Merge branch 'master' into metadata_eid_exception

Author: peppelinux

.gitignore

@@ -4,3 +4,11 @@
 *.sqp
 build/
 dist/
+_build/
+.pytest_cache
+.env
+env/
+venv
+tags
+.idea/
+.vscode/

.hgignore

@@ -1,41 +1,35 @@
+dist: bionic
 language: python
 
 sudo: false
 
 matrix:
   include:
-    - python: 2.7
-      env: TOX_ENV=py27-django18
-    - python: 3.4
-      env: TOX_ENV=py34-django18
-    - python: 2.7
-      env: TOX_ENV=py27-django19
-    - python: 3.4
-      env: TOX_ENV=py34-django19
     - python: 3.5
-      env: TOX_ENV=py35-django19
-    - python: 2.7
-      env: TOX_ENV=py27-django110
-    - python: 3.4
-      env: TOX_ENV=py34-django110
-    - python: 3.5
-      env: TOX_ENV=py35-django110
-    - python: 2.7
-      env: TOX_ENV=py27-django111
-    - python: 3.4
-      env: TOX_ENV=py34-django111
-    - python: 3.5
-      env: TOX_ENV=py35-django111
+      env: TOX_ENV=py35-django22
     - python: 3.6
-      env: TOX_ENV=py36-django111
-    - python: 3.5
-      env: TOX_ENV=py35-djangomaster
+      env: TOX_ENV=py36-django22
+    - python: 3.7
+      env: TOX_ENV=py37-django22
+    - python: 3.8
+      env: TOX_ENV=py38-django22
+    - python: 3.6
+      env: TOX_ENV=py36-django30
+    - python: 3.7
+      env: TOX_ENV=py37-django30
+    - python: 3.8
+      env: TOX_ENV=py38-django30
     - python: 3.6
       env: TOX_ENV=py36-djangomaster
+    - python: 3.7
+      env: TOX_ENV=py37-djangomaster
+    - python: 3.8
+      env: TOX_ENV=py38-djangomaster
   fast_finish: true
   allow_failures:
-    - env: TOX_ENV=py35-djangomaster
     - env: TOX_ENV=py36-djangomaster
+    - env: TOX_ENV=py37-djangomaster
+    - env: TOX_ENV=py38-djangomaster
 
 addons:
   apt:

.travis.yml

@@ -1,5 +1,17 @@
 Changes
 =======
+0.18.1 (2020-02-15)
+----------
+- Fixed regression from 0.18.0. Thanks to OskarPersson
+
+0.18.0 (2020-02-14)
+----------
+- Django 3.0 support. Thanks to OskarPersson
+- forceauthn and allowcreate support. Thanks to peppelinux
+- Dropped support for Python 3.4
+- Also thanks to WebSpider, mhindery, DylannCordel, habi3000 for various fixes and improvements
+
+Thanks to plumdog
 
 0.17.2 (2018-08-29)
 ----------

CHANGES

@@ -192,7 +192,13 @@ We will see a typical configuration for protecting a Django project::
                      saml2.BINDING_HTTP_POST),
                     ],
                 },
-
+             # Mandates that the identity provider MUST authenticate the
+             # presenter directly rather than rely on a previous security context.
+            'force_authn': False, 
+            
+             # Enable AllowCreate in NameIDPolicy.
+            'name_id_format_allow_create': False,
+            
              # attributes that this project need to identify a user
             'required_attributes': ['uid'],
 
@@ -309,6 +315,24 @@ setting::
   SAML_CONFIG_LOADER = 'python.path.to.your.callable'
 
 
+Custom error handler
+....................
+
+When an error occurs during the authentication flow, djangosaml2 will render
+a simple error page with an error message and status code. You can customize
+this behaviour by specifying the path to your own error handler in the settings:
+
+  SAML_ACS_FAILURE_RESPONSE_FUNCTION = 'python.path.to.your.view'
+
+This should be a view which takes a request, optional exception which occured
+and status code, and returns a response to serve the user. E.g. The default
+implementation looks like this::
+
+  def template_failure(request, exception=None, **kwargs):
+      """ Renders a simple template with an error message. """
+      return render(request, 'djangosaml2/login_error.html', {'exception': exception}, status=kwargs.get('status', 403))
+
+
 User attributes
 ---------------
 

README.rst

@@ -0,0 +1 @@
+default_app_config = 'djangosaml2.apps.DjangoSaml2Config'

djangosaml2/__init__.py

@@ -3,20 +3,10 @@
 # This module defines a set of useful ACS failure functions that are used to
 # produce an output suitable for end user in case of SAML failure.
 #
-from __future__ import unicode_literals
 
-from django.core.exceptions import PermissionDenied
 from django.shortcuts import render
 
 
-def template_failure(request, status=403, **kwargs):
-    """ Renders a SAML-specific template with general authentication error description. """
-    return render(request, 'djangosaml2/login_error.html', status=status)
-
-
-def exception_failure(request, exc_class=PermissionDenied, **kwargs):
-    """ Rather than using a custom SAML specific template that is rendered on failure,
-    this makes use of a standard exception handling machinery present in Django
-    and thus ends up rendering a project-wide error page for Permission Denied exceptions.
-    """
-    raise exc_class
+def template_failure(request, exception=None, status=403, **kwargs):
+    """ Renders a simple template with an error message. """
+    return render(request, 'djangosaml2/login_error.html', {'exception': exception}, status=status)

djangosaml2/acs_failures.py

@@ -0,0 +1,9 @@
+from django.apps import AppConfig
+
+
+class DjangoSaml2Config(AppConfig):
+    name = 'djangosaml2'
+    verbose_name = "DjangoSAML2"
+
+    def ready(self):
+        from . import signals  # noqa

djangosaml2/apps.py

@@ -18,45 +18,28 @@
 from django.conf import settings
 from django.contrib import auth
 from django.contrib.auth.backends import ModelBackend
-from django.core.exceptions import (
-    MultipleObjectsReturned, ImproperlyConfigured,
-)
-
-from djangosaml2.signals import pre_user_save
+from django.core.exceptions import (ImproperlyConfigured,
+                                    MultipleObjectsReturned)
 
