This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/passbook/providers/saml/models.py

172 lines
5.3 KiB
Python
Raw Normal View History

2018-11-16 08:10:35 +00:00
"""passbook saml_idp Models"""
Squashed commit of the following: commit 88029a43355d73011b9fd078231fd932cfa1e2a6 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:55:55 2020 +0200 admin: update to work with new form commit 4040eb9619a9beb8ae6bc93f49c0170e4f198f15 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:43:30 2020 +0200 *: remove path-based import from all PropertyMappings commit c9663a08dade5b14fcc9a1ddb68637ccc2da8dc9 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:33:34 2020 +0200 flows: update work with new stages commit a3d92ebc0a9744efbe3f3940d83e357fad0c63d5 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:23:30 2020 +0200 stages/*: remove path-based import from all stages commit 6fa825e372942dbc9f3733ffdac888d44f862ec5 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:03:55 2020 +0200 providers/*: remove path-based import from all providers commit 6aefd072c881870948f746992803a181eb65d1e1 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 15:58:48 2020 +0200 policies/*: remove path-based import from all policies commit ac2dd3611fd70c880c2ce356651aee54c11014cf Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 15:11:27 2020 +0200 sources/*: remove path-based import from all sources commit 74e628ce9c4f3359e34b17eae922b76e47bc1a37 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 14:43:38 2020 +0200 ui: allow overriding of verbose_name commit d4ee18ee32491c4b41090120b72986de3c7e5222 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 14:08:27 2020 +0200 sources/oauth: migrate from discordapp.com to discord.com
2020-07-20 16:17:14 +00:00
from typing import Optional, Type
from urllib.parse import urlparse
2018-11-16 08:10:35 +00:00
from django.db import models
Squashed commit of the following: commit 88029a43355d73011b9fd078231fd932cfa1e2a6 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:55:55 2020 +0200 admin: update to work with new form commit 4040eb9619a9beb8ae6bc93f49c0170e4f198f15 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:43:30 2020 +0200 *: remove path-based import from all PropertyMappings commit c9663a08dade5b14fcc9a1ddb68637ccc2da8dc9 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:33:34 2020 +0200 flows: update work with new stages commit a3d92ebc0a9744efbe3f3940d83e357fad0c63d5 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:23:30 2020 +0200 stages/*: remove path-based import from all stages commit 6fa825e372942dbc9f3733ffdac888d44f862ec5 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:03:55 2020 +0200 providers/*: remove path-based import from all providers commit 6aefd072c881870948f746992803a181eb65d1e1 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 15:58:48 2020 +0200 policies/*: remove path-based import from all policies commit ac2dd3611fd70c880c2ce356651aee54c11014cf Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 15:11:27 2020 +0200 sources/*: remove path-based import from all sources commit 74e628ce9c4f3359e34b17eae922b76e47bc1a37 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 14:43:38 2020 +0200 ui: allow overriding of verbose_name commit d4ee18ee32491c4b41090120b72986de3c7e5222 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 14:08:27 2020 +0200 sources/oauth: migrate from discordapp.com to discord.com
2020-07-20 16:17:14 +00:00
from django.forms import ModelForm
from django.http import HttpRequest
from django.shortcuts import reverse
2020-09-11 21:21:11 +00:00
from django.utils.translation import gettext_lazy as _
2019-10-01 08:24:10 +00:00
from structlog import get_logger
2018-11-16 08:10:35 +00:00
from passbook.core.models import PropertyMapping, Provider
2020-03-03 22:35:50 +00:00
from passbook.crypto.models import CertificateKeyPair
from passbook.lib.utils.template import render_to_string
from passbook.lib.utils.time import timedelta_string_validator
2018-11-16 08:10:35 +00:00
LOGGER = get_logger()
2019-04-29 19:39:41 +00:00
2018-11-16 08:10:35 +00:00
WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/*: fix flow executor URL * flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/*: update docstrings of models * core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting
2020-06-07 14:35:08 +00:00
class SAMLBindings(models.TextChoices):
"""SAML Bindings supported by passbook"""
REDIRECT = "redirect"
POST = "post"
2018-11-26 16:17:32 +00:00
class SAMLProvider(Provider):
2020-07-01 16:40:52 +00:00
"""SAML 2.0 Endpoint for applications which support SAML."""
