0001-spring-cleaning-32934.patch

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     default_app_config = 'authentic2.apps.Authentic2Config'

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     default_app_config = 'authentic2.a2_rbac.apps.Authentic2RBACConfig'

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.contrib import admin
     from django.utils.translation import ugettext_lazy as _
     from django.utils import six

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import sys
     class AppSettings(object):
         __DEFAULTS = dict(
             MANAGED_CONTENT_TYPES=None,
-...
     # Ugly? Guido recommends this himself ...
     # http://mail.python.org/pipermail/python-ideas/2012-May/014969.html
     import sys
     app_settings = AppSettings('A2_RBAC_')
     app_settings.__name__ = __name__
     sys.modules[__name__] = app_settings

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.apps import AppConfig
-...
         def ready(self):
             from . import signal_handlers, models
             from django.db.models.signals import post_save, post_migrate, pre_save, \
                 post_delete
             from django.contrib.contenttypes.models import ContentType
             from django.db.models.signals import post_save, post_migrate, post_delete
             from authentic2.models import Service
             # update rbac on save to contenttype, ou and roles

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.db.models import NullBooleanField
     from django import forms
     class UniqueBooleanField(NullBooleanField):
         '''BooleanField allowing only one True value in the table, and preventing
            problems with multiple False values by implicitely converting them to

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.utils import six
     from django.utils.translation import ugettext_lazy as _
     from django.utils.text import slugify
     from django.contrib.contenttypes.models import ContentType
     from django.db.models.signals import post_migrate
     from django.apps import apps
     from django_rbac.utils import get_role_model, get_ou_model, \
         get_permission_model
     from ..utils import get_fk_model
     from . import utils, app_settings, signal_handlers
     from . import utils, app_settings
     def update_ou_admin_roles(ou):
-...
            they give general administrative rights to all mamanged content types
            scoped to the given organizational unit.
         '''
         Role = get_role_model()
         Permission = get_permission_model()
         OU = get_ou_model()
         ou_all = OU.objects.all()
         if len(ou_all) < 2:

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.contrib.contenttypes.models import ContentType
     from django_rbac.models import ADMIN_OP
-...
                 defaults={
                     'name': name,
                     'slug': slug,
                     }, **kwargs)
                 },
                 **kwargs)
             if update_name and not created and role.name != name:
                 role.name = name
                 role.save()

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from collections import namedtuple
     from django.core.exceptions import ValidationError
     from django.utils import six
-...
     from django.utils.text import slugify
     from django.db import models
     from django.contrib.contenttypes.models import ContentType
     from django.core.validators import RegexValidator
     from django_rbac.models import (RoleAbstractBase, PermissionAbstractBase,
                                     OrganizationalUnitAbstractBase, RoleParentingAbstractBase, VIEW_OP,
-...
         MANUAL_PASSWORD_POLICY = 1
         USER_ADD_PASSWD_POLICY_CHOICES = (
                 (RESET_LINK_POLICY, _('Send reset link')),
                 (MANUAL_PASSWORD_POLICY, _('Manual password definition')),
             (RESET_LINK_POLICY, _('Send reset link')),
             (MANUAL_PASSWORD_POLICY, _('Manual password definition')),
+        )
         PolicyValue = namedtuple('PolicyValue', [
                 'generate_password', 'reset_password_at_next_login',
                 'send_mail', 'send_password_reset'])
             'generate_password', 'reset_password_at_next_login',
             'send_mail', 'send_password_reset'])
         USER_ADD_PASSWD_POLICY_VALUES = {
                 RESET_LINK_POLICY: PolicyValue(False, False, False, True),
                 MANUAL_PASSWORD_POLICY: PolicyValue(False, False, True, False),
             RESET_LINK_POLICY: PolicyValue(False, False, False, True),
             MANUAL_PASSWORD_POLICY: PolicyValue(False, False, True, False),
+        }
         username_is_unique = models.BooleanField(
-...
+            )
         def natural_key(self):
             return [self.slug, self.ou and self.ou.natural_key(), self.service and
                     self.service.natural_key()]
             return [
                 self.slug,
                 self.ou and self.ou.natural_key(),
                 self.service and self.service.natural_key(),
+            ]
         def to_json(self):
             return {

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.utils.translation import ugettext as _
     from django.conf import settings
     from django.apps import apps
-...
     from django_rbac.utils import get_ou_model, get_role_model, get_operation
     from django_rbac.managers import defer_update_transitive_closure
     def create_default_ou(app_config, verbosity=2, interactive=True,
                           using=DEFAULT_DB_ALIAS, **kwargs):
         if not router.allow_migrate(using, get_ou_model()):
-...
     def post_migrate_update_rbac(app_config, verbosity=2, interactive=True,
                                  using=DEFAULT_DB_ALIAS, **kwargs):
         # be sure new objects names are localized using the default locale
         from .management import update_ou_admin_roles, update_ous_admin_roles, \
             update_content_types_roles
         from .management import update_ous_admin_roles, update_content_types_roles
         if not router.allow_migrate(using, get_role_model()):
             return
-...
     def update_rbac_on_ou_post_save(sender, instance, created, raw, **kwargs):
         from .management import update_ou_admin_roles, update_ous_admin_roles, \
             update_content_types_roles
         from .management import update_ou_admin_roles, update_ous_admin_roles
         if get_ou_model().objects.count() < 3 and created:
             update_ous_admin_roles()
         else:
             update_ou_admin_roles(instance)
     def update_rbac_on_ou_post_delete(sender, instance, **kwargs):
         from .management import update_ou_admin_roles, update_ous_admin_roles, \
             update_content_types_roles
         from .management import update_ous_admin_roles
         if get_ou_model().objects.count() < 2:
             update_ous_admin_roles()

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.test import TestCase
     from django.contrib.contenttypes.models import ContentType
     from django.contrib.auth import get_user_model
-...
     User = get_user_model()
     class A2RBACTestCase(TestCase):
         def test_update_rbac(self):
             # 3 content types managers and 1 global manager
-...
                 self.assertTrue(role.slug.startswith('_a2'), u'role %s slug must '
                                 'start with _a2: %s' % (role.name, role.slug))
         def test_admin_roles_update_slug(self):
             user = User.objects.create(username='john.doe')
             name1 = 'Can manage john.doe'

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.contrib.auth import get_user_model
     from django.contrib.contenttypes.models import ContentType
     from django_rbac.models import VIEW_OP, SEARCH_OP

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from copy import deepcopy
     import pprint
-...
     from django.conf import settings
     from django.utils.translation import ugettext_lazy as _
     from django.utils import timezone
     from django.utils.http import urlencode
     from django.http import HttpResponseRedirect
     from django.views.decorators.cache import never_cache
     from django.contrib.auth.admin import UserAdmin
     from django.contrib.sessions.models import Session
     from django.contrib.auth import REDIRECT_FIELD_NAME
     from django.contrib.admin.utils import flatten_fieldsets
     from django import forms
     from django.contrib.auth.forms import ReadOnlyPasswordHashField
     from .nonce.models import Nonce
     from . import (models, compat, app_settings, decorators,
             attribute_kinds, utils)
     from .forms import modelform_factory, BaseUserForm
     from . import (models, app_settings, decorators, attribute_kinds,
                    utils)
     from .forms.profile import BaseUserForm, modelform_factory
     from .custom_user.models import User
     def cleanup_action(modeladmin, request, queryset):
         queryset.cleanup()
     cleanup_action.short_description = _('Cleanup expired objects')
     class CleanupAdminMixin(admin.ModelAdmin):
         def get_actions(self, request):
             actions = super(CleanupAdminMixin, self).get_actions(request)
-...
                 actions['cleanup_action'] = cleanup_action, 'cleanup_action', cleanup_action.short_description
             return actions
     class NonceModelAdmin(admin.ModelAdmin):
         list_display = ("value", "context", "not_on_or_after")
     admin.site.register(Nonce, NonceModelAdmin)
     class AttributeValueAdmin(admin.ModelAdmin):
         list_display = ('content_type', 'owner', 'attribute',
                 'content')
         list_display = ('content_type', 'owner', 'attribute', 'content')
     admin.site.register(models.AttributeValue, AttributeValueAdmin)
     class LogoutUrlAdmin(admin.ModelAdmin):
         list_display = ('provider', 'logout_url', 'logout_use_iframe', 'logout_use_iframe_timeout')
     admin.site.register(models.LogoutUrl, LogoutUrlAdmin)
     class AuthenticationEventAdmin(admin.ModelAdmin):
         list_display = ('when', 'who', 'how', 'nonce')
         list_filter = ('how',)
-...
         search_fields = ('who', 'nonce', 'how')
     admin.site.register(models.AuthenticationEvent, AuthenticationEventAdmin)
     class UserExternalIdAdmin(admin.ModelAdmin):
         list_display = ('user', 'source', 'external_id', 'created', 'updated')
         list_filter = ('source',)
         date_hierarchy = 'created'
         search_fields = ('user__username', 'source', 'external_id')
     admin.site.register(models.UserExternalId, UserExternalIdAdmin)
     class DeletedUserAdmin(admin.ModelAdmin):
         list_display = ('user', 'creation')
         date_hierarchy = 'creation'
-...
                 backend = auth.load_backend(backend_class)
                 try:
                     user = backend.get_user(user_id) or auth_models.AnonymousUser()
                 except:
                 except Exception:
                     user = _('deleted user %r') % user_id
                 return user
             user.short_description = _('user')
-...
         admin.site.register(Session, SessionAdmin)
     class ExternalUserListFilter(admin.SimpleListFilter):
         title = _('external')
-...
         def lookups(self, request, model_admin):
             return (
                     ('1', _('Yes')),
                     ('0', _('No'))
                 ('1', _('Yes')),
                 ('0', _('No'))
+            )
         def queryset(self, request, queryset):
-...
                 return queryset.filter(userexternalid__isnull=True)
             return queryset
     class UserRealmListFilter(admin.SimpleListFilter):
         # Human-readable title which will be displayed in the
         # right admin sidebar just above the filter options.
-...
             'missing_credential': _("You must at least give a username or an email to your user"),
+        }
         password = ReadOnlyPasswordHashField(label=_("Password"),
         password = ReadOnlyPasswordHashField(
             label=_("Password"),
             help_text=_("Raw passwords are not stored, so there is no way to see "
                         "this user's password, but you can change the password "
                         "using <a href=\"password/\">this form</a>."))
-...
                     code='missing_credential',
+                )
     class UserCreationForm(BaseUserForm):
         """
         A form that creates a user, with no privileges, from the given username and
-...
             'password_mismatch': _("The two password fields didn't match."),
             'missing_credential': _("You must at least give a username or an email to your user"),
+        }
         password1 = forms.CharField(label=_("Password"),
         password1 = forms.CharField(
             label=_("Password"),
             widget=forms.PasswordInput)
         password2 = forms.CharField(label=_("Password confirmation"),
         password2 = forms.CharField(
             label=_("Password confirmation"),
             widget=forms.PasswordInput,
             help_text=_("Enter the same password as above, for verification."))
-...
                 user.save()
             return user
     class AuthenticUserAdmin(UserAdmin):
         fieldsets = (
             (None, {'fields': ('uuid', 'ou', 'password')}),
-...
             (_('Important dates'), {'fields': ('last_login', 'date_joined')}),
+        )
         add_fieldsets = (
                 (None, {
                     'classes': ('wide',),
                     'fields': ('ou', 'username', 'first_name', 'last_name', 'email', 'password1', 'password2')}
                 ),
+            )
             (None, {
                 'classes': ('wide',),
                 'fields': ('ou', 'username', 'first_name', 'last_name', 'email', 'password1', 'password2')}),
+        )
         readonly_fields = ('uuid',)
         list_filter = UserAdmin.list_filter + (UserRealmListFilter,ExternalUserListFilter)
         list_filter = UserAdmin.list_filter + (UserRealmListFilter, ExternalUserListFilter)
         list_display = ['__str__', 'ou', 'first_name', 'last_name', 'email']
         def get_fieldsets(self, request, obj=None):
             fieldsets = deepcopy(super(AuthenticUserAdmin, self).get_fieldsets(request, obj))
             if obj:
                 if not request.user.is_superuser:
                     fieldsets[2][1]['fields'] = filter(lambda x: x !=
                             'is_superuser', fieldsets[2][1]['fields'])
                     fieldsets[2][1]['fields'] = filter(lambda x: x != 'is_superuser', fieldsets[2][1]['fields'])
                 qs = models.Attribute.objects.all()
                 insertion_idx = 2
             else:
-...
             kwargs['fields'] = fields
             return super(AuthenticUserAdmin, self).get_form(request, obj=obj, **kwargs)
     admin.site.register(User, AuthenticUserAdmin)
     class AttributeForm(forms.ModelForm):
         def __init__(self, *args, **kwargs):
-...
         def get_queryset(self, request):
             return self.model.all_objects.all()
     admin.site.register(models.Attribute, AttributeAdmin)
-...
     admin.site.login = login
     @never_cache
     def logout(request, extra_context=None):
         return utils.redirect_to_login(request, login_url='auth_logout')
-...
     admin.site.logout = logout
     admin.site.register(models.PasswordReset)
     admin.site.register(User, AuthenticUserAdmin)

