first commit

.gitignore

@@ -0,0 +1,3 @@
+settings.ini
+*.pyo
+*.pyc

README.md

@@ -1,2 +1,7 @@
-univnautes-idp : un IdP pour UnivNautes
+univnautes-idp : IdP multi-tenants pour UnivNautes
+
+cp settings.ini.example /somewhere/settings.ini
+export UNIVNAUTES_IDP_SETTINGS_INI=/somewhere/settings.ini
+python manage.py sync_schemas --shared --noinput
+python manage.py create-tenant xyz.univnautes-idp.dev.entrouvert.org xyz
 

manage.py

@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+import os
+import sys
+
+if __name__ == "__main__":
+    os.environ.setdefault("DJANGO_SETTINGS_MODULE", "univnautes_idp.settings")
+
+    from django.core.management import execute_from_command_line
+
+    execute_from_command_line(sys.argv)

requirements.txt

@@ -0,0 +1,3 @@
+authentic2
+django-tenant-schemas
+python-entrouvert

settings.ini.example

@@ -0,0 +1,114 @@
+[saml]
+local_metadata_cache_timeout: 600
+# Whether to autoload SAML 2.0 identity providers and services metadata
+# Only https URLS are accepted. Can be none, sp, idp or both
+metadata_autoload: both
+# these keys will changed by tenants :
+signature_public_key: -----BEGIN CERTIFICATE-----
+  MIIDIzCCAgugAwIBAgIJANUBoick1pDpMA0GCSqGSIb3DQEBBQUAMBUxEzARBgNV
+  BAoTCkVudHJvdXZlcnQwHhcNMTAxMjE0MTUzMzAyWhcNMTEwMTEzMTUzMzAyWjAV
+  MRMwEQYDVQQKEwpFbnRyb3V2ZXJ0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+  CgKCAQEAvxFkfPdndlGgQPDZgFGXbrNAc/79PULZBuNdWFHDD9P5hNhZn9Kqm4Cp
+  06Pe/A6u+g5wLnYvbZQcFCgfQAEzziJtb3J55OOlB7iMEI/T2AX2WzrUH8QT8NGh
+  ABONKU2Gg4XiyeXNhH5R7zdHlUwcWq3ZwNbtbY0TVc+n665EbrfV/59xihSqsoFr
+  kmBLH0CoepUXtAzA7WDYn8AzusIuMx3n8844pJwgxhTB7Gjuboptlz9Hri8JRdXi
+  VT9OS9Wt69ubcNoM6zuKASmtm48UuGnhj8v6XwvbjKZrL9kA+xf8ziazZfvvw/VG
+  Tm+IVFYB7d1x457jY5zjjXJvNysoowIDAQABo3YwdDAdBgNVHQ4EFgQUeF8ePnu0
+  fcAK50iBQDgAhHkOu8kwRQYDVR0jBD4wPIAUeF8ePnu0fcAK50iBQDgAhHkOu8mh
+  GaQXMBUxEzARBgNVBAoTCkVudHJvdXZlcnSCCQDVAaInJNaQ6TAMBgNVHRMEBTAD
+  AQH/MA0GCSqGSIb3DQEBBQUAA4IBAQAy8l3GhUtpPHx0FxzbRHVaaUSgMwYKGPhE
+  IdGhqekKUJIx8et4xpEMFBl5XQjBNq/mp5vO3SPb2h2PVSks7xWnG3cvEkqJSOeo
+  fEEhkqnM45b2MH1S5uxp4i8UilPG6kmQiXU2rEUBdRk9xnRWos7epVivTSIv1Ncp
+  lG6l41SXp6YgIb2ToT+rOKdIGIQuGDlzeR88fDxWEU0vEujZv/v1PE1YOV0xKjTT
+  JumlBc6IViKhJeo1wiBBrVRIIkKKevHKQzteK8pWm9CYWculxT26TZ4VWzGbo06j
+  o2zbumirrLLqnt1gmBDvDvlOwC/zAAyL4chbz66eQHTiIYZZvYgy
+  -----END CERTIFICATE-----
+signature_private_key: -----BEGIN RSA PRIVATE KEY-----
+  MIIEpAIBAAKCAQEAvxFkfPdndlGgQPDZgFGXbrNAc/79PULZBuNdWFHDD9P5hNhZ
+  n9Kqm4Cp06Pe/A6u+g5wLnYvbZQcFCgfQAEzziJtb3J55OOlB7iMEI/T2AX2WzrU
+  H8QT8NGhABONKU2Gg4XiyeXNhH5R7zdHlUwcWq3ZwNbtbY0TVc+n665EbrfV/59x
+  ihSqsoFrkmBLH0CoepUXtAzA7WDYn8AzusIuMx3n8844pJwgxhTB7Gjuboptlz9H
