trustchain-oc1-orchestral
/
authentik
Archived
10
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/passbook/sources/saml/views.py

114 lines
4.5 KiB
Python
Raw Normal View History

sources/saml(major): add saml SP
2019-11-07 16:02:56 +00:00
"""saml sp views"""
WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/*: fix flow executor URL * flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/*: update docstrings of models * core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting
2020-06-07 14:35:08 +00:00
from django.contrib.auth import logout
sources/saml: correctly cleanup transient users, update forms
2020-06-24 20:27:14 +00:00
from django.contrib.auth.mixins import LoginRequiredMixin
sources/saml(minor): fix lint issue
2019-11-07 17:02:59 +00:00
from django.http import Http404, HttpRequest, HttpResponse
WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/*: fix flow executor URL * flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/*: update docstrings of models * core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting
2020-06-07 14:35:08 +00:00
from django.shortcuts import get_object_or_404, redirect, render
sources/saml(major): add saml SP
2019-11-07 16:02:56 +00:00
from django.utils.decorators import method_decorator
WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/*: fix flow executor URL * flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/*: update docstrings of models * core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting
2020-06-07 14:35:08 +00:00
from django.utils.http import urlencode
core: make autosubmit_form generic template
2020-07-08 12:27:32 +00:00
from django.utils.translation import gettext_lazy as _
sources/saml(major): add saml SP
2019-11-07 16:02:56 +00:00
from django.views import View
from django.views.decorators.csrf import csrf_exempt
sources/saml: improve error handing of invalid signatures
2020-06-23 19:49:27 +00:00
from signxml import InvalidSignature
sources/saml(major): add saml SP
2019-11-07 16:02:56 +00:00
sources/saml: validate SAMLResponse signature
2020-02-20 20:33:45 +00:00
from passbook.lib.views import bad_request_message
*/saml: start implementing unittests, fix signing
2020-07-11 17:57:27 +00:00
from passbook.providers.saml.utils.encoding import nice64
sources/saml: validate SAMLResponse signature
2020-02-20 20:33:45 +00:00
from passbook.sources.saml.exceptions import (
MissingSAMLResponse,
UnsupportedNameIDFormat,
all: implement black as code formatter
2019-12-31 11:51:16 +00:00
)
WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/*: fix flow executor URL * flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/*: update docstrings of models * core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting
2020-06-07 14:35:08 +00:00
from passbook.sources.saml.models import SAMLBindingTypes, SAMLSource
sources/saml: rewrite Processors and Views to directly build XML without templates
2020-07-10 23:02:55 +00:00
from passbook.sources.saml.processors.metadata import MetadataProcessor
from passbook.sources.saml.processors.request import RequestProcessor
from passbook.sources.saml.processors.response import ResponseProcessor
sources/saml(major): add saml SP
2019-11-07 16:02:56 +00:00
class InitiateView(View):
"""Get the Form with SAML Request, which sends us to the IDP"""
all: general maintenance, prepare for pyright
2020-02-18 21:12:51 +00:00
def get(self, request: HttpRequest, source_slug: str) -> HttpResponse:
sources/saml(major): add saml SP
2019-11-07 16:02:56 +00:00
"""Replies with an XHTML SSO Request."""