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.conf.urls import url
     from . import api_views
     urlpatterns = [
                            url(r'^register/$', api_views.register,
                                name='a2-api-register'),
                            url(r'^password-change/$', api_views.password_change,
                                name='a2-api-password-change'),
                            url(r'^user/$', api_views.user,
                                name='a2-api-user'),
                            url(r'^roles/(?P<role_uuid>[\w+]*)/members/(?P<member_uuid>[^/]+)/$',
                                api_views.role_memberships, name='a2-api-role-member'),
                            url(r'^check-password/$', api_views.check_password,
                                name='a2-api-check-password'),
                            url(r'^validate-password/$', api_views.validate_password,
                                name='a2-api-validate-password'),
         url(r'^register/$', api_views.register, name='a2-api-register'),
         url(r'^password-change/$', api_views.password_change, name='a2-api-password-change'),
         url(r'^user/$', api_views.user, name='a2-api-user'),
         url(r'^roles/(?P<role_uuid>[\w+]*)/members/(?P<member_uuid>[^/]+)/$', api_views.role_memberships,
             name='a2-api-role-member'),
         url(r'^check-password/$', api_views.check_password, name='a2-api-check-password'),
         url(r'^validate-password/$', api_views.validate_password, name='a2-api-validate-password'),
+    ]
     urlpatterns += api_views.router.urls

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2018 Entr'ouvert
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
-...
     from django.db import models
     from django.contrib.auth import get_user_model
     from django.core.exceptions import MultipleObjectsReturned
     from django.utils import six
     from django.utils.translation import ugettext as _
     from django.utils.encoding import force_text
     from django.views.decorators.vary import vary_on_headers
-...
                         User.objects.filter(ou=ou, email__iexact=data['email']).exists():
                     raise serializers.ValidationError(
                         _('You already have an account'))
                 if (ou.username_is_unique and
                         'username' not in data):
                 if (ou.username_is_unique
                         and 'username' not in data):
                     raise serializers.ValidationError(
                         _('Username is required in this ou'))
                 if ou.username_is_unique and User.objects.filter(
-...
                         result['errors'] = [exc.detail]
             return result, status.HTTP_200_OK
     check_password = CheckPasswordAPI.as_view()
-...
             result['ok'] = ok
             return result, status.HTTP_200_OK
     validate_password = ValidatePasswordAPI.as_view()

