2018-11-16 08:10:35 +00:00
|
|
|
"""passbook saml_idp Models"""
|
2020-07-20 16:17:14 +00:00
|
|
|
from typing import Optional, Type
|
2020-09-14 16:12:42 +00:00
|
|
|
from urllib.parse import urlparse
|
2020-02-21 19:54:00 +00:00
|
|
|
|
2018-11-16 08:10:35 +00:00
|
|
|
from django.db import models
|
2020-07-20 16:17:14 +00:00
|
|
|
from django.forms import ModelForm
|
2020-02-21 19:54:00 +00:00
|
|
|
from django.http import HttpRequest
|
2018-12-26 16:21:20 +00:00
|
|
|
from django.shortcuts import reverse
|
2020-09-11 21:21:11 +00:00
|
|
|
from django.utils.translation import gettext_lazy as _
|
2019-10-01 08:24:10 +00:00
|
|
|
from structlog import get_logger
|
2018-11-16 08:10:35 +00:00
|
|
|
|
2019-03-08 11:47:50 +00:00
|
|
|
from passbook.core.models import PropertyMapping, Provider
|
2020-03-03 22:35:50 +00:00
|
|
|
from passbook.crypto.models import CertificateKeyPair
|
2020-02-21 19:54:00 +00:00
|
|
|
from passbook.lib.utils.template import render_to_string
|
2020-07-20 09:35:16 +00:00
|
|
|
from passbook.lib.utils.time import timedelta_string_validator
|
2018-11-16 08:10:35 +00:00
|
|
|
|
2019-10-04 08:08:53 +00:00
|
|
|
LOGGER = get_logger()
|
2019-04-29 19:39:41 +00:00
|
|
|
|
2018-11-16 08:10:35 +00:00
|
|
|
|
2020-06-07 14:35:08 +00:00
|
|
|
class SAMLBindings(models.TextChoices):
|
|
|
|
"""SAML Bindings supported by passbook"""
|
|
|
|
|
|
|
|
REDIRECT = "redirect"
|
|
|
|
POST = "post"
|
|
|
|
|
|
|
|
|
2018-11-26 16:17:32 +00:00
|
|
|
class SAMLProvider(Provider):
|
2020-07-01 16:40:52 +00:00
|
|
|
"""SAML 2.0 Endpoint for applications which support SAML."""
|
2018-11-16 08:10:35 +00:00
|
|
|
|
2020-02-16 11:30:26 +00:00
|
|
|
acs_url = models.URLField(verbose_name=_("ACS URL"))
|
2019-12-31 11:51:16 +00:00
|
|
|
audience = models.TextField(default="")
|
2020-05-06 16:03:12 +00:00
|
|
|
issuer = models.TextField(help_text=_("Also known as EntityID"))
|
2020-06-07 14:35:08 +00:00
|
|
|
sp_binding = models.TextField(
|
2020-06-20 19:51:52 +00:00
|
|
|
choices=SAMLBindings.choices,
|
|
|
|
default=SAMLBindings.REDIRECT,
|
|
|
|
verbose_name=_("Service Prodier Binding"),
|
2020-06-07 14:35:08 +00:00
|
|
|
)
|
2020-02-14 14:19:48 +00:00
|
|
|
|
|
|
|
assertion_valid_not_before = models.TextField(
|
2020-02-17 20:32:23 +00:00
|
|
|
default="minutes=-5",
|
2020-02-14 14:19:48 +00:00
|
|
|
validators=[timedelta_string_validator],
|
|
|
|
help_text=_(
|
|
|
|
(
|
2020-02-17 20:32:23 +00:00
|
|
|
"Assertion valid not before current time + this value "
|
|
|
|
"(Format: hours=-1;minutes=-2;seconds=-3)."
|
2020-02-14 14:19:48 +00:00
|
|
|
)
|
|
|
|
),
|
|
|
|
)
|
|
|
|
assertion_valid_not_on_or_after = models.TextField(
|
|
|
|
default="minutes=5",
|
|
|
|
validators=[timedelta_string_validator],
|
|
|
|
help_text=_(
|
|
|
|
(
|
|
|
|
"Assertion not valid on or after current time + this value "
|
|
|
|
"(Format: hours=1;minutes=2;seconds=3)."