all: general maintenance, prepare for pyright
2020-02-18 21:12:51 +00:00
source: SAMLSource = get_object_or_404(SAMLSource, slug=source_slug)
sources/saml(minor): disallow login if source is not enabled
2019-11-07 16:35:25 +00:00
if not source.enabled:
raise Http404
sources/saml: start implementing transient NameID format
2020-06-24 19:50:30 +00:00
relay_state = request.GET.get("next", "")
sources/saml: automatically add RelayState to build_auth_n_detached
2020-07-11 23:46:46 +00:00
auth_n_req = RequestProcessor(source, request, relay_state)
sources/saml: add POST_AUTO binding which auto redirects to IdP
2020-07-08 12:18:08 +00:00
# If the source is configured for Redirect bindings, we can just redirect there
WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/*: fix flow executor URL * flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/*: update docstrings of models * core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting
2020-06-07 14:35:08 +00:00
if source.binding_type == SAMLBindingTypes.Redirect:
sources/saml: automatically add RelayState to build_auth_n_detached
2020-07-11 23:46:46 +00:00
url_args = urlencode(auth_n_req.build_auth_n_detached())
sources/saml: correctly cleanup transient users, update forms
2020-06-24 20:27:14 +00:00
return redirect(f"{source.sso_url}?{url_args}")
sources/saml: add POST_AUTO binding which auto redirects to IdP
2020-07-08 12:18:08 +00:00
# As POST Binding we show a form
*/saml: start implementing unittests, fix signing
2020-07-11 17:57:27 +00:00
saml_request = nice64(auth_n_req.build_auth_n())
WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/*: fix flow executor URL * flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/*: update docstrings of models * core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting
2020-06-07 14:35:08 +00:00
if source.binding_type == SAMLBindingTypes.POST:
return render(
request,
"saml/sp/login.html",
{
sources/saml: correctly cleanup transient users, update forms
2020-06-24 20:27:14 +00:00
"request_url": source.sso_url,
sources/saml: rewrite Processors and Views to directly build XML without templates
2020-07-10 23:02:55 +00:00
"request": saml_request,
sources/saml: fix SAMLRequest not being encoded properly for Redirect bindings
2020-06-24 11:12:34 +00:00
"relay_state": relay_state,
WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/*: fix flow executor URL * flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/*: update docstrings of models * core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting
2020-06-07 14:35:08 +00:00
"source": source,
},
)
sources/saml: add POST_AUTO binding which auto redirects to IdP
2020-07-08 12:18:08 +00:00
# Or an auto-submit form
if source.binding_type == SAMLBindingTypes.POST_AUTO:
return render(
request,
core: make autosubmit_form generic template
2020-07-08 12:27:32 +00:00
"generic/autosubmit_form.html",
sources/saml: add POST_AUTO binding which auto redirects to IdP
2020-07-08 12:18:08 +00:00
{
core: make autosubmit_form generic template
2020-07-08 12:27:32 +00:00
"title": _("Redirecting to %(app)s..." % {"app": source.name}),
sources/saml: rewrite Processors and Views to directly build XML without templates
2020-07-10 23:02:55 +00:00
"attrs": {"SAMLRequest": saml_request, "RelayState": relay_state},
sources/saml: add POST_AUTO binding which auto redirects to IdP
2020-07-08 12:18:08 +00:00
"url": source.sso_url,
},
)
WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/*: fix flow executor URL * flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/*: update docstrings of models * core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting
2020-06-07 14:35:08 +00:00
raise Http404
sources/saml(major): add saml SP
2019-11-07 16:02:56 +00:00
all: implement black as code formatter
2019-12-31 11:51:16 +00:00
@method_decorator(csrf_exempt, name="dispatch")
sources/saml(major): add saml SP
2019-11-07 16:02:56 +00:00
class ACSView(View):
"""AssertionConsumerService, consume assertion and log user in"""
all: general maintenance, prepare for pyright
2020-02-18 21:12:51 +00:00
def post(self, request: HttpRequest, source_slug: str) -> HttpResponse:
sources/saml(major): add saml SP
2019-11-07 16:02:56 +00:00
"""Handles a POSTed SSO Assertion and logs the user in."""