+  ri8JRdXiVT9OS9Wt69ubcNoM6zuKASmtm48UuGnhj8v6XwvbjKZrL9kA+xf8ziaz
+  Zfvvw/VGTm+IVFYB7d1x457jY5zjjXJvNysoowIDAQABAoIBAQCj8t2iKXya10HG
+  V6Saaeih8aftoLBV38VwFqqjPU0+iKqDpk2JSXBhjI6s7uFIsaTNJpR2Ga1qvns1
+  hJQEDMQSLhJvXfBgSkHylRWCpJentr4E3D7mnw5pRsd61Ev9U+uHcdv/WHP4K5hM
+  xsdiwXNXD/RYd1Q1+6bKrCuvnNJVmWe0/RV+r3T8Ni5xdMVFbRWt/VEoE620XX6c
+  a9TQPiA5i/LRVyie+js7Yv+hVjGOlArtuLs6ECQsivfPrqKLOBRWcofKdcf+4N2e
+  3cieUqwzC15C31vcMliD9Hax9c1iuTt9Q3Xzo20fOSazAnQ5YBEExyTtrFBwbfQu
+  ku6hp81pAoGBAN6bc6iJtk5ipYpsaY4ZlbqdjjG9KEXB6G1MExPU7SHXOhOF0cDH
+  /pgMsv9hF2my863MowsOj3OryVhdQhwA6RrV263LRh+JU8NyHV71BwAIfI0BuVfj
+  6r24KudwtUcvMr9pJIrJyMAMaw5ZyNoX7YqFpS6fcisSJYdSBSoxzrzVAoGBANu6
+  xVeMqGavA/EHSOQP3ipDZ3mnWbkDUDxpNhgJG8Q6lZiwKwLoSceJ8z0PNY3VetGA
+  RbqtqBGfR2mcxHyzeqVBpLnXZC4vs/Vy7lrzTiHDRZk2SG5EkHMSKFA53jN6S/nJ
+  JWpYZC8lG8w4OHaUfDHFWbptxdGYCgY4//sjeiuXAoGBANuhurJ99R5PnA8AOgEW
+  4zD1hLc0b4ir8fvshCIcAj9SUB20+afgayRv2ye3Dted1WkUL4WYPxccVhLWKITi
+  rRtqB03o8m3pG3kJnUr0LIzu0px5J/o8iH3ZOJOTE3iBa+uI/KHmxygc2H+XPGFa
+  HGeAxuJCNO2kAN0Losbnz5dlAoGAVsCn94gGWPxSjxA0PC7zpTYVnZdwOjbPr/pO
+  LDE0cEY9GBq98JjrwEd77KibmVMm+Z4uaaT0jXiYhl8pyJ5IFwUS13juCbo1z/u/
+  ldMoDvZ8/R/MexTA/1204u/mBecMJiO/jPw3GdIJ5phv2omHe1MSuSNsDfN8Sbap
+  gmsgaiMCgYB/nrTk89Fp7050VKCNnIt1mHAcO9cBwDV8qrJ5O3rIVmrg1T6vn0aY
+  wRiVcNacaP+BivkrMjr4BlsUM6yH4MOBsNhLURiiCL+tLJV7U0DWlCse/doWij4U
+  TKX6tp6oI+7MIJE6ySZ0cBqOiydAkBePZhu57j6ToBkTa0dbHjn1WA==
+  -----END RSA PRIVATE KEY-----
+
+
+[dirs]
+base: /home/thomas/univnautes-idp
+template_dirs: %(base)s/templates
+multitenant_template_dirs: %(base)s/tenants/templates
+  /var/lib/truc/encore
+  /bidule/machin
+media_root: %(base)s/media
+static_root: %(base)s/static
+static_dirs:
+
+[database]
+name: univnautes_idp
+host:
+port:
+user:
+password:
+
+[cache]
+memcached: on
+
+[secrets]
+secret_key: random-string-of-ascii
+csrf_secret: random-string-of-ascii
+
+[session]
+expire_at_browser_close: yes
+cookie_age:
+cookie_name:
+cookie_path:
+coolie_secure:
+cookie_domain:
+
+# all settings in debug section should be false in production
+# INTERNAL_IPS should be empty in productive environment
+[debug]
+general: true
+template: true
+toolbar: true
+internal_ips: 127.0.0.1
+skip_csrf: true
+sentry_dsn: 
+
+[email]
+server_email: django@localhost
+default_from_email: django@localhost
+subject_prefix: [unidp]
+host: localhost
+port: 25
+use_tls: no
+user:
+password:
+
+# the [admins] and [managers] sections are special. Just add lines with
+#   full name: email_address@domain.xx
+# each section must be present but may be empty.
+[admins]
+#Thomas: tnoel+unidp@entrouvert.com
+[managers]
+#Thomas: tnoel+unidp@entrouvert.com
+