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import sys
     import six
-...
         def has_default(self):
             return self.default != self.SENTINEL
     class AppSettings(object):
         def __init__(self, defaults):
             self.defaults = defaults
-...
             realms = {}
             if self.A2_REGISTRATION_REALM:
                 realms[self.A2_REGISTRATION_REALM] = self.A2_REGISTRATION_REALM
             def add_realms(new_realms):
                 for realm in new_realms:
                     if not isinstance(realm, (tuple, list)):
-...
                         return getattr(self.settings, other_key)
             if self.defaults[key].has_default():
                 return self.defaults[key].default
             raise ImproperlyConfigured('missing setting %s(%s) is mandatory' %
                     (key, self.defaults[key].description))
             raise ImproperlyConfigured(
                 'missing setting %s(%s) is mandatory' % (key, self.defaults[key].description))
     # Registration
     default_settings = dict(
         ATTRIBUTE_BACKENDS = Setting(
         ATTRIBUTE_BACKENDS=Setting(
             names=('A2_ATTRIBUTE_BACKENDS',),
             default=('authentic2.attributes_ng.sources.format',
                      'authentic2.attributes_ng.sources.function',
                      'authentic2.attributes_ng.sources.django_user',
                      'authentic2.attributes_ng.sources.ldap',
                      'authentic2.attributes_ng.sources.computed_targeted_id',
                      'authentic2.attributes_ng.sources.service_roles',
             default=(
                 'authentic2.attributes_ng.sources.format',
                 'authentic2.attributes_ng.sources.function',
                 'authentic2.attributes_ng.sources.django_user',
                 'authentic2.attributes_ng.sources.ldap',
                 'authentic2.attributes_ng.sources.computed_targeted_id',
                 'authentic2.attributes_ng.sources.service_roles',
             ),
             definition='List of attribute backend classes or modules',
         ),
         CAFILE = Setting(names=('AUTHENTIC2_CAFILE', 'CAFILE'),
                 default=None,
                 definition='File containing certificate chains as PEM certificates'),
         A2_REGISTRATION_URLCONF = Setting(default='authentic2.registration_backend.urls',
                     definition='Root urlconf for the /accounts endpoints'),
         A2_REGISTRATION_FORM_CLASS = Setting(default='authentic2.registration_backend.forms.RegistrationForm',
                     definition='Default registration form'),
         A2_REGISTRATION_COMPLETION_FORM_CLASS = Setting(default='authentic2.registration_backend.forms.RegistrationCompletionForm',
                     definition='Default registration completion form'),
         A2_REGISTRATION_SET_PASSWORD_FORM_CLASS = Setting(default='authentic2.registration_backend.forms.SetPasswordForm',
                     definition='Default set password form'),
         A2_REGISTRATION_CHANGE_PASSWORD_FORM_CLASS = Setting(default='authentic2.registration_backend.forms.PasswordChangeForm',
                     definition='Default change password form'),
         A2_REGISTRATION_CAN_DELETE_ACCOUNT = Setting(default=True,
                     definition='Can user self delete their account and all their data'),
         A2_REGISTRATION_CAN_CHANGE_PASSWORD = Setting(default=True, definition='Allow user to change its own password'),
         A2_REGISTRATION_EMAIL_BLACKLIST = Setting(default=[], definition='List of forbidden email '
                                                   'wildcards, ex.: ^.*@ville.fr$'),
         A2_REGISTRATION_REDIRECT = Setting(default=None, definition='Forced redirection after each redirect, NEXT_URL '
                                            ' substring is replaced by the original next_url passed to /accounts/register/'),
         A2_PROFILE_CAN_CHANGE_EMAIL = Setting(default=True,
                     definition='Can user self change their email'),
         A2_PROFILE_CAN_EDIT_PROFILE = Setting(default=True,
                     definition='Can user self edit their profile'),
         A2_PROFILE_CAN_MANAGE_FEDERATION = Setting(default=True,
                     definition='Can user manage its federations'),
         A2_PROFILE_DISPLAY_EMPTY_FIELDS = Setting(default=False,
                     definition='Include empty fields in profile view'),
         A2_HOMEPAGE_URL = Setting(default=None, definition='IdP has no homepage, '
             'redirect to this one.'),
         A2_USER_CAN_RESET_PASSWORD = Setting(default=None, definition='Allow online reset of passwords'),
         A2_EMAIL_IS_UNIQUE = Setting(default=False,
         CAFILE=Setting(
             names=('AUTHENTIC2_CAFILE', 'CAFILE'),
             default=None,
             definition='File containing certificate chains as PEM certificates'),
         A2_REGISTRATION_CAN_DELETE_ACCOUNT=Setting(
             default=True,
             definition='Can user self delete their account and all their data'),
         A2_REGISTRATION_CAN_CHANGE_PASSWORD=Setting(
             default=True,
             definition='Allow user to change its own password'),
         A2_REGISTRATION_EMAIL_BLACKLIST=Setting(
             default=[],
             definition='List of forbidden email wildcards, ex.: ^.*@ville.fr$'),
         A2_REGISTRATION_REDIRECT=Setting(
             default=None,
             definition='Forced redirection after each redirect, NEXT_URL substring is replaced'
             ' by the original next_url passed to /accounts/register/'),
         A2_PROFILE_CAN_CHANGE_EMAIL=Setting(
             default=True,
             definition='Can user self change their email'),
         A2_PROFILE_CAN_EDIT_PROFILE=Setting(
             default=True,
             definition='Can user self edit their profile'),
         A2_PROFILE_CAN_MANAGE_FEDERATION=Setting(
             default=True,
             definition='Can user manage its federations'),
         A2_PROFILE_DISPLAY_EMPTY_FIELDS=Setting(
             default=False,
             definition='Include empty fields in profile view'),
         A2_HOMEPAGE_URL=Setting(
             default=None,
             definition='IdP has no homepage, redirect to this one.'),
         A2_USER_CAN_RESET_PASSWORD=Setting(
             default=None,
             definition='Allow online reset of passwords'),
         A2_EMAIL_IS_UNIQUE=Setting(
             default=False,
             definition='Email of users must be unique'),
         A2_REGISTRATION_EMAIL_IS_UNIQUE = Setting(default=False,
         A2_REGISTRATION_EMAIL_IS_UNIQUE=Setting(
             default=False,
             definition='Email of registererd accounts must be unique'),
         A2_REGISTRATION_FORM_USERNAME_REGEX=Setting(default=r'^[\w.@+-]+$', definition='Regex to validate usernames'),
         A2_REGISTRATION_FORM_USERNAME_HELP_TEXT=Setting(default=_('Required. At most '
             '30 characters. Letters, digits, and @/./+/-/_ only.')),
         A2_REGISTRATION_FORM_USERNAME_LABEL=Setting(default=_('Username')),
         A2_REGISTRATION_REALM=Setting(default=None, definition='Default realm to assign to self-registrated users'),
         A2_REGISTRATION_GROUPS=Setting(default=(), definition='Default groups for self-registered users'),
         A2_PROFILE_FIELDS=Setting(default=(), definition='Fields to show to the user in the profile page'),
         A2_REGISTRATION_FIELDS=Setting(default=(), definition='Fields from the user model that must appear on the registration form'),
         A2_REQUIRED_FIELDS=Setting(default=(), definition='User fields that are required'),
         A2_REGISTRATION_REQUIRED_FIELDS=Setting(default=(), definition='Fields from the registration form that must be required'),
         A2_PRE_REGISTRATION_FIELDS=Setting(default=(), definition='User fields to ask with email'),
         A2_REALMS=Setting(default=(), definition='List of realms to search user accounts'),
         A2_USERNAME_REGEX=Setting(default=None, definition='Regex that username must validate'),
         A2_USERNAME_LABEL=Setting(default=None, definition='Alternate username label for the login'
                                   ' form'),
         A2_USERNAME_HELP_TEXT=Setting(default=None, definition='Help text to explain validation rules of usernames'),
         A2_USERNAME_IS_UNIQUE=Setting(default=True, definition='Check username uniqueness'),
         A2_LOGIN_FORM_OU_SELECTOR=Setting(default=False, definition='Whether to add an OU selector to the login form'),
         A2_LOGIN_FORM_OU_SELECTOR_LABEL=Setting(default=None, definition='Label of OU field on login page'),
         A2_REGISTRATION_USERNAME_IS_UNIQUE=Setting(default=True, definition='Check username uniqueness on registration'),
         A2_REGISTRATION_FORM_USERNAME_REGEX=Setting(
             default=r'^[\w.@+-]+$',
             definition='Regex to validate usernames'),
         A2_REGISTRATION_FORM_USERNAME_HELP_TEXT=Setting(
             default=_('Required. At most 30 characters. Letters, digits, and @/./+/-/_ only.')),
         A2_REGISTRATION_FORM_USERNAME_LABEL=Setting(
             default=_('Username')),
         A2_REGISTRATION_REALM=Setting(
             default=None,
             definition='Default realm to assign to self-registrated users'),
         A2_REGISTRATION_GROUPS=Setting(
             default=(),
             definition='Default groups for self-registered users'),
         A2_PROFILE_FIELDS=Setting(
             default=(),
             definition='Fields to show to the user in the profile page'),
         A2_REGISTRATION_FIELDS=Setting(
             default=(),
             definition='Fields from the user model that must appear on the registration form'),
         A2_REQUIRED_FIELDS=Setting(
             default=(),
             definition='User fields that are required'),
         A2_REGISTRATION_REQUIRED_FIELDS=Setting(
             default=(),
             definition='Fields from the registration form that must be required'),
         A2_PRE_REGISTRATION_FIELDS=Setting(
             default=(),
             definition='User fields to ask with email'),
         A2_REALMS=Setting(
             default=(),
             definition='List of realms to search user accounts'),
         A2_USERNAME_REGEX=Setting(
             default=None,
             definition='Regex that username must validate'),
         A2_USERNAME_LABEL=Setting(
             default=None,
             definition='Alternate username label for the login form'),
         A2_USERNAME_HELP_TEXT=Setting(
             default=None,
             definition='Help text to explain validation rules of usernames'),
         A2_USERNAME_IS_UNIQUE=Setting(
             default=True,
             definition='Check username uniqueness'),
         A2_LOGIN_FORM_OU_SELECTOR=Setting(
             default=False,
             definition='Whether to add an OU selector to the login form'),
         A2_LOGIN_FORM_OU_SELECTOR_LABEL=Setting(
             default=None,
             definition='Label of OU field on login page'),
         A2_REGISTRATION_USERNAME_IS_UNIQUE=Setting(
             default=True,
             definition='Check username uniqueness on registration'),
         IDP_BACKENDS=(),
         AUTH_FRONTENDS=(),
         AUTH_FRONTENDS_KWARGS={},
         VALID_REFERERS=Setting(default=(), definition='List of prefix to match referers'),
         A2_OPENED_SESSION_COOKIE_NAME=Setting(default='A2_OPENED_SESSION', definition='Authentic session open'),
         A2_OPENED_SESSION_COOKIE_DOMAIN=Setting(default=None),
         A2_ATTRIBUTE_KINDS=Setting(default=(), definition='List of other attribute kinds'),
         A2_ATTRIBUTE_KIND_PROFILE_IMAGE_SIZE=Setting(default=200, definition='Width and height for a profile image'),
         A2_VALIDATE_EMAIL=Setting(default=False, definition='Validate user email server by doing an RCPT command'),
         A2_VALIDATE_EMAIL_DOMAIN=Setting(default=True, definition='Validate user email domain'),
         A2_PASSWORD_POLICY_MIN_CLASSES=Setting(default=3, definition='Minimum number of characters classes to be present in passwords'),
         A2_PASSWORD_POLICY_MIN_LENGTH=Setting(default=8, definition='Minimum number of characters in a password'),
         A2_PASSWORD_POLICY_REGEX=Setting(default=None, definition='Regular expression for validating passwords'),
         A2_PASSWORD_POLICY_REGEX_ERROR_MSG=Setting(default=None, definition='Error message to show when the password do not validate the regular expression'),
         VALID_REFERERS=Setting(
             default=(),
             definition='List of prefix to match referers'),
         A2_OPENED_SESSION_COOKIE_NAME=Setting(
             default='A2_OPENED_SESSION',
             definition='Authentic session open'),
         A2_OPENED_SESSION_COOKIE_DOMAIN=Setting(
             default=None),
         A2_ATTRIBUTE_KINDS=Setting(
             default=(),
             definition='List of other attribute kinds'),
         A2_ATTRIBUTE_KIND_PROFILE_IMAGE_SIZE=Setting(
             default=200,
             definition='Width and height for a profile image'),
         A2_VALIDATE_EMAIL=Setting(
             default=False,
             definition='Validate user email server by doing an RCPT command'),
         A2_VALIDATE_EMAIL_DOMAIN=Setting(
             default=True,
             definition='Validate user email domain'),
         A2_PASSWORD_POLICY_MIN_CLASSES=Setting(
             default=3,
             definition='Minimum number of characters classes to be present in passwords'),
         A2_PASSWORD_POLICY_MIN_LENGTH=Setting(
             default=8,
             definition='Minimum number of characters in a password'),
         A2_PASSWORD_POLICY_REGEX=Setting(
             default=None,
             definition='Regular expression for validating passwords'),
         A2_PASSWORD_POLICY_REGEX_ERROR_MSG=Setting(
             default=None,
             definition='Error message to show when the password do not validate the regular expression'),
         A2_PASSWORD_POLICY_CLASS=Setting(
             default='authentic2.passwords.DefaultPasswordChecker',
             definition='path of a class to validate passwords'),
         A2_PASSWORD_POLICY_SHOW_LAST_CHAR=Setting(default=False, definition='Show last character in password fields'),
         A2_AUTH_PASSWORD_ENABLE=Setting(default=True, definition='Activate login/password authentication', names=('AUTH_PASSWORD',)),
         A2_LOGIN_FAILURE_COUNT_BEFORE_WARNING=Setting(default=0,
                 definition='Failure count before logging a warning to '
                 'authentic2.user_login_failure. No warning will be send if value is '
                 '0.'),
         PUSH_PROFILE_UPDATES=Setting(default=False, definition='Push profile update to linked services'),
         TEMPLATE_VARS=Setting(default={}, definition='Variable to pass to templates'),
         A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_FACTOR=Setting(default=1.8,
                 definition='exponential backoff factor duration as seconds until '
                 'next try after a login failure'),
         A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_DURATION=Setting(default=0,
                 definition='exponential backoff base factor duration as secondss '
                 'until next try after a login failure'),
         A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_MAX_DURATION=Setting(default=3600,
                 definition='maximum exponential backoff maximum duration as seconds until '
                 'next try after a login failure'),
         A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_MIN_DURATION=Setting(default=10,
                 definition='minimum exponential backoff maximum duration as seconds until '
                 'next try after a login failure'),
         A2_VERIFY_SSL=Setting(default=True, definition='Verify SSL certificate in HTTP requests'),
         A2_ATTRIBUTE_KIND_TITLE_CHOICES=Setting(default=(), definition='Choices for the title attribute kind'),
         A2_CORS_WHITELIST=Setting(default=(), definition='List of origin URL to whitelist, must be scheme://netloc[:port]'),
         A2_EMAIL_CHANGE_TOKEN_LIFETIME=Setting(default=7200, definition='Lifetime in seconds of the '
                                                'token sent to verify email adresses'),
         A2_PASSWORD_POLICY_SHOW_LAST_CHAR=Setting(
             default=False,
             definition='Show last character in password fields'),
         A2_AUTH_PASSWORD_ENABLE=Setting(
             default=True,
             definition='Activate login/password authentication', names=('AUTH_PASSWORD',)),
         A2_LOGIN_FAILURE_COUNT_BEFORE_WARNING=Setting(
             default=0,
             definition='Failure count before logging a warning to '
             'authentic2.user_login_failure. No warning will be send if value is '
             '0.'),
         PUSH_PROFILE_UPDATES=Setting(
             default=False,
             definition='Push profile update to linked services'),
         TEMPLATE_VARS=Setting(
             default={},
             definition='Variable to pass to templates'),
         A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_FACTOR=Setting(
             default=1.8,
             definition='exponential backoff factor duration as seconds until '
             'next try after a login failure'),
         A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_DURATION=Setting(
             default=0,
             definition='exponential backoff base factor duration as secondss '
             'until next try after a login failure'),
         A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_MAX_DURATION=Setting(
             default=3600,
             definition='maximum exponential backoff maximum duration as seconds until '
             'next try after a login failure'),
         A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_MIN_DURATION=Setting(
             default=10,
             definition='minimum exponential backoff maximum duration as seconds until '
             'next try after a login failure'),
         A2_VERIFY_SSL=Setting(
             default=True,
             definition='Verify SSL certificate in HTTP requests'),
         A2_ATTRIBUTE_KIND_TITLE_CHOICES=Setting(
             default=(),
             definition='Choices for the title attribute kind'),
         A2_CORS_WHITELIST=Setting(
             default=(),
             definition='List of origin URL to whitelist, must be scheme://netloc[:port]'),
         A2_EMAIL_CHANGE_TOKEN_LIFETIME=Setting(
             default=7200,
             definition='Lifetime in seconds of the token sent to verify email adresses'),
         A2_REDIRECT_WHITELIST=Setting(
             default=(),
             definition='List of origins which are authorized to ask for redirection.'),
-...
         A2_USER_REMEMBER_ME=Setting(
             default=None,
             definition='Session duration as seconds when using the remember me '
                       'checkbox. Truthiness activates the checkbox.'),
             'checkbox. Truthiness activates the checkbox.'),
         A2_LOGIN_REDIRECT_AUTHENTICATED_USERS_TO_HOMEPAGE=Setting(
             default=False,
             definition='Redirect authenticated users to homepage'),
         A2_SET_RANDOM_PASSWORD_ON_RESET=Setting(
             default=True,
             definition='Set a random password on request to reset the password from the front-office'),
         A2_ACCOUNTS_URL=Setting(default=None, definition='IdP has no account page, redirect to this one.'),
         A2_CACHE_ENABLED=Setting(default=True, definition='Disable all cache decorators for testing purpose.'),
         A2_ACCEPT_EMAIL_AUTHENTICATION=Setting(default=True, definition='Enable authentication by email'),
         A2_ACCOUNTS_URL=Setting(
             default=None,
             definition='IdP has no account page, redirect to this one.'),
         A2_CACHE_ENABLED=Setting(
             default=True,
             definition='Disable all cache decorators for testing purpose.'),
         A2_ACCEPT_EMAIL_AUTHENTICATION=Setting(
             default=True,
             definition='Enable authentication by email'),
+    )
     app_settings = AppSettings(default_settings)

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import re
     from django.apps import AppConfig
-...
             else:
                 expected_type = 'TEXT'
             def convert_column_to_json(model, column_name):
                 table_name = model._meta.db_table

