sleep(self.backoff_factor * (2**retries))
|
2019-08-09 20:43:35 +02:00
|
|
|
retries += 1
|
|
|
|
|
|
2019-08-14 23:42:22 +02:00
|
|
|
if provision_target_ous:
|
|
|
|
|
# mass provision roles on new created services
|
|
|
|
|
engine = Provisionning()
|
2022-11-03 12:11:24 +01:00
|
|
|
roles = Role.objects.all()
|
2019-08-14 23:42:22 +02:00
|
|
|
engine.notify_roles(provision_target_ous, roles, full=True)
|
|
|
|
|
|
2019-08-09 20:43:35 +02:00
|
|
|
for service in services:
|
|
|
|
|
if not service.get('$done'):
|
|
|
|
|
last_error = service['$last-error']
|
|
|
|
|
sp_url = service['saml-sp-metadata-url']
|
|
|
|
|
self.stderr.write(self.style.WARNING('Error registering %s: %s\n' % (sp_url, last_error)))
|
2015-10-25 00:10:20 +02:00
|
|
|
|
|
|
|
|
def load_skeleton(self, provider, service_id, template_name, create_ou=False):
|
|
|
|
|
if not getattr(settings, 'HOBO_SKELETONS_DIR', None):
|
|
|
|
|
self.logger.debug('no skeleton: no HOBO_SKELETONS_DIR setting')
|
|
|
|
|
return
|
|
|
|
|
# ex.: /var/lib/authentic2-multitenant/skeletons/communes/wcs/
|
|
|
|
|
skeleton_dir = os.path.join(settings.HOBO_SKELETONS_DIR, template_name, service_id)
|
|
|
|
|
if not os.path.exists(skeleton_dir):
|
|
|
|
|
self.logger.debug('no skeleton: skeleton dir %r does not exist', skeleton_dir)
|
|
|
|
|
return
|
|
|
|
|
self.load_skeleton_roles(skeleton_dir, provider)
|
|
|
|
|
|
|
|
|
|
def load_skeleton_roles(self, skeleton_dir, provider):
|
|
|
|
|
'''Load default roles based on a template'''
|
|
|
|
|
roles_filename = os.path.join(skeleton_dir, 'roles.json')
|
|
|
|
|
if not os.path.exists(roles_filename):
|
|
|
|
|
self.logger.debug('no skeleton roles: roles file %r does not ' 'exist', roles_filename)
|
|
|
|
|
return
|
2015-11-09 13:42:18 +01:00
|
|
|
if Role.objects.filter(ou=provider.ou).exclude(slug__startswith='_').exists():
|
|
|
|
|
return
|
2015-11-09 11:39:25 +01:00
|
|
|
roles = []
|
2015-10-25 00:10:20 +02:00
|
|
|
for role in serializers.deserialize('json', open(roles_filename)):
|
|
|
|
|
assert isinstance(role.object, Role)
|
|
|
|
|
# reset id and natural key
|
|
|
|
|
role.object.pk = None
|
|
|
|
|
role.object.uuid = Role._meta.get_field('uuid').default()
|
|
|
|
|
# same ou as provider
|
|
|
|
|
role.object.ou = provider.ou
|
|
|
|
|
# XXX: attach to service or not ?
|
2015-11-09 13:06:35 +01:00
|
|
|
roles.append(role.object)
|
2015-11-09 11:39:25 +01:00
|
|
|
if roles:
|
|
|
|
|
Role.objects.bulk_create(roles)
|
|
|
|
|
Role.objects.get(uuid=roles[-1].uuid).save()
|
2019-08-09 20:43:35 +02:00
|
|
|
|
|
|
|
|
def check_saml_metadata(self, saml_metadata):
|
|
|
|
|
try:
|
2019-08-16 18:34:48 +02:00
|
|
|
root = ET.fromstring(saml_metadata.encode('utf-8'))
|
2019-08-09 20:43:35 +02:00
|
|
|
except ET.ParseError:
|
|
|
|
|
return False
|
|
|
|
|
return root.tag == '{%s}EntityDescriptor' % lasso.SAML2_METADATA_HREF
|
