This repository has been archived on 2024-05-31. You can view files and clone it, but cannot push or open issues or pull requests.
authentik/passbook/providers/saml/views.py

316 lines
12 KiB
Python
Raw Normal View History

2018-11-16 08:10:35 +00:00
"""passbook SAML IDP Views"""
from typing import Optional
2018-12-16 16:09:26 +00:00
from django.contrib.auth import logout
from django.contrib.auth.mixins import AccessMixin
2018-11-16 08:10:35 +00:00
from django.core.exceptions import ValidationError
from django.core.validators import URLValidator
from django.http import HttpRequest, HttpResponse
2018-12-16 16:09:26 +00:00
from django.shortcuts import get_object_or_404, redirect, render, reverse
2018-11-16 08:10:35 +00:00
from django.utils.datastructures import MultiValueDictKeyError
from django.utils.decorators import method_decorator
from django.utils.html import mark_safe
2019-03-08 20:43:33 +00:00
from django.utils.translation import gettext as _
2018-12-16 16:09:26 +00:00
from django.views import View
from django.views.decorators.csrf import csrf_exempt
from signxml.util import strip_pem_header
2019-10-01 08:24:10 +00:00
from structlog import get_logger
from passbook.audit.models import Event, EventAction
from passbook.core.models import Application, Provider
2018-11-16 10:41:14 +00:00
from passbook.lib.utils.template import render_to_string
from passbook.lib.views import bad_request_message
2019-10-07 14:33:48 +00:00
from passbook.policies.engine import PolicyEngine
from passbook.providers.saml import exceptions
from passbook.providers.saml.models import SAMLProvider
from passbook.providers.saml.processors.types import SAMLResponseParams
2018-11-16 08:10:35 +00:00
LOGGER = get_logger()
2019-12-31 11:51:16 +00:00
URL_VALIDATOR = URLValidator(schemes=("http", "https"))
2018-11-16 08:10:35 +00:00
class AccessRequiredView(AccessMixin, View):
2018-12-26 20:56:08 +00:00
"""Mixin class for Views using a provider instance"""
_provider: Optional[SAMLProvider] = None
@property
def provider(self) -> SAMLProvider:
2018-12-26 20:56:08 +00:00
"""Get provider instance"""
if not self._provider:
2019-12-31 11:51:16 +00:00
application = get_object_or_404(
Application, slug=self.kwargs["application"]
)
provider: SAMLProvider = get_object_or_404(
SAMLProvider, pk=application.provider_id
)
self._provider = provider
return self._provider
return self._provider
def _has_access(self) -> bool:
"""Check if user has access to application"""
2020-02-17 14:40:49 +00:00
LOGGER.debug(
"_has_access", user=self.request.user, app=self.provider.application
)
2019-12-31 11:51:16 +00:00
policy_engine = PolicyEngine(
self.provider.application.policies.all(), self.request.user, self.request
)
policy_engine.build()
return policy_engine.passing
2020-02-17 14:40:49 +00:00
def dispatch(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
if not request.user.is_authenticated:
return self.handle_no_permission()
if not self._has_access():
2019-12-31 11:51:16 +00:00
return render(
request,
"login/denied.html",
{
"title": _("You don't have access to this application"),
"is_login": True,
},
)
return super().dispatch(request, *args, **kwargs)
class LoginBeginView(AccessRequiredView):
2018-11-16 10:41:14 +00:00
"""Receives a SAML 2.0 AuthnRequest from a Service Provider and
stores it in the session prior to enforcing login."""
2018-11-16 08:10:35 +00:00
2019-02-27 10:20:52 +00:00
@method_decorator(csrf_exempt)
2020-02-17 14:40:49 +00:00
def dispatch(self, request: HttpRequest, application: str) -> HttpResponse:
2019-12-31 11:51:16 +00:00
if request.method == "POST":
2018-12-16 16:09:26 +00:00
source = request.POST
else:
source = request.GET
2018-11-16 08:10:35 +00:00
# Store these values now, because Django's login cycle won't preserve them.
2018-12-16 16:09:26 +00:00
try:
2019-12-31 11:51:16 +00:00
request.session["SAMLRequest"] = source["SAMLRequest"]
2018-12-16 16:09:26 +00:00
except (KeyError, MultiValueDictKeyError):
return bad_request_message(request, "The SAML request payload is missing.")
