Merge branch 'master' into ACS_customizable_0.18

# Conflicts:
#	djangosaml2/views.py

Author: sheilatron

.travis.yml

@@ -1,3 +1,4 @@
+dist: bionic
 language: python
 
 sudo: false
@@ -6,36 +7,50 @@ matrix:
   include:
     - python: 2.7
       env: TOX_ENV=py27-django18
-    - python: 3.4
-      env: TOX_ENV=py34-django18
     - python: 2.7
       env: TOX_ENV=py27-django19
-    - python: 3.4
-      env: TOX_ENV=py34-django19
     - python: 3.5
       env: TOX_ENV=py35-django19
     - python: 2.7
       env: TOX_ENV=py27-django110
-    - python: 3.4
-      env: TOX_ENV=py34-django110
     - python: 3.5
       env: TOX_ENV=py35-django110
     - python: 2.7
       env: TOX_ENV=py27-django111
-    - python: 3.4
-      env: TOX_ENV=py34-django111
     - python: 3.5
       env: TOX_ENV=py35-django111
     - python: 3.6
       env: TOX_ENV=py36-django111
     - python: 3.5
-      env: TOX_ENV=py35-djangomaster
+      env: TOX_ENV=py35-django20
+    - python: 3.6
+      env: TOX_ENV=py36-django20
+    - python: 3.7
+      env: TOX_ENV=py37-django20
+    - python: 3.5
+      env: TOX_ENV=py35-django21
+    - python: 3.6
+      env: TOX_ENV=py36-django21
+    - python: 3.7
+      env: TOX_ENV=py37-django21
+    - python: 3.5
+      env: TOX_ENV=py35-django22
+    - python: 3.6
+      env: TOX_ENV=py36-django22
+    - python: 3.7
+      env: TOX_ENV=py37-django22
+    - python: 3.6
+      env: TOX_ENV=py36-django30
+    - python: 3.7
+      env: TOX_ENV=py37-django30
     - python: 3.6
       env: TOX_ENV=py36-djangomaster
+    - python: 3.7
+      env: TOX_ENV=py37-djangomaster
   fast_finish: true
   allow_failures:
-    - env: TOX_ENV=py35-djangomaster
     - env: TOX_ENV=py36-djangomaster
+    - env: TOX_ENV=py37-djangomaster
 
 addons:
   apt:

CHANGES

@@ -1,5 +1,17 @@
 Changes
 =======
+0.18.1 (2020-02-15)
+----------
+- Fixed regression from 0.18.0. Thanks to OskarPersson
+
+0.18.0 (2020-02-14)
+----------
+- Django 3.0 support. Thanks to OskarPersson
+- forceauthn and allowcreate support. Thanks to peppelinux
+- Dropped support for Python 3.4
+- Also thanks to WebSpider, mhindery, DylannCordel, habi3000 for various fixes and improvements
+
+Thanks to plumdog
 
 TBD
 ----------

README.rst

@@ -192,7 +192,13 @@ We will see a typical configuration for protecting a Django project::
                      saml2.BINDING_HTTP_POST),
                     ],
                 },
-
+             # Mandates that the identity provider MUST authenticate the
+             # presenter directly rather than rely on a previous security context.
+            'force_authn': False, 
+            
+             # Enable AllowCreate in NameIDPolicy.
+            'name_id_format_allow_create': False,
+            
              # attributes that this project need to identify a user
             'required_attributes': ['uid'],
 

djangosaml2/backends.py

@@ -89,7 +89,9 @@ def authenticate(self, request, session_info=None, attribute_mapping=None,
             else:
                 logger.error('The nameid is not available. Cannot find user without a nameid.')
         else:
-            saml_user = self.get_attribute_value(django_user_main_attribute, attributes, attribute_mapping)
+            saml_user = self.get_attribute_value(django_user_main_attribute,
+                                                 attributes,
+                                                 attribute_mapping)
 
         if saml_user is None:
             logger.error('Could not find saml_user value')
@@ -111,7 +113,11 @@ def get_attribute_value(self, django_field, attributes, attribute_mapping):
         logger.debug('attribute_mapping: %s', attribute_mapping)
         for saml_attr, django_fields in attribute_mapping.items():
             if django_field in django_fields and saml_attr in attributes:
-                saml_user = attributes[saml_attr][0]
+                saml_user = attributes.get(saml_attr, [None])[0]
+                if not saml_user:
+                    logger.error('attributes[saml_attr] attribute '
+                                 'value is missing. Probably the user '
+                                 'session is expired.')
         return saml_user
 
     def is_authorized(self, attributes, attribute_mapping):