+from .signals import pre_user_save
 
 logger = logging.getLogger('djangosaml2')
 
 
 def get_model(model_path):
+    from django.apps import apps
     try:
-        from django.apps import apps
         return apps.get_model(model_path)
-    except ImportError:
-        # Django < 1.7 (cannot use the new app loader)
-        from django.db.models import get_model as django_get_model
-        try:
-            app_label, model_name = model_path.split('.')
-        except ValueError:
-            raise ImproperlyConfigured("SAML_USER_MODEL must be of the form "
-                "'app_label.model_name'")
-        user_model = django_get_model(app_label, model_name)
-        if user_model is None:
-            raise ImproperlyConfigured("SAML_USER_MODEL refers to model '%s' "
-                "that has not been installed" % model_path)
-        return user_model
+    except LookupError:
+        raise ImproperlyConfigured("SAML_USER_MODEL refers to model '%s' that has not been installed" % model_path)
+    except ValueError:
+        raise ImproperlyConfigured("SAML_USER_MODEL must be of the form 'app_label.model_name'")
 
 
 def get_saml_user_model():
-    try:
-        # djangosaml2 custom user model
+    if hasattr(settings, 'SAML_USER_MODEL'):
         return get_model(settings.SAML_USER_MODEL)
-    except AttributeError:
-        try:
-            # Django 1.5 Custom user model
-            return auth.get_user_model()
-        except AttributeError:
-            return auth.models.User
+    return auth.get_user_model()
 
 
 class Saml2Backend(ModelBackend):
@@ -89,7 +72,9 @@ def authenticate(self, request, session_info=None, attribute_mapping=None,
             else:
                 logger.error('The nameid is not available. Cannot find user without a nameid.')
         else:
-            saml_user = self.get_attribute_value(django_user_main_attribute, attributes, attribute_mapping)
+            saml_user = self.get_attribute_value(django_user_main_attribute,
+                                                 attributes,
+                                                 attribute_mapping)
 
         if saml_user is None:
             logger.error('Could not find saml_user value')
@@ -111,7 +96,11 @@ def get_attribute_value(self, django_field, attributes, attribute_mapping):
         logger.debug('attribute_mapping: %s', attribute_mapping)
         for saml_attr, django_fields in attribute_mapping.items():
             if django_field in django_fields and saml_attr in attributes:
-                saml_user = attributes[saml_attr][0]
+                saml_user = attributes.get(saml_attr, [None])[0]
+                if not saml_user:
+                    logger.error('attributes[saml_attr] attribute '
+                                 'value is missing. Probably the user '
+                                 'session is expired.')
         return saml_user
 
     def is_authorized(self, attributes, attribute_mapping):

djangosaml2/backends.py

@@ -25,7 +25,7 @@ def __init__(self, django_session, key_suffix):
         self.session = django_session
         self.key = self.key_prefix + key_suffix
 
-        super(DjangoSessionCacheAdapter, self).__init__(self._get_objects())
+        super().__init__(self._get_objects())
 
     def _get_objects(self):
         return self.session.get(self.key, {})
@@ -37,9 +37,9 @@ def sync(self):
         # Changes in inner objects do not cause session invalidation
         # https://docs.djangoproject.com/en/1.9/topics/http/sessions/#when-sessions-are-saved
 
-        #add objects to session
+        # add objects to session
         self._set_objects(dict(self))
-        #invalidate session
+        # invalidate session
         self.session.modified = True
 
 
@@ -49,8 +49,7 @@ class OutstandingQueriesCache(object):
     """
 
     def __init__(self, django_session):
-        self._db = DjangoSessionCacheAdapter(django_session,
-                                             '_outstanding_queries')
+        self._db = DjangoSessionCacheAdapter(django_session, '_outstanding_queries')
 
     def outstanding_queries(self):
         return self._db._get_objects()
@@ -86,4 +85,4 @@ class StateCache(DjangoSessionCacheAdapter):
     """
 
     def __init__(self, django_session):
-        super(StateCache, self).__init__(django_session, '_state')
+        super().__init__(django_session, '_state')

djangosaml2/cache.py

@@ -18,10 +18,9 @@
 
 from django.conf import settings
 from django.core.exceptions import ImproperlyConfigured
-
 from saml2.config import SPConfig
 