all: general maintenance, prepare for pyright
2020-02-18 21:12:51 +00:00
source: SAMLSource = get_object_or_404(SAMLSource, slug=source_slug)
sources/saml(minor): disallow login if source is not enabled
2019-11-07 16:35:25 +00:00
if not source.enabled:
raise Http404
sources/saml: rewrite Processors and Views to directly build XML without templates
2020-07-10 23:02:55 +00:00
processor = ResponseProcessor(source)
sources/saml: validate SAMLResponse signature
2020-02-20 20:33:45 +00:00
try:
processor.parse(request)
except MissingSAMLResponse as exc:
return bad_request_message(request, str(exc))
sources/saml: improve error handing of invalid signatures
2020-06-23 19:49:27 +00:00
except InvalidSignature as exc:
return bad_request_message(request, str(exc))
sources/saml: validate SAMLResponse signature
2020-02-20 20:33:45 +00:00
try:
WIP Use Flows for Sources and Providers (#32) * core: start migrating to flows for authorisation * sources/oauth: start type-hinting * core: create default user * core: only show user delete button if an unenrollment flow exists * flows: Correctly check initial policies on flow with context * policies: add more verbosity to engine * sources/oauth: migrate to flows * sources/oauth: fix typing errors * flows: add more tests * sources/oauth: start implementing unittests * sources/ldap: add option to disable user sync, move connection init to model * sources/ldap: re-add default PropertyMappings * providers/saml: re-add default PropertyMappings * admin: fix missing stage count * stages/identification: fix sources not being shown * crypto: fix being unable to save with private key * crypto: re-add default self-signed keypair * policies: rewrite cache_key to prevent wrong cache * sources/saml: migrate to flows for auth and enrollment * stages/consent: add new stage * admin: fix PropertyMapping widget not rendering properly * core: provider.authorization_flow is mandatory * flows: add support for "autosubmit" attribute on form * flows: add InMemoryStage for dynamic stages * flows: optionally allow empty flows from FlowPlanner * providers/saml: update to authorization_flow * sources/*: fix flow executor URL * flows: fix pylint error * flows: wrap responses in JSON object to easily handle redirects * flow: dont cache plan's context * providers/oauth: rewrite OAuth2 Provider to use flows * providers/*: update docstrings of models * core: fix forms not passing help_text through safe * flows: fix HttpResponses not being converted to JSON * providers/oidc: rewrite to use flows * flows: fix linting
2020-06-07 14:35:08 +00:00
return processor.prepare_flow(request)
sources/saml: validate SAMLResponse signature
2020-02-20 20:33:45 +00:00
except UnsupportedNameIDFormat as exc:
return bad_request_message(request, str(exc))
sources/saml(major): add saml SP
2019-11-07 16:02:56 +00:00
sources/saml: correctly cleanup transient users, update forms
2020-06-24 20:27:14 +00:00
class SLOView(LoginRequiredMixin, View):
sources/saml(major): add saml SP
2019-11-07 16:02:56 +00:00
"""Single-Logout-View"""
all: general maintenance, prepare for pyright
2020-02-18 21:12:51 +00:00
def dispatch(self, request: HttpRequest, source_slug: str) -> HttpResponse:
sources/saml(major): add saml SP
2019-11-07 16:02:56 +00:00
"""Replies with an XHTML SSO Request."""
sources/saml: correctly cleanup transient users, update forms
2020-06-24 20:27:14 +00:00
# TODO: Replace with flows
all: general maintenance, prepare for pyright
2020-02-18 21:12:51 +00:00
source: SAMLSource = get_object_or_404(SAMLSource, slug=source_slug)
sources/saml(minor): disallow login if source is not enabled
2019-11-07 16:35:25 +00:00
if not source.enabled:
raise Http404
sources/saml(major): add saml SP
2019-11-07 16:02:56 +00:00
logout(request)
all: implement black as code formatter
2019-12-31 11:51:16 +00:00
return render(
request,
"saml/sp/sso_single_logout.html",
sources/saml: minor formatting fixes
2020-06-24 20:46:20 +00:00
{"idp_logout_url": source.slo_url},
all: implement black as code formatter
2019-12-31 11:51:16 +00:00
)
sources/saml(major): add saml SP
2019-11-07 16:02:56 +00:00
class MetadataView(View):
"""Return XML Metadata for IDP"""
all: general maintenance, prepare for pyright
2020-02-18 21:12:51 +00:00
def dispatch(self, request: HttpRequest, source_slug: str) -> HttpResponse:
sources/saml(major): add saml SP
2019-11-07 16:02:56 +00:00
"""Replies with the XML Metadata SPSSODescriptor."""
all: general maintenance, prepare for pyright
2020-02-18 21:12:51 +00:00
source: SAMLSource = get_object_or_404(SAMLSource, slug=source_slug)
sources/saml: rewrite Processors and Views to directly build XML without templates
2020-07-10 23:02:55 +00:00
metadata = MetadataProcessor(source, request).build_entity_descriptor()
return HttpResponse(metadata, content_type="text/xml")