2018-11-16 08:10:35 +00:00
2018-11-26 16:17:32 +00:00
name = models.TextField()
acs_url = models.URLField(verbose_name=_("ACS URL"))
2019-12-31 11:51:16 +00:00
audience = models.TextField(default="")
issuer = models.TextField(help_text=_("Also known as EntityID"))
WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/*: fix flow executor URL * flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/*: update docstrings of models * core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting
2020-06-07 14:35:08 +00:00
sp_binding = models.TextField(
choices=SAMLBindings.choices,
default=SAMLBindings.REDIRECT,
verbose_name=_("Service Prodier Binding"),
WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/*: fix flow executor URL * flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/*: update docstrings of models * core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting
2020-06-07 14:35:08 +00:00
)
assertion_valid_not_before = models.TextField(
default="minutes=-5",
validators=[timedelta_string_validator],
help_text=_(
(
"Assertion valid not before current time + this value "
"(Format: hours=-1;minutes=-2;seconds=-3)."
)
),
)
assertion_valid_not_on_or_after = models.TextField(
default="minutes=5",
validators=[timedelta_string_validator],
help_text=_(
(
"Assertion not valid on or after current time + this value "
"(Format: hours=1;minutes=2;seconds=3)."
)
),
)
session_valid_not_on_or_after = models.TextField(
default="minutes=86400",
validators=[timedelta_string_validator],
help_text=_(
(
"Session not valid on or after current time + this value "
"(Format: hours=1;minutes=2;seconds=3)."
)
),
)
digest_algorithm = models.CharField(
max_length=50,
choices=(("sha1", _("SHA1")), ("sha256", _("SHA256")),),
default="sha256",
)
signature_algorithm = models.CharField(
max_length=50,
choices=(
("rsa-sha1", _("RSA-SHA1")),
("rsa-sha256", _("RSA-SHA256")),
("ecdsa-sha256", _("ECDSA-SHA256")),
("dsa-sha1", _("DSA-SHA1")),
),
default="rsa-sha256",
)
2020-03-05 16:09:08 +00:00
signing_kp = models.ForeignKey(
2020-03-03 22:35:50 +00:00
CertificateKeyPair,
default=None,
null=True,
help_text=_("Singing is enabled upon selection of a Key Pair."),
on_delete=models.SET_NULL,
verbose_name=_("Signing Keypair"),
)
require_signing = models.BooleanField(
default=False,
help_text=_(
"Require Requests to be signed by an X509 Certificate. "
"Must match the Certificate selected in `Singing Keypair`."
),
2020-03-03 22:35:50 +00:00
)
2018-11-16 08:10:35 +00:00
@property
def launch_url(self) -> Optional[str]:
"""Guess launch_url based on acs URL"""
launch_url = urlparse(self.acs_url)
return self.acs_url.replace(launch_url.path, "")
@property
Squashed commit of the following: commit 88029a43355d73011b9fd078231fd932cfa1e2a6 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:55:55 2020 +0200 admin: update to work with new form commit 4040eb9619a9beb8ae6bc93f49c0170e4f198f15 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:43:30 2020 +0200 *: remove path-based import from all PropertyMappings commit c9663a08dade5b14fcc9a1ddb68637ccc2da8dc9 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:33:34 2020 +0200 flows: update work with new stages commit a3d92ebc0a9744efbe3f3940d83e357fad0c63d5 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:23:30 2020 +0200 stages/*: remove path-based import from all stages commit 6fa825e372942dbc9f3733ffdac888d44f862ec5 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:03:55 2020 +0200 providers/*: remove path-based import from all providers commit 6aefd072c881870948f746992803a181eb65d1e1 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 15:58:48 2020 +0200 policies/*: remove path-based import from all policies commit ac2dd3611fd70c880c2ce356651aee54c11014cf Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 15:11:27 2020 +0200 sources/*: remove path-based import from all sources commit 74e628ce9c4f3359e34b17eae922b76e47bc1a37 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 14:43:38 2020 +0200 ui: allow overriding of verbose_name commit d4ee18ee32491c4b41090120b72986de3c7e5222 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 14:08:27 2020 +0200 sources/oauth: migrate from discordapp.com to discord.com