-from djangosaml2.utils import get_custom_setting
+from .utils import get_custom_setting
 
 
 def get_config_loader(path, request=None):

djangosaml2/conf.py

@@ -0,0 +1,2 @@
+class IdPConfigurationMissing(Exception):
+    pass

djangosaml2/exceptions.py

@@ -21,4 +21,4 @@ def do_logout(self, *args, **kwargs):
             except AttributeError:
                 logger.warning('SAML_LOGOUT_REQUEST_PREFERRED_BINDING setting is'
                     ' not defined. Default binding will be used.')
-        return super(Saml2Client, self).do_logout(*args, **kwargs)
+        return super().do_logout(*args, **kwargs)

djangosaml2/models.py

@@ -14,7 +14,5 @@
 
 import django.dispatch
 
-
-pre_user_save = django.dispatch.Signal(providing_args=['attributes',
-                                                       'user_modified'])
+pre_user_save = django.dispatch.Signal(providing_args=['attributes', 'user_modified'])
 post_authenticated = django.dispatch.Signal(providing_args=['session_info'])

djangosaml2/overrides.py

@@ -9,7 +9,7 @@
 </p>
 <form method="post" action="{{ target_url }}" name="SSO_Login">
 	{% for key, value in params.items %}
-	    <input type="hidden" name="{{ key|safe }}" value="{{ value|safe }}" />
+	    <input type="hidden" name="{{ key }}" value="{{ value }}" />
 	{% endfor %}
     <input type="submit" value="Log in" />
 </form>

djangosaml2/signals.py

@@ -14,44 +14,44 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-import datetime
 import base64
+import datetime
 import re
 from unittest import skip
-import sys
 
 from django.conf import settings
 from django.contrib.auth import SESSION_KEY, get_user_model
 from django.contrib.auth.models import AnonymousUser
 from django.contrib.sessions.middleware import SessionMiddleware
+from django.template import Context, Template
+from django.test import TestCase
+from django.test.client import RequestFactory
+from djangosaml2 import views
+from djangosaml2.cache import OutstandingQueriesCache
+from djangosaml2.conf import get_config
+from djangosaml2.signals import post_authenticated
+from djangosaml2.tests import conf
+from djangosaml2.tests.auth_response import auth_response
+from djangosaml2.views import finish_logout
+from saml2.config import SPConfig
+from saml2.s_utils import decode_base64_and_inflate, deflate_and_base64_encode
+
 try:
     from django.urls import reverse
 except ImportError:
     from django.core.urlresolvers import reverse
-from django.template import Template, Context
-from django.test import TestCase
-from django.test.client import RequestFactory
 try:
     from django.utils.encoding import force_text
 except ImportError:
     from django.utils.text import force_text
-from django.utils.six.moves.urllib.parse import urlparse, parse_qs
-
-from saml2.config import SPConfig
-from saml2.s_utils import decode_base64_and_inflate, deflate_and_base64_encode
+try:
+    from django.utils.six.moves.urllib.parse import urlparse, parse_qs
+except ImportError:
+    from urllib.parse import urlparse, parse_qs
 
-from djangosaml2 import views
-from djangosaml2.cache import OutstandingQueriesCache
-from djangosaml2.conf import get_config
-from djangosaml2.tests import conf
-from djangosaml2.tests.auth_response import auth_response
-from djangosaml2.signals import post_authenticated
-from djangosaml2.views import finish_logout
 
 User = get_user_model()
 
-PY_VERSION = sys.version_info[:2]
-
 
 class SAML2Tests(TestCase):
 
@@ -141,11 +141,7 @@ def test_login_one_idp(self):
         self.assertIn('RelayState', params)
 
         saml_request = params['SAMLRequest'][0]
-        if PY_VERSION < (3,):
-            expected_request = """<?xml version='1.0' encoding='UTF-8'?>
-<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://sp.example.com/saml2/acs/" Destination="https://idp.example.com/simplesaml/saml2/idp/SSOService.php" ID="XXXXXXXXXXXXXXXXXXXXXX" IssueInstant="2010-01-01T00:00:00Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://sp.example.com/saml2/metadata/</saml:Issuer><samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" /></samlp:AuthnRequest>"""
-        else:
-            expected_request = """<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://sp.example.com/saml2/acs/" Destination="https://idp.example.com/simplesaml/saml2/idp/SSOService.php" ID="XXXXXXXXXXXXXXXXXXXXXX" IssueInstant="2010-01-01T00:00:00Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://sp.example.com/saml2/metadata/</saml:Issuer><samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" /></samlp:AuthnRequest>"""
+        expected_request = """<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://sp.example.com/saml2/acs/" Destination="https://idp.example.com/simplesaml/saml2/idp/SSOService.php" ID="XXXXXXXXXXXXXXXXXXXXXX" IssueInstant="2010-01-01T00:00:00Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://sp.example.com/saml2/metadata/</saml:Issuer><samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" /></samlp:AuthnRequest>"""
 
         self.assertSAMLRequestsEquals(
             decode_base64_and_inflate(saml_request).decode('utf-8'),
@@ -199,11 +195,7 @@ def test_login_several_idps(self):
         self.assertIn('RelayState', params)
 
         saml_request = params['SAMLRequest'][0]
-        if PY_VERSION < (3,):
-            expected_request = """<?xml version='1.0' encoding='UTF-8'?>
-<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://sp.example.com/saml2/acs/" Destination="https://idp2.example.com/simplesaml/saml2/idp/SSOService.php" ID="XXXXXXXXXXXXXXXXXXXXXX" IssueInstant="2010-01-01T00:00:00Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://sp.example.com/saml2/metadata/</saml:Issuer><samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" /></samlp:AuthnRequest>"""
-        else:
-            expected_request = """<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://sp.example.com/saml2/acs/" Destination="https://idp2.example.com/simplesaml/saml2/idp/SSOService.php" ID="XXXXXXXXXXXXXXXXXXXXXX" IssueInstant="2010-01-01T00:00:00Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://sp.example.com/saml2/metadata/</saml:Issuer><samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" /></samlp:AuthnRequest>"""
+        expected_request = """<samlp:AuthnRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="http://sp.example.com/saml2/acs/" Destination="https://idp2.example.com/simplesaml/saml2/idp/SSOService.php" ID="XXXXXXXXXXXXXXXXXXXXXX" IssueInstant="2010-01-01T00:00:00Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://sp.example.com/saml2/metadata/</saml:Issuer><samlp:NameIDPolicy AllowCreate="false" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" /></samlp:AuthnRequest>"""
 
