Merge branch 'dev'

Author: peppelinux

djangosaml2/backends.py

@@ -140,7 +140,7 @@ def authenticate(self, request, session_info=None, attribute_mapping=None, creat
         if user is not None:
             user = self._update_user(
                 user, attributes, attribute_mapping, force_save=created)
-        
+
         if self.user_can_authenticate(user):
             return user
 

djangosaml2/conf.py

@@ -51,9 +51,12 @@ def config_settings_loader(request: Optional[HttpRequest] = None) -> SPConfig:
     return conf
 
 
-def get_config(config_loader_path: Optional[Union[Callable, str]] = None, request: Optional[HttpRequest] = None) -> SPConfig:
-    """ Load a config_loader function if necessary, and call that function with the request as argument.
-        If the config_loader_path is a callable instead of a string, no importing is necessary and it will be used directly.
+def get_config(config_loader_path: Optional[Union[Callable, str]] = None,
+               request: Optional[HttpRequest] = None) -> SPConfig:
+    """ Load a config_loader function if necessary, and call that
+        function with the request as argument.
+        If the config_loader_path is a callable instead of a string,
+        no importing is necessary and it will be used directly.
         Return the resulting SPConfig.
     """
     config_loader_path = config_loader_path or get_custom_setting(

djangosaml2/utils.py

@@ -104,23 +104,25 @@ def saml2_from_httpredirect_request(url):
 
 
 def get_session_id_from_saml2(saml2_xml):
-    saml2_xml = saml2_xml.encode() if isinstance(saml2_xml, str) else saml2_xml
-    return re.findall(b'ID="([a-z0-9\-]*)"', saml2_xml, re.I)[0].decode()
+    saml2_xml = saml2_xml.decode() if isinstance(saml2_xml, bytes) else saml2_xml
+    return re.findall(r'ID="([a-z0-9\-]*)"', saml2_xml, re.I)[0]
 
 
 def get_subject_id_from_saml2(saml2_xml):
     saml2_xml = saml2_xml if isinstance(saml2_xml, str) else saml2_xml.decode()
     re.findall('">([a-z0-9]+)</saml:NameID>', saml2_xml)[0]
 
-def add_param_in_url(url:str, param_key:str, param_value:str):
+
+def add_param_in_url(url: str, param_key: str, param_value: str):
     params = list(url.split('?'))
     params.append(f'{param_key}={param_value}')
-    new_url = params[0] + '?' +''.join(params[1:])
+    new_url = params[0] + '?' + ''.join(params[1:])
     return new_url
 
+
 def add_idp_hinting(request, http_response) -> bool:
     idphin_param = getattr(settings, 'SAML2_IDPHINT_PARAM', 'idphint')
-    params = urllib.parse.urlencode(request.GET)
+    urllib.parse.urlencode(request.GET)
 
     if idphin_param not in request.GET.keys():
         return False

djangosaml2/views.py

@@ -46,8 +46,6 @@
 from saml2.samlp import AuthnRequest, IDPEntry, IDPList, Scoping
 from saml2.sigver import MissingKey
 from saml2.validate import ResponseLifetimeExceed, ToEarly
-from saml2.xmldsig import (  # support for SHA1 is required by spec
-    SIG_RSA_SHA1, SIG_RSA_SHA256)
 
 from .cache import IdentityCache, OutstandingQueriesCache, StateCache
 from .conf import get_config
@@ -160,6 +158,8 @@ def get(self, request, *args, **kwargs):
         configured_idps = available_idps(conf)
         selected_idp = request.GET.get('idp', None)
 
+        sso_kwargs = {}
+
         # Do we have a Discovery Service?
         if not selected_idp:
             discovery_service = getattr(settings, 'SAML2_DISCO_URL', None)
@@ -193,14 +193,19 @@ def get(self, request, *args, **kwargs):
             selected_idp = list(configured_idps.keys())[0]
 
         # perform IdP Scoping if scoping param is present
-        idp_scoping = Scoping()
         idp_scoping_param = request.GET.get('scoping', None)
         if idp_scoping_param:
+            idp_scoping = Scoping()
             idp_scoping.idp_list = IDPList()
-            idp_scoping.idp_list.idp_entry.append(IDPEntry(provider_id = idp_scoping_param))
+            idp_scoping.idp_list.idp_entry.append(
+                IDPEntry(provider_id = idp_scoping_param)
+            )
+            sso_kwargs['scoping'] = idp_scoping
+
 
         # choose a binding to try first
-        binding = getattr(settings, 'SAML_DEFAULT_BINDING', saml2.BINDING_HTTP_POST)
+        binding = getattr(settings, 'SAML_DEFAULT_BINDING',
+                          saml2.BINDING_HTTP_POST)
         logger.debug(f'Trying binding {binding} for IDP {selected_idp}')
 
