Merge branch 'master' into chander-saml-redirect-enhancement

Author: chander

.gitignore

@@ -4,3 +4,11 @@
 *.sqp
 build/
 dist/
+_build/
+.pytest_cache
+.env
+env/
+venv
+tags
+.idea/
+.vscode/

.hgignore

@@ -1,41 +1,35 @@
+dist: bionic
 language: python
 
 sudo: false
 
 matrix:
   include:
-    - python: 2.7
-      env: TOX_ENV=py27-django18
-    - python: 3.4
-      env: TOX_ENV=py34-django18
-    - python: 2.7
-      env: TOX_ENV=py27-django19
-    - python: 3.4
-      env: TOX_ENV=py34-django19
     - python: 3.5
-      env: TOX_ENV=py35-django19
-    - python: 2.7
-      env: TOX_ENV=py27-django110
-    - python: 3.4
-      env: TOX_ENV=py34-django110
-    - python: 3.5
-      env: TOX_ENV=py35-django110
-    - python: 2.7
-      env: TOX_ENV=py27-django111
-    - python: 3.4
-      env: TOX_ENV=py34-django111
-    - python: 3.5
-      env: TOX_ENV=py35-django111
+      env: TOX_ENV=py35-django22
     - python: 3.6
-      env: TOX_ENV=py36-django111
-    - python: 3.5
-      env: TOX_ENV=py35-djangomaster
+      env: TOX_ENV=py36-django22
+    - python: 3.7
+      env: TOX_ENV=py37-django22
+    - python: 3.8
+      env: TOX_ENV=py38-django22
+    - python: 3.6
+      env: TOX_ENV=py36-django30
+    - python: 3.7
+      env: TOX_ENV=py37-django30
+    - python: 3.8
+      env: TOX_ENV=py38-django30
     - python: 3.6
       env: TOX_ENV=py36-djangomaster
+    - python: 3.7
+      env: TOX_ENV=py37-djangomaster
+    - python: 3.8
+      env: TOX_ENV=py38-djangomaster
   fast_finish: true
   allow_failures:
-    - env: TOX_ENV=py35-djangomaster
     - env: TOX_ENV=py36-djangomaster
+    - env: TOX_ENV=py37-djangomaster
+    - env: TOX_ENV=py38-djangomaster
 
 addons:
   apt:

.travis.yml

@@ -1,12 +1,28 @@
 Changes
 =======
+0.18.1 (2020-02-15)
+----------
+- Fixed regression from 0.18.0. Thanks to OskarPersson
+
+0.18.0 (2020-02-14)
+----------
+- Django 3.0 support. Thanks to OskarPersson
+- forceauthn and allowcreate support. Thanks to peppelinux
+- Dropped support for Python 3.4
+- Also thanks to WebSpider, mhindery, DylannCordel, habi3000 for various fixes and improvements
+
+Thanks to plumdog
 
 0.17.2 (2018-08-29)
 ----------
 - Upgraded pysaml2 dependency to version 4.6.0 which fixes security issue.
 
 Thanks to plumdog
 
+UNRELEASED
+----------
+- Allowed creating Users with multiple required fields.
+
 0.17.1 (2018-07-16)
 ----------
 - A 403 (permission denied) is now raised if a SAMLResponse is replayed, instead of 500.

CHANGES

@@ -192,7 +192,13 @@ We will see a typical configuration for protecting a Django project::
                      saml2.BINDING_HTTP_POST),
                     ],
                 },
-
+             # Mandates that the identity provider MUST authenticate the
+             # presenter directly rather than rely on a previous security context.
+            'force_authn': False, 
+            
+             # Enable AllowCreate in NameIDPolicy.
+            'name_id_format_allow_create': False,
+            
              # attributes that this project need to identify a user
             'required_attributes': ['uid'],
 
@@ -309,6 +315,24 @@ setting::
   SAML_CONFIG_LOADER = 'python.path.to.your.callable'
 