         self.assertSAMLRequestsEquals(decode_base64_and_inflate(saml_request).decode('utf-8'),
                                       expected_request)
@@ -339,11 +331,7 @@ def test_logout(self):
         self.assertIn('SAMLRequest', params)
 
         saml_request = params['SAMLRequest'][0]
-        if PY_VERSION < (3,):
-            expected_request = """<?xml version='1.0' encoding='UTF-8'?>
-<samlp:LogoutRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://idp.example.com/simplesaml/saml2/idp/SingleLogoutService.php" ID="XXXXXXXXXXXXXXXXXXXXXX" IssueInstant="2010-01-01T00:00:00Z" Reason="" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://sp.example.com/saml2/metadata/</saml:Issuer><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="http://sp.example.com/saml2/metadata/">58bcc81ea14700f66aeb707a0eff1360</saml:NameID><samlp:SessionIndex>a0123456789abcdef0123456789abcdef</samlp:SessionIndex></samlp:LogoutRequest>"""
-        else:
-            expected_request = """<samlp:LogoutRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://idp.example.com/simplesaml/saml2/idp/SingleLogoutService.php" ID="XXXXXXXXXXXXXXXXXXXXXX" IssueInstant="2010-01-01T00:00:00Z" Reason="" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://sp.example.com/saml2/metadata/</saml:Issuer><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="http://sp.example.com/saml2/metadata/">58bcc81ea14700f66aeb707a0eff1360</saml:NameID><samlp:SessionIndex>a0123456789abcdef0123456789abcdef</samlp:SessionIndex></samlp:LogoutRequest>"""
+        expected_request = """<samlp:LogoutRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://idp.example.com/simplesaml/saml2/idp/SingleLogoutService.php" ID="XXXXXXXXXXXXXXXXXXXXXX" IssueInstant="2010-01-01T00:00:00Z" Reason="" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://sp.example.com/saml2/metadata/</saml:Issuer><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="http://sp.example.com/saml2/metadata/">58bcc81ea14700f66aeb707a0eff1360</saml:NameID><samlp:SessionIndex>a0123456789abcdef0123456789abcdef</samlp:SessionIndex></samlp:LogoutRequest>"""
         self.assertSAMLRequestsEquals(decode_base64_and_inflate(saml_request).decode('utf-8'),
                                       expected_request)
 
@@ -369,11 +357,7 @@ def test_logout_service_local(self):
         self.assertIn('SAMLRequest', params)
 
         saml_request = params['SAMLRequest'][0]
-        if PY_VERSION < (3,):
-            expected_request = """<?xml version='1.0' encoding='UTF-8'?>
-<samlp:LogoutRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://idp.example.com/simplesaml/saml2/idp/SingleLogoutService.php" ID="XXXXXXXXXXXXXXXXXXXXXX" IssueInstant="2010-01-01T00:00:00Z" Reason="" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://sp.example.com/saml2/metadata/</saml:Issuer><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="http://sp.example.com/saml2/metadata/">58bcc81ea14700f66aeb707a0eff1360</saml:NameID><samlp:SessionIndex>a0123456789abcdef0123456789abcdef</samlp:SessionIndex></samlp:LogoutRequest>"""
-        else:
-            expected_request = """<samlp:LogoutRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://idp.example.com/simplesaml/saml2/idp/SingleLogoutService.php" ID="XXXXXXXXXXXXXXXXXXXXXX" IssueInstant="2010-01-01T00:00:00Z" Reason="" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://sp.example.com/saml2/metadata/</saml:Issuer><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="http://sp.example.com/saml2/metadata/">58bcc81ea14700f66aeb707a0eff1360</saml:NameID><samlp:SessionIndex>a0123456789abcdef0123456789abcdef</samlp:SessionIndex></samlp:LogoutRequest>"""
+        expected_request = """<samlp:LogoutRequest xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://idp.example.com/simplesaml/saml2/idp/SingleLogoutService.php" ID="XXXXXXXXXXXXXXXXXXXXXX" IssueInstant="2010-01-01T00:00:00Z" Reason="" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://sp.example.com/saml2/metadata/</saml:Issuer><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="http://sp.example.com/saml2/metadata/">58bcc81ea14700f66aeb707a0eff1360</saml:NameID><samlp:SessionIndex>a0123456789abcdef0123456789abcdef</samlp:SessionIndex></samlp:LogoutRequest>"""
         self.assertSAMLRequestsEquals(decode_base64_and_inflate(saml_request).decode('utf-8'),
                                       expected_request)
 