univnautes_idp/settings.py

@@ -0,0 +1,294 @@
+# Django settings for univnautes_idp project.
+
+import os
+from ConfigParser import ConfigParser
+from django.core.exceptions import ImproperlyConfigured
+
+SETTINGS_INI = os.environ.get('UNIVNAUTES_IDP_SETTINGS_INI', '/etc/univnautes-idp/settings.ini')
+config = ConfigParser()
+config.read(SETTINGS_INI)
+
+
+DEBUG = config.getboolean('debug', 'general')
+INTERNAL_IPS = tuple(config.get('debug', 'internal_ips').split())
+TEMPLATE_DEBUG = config.getboolean('debug', 'template')
+ADMINS = tuple(config.items('admins'))
+MANAGERS = tuple(config.items('managers'))
+SENTRY_DSN = config.get('debug', 'sentry_dsn')
+DEBUG_TOOLBAR = config.getboolean('debug', 'toolbar')
+
+DATABASES = {
+    'default': {
+        'ENGINE': 'tenant_schemas.postgresql_backend',
+        'NAME': config.get('database','name'),
+        'USER': config.get('database','user'),
+        'PASSWORD': config.get('database','password'),
+        'HOST': config.get('database','host'),
+        'PORT': config.get('database','port'),
+    }
+}
+SOUTH_DATABASE_ADAPTERS = {
+    'default': 'south.db.postgresql_psycopg2',
+}
+
+
+# Hosts/domain names that are valid for this site; required if DEBUG is False
+# See https://docs.djangoproject.com/en/1.5/ref/settings/#allowed-hosts
+ALLOWED_HOSTS = ['*']
+USE_X_FORWARDED_HOST = True
+
+# Local time zone for this installation. Choices can be found here:
+# http://en.wikipedia.org/wiki/List_of_tz_zones_by_name
+# although not all choices may be available on all operating systems.
+# In a Windows environment this must be set to your system time zone.
+TIME_ZONE = 'Europe/Paris'
+
+# Language code for this installation. All choices can be found here:
+# http://www.i18nguy.com/unicode/language-identifiers.html
+LANGUAGE_CODE = 'fr-fr'
+gettext_noop = lambda s: s
+LANGUAGES = (
+    ('en', gettext_noop('English')),
+    ('fr', gettext_noop('French')),
+)
+
+SITE_ID = 1
+
+# If you set this to False, Django will make some optimizations so as not
+# to load the internationalization machinery.
+USE_I18N = True
+
+# If you set this to False, Django will not format dates, numbers and
+# calendars according to the current locale.
+USE_L10N = True
+
+# If you set this to False, Django will not use timezone-aware datetimes.
+USE_TZ = True
+
+# Absolute filesystem path to the directory that will hold user-uploaded files.
+# Example: "/var/www/example.com/media/"
+MEDIA_ROOT = config.get('dirs','media_root')
+
+# URL that handles the media served from MEDIA_ROOT. Make sure to use a
+# trailing slash.
+# Examples: "http://example.com/media/", "http://media.example.com/"
+MEDIA_URL = ''
+
+# Absolute path to the directory static files should be collected to.
+# Don't put anything in this directory yourself; store your static files
+# in apps' "static/" subdirectories and in STATICFILES_DIRS.
+# Example: "/var/www/example.com/static/"
+STATIC_ROOT = config.get('dirs','static_root')
+
+# URL prefix for static files.
+# Example: "http://example.com/static/", "http://static.example.com/"
+STATIC_URL = '/static/'
+
+# Additional locations of static files
+STATICFILES_DIRS = tuple(config.get('dirs','static_dirs').split())
+
+# List of finder classes that know how to find static files in
+# various locations.
+STATICFILES_FINDERS = (