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import re
     import string
     import datetime
     import io
     import hashlib
     import os
-...
     from django.utils.functional import allow_lazy
     from django.utils import html
     from django.template.defaultfilters import capfirst
     from django.core.files import File
     from django.core.files.storage import default_storage
     from rest_framework import serializers
-...
     def get_title_choices():
         return app_settings.A2_ATTRIBUTE_KIND_TITLE_CHOICES or DEFAULT_TITLE_CHOICES
     validate_phone_number = RegexValidator('^\+?\d{,20}$', message=_('Phone number can start with a + '
                                                                      'an must contain only digits.'))
     validate_phone_number = RegexValidator(
         r'^\+?\d{,20}$',
         message=_('Phone number can start with a + an must contain only digits.'))
     class PhoneNumberField(forms.CharField):
-...
         def clean(self, value):
             if value not in self.empty_values:
                 value = re.sub('[-.\s]', '', value)
                 value = re.sub(r'[-.\s]', '', value)
                 validate_phone_number(value)
             return value
-...
     validate_fr_postcode = RegexValidator(
         '^\d{5}$', message=_('The value must be a valid french postcode'))
         r'^\d{5}$',
         message=_('The value must be a valid french postcode'))
     class FrPostcodeField(forms.CharField):
-...
     def validate_lun(value):
         l = [(int(x) * (1 + i % 2)) for i, x in enumerate(reversed(value))]
         l = [(int(x) * (1 + i % 2)) for i, x in enumerate(reversed(value))]  # noqa: E741
         return sum(x - 9 if x > 10 else x for x in l) % 10 == 0

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import logging
     from django.core.exceptions import ImproperlyConfigured
     from django.utils.translation import ugettext as _
     from ..decorators import to_iter, to_list
-...
         def __str__(self):
             return 'UnsortableError: %r' % self.unsortable_instances
     def topological_sort(source_and_instances, ctx, raise_on_unsortable=False):
         '''
         Sort instances topologically based on their dependency declarations.
-...
                 else:
                     new_unsorted.append((source, instance))
             unsorted = new_unsorted
             if len(sorted_list) == len(source_and_instances): # finished !
             if len(sorted_list) == len(source_and_instances):  # finished !
                 break
             elif count_sorted == len(sorted_list): # no progress !
             elif count_sorted == len(sorted_list):  # no progress !
                 if raise_on_unsortable:
                     raise UnsortableError(sorted_list, unsorted)
                 else:
-...
                     for source, instance in unsorted:
                         dependencies = set(source.get_dependencies(instance, ctx))
                         sorted_list.append((source, instance))
                         logger.debug('missing dependencies for instance %r of %r: %s',
                                 instance, source,
                                 list(dependencies-variables))
                         logger.debug('missing dependencies for instance %r of %r: %s', instance, source,
                                      list(dependencies - variables))
                     break
         return sorted_list
     @to_list
     def get_sources():
         '''
-...
                 for path in plugin.get_attribute_backends():
                     yield utils.import_module_or_class(path)
     @to_list
     def get_attribute_names(ctx):
         '''
-...
         '''
         source_and_instances = []
         for source in get_sources():
             source_and_instances.extend(((source, instance) for instance in
                 source.get_instances(ctx)))
             source_and_instances.extend(((source, instance) for instance in source.get_instances(ctx)))
         source_and_instances = topological_sort(source_and_instances, ctx)
         ctx = ctx.copy()
         for source, instance in source_and_instances:

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import abc
     from django.utils import six

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     '''
     Compute a targeted id based on a hash of existing attributes, to compute a
     targetd id for a service provider and a user coming from an LDAP store using
-...
     REQUIRED_KEYS = set(('name', 'source_attributes', 'salt'))
     UNEXPECTED_KEYS_ERROR = \
             '{0}: unexpected key(s) {1} in configuration'
     MISSING_KEYS_ERROR = \
             '{0}: missing key(s) {1} in configuration'
     BAD_CONFIG_ERROR = \
             '{0}: template attribute source must contain a name, a list of dependencies and a function'
     NOT_CALLABLE_ERROR = \
             '{0}: function attribute must be callable'
     UNEXPECTED_KEYS_ERROR = '{0}: unexpected key(s) {1} in configuration'
     MISSING_KEYS_ERROR = '{0}: missing key(s) {1} in configuration'
     BAD_CONFIG_ERROR = '{0}: template attribute source must contain a name, a list of dependencies and a function'
     NOT_CALLABLE_ERROR = '{0}: function attribute must be callable'
     SOURCE_ATTRIBUTE_TYPE_ERROR = '{0}: source_attributes must be a list of string'
     def config_error(fmt, *args):
         raise ImproperlyConfigured(fmt.format(__name__, *args))
     @to_list
     def get_instances(ctx):
         '''
-...
         name = instance['name']
         return ((name, instance.get('label', name)),)
     def get_dependencies(instance, ctx):
         return instance['source_attributes']
     def get_attributes(instance, ctx):
         source_attributes = instance['source_attributes']
         source_attributes_values = []

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.contrib.auth import get_user_model
     from django.utils import six
     from django.utils.translation import ugettext_lazy as _
-...
     from ...models import Attribute, AttributeValue
     from ...decorators import to_list
     from ...compat import get_user_model
     @to_list

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import six
     from django.core.exceptions import ImproperlyConfigured
-...
     AUTHORIZED_KEYS = set(('name', 'label', 'template'))
     @to_list
     def get_field_refs(format_string):
         '''
         Extract the base references from format_string
         '''
         from string import Formatter
         l = Formatter().parse(format_string)
         l = Formatter().parse(format_string)  # noqa: E741
         for p in l:
             field_ref = p[1].split('[', 1)[0]
             field_ref = field_ref.split('.', 1)[0]
         yield field_ref
     UNEXPECTED_KEYS_ERROR = \
             '{0}: unexpected ' 'key(s) {1} in configuration'
     FORMAT_STRING_ERROR = \
             '{0}: template string must contain only keyword references: {1}'
     BAD_CONFIG_ERROR = \
             'template attribute source must contain a name and at least a template'
     TYPE_ERROR = \
             'template attribute must be a string'
     UNEXPECTED_KEYS_ERROR = '{0}: unexpected ' 'key(s) {1} in configuration'
     FORMAT_STRING_ERROR = '{0}: template string must contain only keyword references: {1}'
     BAD_CONFIG_ERROR = 'template attribute source must contain a name and at least a template'
     TYPE_ERROR = 'template attribute must be a string'
     def config_error(fmt, *args):
         raise ImproperlyConfigured(fmt.format(__name__, *args))
     @to_list
     def get_instances(ctx):
         '''
-...
         name = instance['name']
         return ((name, instance.get('label', name)),)
     def get_dependencies(instance, ctx):
         return get_field_refs(instance['template'])
     def get_attributes(instance, ctx):
         return {instance['name']: instance['template'].format(**ctx)}

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.core.exceptions import ImproperlyConfigured
     from ...decorators import to_list
-...
     REQUIRED_KEYS = set(('name', 'dependencies', 'function'))
     UNEXPECTED_KEYS_ERROR = \
             '{0}: unexpected key(s) {1} in configuration'
     MISSING_KEYS_ERROR = \
             '{0}: missing key(s) {1} in configuration'
     BAD_CONFIG_ERROR = \
             '{0}: template attribute source must contain a name, a list of dependencies and a function'
     NOT_CALLABLE_ERROR = \
             '{0}: function attribute must be callable'
     UNEXPECTED_KEYS_ERROR = '{0}: unexpected key(s) {1} in configuration'
     MISSING_KEYS_ERROR = '{0}: missing key(s) {1} in configuration'
     BAD_CONFIG_ERROR = '{0}: template attribute source must contain a name, a list of dependencies and a function'
     NOT_CALLABLE_ERROR = '{0}: function attribute must be callable'
     DEPENDENCY_TYPE_ERROR = '{0}: dependencies must be a list of string'
     def config_error(fmt, *args):
         raise ImproperlyConfigured(fmt.format(__name__, *args))
     @to_list
     def get_instances(ctx):
         '''
-...
                     not all(map(lambda x: isinstance(x, str), dependencies)):
                 config_error(DEPENDENCY_TYPE_ERROR)
             if not callable(d['function']):
                 config_error(NOT_CALLABLE_ERROR)
             yield d
-...
         name = instance['name']
         return ((name, instance.get('label', name)),)
     def get_dependencies(instance, ctx):
         return instance.get('dependencies', ())
     def get_attributes(instance, ctx):
         args = instance.get('args', ())
         kwargs = instance.get('kwargs', {})

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from ...decorators import to_list
     from authentic2.backends.ldap_backend import LDAPBackend, LDAPUser
     @to_list
     def get_instances(ctx):
         '''
-...
         '''
         return [None]
     def get_attribute_names(instance, ctx):
         return LDAPBackend.get_attribute_names()
     def get_dependencies(instance, ctx):
         return ('user',)
     def get_attributes(instance, ctx):
         user = ctx.get('user')
         if user and isinstance(user, LDAPUser):

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.utils.translation import ugettext_lazy as _
     from ...models import Service

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     class Plugin(object):
         def get_before_urls(self):
             from . import app_settings
-...
             from authentic2.decorators import setting_enabled, required
             return required(
                     setting_enabled('ENABLE', settings=app_settings),
+                    [
                         url(r'^accounts/sslauth/', include(__name__ + '.urls'))])
                 setting_enabled('ENABLE', settings=app_settings),
                 [url(r'^accounts/sslauth/', include(__name__ + '.urls'))])
         def get_apps(self):
             return [__name__]

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.contrib import admin
     from . import models
     class ClientCertificateAdmin(admin.ModelAdmin):
         list_display = ('user', 'subject_dn', 'issuer_dn', 'serial')

     # -*- coding: utf-8 -*-
     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import sys
-...
     class AppSettings(object):
         '''Thanks django-allauth'''
         __DEFAULTS = dict(
                 # settings for TEST only, make it easy to simulate the SSL
                 # environment
                 ENABLE=False,
                 FORCE_ENV={},
                 ACCEPT_SELF_SIGNED=False,
                 STRICT_MATCH=False,
                 SUBJECT_MATCH_KEYS=('subject_dn', 'issuer_dn'),
                 CREATE_USERNAME_CALLBACK=None,
                 USE_COOKIE=False,
                 CREATE_USER=False,
             # settings for TEST only, make it easy to simulate the SSL
             # environment
             ENABLE=False,
             FORCE_ENV={},
             ACCEPT_SELF_SIGNED=False,
             STRICT_MATCH=False,
             SUBJECT_MATCH_KEYS=('subject_dn', 'issuer_dn'),
             CREATE_USERNAME_CALLBACK=None,
             USE_COOKIE=False,
             CREATE_USER=False,
+        )
         def __init__(self, prefix):
-...
         def _setting(self, name, dflt):
             from django.conf import settings
             return getattr(settings, self.prefix+name, dflt)
             return getattr(settings, self.prefix + name, dflt)
         def __getattr__(self, name):
             if name not in self.__DEFAULTS:

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.utils.translation import ugettext_lazy as _
     import django.forms

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.contrib.auth import get_user_model
     from django.db.models import Q
     import logging
     from authentic2.compat import get_user_model
     from authentic2.backends import is_user_authenticable
     from . import models, app_settings
     logger = logging.getLogger(__name__)
     User = get_user_model()
     class AuthenticationError(Exception):
         pass
-...
             simply return the user object. That way, we only need top look-up the
             certificate once, when loggin in
             """
             User = get_user_model()
             try:
                 return User.objects.get(id=user_id)
             except User.DoesNotExist:
-...
             just a subject for the ClientCertificate.
             """
             # auto creation only created a DN for the subject, not the issuer
             User = get_user_model()
             # get username and check if the user exists already
             if app_settings.CREATE_USERNAME_CALLBACK:

     from django.contrib.auth import authenticate, login
     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.contrib.auth import authenticate, login
     from . import util, app_settings
-...
         def process_request(self, request):
             if app_settings.USE_COOKIE and request.user.is_authenticated():
                 return
             ssl_info  = util.SSLInfo(request)
             ssl_info = util.SSLInfo(request)
             user = authenticate(ssl_info=ssl_info)
             if user and request.user != user:
                 login(request, user)