@@ -421,11 +405,7 @@ def test_logout_service_global(self):
         self.assertIn('SAMLResponse', params)
 
         saml_response = params['SAMLResponse'][0]
-        if PY_VERSION < (3,):
-            expected_response = """<?xml version='1.0' encoding='UTF-8'?>
-<samlp:LogoutResponse xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://idp.example.com/simplesaml/saml2/idp/SingleLogoutService.php" ID="a140848e7ce2bce834d7264ecdde0151" InResponseTo="_9961abbaae6d06d251226cb25e38bf8f468036e57e" IssueInstant="2010-09-05T09:10:12Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://sp.example.com/saml2/metadata/</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status></samlp:LogoutResponse>"""
-        else:
-            expected_response = """<samlp:LogoutResponse xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://idp.example.com/simplesaml/saml2/idp/SingleLogoutService.php" ID="a140848e7ce2bce834d7264ecdde0151" InResponseTo="_9961abbaae6d06d251226cb25e38bf8f468036e57e" IssueInstant="2010-09-05T09:10:12Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://sp.example.com/saml2/metadata/</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status></samlp:LogoutResponse>"""
+        expected_response = """<samlp:LogoutResponse xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://idp.example.com/simplesaml/saml2/idp/SingleLogoutService.php" ID="a140848e7ce2bce834d7264ecdde0151" InResponseTo="_9961abbaae6d06d251226cb25e38bf8f468036e57e" IssueInstant="2010-09-05T09:10:12Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://sp.example.com/saml2/metadata/</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status></samlp:LogoutResponse>"""
         self.assertSAMLRequestsEquals(decode_base64_and_inflate(saml_response).decode('utf-8'),
                                       expected_response)
 

djangosaml2/templates/djangosaml2/example_post_binding_form.html

@@ -0,0 +1,19 @@
+X500ATTR_OID = 'urn:oid:2.5.4.'
+PKCS_9 = 'urn:oid:1.2.840.113549.1.9.1.'
+UCL_DIR_PILOT = 'urn:oid:0.9.2342.19200300.100.1.'
+
+ MAP = {
+    'identifier': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
+    'fro': {
+        X500ATTR_OID+'3': 'first_name', # cn
+        X500ATTR_OID+'4': 'last_name', # sn
+        PKCS_9+'1': 'email',
+        UCL_DIR_PILOT+'1': 'uid',
+    },
+    'to': {
+        'first_name': X500ATTR_OID+'3',
+        'last_name': X500ATTR_OID+'4',
+        'email' : PKCS_9+'1',
+        'uid': UCL_DIR_PILOT+'1',
+    }
+}

djangosaml2/tests/__init__.py

@@ -13,15 +13,15 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-from django.conf.urls import url
-from djangosaml2 import views
+from django.urls import path
 
+from . import views
 
 urlpatterns = [
-    url(r'^login/$', views.login, name='saml2_login'),
-    url(r'^acs/$', views.assertion_consumer_service, name='saml2_acs'),
-    url(r'^logout/$', views.logout, name='saml2_logout'),
-    url(r'^ls/$', views.logout_service, name='saml2_ls'),
-    url(r'^ls/post/$', views.logout_service_post, name='saml2_ls_post'),
-    url(r'^metadata/$', views.metadata, name='saml2_metadata'),
+    path('login/', views.login, name='saml2_login'),
+    path('acs/', views.assertion_consumer_service, name='saml2_acs'),
+    path('logout/', views.logout, name='saml2_logout'),
+    path('ls/', views.logout_service, name='saml2_ls'),
+    path('ls/post/', views.logout_service_post, name='saml2_ls_post'),
+    path('metadata/', views.metadata, name='saml2_metadata'),
 ]

djangosaml2/tests/attribute-maps/django_saml_uri.py

@@ -12,10 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-import django
 from django.conf import settings
 from django.core.exceptions import ImproperlyConfigured
-from django.utils.http import is_safe_url
 from django.utils.module_loading import import_string
 from saml2.s_utils import UnknownSystemEntity
 
@@ -33,23 +31,25 @@ def available_idps(config, langpref=None):
     for metadata_name, metadata in config.metadata.metadata.items():
         result = metadata.any('idpsso_descriptor', 'single_sign_on_service')
         if result:
-            idps = idps.union(set(result.keys()))
+            idps.update(result.keys())
 
-    return dict([(idp, config.metadata.name(idp, langpref)) for idp in idps])
+    return {
+        idp: config.metadata.name(idp, langpref)
+        for idp in idps
+    }
 
 
 def get_idp_sso_supported_bindings(idp_entity_id=None, config=None):
     """Returns the list of bindings supported by an IDP
     This is not clear in the pysaml2 code, so wrapping it in a util"""
     if config is None:
         # avoid circular import
-        from djangosaml2.conf import get_config
+        from .conf import get_config
         config = get_config()
     # load metadata store from config
     meta = getattr(config, 'metadata', {})
     # if idp is None, assume only one exists so just use that
     if idp_entity_id is None:
-        # .keys() returns dict_keys in python3.5+
         try:
             idp_entity_id = list(available_idps(config).keys())[0]
         except IndexError:
@@ -80,11 +80,3 @@ def fail_acs_response(request, *args, **kwargs):
     failure_function = import_string(get_custom_setting('SAML_ACS_FAILURE_RESPONSE_FUNCTION',
                                                         'djangosaml2.acs_failures.template_failure'))
     return failure_function(request, *args, **kwargs)
-
-
-def is_safe_url_compat(url, allowed_hosts=None, require_https=False):
-    if django.VERSION >= (1, 11):
-        return is_safe_url(url, allowed_hosts=allowed_hosts, require_https=require_https)
-    assert len(allowed_hosts) == 1
-    host = allowed_hosts.pop()
-    return is_safe_url(url, host=host)