         # ensure our selected binding is supported by the IDP
@@ -232,18 +237,16 @@ def get(self, request, *args, **kwargs):
                 )
 
         client = Saml2Client(conf)
-        http_response = None
 
         # SSO options
         sign_requests = getattr(conf, '_sp_authn_requests_signed', False)
-        sso_kwargs = {}
+
         if sign_requests:
-            sso_kwargs["sigalg"] = settings.SAML_CONFIG['service']['sp']\
-                                           .get('signing_algorithm',
-                                                saml2.xmldsig.SIG_RSA_SHA256)
-            sso_kwargs["digest_alg"] = settings.SAML_CONFIG['service']['sp']\
-                                           .get('digest_algorithm',
-                                                saml2.xmldsig.DIGEST_SHA256)
+            csc = settings.SAML_CONFIG['service']['sp']
+            sso_kwargs["sigalg"] = csc.get('signing_algorithm',
+                                           saml2.xmldsig.SIG_RSA_SHA256)
+            sso_kwargs["digest_alg"] = csc.get('digest_algorithm',
+                                               saml2.xmldsig.DIGEST_SHA256)
 
         # pysaml needs a string otherwise: "cannot serialize True (type bool)"
         if getattr(conf, '_sp_force_authn', False):
@@ -256,17 +259,20 @@ def get(self, request, *args, **kwargs):
 
         logger.debug(f'Redirecting user to the IdP via {binding} binding.')
         _msg = 'Unable to know which IdP to use'
+        http_response = None
+
         if binding == saml2.BINDING_HTTP_REDIRECT:
             try:
                 session_id, result = client.prepare_for_authenticate(
                     entityid=selected_idp, relay_state=next_path,
-                    binding=binding, sign=sign_requests, scoping=idp_scoping,
+                    binding=binding, sign=sign_requests,
                     **sso_kwargs)
             except TypeError as e:
                 logger.error(f'{_msg}: {e}')
                 return HttpResponse(_msg)
             else:
                 http_response = HttpResponseRedirect(get_location(result))
+
         elif binding == saml2.BINDING_HTTP_POST:
             if self.post_binding_form_template:
                 # get request XML to build our own html based on the template
@@ -275,10 +281,12 @@ def get(self, request, *args, **kwargs):
                 except TypeError as e:
                     logger.error(f'{_msg}: {e}')
                     return HttpResponse(_msg)
+
                 session_id, request_xml = client.create_authn_request(
                     location,
                     binding=binding,
-                    **sso_kwargs)
+                    **sso_kwargs
+                )
                 try:
                     if isinstance(request_xml, AuthnRequest):
                         # request_xml will be an instance of AuthnRequest if the message is not signed
@@ -294,14 +302,16 @@ def get(self, request, *args, **kwargs):
                         },
                     })
                 except TemplateDoesNotExist as e:
-                    logger.error(f'TemplateDoesNotExist: {e}')
+                    logger.error(
+                        f'TemplateDoesNotExist: [{self.post_binding_form_template}] - {e}'
+                    )
 
             if not http_response:
                 # use the html provided by pysaml2 if no template was specified or it doesn't exist
                 try:
                     session_id, result = client.prepare_for_authenticate(
                         entityid=selected_idp, relay_state=next_path,
-                        binding=binding, scoping=idp_scoping)
+                        binding=binding, **sso_kwargs)
                 except TypeError as e:
                     _msg = f"Can't prepare the authentication for {selected_idp}"
                     logger.error(f'{_msg}: {e}')
@@ -380,7 +390,8 @@ def post(self, request, attribute_mapping=None, create_unknown_user=None):
         except ResponseLifetimeExceed as e:
             _exception = e
             logger.info(
-                ("SAML Assertion is no longer valid. Possibly caused by network delay or replay attack."), exc_info=True)
+                ("SAML Assertion is no longer valid. Possibly caused "
+                 "by network delay or replay attack."), exc_info=True)
         except SignatureError as e:
             _exception = e
             logger.info("Invalid or malformed SAML Assertion.", exc_info=True)
@@ -435,7 +446,8 @@ def post(self, request, attribute_mapping=None, create_unknown_user=None):
         for sc in assertion.subject.subject_confirmation:
             if sc.method == SCM_BEARER:
                 assertion_not_on_or_after = sc.subject_confirmation_data.not_on_or_after
-                assertion_info = {'assertion_id': assertion.id, 'not_on_or_after': assertion_not_on_or_after}
+                assertion_info = {'assertion_id': assertion.id,
+                                  'not_on_or_after': assertion_not_on_or_after}
                 break
 
         if callable(attribute_mapping):
@@ -607,10 +619,14 @@ class LogoutView(SPConfigMixin, View):
     logout_error_template = 'djangosaml2/logout_error.html'
 
     def get(self, request, *args, **kwargs):
-        return self.do_logout_service(request, request.GET, saml2.BINDING_HTTP_REDIRECT, *args, **kwargs)
+        return self.do_logout_service(
+            request, request.GET, saml2.BINDING_HTTP_REDIRECT, *args, **kwargs
+        )
 
     def post(self, request, *args, **kwargs):
-        return self.do_logout_service(request, request.POST, saml2.BINDING_HTTP_POST, *args, **kwargs)
+        return self.do_logout_service(
+            request, request.POST, saml2.BINDING_HTTP_POST, *args, **kwargs
+        )
 
     def do_logout_service(self, request, data, binding):
         logger.debug('Logout service started')

setup.py

@@ -24,7 +24,7 @@ def read(*rnames):
 
 setup(
     name='djangosaml2',
-    version='1.1.5',
+    version='1.2.0',
     description='pysaml2 integration for Django',
     long_description=read('README.md'),
     long_description_content_type='text/markdown',