|
|
|
|
)
|
|
|
|
),
|
|
|
|
)
|
|
|
|
|
|
|
|
session_valid_not_on_or_after = models.TextField(
|
|
|
|
default="minutes=86400",
|
|
|
|
validators=[timedelta_string_validator],
|
|
|
|
help_text=_(
|
|
|
|
(
|
|
|
|
"Session not valid on or after current time + this value "
|
|
|
|
"(Format: hours=1;minutes=2;seconds=3)."
|
|
|
|
)
|
|
|
|
),
|
|
|
|
)
|
|
|
|
|
2020-02-17 15:28:18 +00:00
|
|
|
digest_algorithm = models.CharField(
|
|
|
|
max_length=50,
|
2020-09-30 17:34:22 +00:00
|
|
|
choices=(
|
|
|
|
("sha1", _("SHA1")),
|
|
|
|
("sha256", _("SHA256")),
|
|
|
|
),
|
2020-02-17 15:28:18 +00:00
|
|
|
default="sha256",
|
|
|
|
)
|
|
|
|
signature_algorithm = models.CharField(
|
|
|
|
max_length=50,
|
|
|
|
choices=(
|
|
|
|
("rsa-sha1", _("RSA-SHA1")),
|
|
|
|
("rsa-sha256", _("RSA-SHA256")),
|
|
|
|
("ecdsa-sha256", _("ECDSA-SHA256")),
|
|
|
|
("dsa-sha1", _("DSA-SHA1")),
|
|
|
|
),
|
|
|
|
default="rsa-sha256",
|
|
|
|
)
|
|
|
|
|
2020-11-08 21:24:50 +00:00
|
|
|
verification_kp = models.ForeignKey(
|
|
|
|
CertificateKeyPair,
|
|
|
|
default=None,
|
|
|
|
null=True,
|
2020-11-11 21:35:26 +00:00
|
|
|
blank=True,
|
2020-11-08 21:24:50 +00:00
|
|
|
help_text=_("If selected, incoming assertion's Signatures will be validated."),
|
|
|
|
on_delete=models.SET_NULL,
|
|
|
|
verbose_name=_("Verification Keypair"),
|
|
|
|
related_name="+",
|
|
|
|
)
|
2020-03-05 16:09:08 +00:00
|
|
|
signing_kp = models.ForeignKey(
|
2020-03-03 22:35:50 +00:00
|
|
|
CertificateKeyPair,
|
|
|
|
default=None,
|
|
|
|
null=True,
|
2020-11-11 21:35:26 +00:00
|
|
|
blank=True,
|
2020-03-03 22:35:50 +00:00
|
|
|
help_text=_("Singing is enabled upon selection of a Key Pair."),
|
|
|
|
on_delete=models.SET_NULL,
|
2020-05-06 16:03:12 +00:00
|
|
|
verbose_name=_("Signing Keypair"),
|
|
|
|
)
|
|
|
|
|
|
|
|
require_signing = models.BooleanField(
|
|
|
|
default=False,
|
|
|
|
help_text=_(
|
|
|
|
"Require Requests to be signed by an X509 Certificate. "
|
|
|
|
"Must match the Certificate selected in `Singing Keypair`."