+    'django.contrib.staticfiles.finders.FileSystemFinder',
+    'django.contrib.staticfiles.finders.AppDirectoriesFinder',
+#    'django.contrib.staticfiles.finders.DefaultStorageFinder',
+)
+
+# Make this unique, and don't share it with anybody.
+SECRET_KEY = config.get('secrets', 'secret_key')
+
+# List of callables that know how to import templates from various sources.
+TEMPLATE_LOADERS = (
+    'entrouvert.djommon.multitenant.template_loader.FilesystemLoader',
+    'django.template.loaders.filesystem.Loader',
+    'django.template.loaders.app_directories.Loader',
+)
+
+TEMPLATE_CONTEXT_PROCESSORS = (
+    'django.contrib.auth.context_processors.auth',
+    'django.core.context_processors.debug',
+    'django.core.context_processors.i18n',
+    'django.core.context_processors.media',
+    'django.core.context_processors.request',
+    'django.contrib.messages.context_processors.messages',
+    'django.core.context_processors.static',
+    'authentic2.context_processors.federations_processor',
+)
+
+MIDDLEWARE_CLASSES = (
+    'tenant_schemas.middleware.TenantMiddleware',
+    'entrouvert.djommon.multitenant.middleware.EOTenantMiddleware',
+    'django.middleware.common.CommonMiddleware',
+    'django.middleware.http.ConditionalGetMiddleware',
+    'django.contrib.sessions.middleware.SessionMiddleware',
+    'django.middleware.csrf.CsrfViewMiddleware',
+    'django.middleware.locale.LocaleMiddleware',
+    'django.contrib.auth.middleware.AuthenticationMiddleware',
+    'django.contrib.messages.middleware.MessageMiddleware',
+    'authentic2.idp.middleware.DebugMiddleware',
+    # Uncomment the next line for simple clickjacking protection:
+    # 'django.middleware.clickjacking.XFrameOptionsMiddleware',
+)
+
+ROOT_URLCONF = 'univnautes_idp.urls'
+
+# Python dotted path to the WSGI application used by Django's runserver.
+WSGI_APPLICATION = 'univnautes_idp.wsgi.application'
+
+TEMPLATE_DIRS = tuple(config.get('dirs', 'template_dirs').split())
+MULTITENANT_TEMPLATE_DIRS = tuple(config.get('dirs', 'multitenant_template_dirs').split())
+
+SHARED_APPS = (
+    'tenant_schemas',
+    'entrouvert.djommon.multitenant',
+    'django.contrib.auth',
+    'django.contrib.sessions',
+    'django.contrib.messages',
+    'django.contrib.admin',
+    'django.contrib.staticfiles',
+    'django.contrib.contenttypes',
+    'south',
+)
+
+TENANT_APPS = (
+    'django.contrib.auth',
+    'django.contrib.sessions',
+    'django.contrib.messages',
+    'django.contrib.admin',
+    'django.contrib.staticfiles',
+    'django.contrib.contenttypes',
+    'south',
+    'admin_tools',
+    'admin_tools.theming',
+    'admin_tools.menu',
+    'admin_tools.dashboard',
+    'registration',
+    'authentic2.nonce',
+    'authentic2.saml',
+    'authentic2.idp',
+    'authentic2.idp.saml',
+    'authentic2.auth2_auth',
+    'authentic2.attribute_aggregator',
+    'authentic2.disco_service',
+    'authentic2',
+)
+
+INSTALLED_APPS = SHARED_APPS + TENANT_APPS
+
+# to override commands (hey, fixme if you can)
+INSTALLED_APPS += ('tenant_schemas', 'entrouvert.djommon.multitenant',)
+
+TENANT_MODEL = 'multitenant.Tenant'
+
+SESSION_SERIALIZER = 'django.contrib.sessions.serializers.JSONSerializer'
+
+if config.getboolean('cache', 'memcached'):
+    CACHES = {
+        'default': {
+            'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache',