djangosaml2/exceptions.py

@@ -0,0 +1,2 @@
+class IdPConfigurationMissing(Exception):
+    pass

djangosaml2/tests/__init__.py

@@ -35,7 +35,10 @@
     from django.utils.encoding import force_text
 except ImportError:
     from django.utils.text import force_text
-from django.utils.six.moves.urllib.parse import urlparse, parse_qs
+try:
+    from django.utils.six.moves.urllib.parse import urlparse, parse_qs
+except ImportError:
+    from urllib.parse import urlparse, parse_qs
 
 from saml2.config import SPConfig
 from saml2.s_utils import decode_base64_and_inflate, deflate_and_base64_encode

djangosaml2/views.py

@@ -32,7 +32,15 @@
 from django.views.decorators.http import require_POST
 from django.shortcuts import render
 from django.template import TemplateDoesNotExist
-from django.utils.six import text_type, binary_type, PY3
+
+try:
+    from django.utils.six import text_type, binary_type, PY3
+except ImportError:
+    import sys
+    PY3 = sys.version_info[0] == 3
+    text_type = str
+    binary_type = bytes
+
 from django.views.decorators.csrf import csrf_exempt
 from django.views.generic import View
 from django.utils.decorators import method_decorator
@@ -44,13 +52,14 @@
 from saml2.s_utils import UnsupportedBinding
 from saml2.response import (
     StatusError, StatusAuthnFailed, SignatureError, StatusRequestDenied,
-    UnsolicitedResponse,
+    UnsolicitedResponse, StatusNoAuthnContext,
 )
 from saml2.validate import ResponseLifetimeExceed, ToEarly
 from saml2.xmldsig import SIG_RSA_SHA1, SIG_RSA_SHA256  # support for SHA1 is required by spec
 
 from djangosaml2.cache import IdentityCache, OutstandingQueriesCache
 from djangosaml2.cache import StateCache
+from djangosaml2.exceptions import IdPConfigurationMissing
 from djangosaml2.conf import get_config
 from djangosaml2.overrides import Saml2Client
 from djangosaml2.signals import post_authenticated
@@ -138,6 +147,13 @@ def login(request,
     selected_idp = request.GET.get('idp', None)
     conf = get_config(config_loader_path, request)
 
+    kwargs = {}
+    # pysaml needs a string otherwise: "cannot serialize True (type bool)"
+    if getattr(conf, '_sp_force_authn', False):
+        kwargs['force_authn'] = "true"
+    if getattr(conf, '_sp_allow_create', False):
+        kwargs['allow_create'] = "true"
+
     # is a embedded wayf needed?
     idps = available_idps(conf)
     if selected_idp is None and len(idps) > 1:
@@ -146,6 +162,13 @@ def login(request,
                 'available_idps': idps.items(),
                 'came_from': came_from,
                 })
+    else:
+        # is the first one, otherwise next logger message will print None
+        if not idps:
+            raise IdPConfigurationMissing(('IdP configuration is missing or '
+                                           'its metadata is expired.'))
+        if selected_idp is None:
+            selected_idp = list(idps.keys())[0]
 
     # choose a binding to try first
     sign_requests = getattr(conf, '_sp_authn_requests_signed', False)
@@ -186,7 +209,7 @@ def login(request,
             session_id, result = client.prepare_for_authenticate(
                 entityid=selected_idp, relay_state=came_from,
                 binding=binding, sign=False, sigalg=sigalg,
-                nsprefix=nsprefix)
+                nsprefix=nsprefix, **kwargs)
         except TypeError as e:
             logger.error('Unable to know which IdP to use')
             return HttpResponse(text_type(e))
@@ -202,10 +225,11 @@ def login(request,
                 return HttpResponse(text_type(e))
             session_id, request_xml = client.create_authn_request(
                 location,
-                binding=binding)
+                binding=binding,
+                **kwargs)
             try:
                 if PY3:
-                    saml_request = base64.b64encode(binary_type(request_xml, 'UTF-8'))
+                    saml_request = base64.b64encode(binary_type(request_xml, 'UTF-8')).decode('utf-8')
                 else:
                     saml_request = base64.b64encode(binary_type(request_xml))
 