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.db import models
     from django.conf import settings
     from django.utils import six
     from . import util
     @six.python_2_unicode_compatible
     class ClientCertificate(models.Model):
         serial = models.CharField(max_length=255, blank=True)

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.conf.urls import url
     from .views import (handle_request, post_account_linking, delete_certificate,
             error_ssl)
     from .views import (handle_request, post_account_linking, delete_certificate, error_ssl)
     urlpatterns = [
         url(r'^$',

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import base64
     import six
-...
         'verify': 'SSL_CLIENT_VERIFY',
+    }
     def normalize_cert(certificate_pem):
         '''Normalize content of the certificate'''
         base64_content = ''.join(certificate_pem.splitlines()[1:-1])
         content = base64.b64decode(base64_content)
         return base64.b64encode(content)
     def explode_dn(dn):
         '''Extract sub element of a DN as displayed by mod_ssl or nginx_ssl'''
         dn = dn.strip('/')
         parts = dn.split('/')
         parts = [part.split('=') for part in parts]
         parts = [(part[0], part[1].decode('string_escape').decode('utf-8'))
                 for part in parts]
         parts = [(part[0], part[1].decode('string_escape').decode('utf-8')) for part in parts]
         return parts
     TRANSFORM = {
             'cert': normalize_cert,
         'cert': normalize_cert,
+    }
     class SSLInfo(object):
         """
         Encapsulates the SSL environment variables in a read-only object. It
-...
             else:
                 raise EnvironmentError('The SSL authentication currently only \
                     works with mod_python or wsgi requests')
             self.read_env(env);
             self.read_env(env)
             pass
         def read_env(self, env):
-...
                     else:
                         self.__dict__[attr] = None
             if self.__dict__['verify'] == 'SUCCESS':
                 self.__dict__['verify'] = True
             else:

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import logging
     from django.utils.translation import ugettext as _
-...
     logger = logging.getLogger(__name__)
     def handle_request(request):
         # Check certificate validity
         ssl_info  = util.SSLInfo(request)
         ssl_info = util.SSLInfo(request)
         accept_self_signed = app_settings.ACCEPT_SELF_SIGNED
         if not ssl_info.cert:
             logger.error('SSL Client Authentication failed: '
                 'SSL CGI variable CERT is missing')
             logger.error('SSL Client Authentication failed: SSL CGI variable CERT is missing')
             messages.add_message(request, messages.ERROR,
                 _('SSL Client Authentication failed. '
                 'No client certificate found.'))
                                  _('SSL Client Authentication failed. No client certificate found.'))
             return redirect_to_login(request)
         elif not accept_self_signed and not ssl_info.verify:
             logger.error('SSL Client Authentication failed: '
                 'SSL CGI variable VERIFY is not SUCCESS')
             logger.error('SSL Client Authentication failed: SSL CGI variable VERIFY is not SUCCESS')
             messages.add_message(request, messages.ERROR,
                 _('SSL Client Authentication failed. '
                 'Your client certificate is not valid.'))
                                  _('SSL Client Authentication failed. Your client certificate is not valid.'))
             return redirect_to_login(request)
         # SSL entries for this certificate?
-...
             else:
                 logger.error('account creation failure')
                 messages.add_message(request, messages.ERROR,
                 _('SSL Client Authentication failed. Internal server error.'))
                                      _('SSL Client Authentication failed. Internal server error.'))
                 return redirect_to_login(request)
         # No SSL entries and no user session, redirect account linking page
-...
         # No SSL entries but active user session, perform account linking
         if not user and request.user.is_authenticated():
             from backend import SSLBackend
             if SSLBackend().link_user(ssl_info, request.user):
                 logger.info('Successful linking of the SSL '
                    'Certificate to an account, redirection to %s' % next_url)
             else:
             if not SSLBackend().link_user(ssl_info, request.user):
                 logger.error('login() failed')
                 messages.add_message(request, messages.ERROR,
                 _('SSL Client Authentication failed. Internal server error.'))
                                      _('SSL Client Authentication failed. Internal server error.'))
                 return redirect_to_login(request)
             logger.info('Successful linking of the SSL Certificate to an account')
         # SSL Entries found for this certificate,
         # if the user is logged out, we login
-...
         # check that the SSL entry for the certificate is this user.
         # else, we make this certificate point on that user.
         if user.username != request.user.username:
             logger.warning(u'The certificate belongs to %s, '
                 'but %s is logged with, we change the association!',
                 user, request.user)
             logger.warning(u'The certificate belongs to %s, but %s is logged with, we change the association!',
                            user, request.user)
             from backends import SSLBackend
             cert = SSLBackend().get_certificate(ssl_info)
             cert.user = request.user
             cert.save()
         return continue_to_next_url(request)
     ###
      # post_account_linking
      # @request
+     #
      # Called after an account linking.
      ###
     @csrf_exempt
     def post_account_linking(request):
         logger.info('auth2_ssl Return after account linking form filled')
         if request.method == "POST":
             if 'do_creation' in request.POST \
                     and request.POST['do_creation'] == 'on':
                 logger.info('account creation asked')
             if 'do_creation' in request.POST and request.POST['do_creation'] == 'on':
                 request.session['do_creation'] = 'do_creation'
                 return redirect_to_login(request, login_url='user_signin_ssl')
             form = AuthenticationForm(data=request.POST)
             if form.is_valid():
                 logger.info('form valid')
                 user = form.get_user()
                 try:
                     login(request, user)
                     record_authentication_event(request, how='password')
                 except:
                     logger.error('login() failed')
                     messages.add_message(request, messages.ERROR,
                     _('SSL Client Authentication failed. Internal server error.'))
                 logger.debug('session opened')
                 login(request, user)
                 record_authentication_event(request, how='password')
                 return redirect_to_login(request, login_url='user_signin_ssl')
             else:
                 logger.warning('form not valid - Try again! (Brute force?)')
                 return render(request, 'auth/account_linking_ssl.html')
         else:
             return render(request, 'auth/account_linking_ssl.html')
     def profile(request, template_name='ssl/profile.html', *args, **kwargs):
         context = kwargs.pop('context', {})
         certificates = models.ClientCertificate.objects.filter(user=request.user)
         context.update({'certificates': certificates})
         return render_to_string(template_name, context, request=request)
     def delete_certificate(request, certificate_pk):
         qs = models.ClientCertificate.objects.filter(pk=certificate_pk)
         count = qs.count()
-...
         if count:
             logger.info('client certificate %s deleted', certificate_pk)
             messages.info(request, _('Certificate deleted.'))
         return redirect(request, 'account_management',
                 fragment='a2-ssl-certificate-profile')
         return redirect(request, 'account_management', fragment='a2-ssl-certificate-profile')
     class SslErrorView(TemplateView):
         template_name = 'error_ssl.html'

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from authentic2_idp_oidc.models import OIDCClient
     from rest_framework.exceptions import AuthenticationFailed

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.shortcuts import render
     from django.utils.translation import ugettext as _, ugettext_lazy
     from . import views, app_settings, utils, constants, forms
     from . import views, app_settings, utils, constants
     from .forms import authentication as authentication_forms
     class LoginPasswordAuthenticator(object):
-...
             context = kwargs.get('context', {})
             is_post = request.method == 'POST' and self.submit_name in request.POST
             data = request.POST if is_post else None
             form = forms.AuthenticationForm(request=request, data=data)
             form = authentication_forms.AuthenticationForm(request=request, data=data)
             if app_settings.A2_ACCEPT_EMAIL_AUTHENTICATION:
                 form.fields['username'].label = _('Username or email')
             if app_settings.A2_USERNAME_LABEL:

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.contrib.auth import get_user_model
     from authentic2 import app_settings
-...
         return get_user_queryset().filter(pk=user.pk).exists()
     from .ldap_backend import LDAPBackend
     from .models_backend import ModelBackend
     from .ldap_backend import LDAPBackend  # noqa: F401
     from .models_backend import ModelBackend  # noqa: F401

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     try:
         import ldap
         import ldap.modlist
-...
     # code originaly copied from by now merely inspired by
     # http://www.amherst.k12.oh.us/django-ldap.html
     log = logging.getLogger(__name__)
     from django.core.exceptions import ImproperlyConfigured
     from django.conf import settings
     from django.contrib.auth import get_user_model
     from django.contrib.auth.models import Group
     from django.utils.encoding import force_bytes, force_text
     from django.utils import six
     from django.utils.six.moves.urllib import parse as urlparse
     from django.utils import six
     from authentic2.a2_rbac.models import Role
     from authentic2.compat_lasso import lasso
     from authentic2 import crypto, app_settings
     from authentic2.decorators import to_list
     from authentic2.compat import get_user_model
     from authentic2.models import UserExternalId
     from authentic2.middleware import StoreRequestMiddleware
     from authentic2.user_login_failure import user_login_failure, user_login_success
-...
     from authentic2.backends import is_user_authenticable
     log = logging.getLogger(__name__)
     User = get_user_model()
     DEFAULT_CA_BUNDLE = ''
-...
         raise NotImplementedError
     class LDAPUser(get_user_model()):
     class LDAPUser(User):
         SESSION_LDAP_DATA_KEY = 'ldap-data'
         _changed = False
-...
         def update_request(self):
             request = StoreRequestMiddleware.get_request()
             if request:
                 assert not request.session is None
                 assert request.session is not None
                 self.init_to_session(request.session)
         def init_from_request(self):
             request = StoreRequestMiddleware.get_request()
             assert request and not request.session is None
             assert request and request.session is not None
             self.init_from_session(request.session)
         def keep_password(self, password):
-...
             'bindpw': '',
             'bindsasl': (),
             'user_dn_template': '',
             'user_filter': 'uid=%s',  # will be '(|(mail=%s)(uid=%s))' if A2_ACCEPT_EMAIL_AUTHENTICATION is set (see update_default)
             'user_filter': 'uid=%s',  # will be '(|(mail=%s)(uid=%s))' if
             # A2_ACCEPT_EMAIL_AUTHENTICATION is set (see update_default)
             'sync_ldap_users_filter': '',
             'user_basedn': '',
             'group_dn_template': '',
-...
                                 if not block['connect_with_user_credentials']:
                                     try:
                                         self.bind(block, conn)
                                     except Exception as e:
                                     except Exception:
                                         log.exception(u'rebind failure after login bind')
                                         raise ldap.SERVER_DOWN
                                 break
-...
                 for role_name in role_names:
                     role, error = self.get_role(block, role_id=role_name)
                     if role is None:
                         log.warning('error %s: couldn\'t retrieve role %r',
                                 error, role_name)
                         log.warning('error %s: couldn\'t retrieve role %r', error, role_name)
                         continue
                     # Add missing roles
                     if dn in role_dns and role not in roles:
-...
                 if group not in groups:
                     user.groups.add(group)
         def populate_mandatory_roles(self, user, block):
             mandatory_roles = block.get('set_mandatory_roles')
             if not mandatory_roles:
-...
             for role_name in mandatory_roles:
                 role, error = self.get_role(block, role_id=role_name)
                 if role is None:
                     log.warning('error %s: couldn\'t retrieve role %r',
                             error, role_name)
                     log.warning('error %s: couldn\'t retrieve role %r', error, role_name)
                     continue
                 if role not in roles:
                     user.roles.add(role)
-...
             return ' '.join(part for part in parts)
         def lookup_by_username(self, username):
             User = get_user_model()
             try:
                 log.debug('lookup using username %r', username)
                 return LDAPUser.objects.prefetch_related('groups').get(username=username)
-...
                 return
         def lookup_by_external_id(self, block, attributes):
             User = get_user_model()
             for eid_tuple in map_text(block['external_id_tuples']):
                 external_id = self.build_external_id(eid_tuple, attributes)
                 if not external_id:
-...
                     user = users[0]
                     if len(users) > 1:
                         log.info('found %d users, collectings roles into the first one and deleting the other ones.',
                                   len(users))
                                  len(users))
                         for other in users[1:]:
                             for r in other.roles.all():
                                 user.roles.add(r)
-...
                     if isinstance(cls._DEFAULTS[d], bool) and not isinstance(block[d], bool):
                         raise ImproperlyConfigured(
                             'LDAP_AUTH_SETTINGS: attribute %r must be a boolean' % d)
                     if (isinstance(cls._DEFAULTS[d], (list, tuple)) and
                             not isinstance(block[d], (list, tuple))):
                     if (isinstance(cls._DEFAULTS[d], (list, tuple))
                             and not isinstance(block[d], (list, tuple))):
                         raise ImproperlyConfigured(
                             'LDAP_AUTH_SETTINGS: attribute %r must be a list or a tuple' % d)
                     if isinstance(cls._DEFAULTS[d], dict) and not isinstance(block[d], dict):

src/authentic2/backends/models_backend.py
1		#
	1	# authentic2 - versatile identity manager
2	2	# Copyright (C) 2010-2019 Entr'ouvert
3	3	#
4	4	# This program is free software: you can redistribute it and/or modify it