2020-07-20 16:17:14 +00:00
def form(self) -> Type[ModelForm]:
from passbook.providers.saml.forms import SAMLProviderForm
return SAMLProviderForm
2018-11-16 08:10:35 +00:00
def __str__(self):
2020-09-02 22:04:12 +00:00
return f"SAML Provider {self.name}"
def link_download_metadata(self):
"""Get link to download XML metadata for admin interface"""
try:
2018-12-26 20:56:08 +00:00
# pylint: disable=no-member
2019-12-31 11:51:16 +00:00
return reverse(
WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/*: fix flow executor URL * flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/*: update docstrings of models * core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting
2020-06-07 14:35:08 +00:00
"passbook_providers_saml:metadata",
kwargs={"application_slug": self.application.slug},
2019-12-31 11:51:16 +00:00
)
except Provider.application.RelatedObjectDoesNotExist:
return None
def html_metadata_view(self, request: HttpRequest) -> Optional[str]:
"""return template and context modal to view Metadata without downloading it"""
from passbook.providers.saml.views import DescriptorDownloadView
try:
# pylint: disable=no-member
metadata = DescriptorDownloadView.get_metadata(request, self)
return render_to_string(
"providers/saml/admin_metadata_modal.html",
2020-05-27 09:26:48 +00:00
{"provider": self, "metadata": metadata},
)
except Provider.application.RelatedObjectDoesNotExist:
return None
2018-11-26 16:17:32 +00:00
class Meta:
2019-12-31 11:51:16 +00:00
verbose_name = _("SAML Provider")
verbose_name_plural = _("SAML Providers")
class SAMLPropertyMapping(PropertyMapping):
2020-07-01 16:40:52 +00:00
"""Map User/Group attribute to SAML Attribute, which can be used by the Service Provider."""
saml_name = models.TextField(verbose_name="SAML Name")
friendly_name = models.TextField(default=None, blank=True, null=True)
@property
Squashed commit of the following: commit 88029a43355d73011b9fd078231fd932cfa1e2a6 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:55:55 2020 +0200 admin: update to work with new form commit 4040eb9619a9beb8ae6bc93f49c0170e4f198f15 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:43:30 2020 +0200 *: remove path-based import from all PropertyMappings commit c9663a08dade5b14fcc9a1ddb68637ccc2da8dc9 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:33:34 2020 +0200 flows: update work with new stages commit a3d92ebc0a9744efbe3f3940d83e357fad0c63d5 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:23:30 2020 +0200 stages/*: remove path-based import from all stages commit 6fa825e372942dbc9f3733ffdac888d44f862ec5 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 16:03:55 2020 +0200 providers/*: remove path-based import from all providers commit 6aefd072c881870948f746992803a181eb65d1e1 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 15:58:48 2020 +0200 policies/*: remove path-based import from all policies commit ac2dd3611fd70c880c2ce356651aee54c11014cf Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 15:11:27 2020 +0200 sources/*: remove path-based import from all sources commit 74e628ce9c4f3359e34b17eae922b76e47bc1a37 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 14:43:38 2020 +0200 ui: allow overriding of verbose_name commit d4ee18ee32491c4b41090120b72986de3c7e5222 Author: Jens Langhammer <jens.langhammer@beryju.org> Date: Mon Jul 20 14:08:27 2020 +0200 sources/oauth: migrate from discordapp.com to discord.com
2020-07-20 16:17:14 +00:00
def form(self) -> Type[ModelForm]:
from passbook.providers.saml.forms import SAMLPropertyMappingForm
return SAMLPropertyMappingForm
def __str__(self):
name = self.friendly_name if self.friendly_name != "" else self.saml_name
2020-09-29 09:42:34 +00:00
return f"{self.name} ({name})"
class Meta:
2019-12-31 11:51:16 +00:00
verbose_name = _("SAML Property Mapping")
verbose_name_plural = _("SAML Property Mappings")