+            'LOCATION': '127.0.0.1:11211',
+        },
+    }
+
+# A sample logging configuration. The only tangible logging
+# performed by this configuration is to send an email to
+# the site admins on every HTTP 500 error when DEBUG=False.
+# See http://docs.djangoproject.com/en/dev/topics/logging for
+# more details on how to customize your logging configuration.
+LOGGING = {
+    'version': 1,
+    'disable_existing_loggers': False,
+    'filters': {
+        'require_debug_false': {
+            '()': 'django.utils.log.RequireDebugFalse'
+        }
+    },
+    'handlers': {
+        'mail_admins': {
+            'level': 'ERROR',
+            'filters': ['require_debug_false'],
+            'class': 'django.utils.log.AdminEmailHandler'
+        }
+    },
+    'loggers': {
+        'django.request': {
+            'handlers': ['mail_admins'],
+            'level': 'ERROR',
+            'propagate': True,
+        },
+    }
+}
+
+# email settings
+EMAIL_HOST = config.get('email', 'host')
+EMAIL_PORT = config.getint('email', 'port')
+EMAIL_HOST_USER = config.get('email', 'user')
+EMAIL_HOST_PASSWORD = config.get('email', 'password')
+EMAIL_SUBJECT_PREFIX = config.get('email', 'subject_prefix')
+EMAIL_USE_TLS = config.getboolean('email', 'use_tls')
+SERVER_EMAIL = config.get('email', 'server_email')
+DEFAULT_FROM_EMAIL = config.get('email', 'default_from_email')
+
+# sessions
+SESSION_EXPIRE_AT_BROWSER_CLOSE = config.get('session', 'expire_at_browser_close')
+
+LOGIN_REDIRECT_URL = '/'
+LOGIN_URL = '/login'
+LOGOUT_URL = '/accounts/logout'
+
+# Authentic2
+
+DISCO_SERVICE = False
+DISCO_USE_OF_METADATA = False
+DISCO_SERVICE_NAME = 'http://www.identity-hub.com/disco_service/disco'
+DISCO_RETURN_ID_PARAM = 'entityID'
+SHOW_DISCO_IN_MD = False
+USE_DISCO_SERVICE = False
+
+# Authentication settings
+
+AUTH_FRONTENDS = ('authentic2.auth2_auth.backend.LoginPasswordBackend',)
+SSLAUTH_CREATE_USER = False
+AUTHENTICATION_EVENT_EXPIRATION = 3600*24*7
+
+# IdP settings
+
+LOCAL_METADATA_CACHE_TIMEOUT = config.getint('saml', 'local_metadata_cache_timeout')
+SAML_SIGNATURE_PUBLIC_KEY = config.get('saml', 'signature_public_key')
+SAML_SIGNATURE_PRIVATE_KEY = config.get('saml', 'signature_private_key')
+SAML_METADATA_AUTOLOAD = config.get('saml', 'metadata_autoload')
+
+A2_CAN_RESET_PASSWORD = True
+A2_REGISTRATION_CAN_DELETE_ACCOUNT = True
+A2_REGISTRATION_EMAIL_IS_UNIQUE = True
+REGISTRATION_OPEN = True
+ACCOUNT_ACTIVATION_DAYS = 3
+PASSWORD_RESET_TIMEOUT_DAYS = 3
+
+# Admin tools
+ADMIN_TOOLS_INDEX_DASHBOARD = 'authentic2.dashboard.CustomIndexDashboard'
+ADMIN_TOOLS_APP_INDEX_DASHBOARD = 'authentic2.dashboard.CustomAppIndexDashboard'
+ADMIN_TOOLS_MENU = 'authentic2.menu.CustomMenu'
+
+# AUTH systels
+AUTH_SAML2 = False
+AUTH_OPENID = False
+AUTH_SSL = False
+
+# IdP protocols
+IDP_SAML2 = True
+IDP_OPENID = False
+IDP_CAS = False
+
+# List of IdP backends, mainly used to show available services in the homepage
+# of user, and to handle SLO for each protocols
+IDP_BACKENDS = ('authentic2.idp.saml.backend.SamlBackend',)
+
+
+# debug toolbar needs more
+if DEBUG_TOOLBAR:
+    DEBUG_TOOLBAR_CONFIG = {'INTERCEPT_REDIRECTS': False}
+    INSTALLED_APPS += ('debug_toolbar',)
+    MIDDLEWARE_CLASSES += ('debug_toolbar.middleware.DebugToolbarMiddleware',)
+