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.views.decorators.csrf import ensure_csrf_cookie, csrf_exempt
     from django.utils.decorators import method_decorator

     from datetime import datetime
     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import inspect
     import django
     from django.conf import settings
     from django.db import connection
     from django.db.utils import OperationalError
     from django.core.exceptions import ImproperlyConfigured
     from django.contrib.auth.tokens import PasswordResetTokenGenerator
     try:
         from django.contrib.auth import get_user_model
     except ImportError:
         from django.contrib.auth.models import User
         get_user_model = lambda: User
     try:
         from django.db.transaction import atomic
         commit_on_success = atomic
     except ImportError:
         from django.db.transaction import commit_on_success
     user_model_label = getattr(settings, 'AUTH_USER_MODEL', 'auth.User')
     default_token_generator = PasswordResetTokenGenerator()

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     try:
         import lasso
     except ImportError:

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     NONCE_FIELD_NAME = 'nonce'
     CANCEL_FIELD_NAME = 'cancel'

     from collections import defaultdict
     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from pkg_resources import get_distribution
     from django.conf import settings
     from . import utils, app_settings, constants
     class UserFederations(object):
         '''Provide access to all federations of the current user'''
         def __init__(self, request):
             self.request = request
         def __getattr__(self, name):
             d = { 'provider': None, 'links': [] }
             d = {'provider': None, 'links': [] }
             if name.startswith('service_'):
                 try:
                     provider_id = int(name.split('_', 1)[1])
-...
     __AUTHENTIC2_DISTRIBUTION = None
     def a2_processor(request):
         global __AUTHENTIC2_DISTRIBUTION
         variables = {}

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from .decorators import SessionCache
     from django.conf import settings

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import base64
     import hashlib
     import struct
-...
         iv = hashmod.new(salt).digest()
         prf = lambda secret, salt: HMAC.new(secret, salt, hashmod).digest()
         def prf(secret, salt):
             return HMAC.new(secret, salt, hashmod).digest()
         aes_key = PBKDF2(key, iv, dkLen=key_size, count=count, prf=prf)
-...
         hashmod = SHA256
         key_size = 16
         hmac_size = key_size
         prf = lambda secret, salt: HMAC.new(secret, salt, hashmod).digest()
         def prf(secret, salt):
             return HMAC.new(secret, salt, hashmod).digest()
         try:
             try:

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     default_app_config = 'authentic2.custom_user.apps.CustomUserConfig'

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.db import DEFAULT_DB_ALIAS, router
     from django.apps import AppConfig

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from __future__ import unicode_literals, print_function
     import getpass
-...
             UserModel = get_user_model()
             qs = UserModel._default_manager.using(options.get('database'))
             qs = qs.filter(Q(uuid=username)|Q(username=username)|Q(email=username))
             qs = qs.filter(Q(uuid=username) | Q(username=username) | Q(email=username))
             try:
                 u = qs.get()
             except UserModel.DoesNotExist:
-...
                 while True:
                     print('Select a user:')
                     for i, user in enumerate(qs):
                         print('%d.' % (i+1), user)
                         print('%d.' % (i + 1), user)
                     print('> ', end=' ')
                     try:
                         j = input()
                     except SyntaxError:
                         print('Please enter an integer')
                         continue
                     if not isinstance(uid, int):
                     if not isinstance(j, int):
                         print('Please enter an integer')
                         continue
                     try:
                         u = qs[j-1]
                         u = qs[j - 1]
                         break
                     except IndexError:
                         print('Please enter an integer between 1 and %d' % qs.count())

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from __future__ import unicode_literals, print_function
     from django.core.management.base import BaseCommand

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.db import models
     from django.utils import timezone
     from django.contrib.auth.models import BaseUserManager
-...
             searchable_attributes = Attribute.objects.filter(searchable=True)
             queries = []
             for term in terms:
                 q = (models.query.Q(username__icontains=term) |
                      models.query.Q(first_name__icontains=term) |
                      models.query.Q(last_name__icontains=term) |
                      models.query.Q(email__icontains=term))
                 q = (
                     models.query.Q(username__icontains=term)
                     | models.query.Q(first_name__icontains=term)
                     | models.query.Q(last_name__icontains=term)
                     | models.query.Q(email__icontains=term)
+                )
                 for a in searchable_attributes:
                     if a.name in ('first_name', 'last_name'):
                         continue

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.db import models
     from django.utils import timezone
     from django.core.mail import send_mail
-...
         def __getattr__(self, name):
             v = getattr(self.user.attributes, name, None)
             return (
                 v is not None and
                 v == getattr(self.user.verified_attributes, name, None)
                 v is not None
                 and v == getattr(self.user.verified_attributes, name, None)
+            )
-...
         Username, password and email are required. Other fields are optional.
         """
         uuid = models.CharField(_('uuid'), max_length=32,
                 default=utils.get_hex_uuid, editable=False, unique=True)
         uuid = models.CharField(
             _('uuid'),
             max_length=32,
             default=utils.get_hex_uuid, editable=False, unique=True)
         username = models.CharField(_('username'), max_length=256, null=True, blank=True)
         first_name = models.CharField(_('first name'), max_length=128, blank=True)
         last_name = models.CharField(_('last name'), max_length=128, blank=True)
         email = models.EmailField(_('email address'), blank=True,
                 validators=[validators.EmailValidator], max_length=254)
         email = models.EmailField(
             _('email address'),
             blank=True,
             validators=[validators.EmailValidator],
             max_length=254)
         email_verified = models.BooleanField(
             default=False,
             verbose_name=_('email verified'))
         is_staff = models.BooleanField(_('staff status'), default=False,
         is_staff = models.BooleanField(
             _('staff status'),
             default=False,
             help_text=_('Designates whether the user can log into this admin '
                         'site.'))
         is_active = models.BooleanField(_('active'), default=True,
         is_active = models.BooleanField(
             _('active'),
             default=True,
             help_text=_('Designates whether this user should be treated as '
                         'active. Unselect this instead of deleting accounts.'))
         date_joined = models.DateTimeField(_('date joined'), default=timezone.now)

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.contrib.contenttypes.models import ContentType
     from django_rbac.models import Operation

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import base64
     import pickle
     import re
-...
     import time
     from functools import wraps
     from django.contrib.auth.decorators import login_required
     from django.views.debug import technical_404_response
     from django.http import Http404, HttpResponseForbidden, HttpResponse, HttpResponseBadRequest
     from django.core.cache import cache as django_cache
     from django.core.exceptions import ValidationError
     from django.utils import six
     from . import utils, app_settings, middleware
     from .utils import to_list, to_iter
     from . import app_settings, middleware
     # XXX: import to_list for retrocompaibility
     from .utils import to_list, to_iter  # noqa: F401
     class CacheUnusable(RuntimeError):
-...
             return f
         return decorator
     def setting_enabled(name, settings=app_settings):
         '''Generate a decorator for enabling a view based on a setting'''
         full_name = getattr(settings, 'prefix', '') + name
         def test():
             return getattr(settings, name, False)
         return unless(test, 'please enable %s' % full_name)
     def lasso_required():
         def test():
             try:
                 import lasso
                 import lasso  # noqa: F401
                 return True
             except ImportError:
                 return False
         return unless(test, 'please install lasso')
     def required(wrapping_functions,patterns_rslt):
     def required(wrapping_functions, patterns_rslt):
         '''
         Used to require 1..n decorators in any view returned by a url tree
-...
               patterns(...)
+          )
         '''
         if not hasattr(wrapping_functions,'__iter__'):
         if not hasattr(wrapping_functions, '__iter__'):
             wrapping_functions = (wrapping_functions,)
         return [
             _wrap_instance__resolve(wrapping_functions,instance)
             _wrap_instance__resolve(wrapping_functions, instance)
             for instance in patterns_rslt
+        ]
     def _wrap_instance__resolve(wrapping_functions,instance):
         if not hasattr(instance,'resolve'): return instance
         resolve = getattr(instance,'resolve')
         def _wrap_func_in_returned_resolver_match(*args,**kwargs):
             rslt = resolve(*args,**kwargs)
     def _wrap_instance__resolve(wrapping_functions, instance):
         if not hasattr(instance, 'resolve'):
             return instance
         resolve = getattr(instance, 'resolve')
             if not hasattr(rslt,'func'):return rslt
             f = getattr(rslt,'func')
         def _wrap_func_in_returned_resolver_match(*args, **kwargs):
             rslt = resolve(*args, **kwargs)
             if not hasattr(rslt, 'func'):
                 return rslt
             f = getattr(rslt, 'func')
             for _f in reversed(wrapping_functions):
                 # @decorate the function from inner to outter
                 f = _f(f)
             setattr(rslt,'func',f)
             setattr(rslt, 'func', f)
             return rslt
         setattr(instance,'resolve',_wrap_func_in_returned_resolver_match)
         setattr(instance, 'resolve', _wrap_func_in_returned_resolver_match)
         return instance
     class CacheDecoratorBase(object):
         '''Base class to build cache decorators.
-...
         '''
         def __new__(cls, *args, **kwargs):
             if len(args) > 1:
                 raise TypeError('%s got unexpected arguments, only one argument '
                         'must be given, the function to decorate' % cls.__name__)
                 raise TypeError(
                     '%s got unexpected arguments, only one argument must be given, the function to decorate' % cls.__name__)
             if args:
                 # Case of a decorator used directly
                 return cls(**kwargs)(args[0])
-...
                     key = self.key(*args, **kwargs)
                     value, tstamp = self.get(key)
                     if tstamp is not None:
                         if self.timeout is None or \
                            tstamp + self.timeout > now:
                                return value
                         if (self.timeout is None
                                 or tstamp + self.timeout > now):
                             return value
                         if hasattr(self, 'delete'):
                             self.delete(key, (key, tstamp))
                     value = func(*args, **kwargs)
                     self.set(key, (value, now))
                     return value
                 except CacheUnusable: # fallback when cache cannot be used
                 except CacheUnusable:  # fallback when cache cannot be used
                     return func(*args, **kwargs)
             f.cache = self
             return f
         def key(self, *args, **kwargs):
             '''Transform arguments to string and build a key from it'''
             parts = [str(id(self))] # add cache instance to the key
             parts = [str(id(self))]  # add cache instance to the key
             if self.hostname_vary:
                 request = middleware.StoreRequestMiddleware.get_request()
                 if request:
                     parts.append(request.get_host())
                 else:
                 else:
                     # if we cannot determine the hostname it's better to ignore the
                     # cache
                     raise CacheUnusable
-...
     def json(func):
         '''Convert view to a JSON or JSON web-service supporting CORS'''
         from . import cors
         @wraps(func)
         def f(request, *args, **kwargs):
             jsonp = False

