From c6574ff3ae5e707d002e6e02b17ef660e1f6bc96 Mon Sep 17 00:00:00 2001
From: Thomas Noel
Date: Sun, 16 Mar 2014 13:22:30 +0000
Subject: [PATCH] first commit

---
 .gitignore | 3 +
 README.md | 7 +-
 manage.py | 10 ++
 requirements.txt | 3 +
 settings.ini.example | 114 ++++++++++++++
 univnautes_idp/__init__.py | 0
 univnautes_idp/settings.py | 294 +++++++++++++++++++++++++++++++++++++
 univnautes_idp/urls.py | 1 +
 univnautes_idp/wsgi.py | 32 ++++
 9 files changed, 463 insertions(+), 1 deletion(-)
 create mode 100644 .gitignore
 create mode 100755 manage.py
 create mode 100644 requirements.txt
 create mode 100644 settings.ini.example
 create mode 100644 univnautes_idp/__init__.py
 create mode 100644 univnautes_idp/settings.py
 create mode 100644 univnautes_idp/urls.py
 create mode 100644 univnautes_idp/wsgi.py

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..e9814da
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+settings.ini
+*.pyo
+*.pyc
diff --git a/README.md b/README.md
index 7b720db..cdfe073 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,7 @@
-univnautes-idp : un IdP pour UnivNautes
+univnautes-idp : IdP multi-tenants pour UnivNautes
+
+cp settings.ini.example /somewhere/settings.ini
+export UNIVNAUTES_IDP_SETTINGS_INI=/somewhere/settings.ini
+python manage.py sync_schemas --shared --noinput
+python manage.py create-tenant xyz.univnautes-idp.dev.entrouvert.org xyz
diff --git a/manage.py b/manage.py
new file mode 100755
index 0000000..aaa380a
--- /dev/null
+++ b/manage.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+import os
+import sys
+
+if __name__ == "__main__":
+ os.environ.setdefault("DJANGO_SETTINGS_MODULE", "univnautes_idp.settings")
+
+ from django.core.management import execute_from_command_line
+
+ execute_from_command_line(sys.argv)
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..233cc61
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,3 @@
+authentic2
+django-tenant-schemas
+python-entrouvert
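Review bot: None of the three lines in requirements.txt carries a version specifier, so a fresh `pip install -r requirements.txt` resolves `authentic2`, `django-tenant-schemas` and `python-entrouvert` (and, transitively, Django and South) to whatever is current on the index at install time, which makes deployments non-reproducible and lets an upstream release change the IdP's authentication behaviour without review. Pin each line to the version this commit was developed against, for example `authentic2==<TESTED-VERSION>`, and consider listing `Django` and `South` explicitly since `settings.py` depends on both directly.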
diff --git a/settings.ini.example b/settings.ini.example
new file mode 100644
index 0000000..5d9beac
--- /dev/null
+++ b/settings.ini.example
@@ -0,0 +1,114 @@ +[saml] +local_metadata_cache_timeout: 600 +# Whether to autoload SAML 2.0 identity providers and services metadata +# Only https URLS are accepted. Can be none, sp, idp or both +metadata_autoload: both +# these keys will changed by tenants : +signature_public_key: -----BEGIN CERTIFICATE----- + MIIDIzCCAgugAwIBAgIJANUBoick1pDpMA0GCSqGSIb3DQEBBQUAMBUxEzARBgNV + BAoTCkVudHJvdXZlcnQwHhcNMTAxMjE0MTUzMzAyWhcNMTEwMTEzMTUzMzAyWjAV + MRMwEQYDVQQKEwpFbnRyb3V2ZXJ0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB + CgKCAQEAvxFkfPdndlGgQPDZgFGXbrNAc/79PULZBuNdWFHDD9P5hNhZn9Kqm4Cp + 06Pe/A6u+g5wLnYvbZQcFCgfQAEzziJtb3J55OOlB7iMEI/T2AX2WzrUH8QT8NGh + ABONKU2Gg4XiyeXNhH5R7zdHlUwcWq3ZwNbtbY0TVc+n665EbrfV/59xihSqsoFr + kmBLH0CoepUXtAzA7WDYn8AzusIuMx3n8844pJwgxhTB7Gjuboptlz9Hri8JRdXi + VT9OS9Wt69ubcNoM6zuKASmtm48UuGnhj8v6XwvbjKZrL9kA+xf8ziazZfvvw/VG + Tm+IVFYB7d1x457jY5zjjXJvNysoowIDAQABo3YwdDAdBgNVHQ4EFgQUeF8ePnu0 + fcAK50iBQDgAhHkOu8kwRQYDVR0jBD4wPIAUeF8ePnu0fcAK50iBQDgAhHkOu8mh + GaQXMBUxEzARBgNVBAoTCkVudHJvdXZlcnSCCQDVAaInJNaQ6TAMBgNVHRMEBTAD + AQH/MA0GCSqGSIb3DQEBBQUAA4IBAQAy8l3GhUtpPHx0FxzbRHVaaUSgMwYKGPhE + IdGhqekKUJIx8et4xpEMFBl5XQjBNq/mp5vO3SPb2h2PVSks7xWnG3cvEkqJSOeo + fEEhkqnM45b2MH1S5uxp4i8UilPG6kmQiXU2rEUBdRk9xnRWos7epVivTSIv1Ncp + lG6l41SXp6YgIb2ToT+rOKdIGIQuGDlzeR88fDxWEU0vEujZv/v1PE1YOV0xKjTT + JumlBc6IViKhJeo1wiBBrVRIIkKKevHKQzteK8pWm9CYWculxT26TZ4VWzGbo06j + o2zbumirrLLqnt1gmBDvDvlOwC/zAAyL4chbz66eQHTiIYZZvYgy + -----END CERTIFICATE----- +signature_private_key: -----BEGIN RSA PRIVATE KEY----- + MIIEpAIBAAKCAQEAvxFkfPdndlGgQPDZgFGXbrNAc/79PULZBuNdWFHDD9P5hNhZ + n9Kqm4Cp06Pe/A6u+g5wLnYvbZQcFCgfQAEzziJtb3J55OOlB7iMEI/T2AX2WzrU + H8QT8NGhABONKU2Gg4XiyeXNhH5R7zdHlUwcWq3ZwNbtbY0TVc+n665EbrfV/59x + ihSqsoFrkmBLH0CoepUXtAzA7WDYn8AzusIuMx3n8844pJwgxhTB7Gjuboptlz9H + ri8JRdXiVT9OS9Wt69ubcNoM6zuKASmtm48UuGnhj8v6XwvbjKZrL9kA+xf8ziaz + Zfvvw/VGTm+IVFYB7d1x457jY5zjjXJvNysoowIDAQABAoIBAQCj8t2iKXya10HG + V6Saaeih8aftoLBV38VwFqqjPU0+iKqDpk2JSXBhjI6s7uFIsaTNJpR2Ga1qvns1 + 
hJQEDMQSLhJvXfBgSkHylRWCpJentr4E3D7mnw5pRsd61Ev9U+uHcdv/WHP4K5hM + xsdiwXNXD/RYd1Q1+6bKrCuvnNJVmWe0/RV+r3T8Ni5xdMVFbRWt/VEoE620XX6c + a9TQPiA5i/LRVyie+js7Yv+hVjGOlArtuLs6ECQsivfPrqKLOBRWcofKdcf+4N2e + 3cieUqwzC15C31vcMliD9Hax9c1iuTt9Q3Xzo20fOSazAnQ5YBEExyTtrFBwbfQu + ku6hp81pAoGBAN6bc6iJtk5ipYpsaY4ZlbqdjjG9KEXB6G1MExPU7SHXOhOF0cDH + /pgMsv9hF2my863MowsOj3OryVhdQhwA6RrV263LRh+JU8NyHV71BwAIfI0BuVfj + 6r24KudwtUcvMr9pJIrJyMAMaw5ZyNoX7YqFpS6fcisSJYdSBSoxzrzVAoGBANu6 + xVeMqGavA/EHSOQP3ipDZ3mnWbkDUDxpNhgJG8Q6lZiwKwLoSceJ8z0PNY3VetGA + RbqtqBGfR2mcxHyzeqVBpLnXZC4vs/Vy7lrzTiHDRZk2SG5EkHMSKFA53jN6S/nJ + JWpYZC8lG8w4OHaUfDHFWbptxdGYCgY4//sjeiuXAoGBANuhurJ99R5PnA8AOgEW + 4zD1hLc0b4ir8fvshCIcAj9SUB20+afgayRv2ye3Dted1WkUL4WYPxccVhLWKITi + rRtqB03o8m3pG3kJnUr0LIzu0px5J/o8iH3ZOJOTE3iBa+uI/KHmxygc2H+XPGFa + HGeAxuJCNO2kAN0Losbnz5dlAoGAVsCn94gGWPxSjxA0PC7zpTYVnZdwOjbPr/pO + LDE0cEY9GBq98JjrwEd77KibmVMm+Z4uaaT0jXiYhl8pyJ5IFwUS13juCbo1z/u/ + ldMoDvZ8/R/MexTA/1204u/mBecMJiO/jPw3GdIJ5phv2omHe1MSuSNsDfN8Sbap + gmsgaiMCgYB/nrTk89Fp7050VKCNnIt1mHAcO9cBwDV8qrJ5O3rIVmrg1T6vn0aY + wRiVcNacaP+BivkrMjr4BlsUM6yH4MOBsNhLURiiCL+tLJV7U0DWlCse/doWij4U + TKX6tp6oI+7MIJE6ySZ0cBqOiydAkBePZhu57j6ToBkTa0dbHjn1WA== + -----END RSA PRIVATE KEY----- + + +[dirs] +base: /home/thomas/univnautes-idp +template_dirs: %(base)s/templates +multitenant_template_dirs: %(base)s/tenants/templates + /var/lib/truc/encore + /bidule/machin +media_root: %(base)s/media +static_root: %(base)s/static +static_dirs: + +[database] +name: univnautes_idp +host: +port: +user: +password: + +[cache] +memcached: on + +[secrets] +secret_key: random-string-of-ascii +csrf_secret: random-string-of-ascii + +[session] +expire_at_browser_close: yes +cookie_age: +cookie_name: +cookie_path: +coolie_secure: +cookie_domain: + +# all settings in debug section should be false in production +# INTERNAL_IPS should be empty in productive environment +[debug] +general: true +template: true +toolbar: true +internal_ips: 127.0.0.1 +skip_csrf: true 
+sentry_dsn: + +[email] +server_email: django@localhost +default_from_email: django@localhost +subject_prefix: [unidp] +host: localhost +port: 25 +use_tls: no +user: +password: + +# the [admins] and [managers] sections are special. Just add lines with +# full name: email_address@domain.xx +# each section must be present but may be empty. +[admins] +#Thomas: tnoel+unidp@entrouvert.com +[managers] +#Thomas: tnoel+unidp@entrouvert.com + diff --git a/univnautes_idp/__init__.py b/univnautes_idp/__init__.py new file mode 100644 index 0000000..e69de29 diff --git a/univnautes_idp/settings.py b/univnautes_idp/settings.py new file mode 100644 index 0000000..bac61a0 --- /dev/null +++ b/univnautes_idp/settings.py 
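Review bot: `signature_private_key` in the `[saml]` section ships a complete RSA private key in a file the README tells deployers to copy verbatim, so any tenant that does not replace it signs SAML assertions with a key that is public in this repository. Replace the key material in the example with an obvious placeholder such as `signature_private_key: <GENERATED-PER-DEPLOYMENT>` and add a README step that generates a fresh key pair. `coolie_secure:` in `[session]` is a typo for `cookie_secure`. Several keys the example declares (`csrf_secret`, `skip_csrf`, the `[session]` cookie keys) do not appear to be read by `settings.py` in this commit, which is worth saying in a comment so deployers do not rely on them.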
@@ -0,0 +1,294 @@ +# Django settings for univnautes_idp project. + +import os +from ConfigParser import ConfigParser +from django.core.exceptions import ImproperlyConfigured + +SETTINGS_INI = os.environ.get('UNIVNAUTES_IDP_SETTINGS_INI', '/etc/univnautes-idp/settings.ini') +config = ConfigParser() +config.read(SETTINGS_INI) + + +DEBUG = config.getboolean('debug', 'general') +INTERNAL_IPS = tuple(config.get('debug', 'internal_ips').split()) +TEMPLATE_DEBUG = config.getboolean('debug', 'template') +ADMINS = tuple(config.items('admins')) +MANAGERS = tuple(config.items('managers')) +SENTRY_DSN = config.get('debug', 'sentry_dsn') +DEBUG_TOOLBAR = config.getboolean('debug', 'toolbar') + +DATABASES = { + 'default': { + 'ENGINE': 'tenant_schemas.postgresql_backend', + 'NAME': config.get('database','name'), + 'USER': config.get('database','user'), + 'PASSWORD': config.get('database','password'), + 'HOST': config.get('database','host'), + 'PORT': config.get('database','port'), + } +} +SOUTH_DATABASE_ADAPTERS = { + 'default': 'south.db.postgresql_psycopg2', +} + + +# Hosts/domain names that are valid for this site; required if DEBUG is False +# See https://docs.djangoproject.com/en/1.5/ref/settings/#allowed-hosts +ALLOWED_HOSTS = ['*'] +USE_X_FORWARDED_HOST = True + +# Local time zone for this installation. Choices can be found here: +# http://en.wikipedia.org/wiki/List_of_tz_zones_by_name +# although not all choices may be available on all operating systems. +# In a Windows environment this must be set to your system time zone. +TIME_ZONE = 'Europe/Paris' + +# Language code for this installation. All choices can be found here: +# http://www.i18nguy.com/unicode/language-identifiers.html +LANGUAGE_CODE = 'fr-fr' +gettext_noop = lambda s: s +LANGUAGES = ( + ('en', gettext_noop('English')), + ('fr', gettext_noop('French')), +) + +SITE_ID = 1 + +# If you set this to False, Django will make some optimizations so as not +# to load the internationalization machinery. 
+USE_I18N = True + +# If you set this to False, Django will not format dates, numbers and +# calendars according to the current locale. +USE_L10N = True + +# If you set this to False, Django will not use timezone-aware datetimes. +USE_TZ = True + +# Absolute filesystem path to the directory that will hold user-uploaded files. +# Example: "/var/www/example.com/media/" +MEDIA_ROOT = config.get('dirs','media_root') + +# URL that handles the media served from MEDIA_ROOT. Make sure to use a +# trailing slash. +# Examples: "http://example.com/media/", "http://media.example.com/" +MEDIA_URL = '' + +# Absolute path to the directory static files should be collected to. +# Don't put anything in this directory yourself; store your static files +# in apps' "static/" subdirectories and in STATICFILES_DIRS. +# Example: "/var/www/example.com/static/" +STATIC_ROOT = config.get('dirs','static_root') + +# URL prefix for static files. +# Example: "http://example.com/static/", "http://static.example.com/" +STATIC_URL = '/static/' + +# Additional locations of static files +STATICFILES_DIRS = tuple(config.get('dirs','static_dirs').split()) + +# List of finder classes that know how to find static files in +# various locations. +STATICFILES_FINDERS = ( + 'django.contrib.staticfiles.finders.FileSystemFinder', + 'django.contrib.staticfiles.finders.AppDirectoriesFinder', +# 'django.contrib.staticfiles.finders.DefaultStorageFinder', +) + +# Make this unique, and don't share it with anybody. +SECRET_KEY = config.get('secrets', 'secret_key') + +# List of callables that know how to import templates from various sources. 
+TEMPLATE_LOADERS = ( + 'entrouvert.djommon.multitenant.template_loader.FilesystemLoader', + 'django.template.loaders.filesystem.Loader', + 'django.template.loaders.app_directories.Loader', +) + +TEMPLATE_CONTEXT_PROCESSORS = ( + 'django.contrib.auth.context_processors.auth', + 'django.core.context_processors.debug', + 'django.core.context_processors.i18n', + 'django.core.context_processors.media', + 'django.core.context_processors.request', + 'django.contrib.messages.context_processors.messages', + 'django.core.context_processors.static', + 'authentic2.context_processors.federations_processor', +) + +MIDDLEWARE_CLASSES = ( + 'tenant_schemas.middleware.TenantMiddleware', + 'entrouvert.djommon.multitenant.middleware.EOTenantMiddleware', + 'django.middleware.common.CommonMiddleware', + 'django.middleware.http.ConditionalGetMiddleware', + 'django.contrib.sessions.middleware.SessionMiddleware', + 'django.middleware.csrf.CsrfViewMiddleware', + 'django.middleware.locale.LocaleMiddleware', + 'django.contrib.auth.middleware.AuthenticationMiddleware', + 'django.contrib.messages.middleware.MessageMiddleware', + 'authentic2.idp.middleware.DebugMiddleware', + # Uncomment the next line for simple clickjacking protection: + # 'django.middleware.clickjacking.XFrameOptionsMiddleware', +) + +ROOT_URLCONF = 'univnautes_idp.urls' + +# Python dotted path to the WSGI application used by Django's runserver. 
+WSGI_APPLICATION = 'univnautes_idp.wsgi.application' + +TEMPLATE_DIRS = tuple(config.get('dirs', 'template_dirs').split()) +MULTITENANT_TEMPLATE_DIRS = tuple(config.get('dirs', 'multitenant_template_dirs').split()) + +SHARED_APPS = ( + 'tenant_schemas', + 'entrouvert.djommon.multitenant', + 'django.contrib.auth', + 'django.contrib.sessions', + 'django.contrib.messages', + 'django.contrib.admin', + 'django.contrib.staticfiles', + 'django.contrib.contenttypes', + 'south', +) + +TENANT_APPS = ( + 'django.contrib.auth', + 'django.contrib.sessions', + 'django.contrib.messages', + 'django.contrib.admin', + 'django.contrib.staticfiles', + 'django.contrib.contenttypes', + 'south', + 'admin_tools', + 'admin_tools.theming', + 'admin_tools.menu', + 'admin_tools.dashboard', + 'registration', + 'authentic2.nonce', + 'authentic2.saml', + 'authentic2.idp', + 'authentic2.idp.saml', + 'authentic2.auth2_auth', + 'authentic2.attribute_aggregator', + 'authentic2.disco_service', + 'authentic2', +) + +INSTALLED_APPS = SHARED_APPS + TENANT_APPS + +# to override commands (hey, fixme if you can) +INSTALLED_APPS += ('tenant_schemas', 'entrouvert.djommon.multitenant',) + +TENANT_MODEL = 'multitenant.Tenant' + +SESSION_SERIALIZER = 'django.contrib.sessions.serializers.JSONSerializer' + +if config.getboolean('cache', 'memcached'): + CACHES = { + 'default': { + 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache', + 'LOCATION': '127.0.0.1:11211', + }, + } + +# A sample logging configuration. The only tangible logging +# performed by this configuration is to send an email to +# the site admins on every HTTP 500 error when DEBUG=False. +# See http://docs.djangoproject.com/en/dev/topics/logging for +# more details on how to customize your logging configuration. 
+LOGGING = { + 'version': 1, + 'disable_existing_loggers': False, + 'filters': { + 'require_debug_false': { + '()': 'django.utils.log.RequireDebugFalse' + } + }, + 'handlers': { + 'mail_admins': { + 'level': 'ERROR', + 'filters': ['require_debug_false'], + 'class': 'django.utils.log.AdminEmailHandler' + } + }, + 'loggers': { + 'django.request': { + 'handlers': ['mail_admins'], + 'level': 'ERROR', + 'propagate': True, + }, + } +} + +# email settings +EMAIL_HOST = config.get('email', 'host') +EMAIL_PORT = config.getint('email', 'port') +EMAIL_HOST_USER = config.get('email', 'user') +EMAIL_HOST_PASSWORD = config.get('email', 'password') +EMAIL_SUBJECT_PREFIX = config.get('email', 'subject_prefix') +EMAIL_USE_TLS = config.getboolean('email', 'use_tls') +SERVER_EMAIL = config.get('email', 'server_email') +DEFAULT_FROM_EMAIL = config.get('email', 'default_from_email') + +# sessions +SESSION_EXPIRE_AT_BROWSER_CLOSE = config.get('session', 'expire_at_browser_close') + +LOGIN_REDIRECT_URL = '/' +LOGIN_URL = '/login' +LOGOUT_URL = '/accounts/logout' + +# Authentic2 + +DISCO_SERVICE = False +DISCO_USE_OF_METADATA = False +DISCO_SERVICE_NAME = 'http://www.identity-hub.com/disco_service/disco' +DISCO_RETURN_ID_PARAM = 'entityID' +SHOW_DISCO_IN_MD = False +USE_DISCO_SERVICE = False + +# Authentication settings + +AUTH_FRONTENDS = ('authentic2.auth2_auth.backend.LoginPasswordBackend',) +SSLAUTH_CREATE_USER = False +AUTHENTICATION_EVENT_EXPIRATION = 3600*24*7 + +# IdP settings + +LOCAL_METADATA_CACHE_TIMEOUT = config.getint('saml', 'local_metadata_cache_timeout') +SAML_SIGNATURE_PUBLIC_KEY = config.get('saml', 'signature_public_key') +SAML_SIGNATURE_PRIVATE_KEY = config.get('saml', 'signature_private_key') +SAML_METADATA_AUTOLOAD = config.get('saml', 'metadata_autoload') + +A2_CAN_RESET_PASSWORD = True +A2_REGISTRATION_CAN_DELETE_ACCOUNT = True +A2_REGISTRATION_EMAIL_IS_UNIQUE = True +REGISTRATION_OPEN = True +ACCOUNT_ACTIVATION_DAYS = 3 +PASSWORD_RESET_TIMEOUT_DAYS = 3 + +# Admin 
tools +ADMIN_TOOLS_INDEX_DASHBOARD = 'authentic2.dashboard.CustomIndexDashboard' +ADMIN_TOOLS_APP_INDEX_DASHBOARD = 'authentic2.dashboard.CustomAppIndexDashboard' +ADMIN_TOOLS_MENU = 'authentic2.menu.CustomMenu' + +# AUTH systels +AUTH_SAML2 = False +AUTH_OPENID = False +AUTH_SSL = False + +# IdP protocols +IDP_SAML2 = True +IDP_OPENID = False +IDP_CAS = False + +# List of IdP backends, mainly used to show available services in the homepage +# of user, and to handle SLO for each protocols +IDP_BACKENDS = ('authentic2.idp.saml.backend.SamlBackend',) + + +# debug toolbar needs more +if DEBUG_TOOLBAR: + DEBUG_TOOLBAR_CONFIG = {'INTERCEPT_REDIRECTS': False} + INSTALLED_APPS += ('debug_toolbar',) + MIDDLEWARE_CLASSES += ('debug_toolbar.middleware.DebugToolbarMiddleware',) + diff --git a/univnautes_idp/urls.py b/univnautes_idp/urls.py new file mode 100644 index 0000000..7a53ac9 --- /dev/null +++ b/univnautes_idp/urls.py @@ -0,0 +1 @@ +from authentic2.urls import urlpatterns diff --git a/univnautes_idp/wsgi.py b/univnautes_idp/wsgi.py new file mode 100644 index 0000000..5798f1f --- /dev/null +++ b/univnautes_idp/wsgi.py 
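Review bot: `SESSION_EXPIRE_AT_BROWSER_CLOSE = config.get('session', 'expire_at_browser_close')` yields a string, and any non-empty string is truthy, so `expire_at_browser_close: no` in the ini still expires the session at browser close; use `config.getboolean('session', 'expire_at_browser_close')` as the other booleans in this file do. `config.read(SETTINGS_INI)` silently ignores a missing or unreadable file and the first `config.getboolean` then fails with a bare `NoSectionError`; since `ImproperlyConfigured` is imported but never used, a check such as `if not config.read(SETTINGS_INI): raise ImproperlyConfigured('cannot read %s' % SETTINGS_INI)` would give deployers a useful error. `ALLOWED_HOSTS = ['*']` together with `USE_X_FORWARDED_HOST = True` turns off Django's Host header validation for an IdP that resolves the tenant from the hostname and has password reset enabled; if reset links are built from the request host, as Django's default views do, a comment stating that the reverse proxy must restrict Host and X-Forwarded-Host is the minimum. `XFrameOptionsMiddleware` remains commented out, so the login and SSO pages can be framed; enabling it, or documenting why it is off, is worth a line.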
@@ -0,0 +1,32 @@
+"""
+WSGI config for univnautes_idp project.
+
+This module contains the WSGI application used by Django's development server
+and any production WSGI deployments. It should expose a module-level variable
+named ``application``. Django's ``runserver`` and ``runfcgi`` commands discover
+this application via the ``WSGI_APPLICATION`` setting.
+
+Usually you will have the standard Django WSGI application here, but it also
+might make sense to replace the whole Django WSGI application with a custom one
+that later delegates to the Django one. For example, you could introduce WSGI
+middleware here, or combine a Django application with an application of another
+framework.
+
+"""
+import os
+
+# We defer to a DJANGO_SETTINGS_MODULE already in the environment. This breaks
+# if running multiple sites in the same mod_wsgi process. To fix this, use
+# mod_wsgi daemon mode with each site in its own daemon process, or use
+# os.environ["DJANGO_SETTINGS_MODULE"] = "univnautes_idp.settings"
+os.environ.setdefault("DJANGO_SETTINGS_MODULE", "univnautes_idp.settings")
+
+# This application object is used by any WSGI server configured to use this
+# file. This includes Django's development server, if the WSGI_APPLICATION
+# setting points here.
+from django.core.wsgi import get_wsgi_application
+application = get_wsgi_application()
+
+# Apply WSGI middleware here.
+# from helloworld.wsgi import HelloWorldApplication
+# application = HelloWorldApplication(application)
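Review bot: `settings.py` locates its ini file through the `UNIVNAUTES_IDP_SETTINGS_INI` environment variable (as the README shows), but this module only sets `DJANGO_SETTINGS_MODULE`, and a WSGI container may not inherit the shell environment, so a production process can silently fall back to `/etc/univnautes-idp/settings.ini`. A comment next to the `os.environ.setdefault` line, e.g. `# UNIVNAUTES_IDP_SETTINGS_INI must be present in the WSGI process environment, otherwise the /etc default is used`, would document that dependency where deployers will look for it.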