 
+Custom error handler
+....................
+
+When an error occurs during the authentication flow, djangosaml2 will render
+a simple error page with an error message and status code. You can customize
+this behaviour by specifying the path to your own error handler in the settings:
+
+  SAML_ACS_FAILURE_RESPONSE_FUNCTION = 'python.path.to.your.view'
+
+This should be a view which takes a request, optional exception which occured
+and status code, and returns a response to serve the user. E.g. The default
+implementation looks like this::
+
+  def template_failure(request, exception=None, **kwargs):
+      """ Renders a simple template with an error message. """
+      return render(request, 'djangosaml2/login_error.html', {'exception': exception}, status=kwargs.get('status', 403))
+
+
 User attributes
 ---------------
 

README.rst

@@ -0,0 +1 @@
+default_app_config = 'djangosaml2.apps.DjangoSaml2Config'

djangosaml2/__init__.py

@@ -3,20 +3,10 @@
 # This module defines a set of useful ACS failure functions that are used to
 # produce an output suitable for end user in case of SAML failure.
 #
-from __future__ import unicode_literals
 
-from django.core.exceptions import PermissionDenied
 from django.shortcuts import render
 
 
-def template_failure(request, status=403, **kwargs):
-    """ Renders a SAML-specific template with general authentication error description. """
-    return render(request, 'djangosaml2/login_error.html', status=status)
-
-
-def exception_failure(request, exc_class=PermissionDenied, **kwargs):
-    """ Rather than using a custom SAML specific template that is rendered on failure,
-    this makes use of a standard exception handling machinery present in Django
-    and thus ends up rendering a project-wide error page for Permission Denied exceptions.
-    """
-    raise exc_class
+def template_failure(request, exception=None, status=403, **kwargs):
+    """ Renders a simple template with an error message. """
+    return render(request, 'djangosaml2/login_error.html', {'exception': exception}, status=status)

djangosaml2/acs_failures.py

@@ -0,0 +1,9 @@
+from django.apps import AppConfig
+
+
+class DjangoSaml2Config(AppConfig):
+    name = 'djangosaml2'
+    verbose_name = "DjangoSAML2"
+
+    def ready(self):
+        from . import signals  # noqa

djangosaml2/apps.py

@@ -18,45 +18,28 @@
 from django.conf import settings
 from django.contrib import auth
 from django.contrib.auth.backends import ModelBackend
-from django.core.exceptions import (
-    MultipleObjectsReturned, ImproperlyConfigured,
-)
-
-from djangosaml2.signals import pre_user_save
+from django.core.exceptions import (ImproperlyConfigured,
+                                    MultipleObjectsReturned)
 
+from .signals import pre_user_save
 
 logger = logging.getLogger('djangosaml2')
 
 
 def get_model(model_path):
+    from django.apps import apps
     try:
-        from django.apps import apps
         return apps.get_model(model_path)
-    except ImportError:
-        # Django < 1.7 (cannot use the new app loader)
-        from django.db.models import get_model as django_get_model
-        try:
-            app_label, model_name = model_path.split('.')
-        except ValueError:
-            raise ImproperlyConfigured("SAML_USER_MODEL must be of the form "
-                "'app_label.model_name'")
-        user_model = django_get_model(app_label, model_name)
-        if user_model is None:
-            raise ImproperlyConfigured("SAML_USER_MODEL refers to model '%s' "
-                "that has not been installed" % model_path)
-        return user_model
+    except LookupError:
+        raise ImproperlyConfigured("SAML_USER_MODEL refers to model '%s' that has not been installed" % model_path)
+    except ValueError:
+        raise ImproperlyConfigured("SAML_USER_MODEL must be of the form 'app_label.model_name'")
 