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     """
         Discovery Service Responder
         See Identity Provider Discovery Service Protocol and Profile
-...
         try:
             liberty_provider = LibertyProvider.objects.get(entity_id=entity_id)
             liberty_provider.service_provider
         except:
             logger.warn("get_disco_return_url_from_metadata: "
                 "unknown service provider %s" \
                     % entity_id)
         except Exception:
             logger.warn('get_disco_return_url_from_metadata: unknown service provider %s', entity_id)
             return None
         dom = parseString(liberty_provider.metadata.encode('utf8'))
         endpoints = dom.getElementsByTagNameNS('urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol', 'DiscoveryResponse')
         endpoints = dom.getElementsByTagNameNS('urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol',
                                                'DiscoveryResponse')
         if not endpoints:
             logger.warn("get_disco_return_url_from_metadata: "
                 "no discovery service endpoint for %s" \
                     % entity_id)
             logger.warn('get_disco_return_url_from_metadata: no discovery service endpoint for %s', entity_id)
             return None
         ep = None
         value = 0
-...
                     value = int(endpoint.attributes['index'].value)
                     ep = endpoint
         if not ep:
             logger.warn("get_disco_return_url_from_metadata: "
                 "no valid endpoint for %s" \
                     % entity_id)
             logger.warn("get_disco_return_url_from_metadata: no valid endpoint for %s", entity_id)
             return None
         logger.debug("get_disco_return_url_from_metadata: "
             "found endpoint with index %s" \
                 % str(value))
         logger.debug('get_disco_return_url_from_metadata: found endpoint with index %s', value)
         if 'Location' in ep.attributes.keys():
             location = ep.attributes['Location'].value
             logger.debug("get_disco_return_url_from_metadata: "
                 "location is %s" \
                     % location)
             logger.debug('get_disco_return_url_from_metadata: location is %s', location)
             return location
         logger.warn("get_disco_return_url_from_metadata: "
             "no location found for endpoint with index %s" \
                 % str(value))
         logger.warn('get_disco_return_url_from_metadata: no location found for endpoint with index %s', value)
         return None
-...
         # Back from the selection interface
         if idp_selected:
             logger.info("disco: "
                 "back from the idp selection interface with value %s" \
                     % idp_selected)
             logger.info('disco: back from the idp selection interface with value %s', idp_selected)
             if not is_known_idp(idp_selected):
                 message = 'The idp is unknown.'
-...
             # Discovery request parameters
             entityID = request.GET.get('entityID', '')
             _return = request.GET.get('return', '')
             policy = request.GET.get('idp_selected',
         'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol:single')
             policy = request.GET.get('idp_selected', 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol:single')
             returnIDParam = request.GET.get('returnIDParam', 'entityID')
             # XXX: isPassive is unused
             isPassive = request.GET.get('isPassive', '')
             if isPassive and isPassive == 'true':
                 isPassive=True
                 isPassive = True
             else:
                 isPAssive=False
                 isPassive = False
         if not entityID:
             message = _('missing mandatory parameter entityID')
             return error_page(request, message, logger=logger)
         if policy != \
     'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol:single':
         if policy != 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol:single':
             message = _('policy %r not implemented') % policy
             return error_page(request, message, logger=logger)
-...
         else:
             return_url = _return
         if not return_url:
             message = _('unable to find a valid return url for %s' \
                 % entityID)
             message = _('unable to find a valid return url for %s') % entityID
             return error_page(request, message, logger=logger)
         # Check that the return_url does not already contain a param with name
         # equal to returnIDParam. Else, it is an unconformant SP.
         if is_param_id_in_return_url(return_url, returnIDParam):
             message = _('invalid return url %(return_url)s for %(entity_id)s' \
                 % dict(return_url=return_url, entity_id=entityID))
             message = _('invalid return url %(return_url)s for %(entity_id)s') % dict(
                 return_url=return_url, entity_id=entityID)
             return error_page(request, message, logger=logger)
         # not back from selection interface
-...
         if not idp_selected:
             # no idp selected and we must not interect with the user
             if isPassive:
                 #No IdP selected = just return to the return url
                 # No IdP selected = just return to the return url
                 return HttpResponseRedirect(return_url)
             # Go to selection interface
             else:
                 save_key_values(request, entityID, _return, policy, returnIDParam,
                     isPassive)
                 save_key_values(request, entityID, _return, policy, returnIDParam, isPassive)
                 return HttpResponseRedirect(reverse(idp_selection))
         # We got it!
         set_or_refresh_prefered_idp(request, idp_selected)
         return HttpResponseRedirect(add_param_to_url(return_url, returnIDParam,
             idp_selected))
         return HttpResponseRedirect(add_param_to_url(return_url, returnIDParam, idp_selected))
     def idp_selection(request):
         # XXX: Code here the IdP selection
         idp_selected = urlquote('http://www.identity-hub.com/idp/saml2/metadata')
         return HttpResponseRedirect('%s?idp_selected=%s' \
             % (reverse(disco), idp_selected))
         return HttpResponseRedirect('%s?idp_selected=%s' % (reverse(disco), idp_selected))
     urlpatterns = [
         url(r'^disco$', disco),

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import time
     import logging
     import hashlib

+    #
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import math
     from django import forms
     from django.forms.models import modelform_factory as django_modelform_factory
     from django.utils.translation import ugettext_lazy as _
     from django.contrib.auth import REDIRECT_FIELD_NAME, forms as auth_forms
     from django.utils import html
     from django.contrib.auth import authenticate
     from django_rbac.utils import get_ou_model
     from authentic2.utils import lazy_label
     from authentic2.compat import get_user_model
     from authentic2.forms.fields import PasswordField
     from .. import app_settings
     from ..exponential_retry_timeout import ExponentialRetryTimeout
     OU = get_ou_model()
     class EmailChangeFormNoPassword(forms.Form):
         email = forms.EmailField(label=_('New email'))
         def __init__(self, user, *args, **kwargs):
             self.user = user
             super(EmailChangeFormNoPassword, self).__init__(*args, **kwargs)
     class EmailChangeForm(EmailChangeFormNoPassword):
         password = forms.CharField(label=_("Password"),
                                    widget=forms.PasswordInput)
         def clean_email(self):
             email = self.cleaned_data['email']
             if email == self.user.email:
                 raise forms.ValidationError(_('This is already your email address.'))
             return email
         def clean_password(self):
             password = self.cleaned_data["password"]
             if not self.user.check_password(password):
                 raise forms.ValidationError(
                     _('Incorrect password.'),
                     code='password_incorrect',
+                )
             return password
     class NextUrlFormMixin(forms.Form):
         next_url = forms.CharField(widget=forms.HiddenInput(), required=False)
         def __init__(self, *args, **kwargs):
             from authentic2.middleware import StoreRequestMiddleware
             next_url = kwargs.pop('next_url', None)
             request = StoreRequestMiddleware.get_request()
             if not next_url and request:
                 next_url = request.GET.get(REDIRECT_FIELD_NAME)
             super(NextUrlFormMixin, self).__init__(*args, **kwargs)
             if next_url:
                 self.fields['next_url'].initial = next_url
     class BaseUserForm(forms.ModelForm):
         error_messages = {
             'duplicate_username': _("A user with that username already exists."),
+        }
         def __init__(self, *args, **kwargs):
             from authentic2 import models
             self.attributes = models.Attribute.objects.all()
             initial = kwargs.setdefault('initial', {})
             if kwargs.get('instance'):
                 instance = kwargs['instance']
                 for av in models.AttributeValue.objects.with_owner(instance):
                     if av.attribute.name in self.declared_fields:
                         if av.verified:
                             self.declared_fields[av.attribute.name].widget.attrs['readonly'] = 'readonly'
                         initial[av.attribute.name] = av.to_python()
             super(BaseUserForm, self).__init__(*args, **kwargs)
         def clean(self):
             from authentic2 import models
             # make sure verified fields are not modified
             for av in models.AttributeValue.objects.with_owner(
                     self.instance).filter(verified=True):
                 self.cleaned_data[av.attribute.name] = av.to_python()
             super(BaseUserForm, self).clean()
         def save_attributes(self):
             # only save non verified attributes here
             verified_attributes = set(
                 self.instance.attribute_values.filter(verified=True).values_list('attribute__name', flat=True)
+            )
             for attribute in self.attributes:
                 name = attribute.name
                 if name in self.fields and name not in verified_attributes:
                     value = self.cleaned_data[name]
                     setattr(self.instance.attributes, name, value)
         def save(self, commit=True):
             result = super(BaseUserForm, self).save(commit=commit)
             if commit:
                 self.save_attributes()
             else:
                 old = self.save_m2m
                 def save_m2m(*args, **kwargs):
                     old(*args, **kwargs)
                     self.save_attributes()
                 self.save_m2m = save_m2m
             return result
     class EditProfileForm(NextUrlFormMixin, BaseUserForm):
         pass
     def modelform_factory(model, **kwargs):
         '''Build a modelform for the given model,
            For the user model also add attribute based fields.
         '''
         from authentic2 import models
         form = kwargs.pop('form', None)
         fields = kwargs.get('fields') or []
         required = list(kwargs.pop('required', []) or [])
         d = {}
         # KV attributes are only supported for the user model currently
         modelform = None
         if issubclass(model, get_user_model()):
             if not form:
                 form = BaseUserForm
             attributes = models.Attribute.objects.all()
             for attribute in attributes:
                 if attribute.name not in fields:
                     continue
                 d[attribute.name] = attribute.get_form_field()
             for field in app_settings.A2_REQUIRED_FIELDS:
                 if field not in required:
                     required.append(field)
         if not form or not hasattr(form, 'Meta'):
             meta_d = {'model': model, 'fields': '__all__'}
             meta = type('Meta', (), meta_d)
             d['Meta'] = meta
         if not form:  # fallback
             form = forms.ModelForm
         modelform = None
         if required:
             def __init__(self, *args, **kwargs):
                 super(modelform, self).__init__(*args, **kwargs)
                 for field in required:
                     if field in self.fields:
                         self.fields[field].required = True
             d['__init__'] = __init__
         modelform = type(model.__name__ + 'ModelForm', (form,), d)
         kwargs['form'] = modelform
         modelform.required_css_class = 'form-field-required'
         return django_modelform_factory(model, **kwargs)
     class AuthenticationForm(auth_forms.AuthenticationForm):
         password = PasswordField(label=_('Password'))
         remember_me = forms.BooleanField(
             initial=False,
             required=False,
             label=_('Remember me'),
             help_text=_('Do not ask for authentication next time'))
         ou = forms.ModelChoiceField(
             label=lazy_label(_('Organizational unit'), lambda: app_settings.A2_LOGIN_FORM_OU_SELECTOR_LABEL),
             required=True,
             queryset=OU.objects.all())
         def __init__(self, *args, **kwargs):
             super(AuthenticationForm, self).__init__(*args, **kwargs)
             self.exponential_backoff = ExponentialRetryTimeout(
                 key_prefix='login-exp-backoff-',
                 duration=app_settings.A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_DURATION,
                 factor=app_settings.A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_FACTOR)
             if not app_settings.A2_USER_REMEMBER_ME:
                 del self.fields['remember_me']
             if not app_settings.A2_LOGIN_FORM_OU_SELECTOR:
                 del self.fields['ou']
             if self.request:
                 self.remote_addr = self.request.META['REMOTE_ADDR']
             else:
                 self.remote_addr = '0.0.0.0'
         def exp_backoff_keys(self):
             return self.cleaned_data['username'], self.remote_addr
         def clean(self):
             username = self.cleaned_data.get('username')
             password = self.cleaned_data.get('password')
             keys = None
             if username and password:
                 keys = self.exp_backoff_keys()
                 seconds_to_wait = self.exponential_backoff.seconds_to_wait(*keys)
                 if seconds_to_wait > app_settings.A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_MIN_DURATION:
                     seconds_to_wait -= app_settings.A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_MIN_DURATION
                     msg = _('You made too many login errors recently, you must '
                             'wait <span class="js-seconds-until">%s</span> seconds '
                             'to try again.')
                     msg = msg % int(math.ceil(seconds_to_wait))
                     msg = html.mark_safe(msg)
                     raise forms.ValidationError(msg)
             try:
                 self.clean_authenticate()
             except Exception:
                 if keys:
                     self.exponential_backoff.failure(*keys)
                 raise
             else:
                 if keys:
                     self.exponential_backoff.success(*keys)
             return self.cleaned_data
         def clean_authenticate(self):
             # copied from django.contrib.auth.forms.AuthenticationForm to add support for ou selector
             username = self.cleaned_data.get('username')
             password = self.cleaned_data.get('password')
             ou = self.cleaned_data.get('ou')
             if username is not None and password:
                 self.user_cache = authenticate(username=username, password=password, ou=ou, request=self.request)
                 if self.user_cache is None:
                     raise forms.ValidationError(
                         self.error_messages['invalid_login'],
                         code='invalid_login',
                         params={'username': self.username_field.verbose_name},
+                    )
                 else:
                     self.confirm_login_allowed(self.user_cache)
             return self.cleaned_data
         @property
         def media(self):
             media = super(AuthenticationForm, self).media
             media.add_js(['authentic2/js/js_seconds_until.js'])
             if app_settings.A2_LOGIN_FORM_OU_SELECTOR:
                 media.add_js(['authentic2/js/ou_selector.js'])
             return media
     class SiteImportForm(forms.Form):
         site_json = forms.FileField(label=_('Site Export File'))