|
|
|
|
),
|
2020-03-03 22:35:50 +00:00
|
|
|
)
|
2018-11-16 08:10:35 +00:00
|
|
|
|
2020-09-14 16:12:42 +00:00
|
|
|
@property
|
|
|
|
def launch_url(self) -> Optional[str]:
|
|
|
|
"""Guess launch_url based on acs URL"""
|
|
|
|
launch_url = urlparse(self.acs_url)
|
2020-09-17 19:53:57 +00:00
|
|
|
return self.acs_url.replace(launch_url.path, "")
|
2020-09-14 16:12:42 +00:00
|
|
|
|
2020-09-29 08:32:41 +00:00
|
|
|
@property
|
2020-07-20 16:17:14 +00:00
|
|
|
def form(self) -> Type[ModelForm]:
|
|
|
|
from passbook.providers.saml.forms import SAMLProviderForm
|
|
|
|
|
|
|
|
return SAMLProviderForm
|
2018-12-26 16:21:20 +00:00
|
|
|
|
2018-11-16 08:10:35 +00:00
|
|
|
def __str__(self):
|
2020-09-02 22:04:12 +00:00
|
|
|
return f"SAML Provider {self.name}"
|
2018-11-16 12:08:37 +00:00
|
|
|
|
2018-12-26 16:21:20 +00:00
|
|
|
def link_download_metadata(self):
|
|
|
|
"""Get link to download XML metadata for admin interface"""
|
2019-02-27 13:47:11 +00:00
|
|
|
try:
|
2018-12-26 20:56:08 +00:00
|
|
|
# pylint: disable=no-member
|
2019-12-31 11:51:16 +00:00
|
|
|
return reverse(
|
2020-06-07 14:35:08 +00:00
|
|
|
"passbook_providers_saml:metadata",
|
|
|
|
kwargs={"application_slug": self.application.slug},
|
2019-12-31 11:51:16 +00:00
|
|
|
)
|
2019-02-27 13:47:11 +00:00
|
|
|
except Provider.application.RelatedObjectDoesNotExist:
|
|
|
|
return None
|
2018-12-26 16:21:20 +00:00
|
|
|
|
2020-02-21 19:54:00 +00:00
|
|
|
def html_metadata_view(self, request: HttpRequest) -> Optional[str]:
|
2020-09-18 22:25:28 +00:00
|
|
|
"""return template and context modal to view Metadata without downloading it"""
|
2020-02-18 09:57:43 +00:00
|
|
|
from passbook.providers.saml.views import DescriptorDownloadView
|
|
|
|
|
2020-02-21 19:54:00 +00:00
|
|
|
try:
|
|
|
|
# pylint: disable=no-member
|
|
|
|
metadata = DescriptorDownloadView.get_metadata(request, self)
|
|
|
|
return render_to_string(
|
2020-06-20 19:51:52 +00:00
|
|
|
"providers/saml/admin_metadata_modal.html",
|
2020-05-27 09:26:48 +00:00
|
|
|
{"provider": self, "metadata": metadata},
|
2020-02-21 19:54:00 +00:00
|
|
|
)
|
|
|
|
except Provider.application.RelatedObjectDoesNotExist:
|
|
|
|
return None
|
2020-02-18 09:57:43 +00:00
|
|
|
|
2018-11-26 16:17:32 +00:00
|
|
|
class Meta:
|
|
|
|
|
2019-12-31 11:51:16 +00:00
|
|
|
verbose_name = _("SAML Provider")
|
|
|
|
verbose_name_plural = _("SAML Providers")
|
2018-12-09 22:06:14 +00:00
|
|
|
|
|
|
|
|
2019-03-08 11:47:50 +00:00
|
|
|
class SAMLPropertyMapping(PropertyMapping):
|
2020-07-01 16:40:52 +00:00
|
|
|
"""Map User/Group attribute to SAML Attribute, which can be used by the Service Provider."""
|
2019-03-08 11:47:50 +00:00
|
|
|
|
2020-02-16 11:30:26 +00:00
|
|
|
saml_name = models.TextField(verbose_name="SAML Name")
|
2019-03-08 11:47:50 +00:00
|
|
|
friendly_name = models.TextField(default=None, blank=True, null=True)
|
|
|
|
|
2020-09-29 08:32:41 +00:00
|
|
|
@property
|
2020-07-20 16:17:14 +00:00
|
|
|
def form(self) -> Type[ModelForm]:
|
|
|
|
from passbook.providers.saml.forms import SAMLPropertyMappingForm
|
|
|
|
|
|
|
|
return SAMLPropertyMappingForm
|
2019-03-08 11:47:50 +00:00
|
|
|
|
|
|
|
def __str__(self):
|
2020-09-18 21:50:31 +00:00
|
|
|
name = self.friendly_name if self.friendly_name != "" else self.saml_name
|
2020-09-29 09:42:34 +00:00
|
|
|
return f"{self.name} ({name})"
|
2019-03-08 11:47:50 +00:00
|
|
|
|
|
|
|
class Meta:
|
|
|
|
|
2019-12-31 11:51:16 +00:00
|
|
|
verbose_name = _("SAML Property Mapping")
|
|
|
|
verbose_name_plural = _("SAML Property Mappings")
|