2018-11-16 08:10:35 +00:00
2019-12-31 11:51:16 +00:00
request.session["RelayState"] = source.get("RelayState", "")
return redirect(
reverse(
"passbook_providers_saml:saml-login-process",
kwargs={"application": application},
)
)
2018-11-16 08:10:35 +00:00
2018-12-16 16:09:26 +00:00
class LoginProcessView(AccessRequiredView):
"""Processor-based login continuation.
Presents a SAML 2.0 Assertion for POSTing back to the Service Provider."""
2018-11-16 08:10:35 +00:00
def handle_redirect(
self, params: SAMLResponseParams, skipped_authorization: bool
2020-02-17 14:40:49 +00:00
) -> HttpResponse:
"""Handle direct redirect to SP"""
# Log Application Authorization
Event.new(
EventAction.AUTHORIZE_APPLICATION,
authorized_application=self.provider.application,
skipped_authorization=skipped_authorization,
).from_http(self.request)
2019-12-31 11:51:16 +00:00
return render(
self.request,
"saml/idp/autosubmit_form.html",
2019-12-31 11:51:16 +00:00
{
"url": params.acs_url,
"attrs": {
"SAMLResponse": params.saml_response,
"RelayState": params.relay_state,
},
2019-12-31 11:51:16 +00:00
},
)
2018-11-16 08:10:35 +00:00
def get(self, request: HttpRequest, application: str) -> HttpResponse:
"""Handle get request, i.e. render form"""
# User access gets checked in dispatch
# Otherwise we generate the IdP initiated session
try:
# application.skip_authorization is set so we directly redirect the user
if self.provider.application.skip_authorization:
self.provider.processor.can_handle(request)
saml_params = self.provider.processor.generate_response()
return self.handle_redirect(saml_params, True)
self.provider.processor.init_deep_link(request)
params = self.provider.processor.generate_response()
return render(
request,
"saml/idp/login.html",
{
"saml_params": params,
"provider": self.provider,
# This is only needed to for the template to render correctly
"is_login": True,
},
)
except exceptions.CannotHandleAssertion as exc:
LOGGER.error(exc)
did_you_mean_link = request.build_absolute_uri(
reverse(
"passbook_providers_saml:saml-login-initiate",
kwargs={"application": application},
)
)
did_you_mean_message = (
f" Did you mean to go <a href='{did_you_mean_link}'>here</a>?"
)
return bad_request_message(
request, mark_safe(str(exc) + did_you_mean_message)
)
# pylint: disable=unused-argument
2020-02-17 14:40:49 +00:00
def post(self, request: HttpRequest, application: str) -> HttpResponse:
"""Handle post request, return back to ACS"""
# User access gets checked in dispatch
# we get here when skip_authorization is False, and after the user accepted
# the authorization form
self.provider.processor.can_handle(request)
saml_params = self.provider.processor.generate_response()
return self.handle_redirect(saml_params, True)
2018-12-16 16:09:26 +00:00
2020-02-18 21:28:47 +00:00
@method_decorator(csrf_exempt, name="dispatch")
class LogoutView(AccessRequiredView):
2018-11-16 10:41:14 +00:00
"""Allows a non-SAML 2.0 URL to log out the user and
2018-11-16 08:10:35 +00:00
returns a standard logged-out page. (SalesForce and others use this method,
2018-11-16 10:41:14 +00:00
though it's technically not SAML 2.0)."""
2018-11-16 08:10:35 +00:00
# pylint: disable=unused-argument
2020-02-17 14:40:49 +00:00
def get(self, request: HttpRequest, application: str) -> HttpResponse:
2018-12-16 16:09:26 +00:00
"""Perform logout"""
logout(request)
2018-11-16 08:10:35 +00:00
2019-12-31 11:51:16 +00:00
redirect_url = request.GET.get("redirect_to", "")
2018-11-16 08:10:35 +00:00
2018-12-16 16:09:26 +00:00
try:
URL_VALIDATOR(redirect_url)
except ValidationError:
pass
else:
return redirect(redirect_url)
2018-11-16 08:10:35 +00:00
2019-12-31 11:51:16 +00:00
return render(request, "saml/idp/logged_out.html")
2018-11-16 08:10:35 +00:00
2018-12-16 16:09:26 +00:00
2020-02-18 21:28:47 +00:00
@method_decorator(csrf_exempt, name="dispatch")
class SLOLogout(AccessRequiredView):
2018-11-16 10:41:14 +00:00
"""Receives a SAML 2.0 LogoutRequest from a Service Provider,
logs out the user and returns a standard logged-out page."""