djangosaml2/urls.py

@@ -19,44 +19,47 @@
 from django.conf import settings
 from django.contrib import auth
 from django.contrib.auth.decorators import login_required
-try:
-    from django.contrib.auth.views import LogoutView
-    django_logout = LogoutView.as_view()
-except ImportError:
-    from django.contrib.auth.views import logout as django_logout
 from django.core.exceptions import PermissionDenied, SuspiciousOperation
-from django.http import Http404, HttpResponse
-from django.http import HttpResponseRedirect  # 30x
 from django.http import HttpResponseBadRequest  # 40x
+from django.http import HttpResponseRedirect  # 30x
 from django.http import HttpResponseServerError  # 50x
-from django.views.decorators.http import require_POST
+from django.http import Http404, HttpResponse
 from django.shortcuts import render
 from django.template import TemplateDoesNotExist
-from django.utils.six import text_type, binary_type, PY3
+from django.utils.http import is_safe_url
 from django.views.decorators.csrf import csrf_exempt
-
 from saml2 import BINDING_HTTP_REDIRECT, BINDING_HTTP_POST
+from saml2.client_base import LogoutError
 from saml2.metadata import entity_descriptor
 from saml2.ident import code, decode
-from saml2.sigver import MissingKey
+from saml2.metadata import entity_descriptor
+from saml2.response import (SignatureError, StatusAuthnFailed, StatusError,
+                            StatusNoAuthnContext, StatusRequestDenied,
+                            UnsolicitedResponse)
 from saml2.s_utils import UnsupportedBinding
 from saml2.response import (
     StatusError, StatusAuthnFailed, SignatureError, StatusRequestDenied,
     UnsolicitedResponse, StatusNoAuthnContext,
 )
 from saml2.mdstore import SourceNotFound
+from saml2.sigver import MissingKey
 from saml2.validate import ResponseLifetimeExceed, ToEarly
-from saml2.xmldsig import SIG_RSA_SHA1, SIG_RSA_SHA256  # support for SHA1 is required by spec
-
-from djangosaml2.cache import IdentityCache, OutstandingQueriesCache
-from djangosaml2.cache import StateCache
-from djangosaml2.conf import get_config
-from djangosaml2.overrides import Saml2Client
-from djangosaml2.signals import post_authenticated
-from djangosaml2.utils import (
-    available_idps, fail_acs_response, get_custom_setting,
-    get_idp_sso_supported_bindings, get_location, is_safe_url_compat,
-)
+from saml2.xmldsig import (  # support for SHA1 is required by spec
+    SIG_RSA_SHA1, SIG_RSA_SHA256)
+
+from .cache import IdentityCache, OutstandingQueriesCache, StateCache
+from .conf import get_config
+from .exceptions import IdPConfigurationMissing
+from .overrides import Saml2Client
+from .signals import post_authenticated
+from .utils import (available_idps, fail_acs_response, get_custom_setting,
+                    get_idp_sso_supported_bindings, get_location)
+
+try:
+    from django.contrib.auth.views import LogoutView
+    django_logout = LogoutView.as_view()
+except ImportError:
+    from django.contrib.auth.views import logout as django_logout
 
 
 logger = logging.getLogger('djangosaml2')
@@ -73,16 +76,6 @@ def _get_subject_id(session):
         return None
 
 
-def callable_bool(value):
-    """ A compatibility wrapper for pre Django 1.10 User model API that used
-    is_authenticated() and is_anonymous() methods instead of attributes
-    """
-    if callable(value):
-        return value()
-    else:
-        return value
-
-
 def login(request,
           config_loader_path=None,
           wayf_template='djangosaml2/wayf.html',
@@ -111,7 +104,7 @@ def login(request,
         came_from = settings.LOGIN_REDIRECT_URL
 
     # Ensure the user-originating redirection url is safe.
-    if not is_safe_url_compat(url=came_from, allowed_hosts={request.get_host()}):
+    if not is_safe_url(url=came_from, allowed_hosts={request.get_host()}):
         came_from = settings.LOGIN_REDIRECT_URL
 
     # if the user is already authenticated that maybe because of two reasons:
@@ -124,7 +117,7 @@ def login(request,
     # SAML_IGNORE_AUTHENTICATED_USERS_ON_LOGIN setting. If that setting
     # is True (default value) we will redirect him to the came_from view.
     # Otherwise, we will show an (configurable) authorization error.
-    if callable_bool(request.user.is_authenticated):
+    if request.user.is_authenticated:
         redirect_authenticated_user = getattr(settings, 'SAML_IGNORE_AUTHENTICATED_USERS_ON_LOGIN', True)
         if redirect_authenticated_user:
             return HttpResponseRedirect(came_from)
@@ -145,6 +138,13 @@ def login(request,
                                         'technical support.')),
                             status=500)
 