 
 def get_saml_user_model():
-    try:
-        # djangosaml2 custom user model
+    if hasattr(settings, 'SAML_USER_MODEL'):
         return get_model(settings.SAML_USER_MODEL)
-    except AttributeError:
-        try:
-            # Django 1.5 Custom user model
-            return auth.get_user_model()
-        except AttributeError:
-            return auth.models.User
+    return auth.get_user_model()
 
 
 class Saml2Backend(ModelBackend):
@@ -89,7 +72,9 @@ def authenticate(self, request, session_info=None, attribute_mapping=None,
             else:
                 logger.error('The nameid is not available. Cannot find user without a nameid.')
         else:
-            saml_user = self.get_attribute_value(django_user_main_attribute, attributes, attribute_mapping)
+            saml_user = self.get_attribute_value(django_user_main_attribute,
+                                                 attributes,
+                                                 attribute_mapping)
 
         if saml_user is None:
             logger.error('Could not find saml_user value')
@@ -111,7 +96,11 @@ def get_attribute_value(self, django_field, attributes, attribute_mapping):
         logger.debug('attribute_mapping: %s', attribute_mapping)
         for saml_attr, django_fields in attribute_mapping.items():
             if django_field in django_fields and saml_attr in attributes:
-                saml_user = attributes[saml_attr][0]
+                saml_user = attributes.get(saml_attr, [None])[0]
+                if not saml_user:
+                    logger.error('attributes[saml_attr] attribute '
+                                 'value is missing. Probably the user '
+                                 'session is expired.')
         return saml_user
 
     def is_authorized(self, attributes, attribute_mapping):
@@ -158,19 +147,21 @@ def _get_or_create_saml2_user(self, main_attribute, attributes, attribute_mappin
                      main_attribute)
         django_user_main_attribute = self.get_django_user_main_attribute()
         user_query_args = self.get_user_query_args(main_attribute)
-        user_create_defaults = {django_user_main_attribute: main_attribute}
 
         User = get_saml_user_model()
+        built = False
         try:
-            user, created = User.objects.get_or_create(
-                defaults=user_create_defaults, **user_query_args)
+            user = User.objects.get(**user_query_args)
+        except User.DoesNotExist:
+            user = User(**{django_user_main_attribute: main_attribute})
+            built = True
         except MultipleObjectsReturned:
             logger.error("There are more than one user with %s = %s",
                          django_user_main_attribute, main_attribute)
             return None
 
-        if created:
-            logger.debug('New user created')
+        if built:
+            logger.debug('Configuring new user "%s"', main_attribute)
             user = self.configure_user(user, attributes, attribute_mapping)
         else:
             logger.debug('User updated')

djangosaml2/backends.py

@@ -25,7 +25,7 @@ def __init__(self, django_session, key_suffix):
         self.session = django_session
         self.key = self.key_prefix + key_suffix
 
-        super(DjangoSessionCacheAdapter, self).__init__(self._get_objects())
+        super().__init__(self._get_objects())
 
     def _get_objects(self):
         return self.session.get(self.key, {})
@@ -37,9 +37,9 @@ def sync(self):
         # Changes in inner objects do not cause session invalidation
         # https://docs.djangoproject.com/en/1.9/topics/http/sessions/#when-sessions-are-saved
 
-        #add objects to session
+        # add objects to session
         self._set_objects(dict(self))
-        #invalidate session
+        # invalidate session
         self.session.modified = True
 
 
@@ -49,8 +49,7 @@ class OutstandingQueriesCache(object):
     """
 
     def __init__(self, django_session):
-        self._db = DjangoSessionCacheAdapter(django_session,
-                                             '_outstanding_queries')
+        self._db = DjangoSessionCacheAdapter(django_session, '_outstanding_queries')
 
     def outstanding_queries(self):
         return self._db._get_objects()
@@ -86,4 +85,4 @@ class StateCache(DjangoSessionCacheAdapter):
     """
 
     def __init__(self, django_session):
-        super(StateCache, self).__init__(django_session, '_state')
+        super().__init__(django_session, '_state')