univnautes_idp/urls.py

@@ -0,0 +1 @@
+from authentic2.urls import urlpatterns

univnautes_idp/wsgi.py

@@ -0,0 +1,32 @@
+"""
+WSGI config for univnautes_idp project.
+
+This module contains the WSGI application used by Django's development server
+and any production WSGI deployments. It should expose a module-level variable
+named ``application``. Django's ``runserver`` and ``runfcgi`` commands discover
+this application via the ``WSGI_APPLICATION`` setting.
+
+Usually you will have the standard Django WSGI application here, but it also
+might make sense to replace the whole Django WSGI application with a custom one
+that later delegates to the Django one. For example, you could introduce WSGI
+middleware here, or combine a Django application with an application of another
+framework.
+
+"""
+import os
+
+# We defer to a DJANGO_SETTINGS_MODULE already in the environment. This breaks
+# if running multiple sites in the same mod_wsgi process. To fix this, use
+# mod_wsgi daemon mode with each site in its own daemon process, or use
+# os.environ["DJANGO_SETTINGS_MODULE"] = "univnautes_idp.settings"
+os.environ.setdefault("DJANGO_SETTINGS_MODULE", "univnautes_idp.settings")
+
+# This application object is used by any WSGI server configured to use this
+# file. This includes Django's development server, if the WSGI_APPLICATION
+# setting points here.
+from django.core.wsgi import get_wsgi_application
+application = get_wsgi_application()
+
+# Apply WSGI middleware here.
+# from helloworld.wsgi import HelloWorldApplication
+# application = HelloWorldApplication(application)