2018-12-16 16:09:26 +00:00
# pylint: disable=unused-argument
2020-02-17 14:40:49 +00:00
def post(self, request: HttpRequest, application: str) -> HttpResponse:
2018-12-16 16:09:26 +00:00
"""Perform logout"""
2019-12-31 11:51:16 +00:00
request.session["SAMLRequest"] = request.POST["SAMLRequest"]
2018-12-16 16:09:26 +00:00
# TODO: Parse SAML LogoutRequest from POST data, similar to login_process().
# TODO: Modify the base processor to handle logouts?
# TODO: Combine this with login_process(), since they are so very similar?
# TODO: Format a LogoutResponse and return it to the browser.
# XXX: For now, simply log out without validating the request.
logout(request)
2019-12-31 11:51:16 +00:00
return render(request, "saml/idp/logged_out.html")
2018-12-16 16:09:26 +00:00
class DescriptorDownloadView(AccessRequiredView):
2018-11-16 10:41:14 +00:00
"""Replies with the XML Metadata IDSSODescriptor."""
2018-12-16 16:09:26 +00:00
@staticmethod
def get_metadata(request: HttpRequest, provider: SAMLProvider) -> str:
"""Return rendered XML Metadata"""
entity_id = provider.issuer
2019-12-31 11:51:16 +00:00
slo_url = request.build_absolute_uri(
reverse(
"passbook_providers_saml:saml-logout",
kwargs={"application": provider.application.slug},
2019-12-31 11:51:16 +00:00
)
)
sso_url = request.build_absolute_uri(
reverse(
"passbook_providers_saml:saml-login",
kwargs={"application": provider.application.slug},
2019-12-31 11:51:16 +00:00
)
)
pubkey = strip_pem_header(provider.signing_cert.replace("\r", "")).replace(
2019-12-31 11:51:16 +00:00
"\n", ""
)
2018-12-16 16:09:26 +00:00
ctx = {
2019-12-31 11:51:16 +00:00
"entity_id": entity_id,
"cert_public_key": pubkey,
"slo_url": slo_url,
"sso_url": sso_url,
2018-12-16 16:09:26 +00:00
}
return render_to_string("saml/xml/metadata.xml", ctx)
# pylint: disable=unused-argument
def get(self, request: HttpRequest, application: str) -> HttpResponse:
"""Replies with the XML Metadata IDSSODescriptor."""
try:
metadata = DescriptorDownloadView.get_metadata(request, self.provider)
except Provider.application.RelatedObjectDoesNotExist: # pylint: disable=no-member
return bad_request_message(
request, "Provider is not assigned to an application."
)
else:
response = HttpResponse(metadata, content_type="application/xml")
response["Content-Disposition"] = (
'attachment; filename="' '%s_passbook_meta.xml"' % self.provider.name
)
return response
2018-11-16 08:10:35 +00:00
class InitiateLoginView(AccessRequiredView):
2018-12-26 20:56:08 +00:00
"""IdP-initiated Login"""
2018-11-16 08:10:35 +00:00
def handle_redirect(
self, params: SAMLResponseParams, skipped_authorization: bool
) -> HttpResponse:
"""Handle direct redirect to SP"""
# Log Application Authorization
Event.new(
EventAction.AUTHORIZE_APPLICATION,
authorized_application=self.provider.application,
skipped_authorization=skipped_authorization,
).from_http(self.request)
return render(
self.request,
"saml/idp/autosubmit_form.html",
{
"url": params.acs_url,
"attrs": {
"SAMLResponse": params.saml_response,
"RelayState": params.relay_state,
},
},
)
# pylint: disable=unused-argument
2020-02-17 14:40:49 +00:00
def get(self, request: HttpRequest, application: str) -> HttpResponse:
"""Initiates an IdP-initiated link to a simple SP resource/target URL."""
2019-04-29 19:39:41 +00:00
self.provider.processor.is_idp_initiated = True
self.provider.processor.init_deep_link(request)
params = self.provider.processor.generate_response()
# IdP-initiated Login Flow
if self.provider.application.skip_authorization:
return self.handle_redirect(params, True)
return render(
request,
"saml/idp/login.html",
{
"saml_params": params,
"provider": self.provider,
# This is only needed to for the template to render correctly
"is_login": True,
},
)