@@ -283,25 +307,28 @@ def post(self,
             response = client.parse_authn_request_response(xmlstr, BINDING_HTTP_POST, outstanding_queries)
         except (StatusError, ToEarly):
             logger.exception("Error processing SAML Assertion.")
-            return fail_acs_response(self.request)
+            return fail_acs_response(request)
         except ResponseLifetimeExceed:
             logger.info("SAML Assertion is no longer valid. Possibly caused by network delay or replay attack.", exc_info=True)
-            return fail_acs_response(self.request)
+            return fail_acs_response(request)
         except SignatureError:
             logger.info("Invalid or malformed SAML Assertion.", exc_info=True)
-            return fail_acs_response(self.request)
+            return fail_acs_response(request)
         except StatusAuthnFailed:
             logger.info("Authentication denied for user by IdP.", exc_info=True)
-            return fail_acs_response(self.request)
+            return fail_acs_response(request)
         except StatusRequestDenied:
             logger.warning("Authentication interrupted at IdP.", exc_info=True)
-            return fail_acs_response(self.request)
+            return fail_acs_response(request)
+        except StatusNoAuthnContext:
+            logger.warning("Missing Authentication Context from IdP.", exc_info=True)
+            return fail_acs_response(request)
         except MissingKey:
             logger.exception("SAML Identity Provider is not configured correctly: certificate key is missing!")
-            return fail_acs_response(self.request)
+            return fail_acs_response(request)
         except UnsolicitedResponse:
             logger.exception("Received SAMLResponse when no request has been made.")
-            return fail_acs_response(self.request)
+            return fail_acs_response(request)
 
         if response is None:
             logger.warning("Invalid SAML Assertion received (unknown error).")
@@ -502,7 +529,17 @@ def do_logout_service(request, data, binding, config_loader_path=None, next_page
                 relay_state=data.get('RelayState', ''))
             state.sync()
             auth.logout(request)
-            return HttpResponseRedirect(get_location(http_info))
+            if (
+                http_info.get('method', 'GET') == 'POST' and
+                'data' in http_info and
+                ('Content-type', 'text/html') in http_info.get('headers', [])
+            ):
+                # need to send back to the IDP a signed POST response with user session
+                # return HTML form content to browser with auto form validation
+                # to finally send request to the IDP
+                return HttpResponse(http_info['data'])
+            else:
+                return HttpResponseRedirect(get_location(http_info))
     else:
         logger.error('No SAMLResponse or SAMLRequest parameter found')
         raise Http404('No SAMLResponse or SAMLRequest parameter found')

setup.py

@@ -31,9 +31,9 @@ def read(*rnames):
 
 setup(
     name='djangosaml2',
-    version='0.17.2',
+    version='0.18.1',
     description='pysaml2 integration for Django',
-    long_description='\n\n'.join([read('README.rst'), read('CHANGES')]),
+    long_description=read('README.rst'),
     classifiers=[
         "Development Status :: 4 - Beta",
         "Environment :: Web Environment",
@@ -42,16 +42,20 @@ def read(*rnames):
         "Framework :: Django :: 1.9",
         "Framework :: Django :: 1.10",
         "Framework :: Django :: 1.11",
+        "Framework :: Django :: 2.0",
+        "Framework :: Django :: 2.1",
+        "Framework :: Django :: 2.2",
+        "Framework :: Django :: 3.0",
         "Intended Audience :: Developers",
         "License :: OSI Approved :: Apache Software License",
         "Operating System :: OS Independent",
         "Programming Language :: Python",
         "Programming Language :: Python :: 2",
         "Programming Language :: Python :: 2.7",
         "Programming Language :: Python :: 3",
-        "Programming Language :: Python :: 3.4",
         "Programming Language :: Python :: 3.5",
         "Programming Language :: Python :: 3.6",
+        "Programming Language :: Python :: 3.7",
         "Topic :: Internet :: WWW/HTTP",
         "Topic :: Internet :: WWW/HTTP :: WSGI",
         "Topic :: Security",
@@ -62,7 +66,7 @@ def read(*rnames):
     author_email="lgs@yaco.es",
     maintainer="Jozef Knaperek",
     url="https://github.com/knaperek/djangosaml2",
-    download_url="https://pypi.python.org/pypi/djangosaml2",
+    download_url="https://pypi.org/project/djangosaml2/",
     license='Apache 2.0',
     packages=find_packages(exclude=["tests", "tests.*"]),
     include_package_data=True,

tox.ini

@@ -1,10 +1,14 @@
 [tox]
 envlist =
-    py{27,34,35}-django18
-    py{27,34,35}-django19
-    py{27,34,35}-django110
-    py{27,34,35,36}-django111
-    py{35,36}-djangomaster
+    py{27,35}-django18
+    py{27,35}-django19
+    py{27,35}-django110
+    py{27,35,36}-django111
+    py{35,36,37}-django20
+    py{35,36,37}-django21
+    py{35,36,37}-django22
+    py{36,37}-django30
+    py{36,37}-djangomaster
 
 [testenv]
 commands =
@@ -15,6 +19,10 @@ deps =
     django19: Django>=1.9,<1.10
     django110: Django>=1.10,<1.11
     django111: Django>=1.11,<2.0
+    django20: Django>=2.0,<2.1
+    django21: Django>=2.1,<2.2
+    django22: Django>=2.2,<3.0
+    django30: Django>=3.0,<3.1
     djangomaster: https://github.com/django/django/archive/master.tar.gz
     .[test]