+    kwargs = {}
+    # pysaml needs a string otherwise: "cannot serialize True (type bool)"
+    if getattr(conf, '_sp_force_authn', False):
+        kwargs['force_authn'] = "true"
+    if getattr(conf, '_sp_allow_create', False):
+        kwargs['allow_create'] = "true"
+
     # is a embedded wayf needed?
     idps = available_idps(conf)
     if selected_idp is None and len(idps) > 1:
@@ -153,7 +153,14 @@ def login(request,
                 'available_idps': idps.items(),
                 'came_from': came_from,
                 })
-
+    else:
+        # is the first one, otherwise next logger message will print None
+        if not idps:
+            raise IdPConfigurationMissing(('IdP configuration is missing or '
+                                           'its metadata is expired.'))
+        if selected_idp is None:
+            selected_idp = list(idps.keys())[0]
+    
     # choose a binding to try first
     sign_requests = getattr(conf, '_sp_authn_requests_signed', False)
     binding = BINDING_HTTP_POST if sign_requests else BINDING_HTTP_REDIRECT
@@ -193,10 +200,10 @@ def login(request,
             session_id, result = client.prepare_for_authenticate(
                 entityid=selected_idp, relay_state=came_from,
                 binding=binding, sign=False, sigalg=sigalg,
-                nsprefix=nsprefix)
+                nsprefix=nsprefix, **kwargs)
         except TypeError as e:
             logger.error('Unable to know which IdP to use')
-            return HttpResponse(text_type(e))
+            return HttpResponse(str(e))
         else:
             http_response = HttpResponseRedirect(get_location(result))
     elif binding == BINDING_HTTP_POST:
@@ -206,15 +213,13 @@ def login(request,
                 location = client.sso_location(selected_idp, binding)
             except TypeError as e:
                 logger.error('Unable to know which IdP to use')
-                return HttpResponse(text_type(e))
+                return HttpResponse(str(e))
             session_id, request_xml = client.create_authn_request(
                 location,
-                binding=binding)
+                binding=binding,
+                **kwargs)
             try:
-                if PY3:
-                    saml_request = base64.b64encode(binary_type(request_xml, 'UTF-8'))
-                else:
-                    saml_request = base64.b64encode(binary_type(request_xml))
+                saml_request = base64.b64encode(bytes(request_xml, 'UTF-8')).decode('utf-8')
 
                 http_response = render(request, post_binding_form_template, {
                     'target_url': location,
@@ -234,7 +239,7 @@ def login(request,
                     binding=binding)
             except TypeError as e:
                 logger.error('Unable to know which IdP to use')
-                return HttpResponse(text_type(e))
+                return HttpResponse(str(e))
             else:
                 http_response = HttpResponse(result['data'])
     else:
@@ -278,34 +283,34 @@ def assertion_consumer_service(request,
 
     try:
         response = client.parse_authn_request_response(xmlstr, BINDING_HTTP_POST, outstanding_queries)
-    except (StatusError, ToEarly):
+    except (StatusError, ToEarly) as e:
         logger.exception("Error processing SAML Assertion.")
-        return fail_acs_response(request)
-    except ResponseLifetimeExceed:
+        return fail_acs_response(request, exception=e)
+    except ResponseLifetimeExceed as e:
         logger.info("SAML Assertion is no longer valid. Possibly caused by network delay or replay attack.", exc_info=True)
-        return fail_acs_response(request)
-    except SignatureError:
+        return fail_acs_response(request, exception=e)
+    except SignatureError as e:
         logger.info("Invalid or malformed SAML Assertion.", exc_info=True)
-        return fail_acs_response(request)
-    except StatusAuthnFailed:
+        return fail_acs_response(request, exception=e)
+    except StatusAuthnFailed as e:
         logger.info("Authentication denied for user by IdP.", exc_info=True)
-        return fail_acs_response(request)
-    except StatusRequestDenied:
+        return fail_acs_response(request, exception=e)
+    except StatusRequestDenied as e:
         logger.warning("Authentication interrupted at IdP.", exc_info=True)
-        return fail_acs_response(request)
-    except StatusNoAuthnContext:
+        return fail_acs_response(request, exception=e)
+    except StatusNoAuthnContext as e:
         logger.warning("Missing Authentication Context from IdP.", exc_info=True)
-        return fail_acs_response(request)
-    except MissingKey:
+        return fail_acs_response(request, exception=e)
+    except MissingKey as e:
         logger.exception("SAML Identity Provider is not configured correctly: certificate key is missing!")
-        return fail_acs_response(request)
-    except UnsolicitedResponse:
+        return fail_acs_response(request, exception=e)
+    except UnsolicitedResponse as e:
         logger.exception("Received SAMLResponse when no request has been made.")
-        return fail_acs_response(request)
+        return fail_acs_response(request, exception=e)
 
     if response is None:
         logger.warning("Invalid SAML Assertion received (unknown error).")
-        return fail_acs_response(request, status=400, exc_class=SuspiciousOperation)
+        return fail_acs_response(request, status=400, exception=SuspiciousOperation('Unknown SAML2 error'))
 
     session_id = response.session_id()
     oq_cache.delete(session_id)
@@ -325,7 +330,7 @@ def assertion_consumer_service(request,
                              create_unknown_user=create_unknown_user)
     if user is None:
         logger.warning("Could not authenticate user received in SAML Assertion. Session info: %s", session_info)
-        raise PermissionDenied
+        return fail_acs_response(request, exception=PermissionDenied('No user could be authenticated.'))
 
     auth.login(request, user)
     _set_subject_id(request.session, session_info['name_id'])
@@ -341,7 +346,7 @@ def assertion_consumer_service(request,
     if not relay_state:
         logger.warning('The RelayState parameter exists but is empty')
         relay_state = default_relay_state
-    if not is_safe_url_compat(url=relay_state, allowed_hosts={request.get_host()}):
+    if not is_safe_url(url=relay_state, allowed_hosts={request.get_host()}):
         relay_state = settings.LOGIN_REDIRECT_URL
     logger.debug('Redirecting to the RelayState: %s', relay_state)
     return HttpResponseRedirect(relay_state)
@@ -385,7 +390,13 @@ def logout(request, config_loader_path=None):
             'The session does not contain the subject id for user %s',
             request.user)
 
-    result = client.global_logout(subject_id)
+    try:
+        result = client.global_logout(subject_id)
+    except LogoutError as exp:
+        logger.exception('Error Handled - SLO not supported by IDP: {}'.format(exp))
+        auth.logout(request)
+        state.sync()
+        return HttpResponseRedirect('/')
 
     state.sync()
 
@@ -467,7 +478,17 @@ def do_logout_service(request, data, binding, config_loader_path=None, next_page
                 relay_state=data.get('RelayState', ''))
             state.sync()
             auth.logout(request)
-            return HttpResponseRedirect(get_location(http_info))
+            if (
+                http_info.get('method', 'GET') == 'POST' and
+                'data' in http_info and
+                ('Content-type', 'text/html') in http_info.get('headers', [])
+            ):
+                # need to send back to the IDP a signed POST response with user session
+                # return HTML form content to browser with auto form validation
+                # to finally send request to the IDP
+                return HttpResponse(http_info['data'])
+            else:
+                return HttpResponseRedirect(get_location(http_info))
     else:
         logger.error('No SAMLResponse or SAMLRequest parameter found')
         raise Http404('No SAMLResponse or SAMLRequest parameter found')
@@ -491,7 +512,7 @@ def metadata(request, config_loader_path=None, valid_for=None):
     """
     conf = get_config(config_loader_path, request)
     metadata = entity_descriptor(conf)
-    return HttpResponse(content=text_type(metadata).encode('utf-8'),
+    return HttpResponse(content=str(metadata).encode('utf-8'),
                         content_type="text/xml; charset=utf8")
 
 

djangosaml2/utils.py

@@ -23,35 +23,26 @@ def read(*rnames):
     return codecs.open(os.path.join(os.path.dirname(__file__), *rnames), encoding='utf-8').read()
 
 
-extra = {'test': []}
-if sys.version_info < (3, 4):
-    # Necessary to use assertLogs in tests
-    extra['test'].append('unittest2')
-
-
 setup(
     name='djangosaml2',
-    version='0.17.2',
+    version='0.18.1',
     description='pysaml2 integration for Django',
-    long_description='\n\n'.join([read('README.rst'), read('CHANGES')]),
+    long_description=read('README.rst'),
     classifiers=[
-        "Development Status :: 4 - Beta",
+        "Development Status :: 5 - Production/Stable",
         "Environment :: Web Environment",
         "Framework :: Django",
-        "Framework :: Django :: 1.8",
-        "Framework :: Django :: 1.9",
-        "Framework :: Django :: 1.10",
-        "Framework :: Django :: 1.11",
+        "Framework :: Django :: 2.2",
+        "Framework :: Django :: 3.0",
         "Intended Audience :: Developers",
         "License :: OSI Approved :: Apache Software License",
         "Operating System :: OS Independent",
         "Programming Language :: Python",
-        "Programming Language :: Python :: 2",
-        "Programming Language :: Python :: 2.7",
         "Programming Language :: Python :: 3",
-        "Programming Language :: Python :: 3.4",
         "Programming Language :: Python :: 3.5",
         "Programming Language :: Python :: 3.6",
+        "Programming Language :: Python :: 3.7",
+        "Programming Language :: Python :: 3.8",
         "Topic :: Internet :: WWW/HTTP",
         "Topic :: Internet :: WWW/HTTP :: WSGI",
         "Topic :: Security",
@@ -62,15 +53,14 @@ def read(*rnames):
     author_email="lgs@yaco.es",
     maintainer="Jozef Knaperek",
     url="https://github.com/knaperek/djangosaml2",
-    download_url="https://pypi.python.org/pypi/djangosaml2",
+    download_url="https://pypi.org/project/djangosaml2/",
     license='Apache 2.0',
     packages=find_packages(exclude=["tests", "tests.*"]),
     include_package_data=True,
     zip_safe=False,
     install_requires=[
         'defusedxml>=0.4.1',
-        'Django>=1.8',
+        'Django>=2.2',
         'pysaml2>=4.6.0',
         ],
-    extras_require=extra,
     )

djangosaml2/views.py

@@ -46,9 +46,6 @@
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
 )
 
-if django.VERSION < (1, 10):
-    MIDDLEWARE_CLASSES = MIDDLEWARE
-
 ROOT_URLCONF = 'testprofiles.urls'
 
 TEMPLATES = [

setup.py

@@ -1,20 +1,16 @@
 [tox]
 envlist =
-    py{27,34,35}-django18
-    py{27,34,35}-django19
-    py{27,34,35}-django110
-    py{27,34,35,36}-django111
-    py{35,36}-djangomaster
+    py{35,36,37,38}-django22
+    py{36,37,38}-django30
+    py{36,37,38}-djangomaster
 
 [testenv]
 commands =
     python tests/run_tests.py
 
 deps =
-    django18: Django>=1.8,<1.9
-    django19: Django>=1.9,<1.10
-    django110: Django>=1.10,<1.11
-    django111: Django>=1.11,<2.0
+    django22: Django>=2.2,<3.0
+    django30: Django>=3.0,<3.1
     djangomaster: https://github.com/django/django/archive/master.tar.gz
     .[test]