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import math
     from django import forms
     from django.utils.translation import ugettext_lazy as _
     from django.contrib.auth import forms as auth_forms
     from django.utils import html
     from django.contrib.auth import authenticate
     from authentic2.forms.fields import PasswordField
     from ..a2_rbac.models import OrganizationalUnit as OU
     from .. import app_settings, utils
     from ..exponential_retry_timeout import ExponentialRetryTimeout
     class AuthenticationForm(auth_forms.AuthenticationForm):
         password = PasswordField(label=_('Password'))
         remember_me = forms.BooleanField(
             initial=False,
             required=False,
             label=_('Remember me'),
             help_text=_('Do not ask for authentication next time'))
         ou = forms.ModelChoiceField(
             label=utils.lazy_label(_('Organizational unit'), lambda: app_settings.A2_LOGIN_FORM_OU_SELECTOR_LABEL),
             required=True,
             queryset=OU.objects.all())
         def __init__(self, *args, **kwargs):
             super(AuthenticationForm, self).__init__(*args, **kwargs)
             self.exponential_backoff = ExponentialRetryTimeout(
                 key_prefix='login-exp-backoff-',
                 duration=app_settings.A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_DURATION,
                 factor=app_settings.A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_FACTOR)
             if not app_settings.A2_USER_REMEMBER_ME:
                 del self.fields['remember_me']
             if not app_settings.A2_LOGIN_FORM_OU_SELECTOR:
                 del self.fields['ou']
             if self.request:
                 self.remote_addr = self.request.META['REMOTE_ADDR']
             else:
                 self.remote_addr = '0.0.0.0'
         def exp_backoff_keys(self):
             return self.cleaned_data['username'], self.remote_addr
         def clean(self):
             username = self.cleaned_data.get('username')
             password = self.cleaned_data.get('password')
             keys = None
             if username and password:
                 keys = self.exp_backoff_keys()
                 seconds_to_wait = self.exponential_backoff.seconds_to_wait(*keys)
                 if seconds_to_wait > app_settings.A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_MIN_DURATION:
                     seconds_to_wait -= app_settings.A2_LOGIN_EXPONENTIAL_RETRY_TIMEOUT_MIN_DURATION
                     msg = _('You made too many login errors recently, you must '
                             'wait <span class="js-seconds-until">%s</span> seconds '
                             'to try again.')
                     msg = msg % int(math.ceil(seconds_to_wait))
                     msg = html.mark_safe(msg)
                     raise forms.ValidationError(msg)
             try:
                 self.clean_authenticate()
             except Exception:
                 if keys:
                     self.exponential_backoff.failure(*keys)
                 raise
             else:
                 if keys:
                     self.exponential_backoff.success(*keys)
             return self.cleaned_data
         def clean_authenticate(self):
             # copied from django.contrib.auth.forms.AuthenticationForm to add support for ou selector
             username = self.cleaned_data.get('username')
             password = self.cleaned_data.get('password')
             ou = self.cleaned_data.get('ou')
             if username is not None and password:
                 self.user_cache = authenticate(username=username, password=password, ou=ou, request=self.request)
                 if self.user_cache is None:
                     raise forms.ValidationError(
                         self.error_messages['invalid_login'],
                         code='invalid_login',
                         params={'username': self.username_field.verbose_name},
+                    )
                 else:
                     self.confirm_login_allowed(self.user_cache)
             return self.cleaned_data
         @property
         def media(self):
             media = super(AuthenticationForm, self).media
             media.add_js(['authentic2/js/js_seconds_until.js'])
             if app_settings.A2_LOGIN_FORM_OU_SELECTOR:
                 media.add_js(['authentic2/js/ou_selector.js'])
             return media

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import warnings
     import io

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import logging
     from collections import OrderedDict
     from django.contrib.auth import forms as auth_forms
     from django.core.exceptions import ValidationError
     from django.forms import Form
     from django import forms
     from django.utils.translation import ugettext_lazy as _
     from .. import models, hooks, app_settings, utils
     from ..backends import get_user_queryset
     from .fields import PasswordField, NewPasswordField, CheckPasswordField
     from .utils import NextUrlFormMixin
     logger = logging.getLogger(__name__)
     class PasswordResetForm(forms.Form):
         next_url = forms.CharField(widget=forms.HiddenInput, required=False)
         email = forms.EmailField(
             label=_("Email"), max_length=254)
         def save(self):
             """
             Generates a one-use only link for resetting password and sends to the
             user.
             """
             email = self.cleaned_data["email"].strip()
             users = get_user_queryset()
             active_users = users.filter(email__iexact=email, is_active=True)
             for user in active_users:
                 # we don't set the password to a random string, as some users should not have
                 # a password
                 set_random_password = (user.has_usable_password()
                                        and app_settings.A2_SET_RANDOM_PASSWORD_ON_RESET)
                 utils.send_password_reset_mail(
                     user,
                     set_random_password=set_random_password,
                     next_url=self.cleaned_data.get('next_url'))
             if not active_users:
                 logger.info(u'password reset requests for "%s", no user found')
             hooks.call_hooks('event', name='password-reset', email=email, users=active_users)
     class PasswordResetMixin(Form):
         '''Remove all password reset object for the current user when password is
            successfully changed.'''
         def save(self, commit=True):
             ret = super(PasswordResetMixin, self).save(commit=commit)
             if commit:
                 models.PasswordReset.objects.filter(user=self.user).delete()
             else:
                 old_save = self.user.save
                 def save(*args, **kwargs):
                     ret = old_save(*args, **kwargs)
                     models.PasswordReset.objects.filter(user=self.user).delete()
                     return ret
                 self.user.save = save
             return ret
     class NotifyOfPasswordChange(object):
         def save(self, commit=True):
             user = super(NotifyOfPasswordChange, self).save(commit=commit)
             if user.email:
                 ctx = {
                     'user': user,
                     'password': self.cleaned_data['new_password1'],
+                }
                 utils.send_templated_mail(user, "authentic2/password_change", ctx)
             return user
     class SetPasswordForm(NotifyOfPasswordChange, PasswordResetMixin, auth_forms.SetPasswordForm):
         new_password1 = NewPasswordField(label=_("New password"))
         new_password2 = CheckPasswordField(label=_("New password confirmation"))
         def clean_new_password1(self):
             new_password1 = self.cleaned_data.get('new_password1')
             if new_password1 and self.user.check_password(new_password1):
                 raise ValidationError(_('New password must differ from old password'))
             return new_password1
     class PasswordChangeForm(NotifyOfPasswordChange, NextUrlFormMixin, PasswordResetMixin,
                              auth_forms.PasswordChangeForm):
         old_password = PasswordField(label=_('Old password'))
         new_password1 = NewPasswordField(label=_('New password'))
         new_password2 = CheckPasswordField(label=_("New password confirmation"))
         def clean_new_password1(self):
             new_password1 = self.cleaned_data.get('new_password1')
             old_password = self.cleaned_data.get('old_password')
             if new_password1 and new_password1 == old_password:
                 raise ValidationError(_('New password must differ from old password'))
             return new_password1
     # make old_password the first field
     new_base_fields = OrderedDict()
     for k in ['old_password', 'new_password1', 'new_password2']:
         new_base_fields[k] = PasswordChangeForm.base_fields[k]
     for k in PasswordChangeForm.base_fields:
         if k not in ['old_password', 'new_password1', 'new_password2']:
             new_base_fields[k] = PasswordChangeForm.base_fields[k]
     PasswordChangeForm.base_fields = new_base_fields

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.forms.models import modelform_factory as dj_modelform_factory
     from django import forms
     from django.utils.translation import ugettext_lazy as _, ugettext
     from ..custom_user.models import User
     from .. import app_settings, models
     from .utils import NextUrlFormMixin
     class DeleteAccountForm(forms.Form):
         password = forms.CharField(widget=forms.PasswordInput, label=_("Password"))
         def __init__(self, *args, **kwargs):
             self.user = kwargs.pop('user')
             super(DeleteAccountForm, self).__init__(*args, **kwargs)
         def clean_password(self):
             password = self.cleaned_data.get('password')
             if password and not self.user.check_password(password):
                 raise forms.ValidationError(ugettext('Password is invalid'))
             return password
     class EmailChangeFormNoPassword(forms.Form):
         email = forms.EmailField(label=_('New email'))
         def __init__(self, user, *args, **kwargs):
             self.user = user
             super(EmailChangeFormNoPassword, self).__init__(*args, **kwargs)
     class EmailChangeForm(EmailChangeFormNoPassword):
         password = forms.CharField(label=_("Password"),
                                    widget=forms.PasswordInput)
         def clean_email(self):
             email = self.cleaned_data['email']
             if email == self.user.email:
                 raise forms.ValidationError(_('This is already your email address.'))
             return email
         def clean_password(self):
             password = self.cleaned_data["password"]
             if not self.user.check_password(password):
                 raise forms.ValidationError(
                     _('Incorrect password.'),
                     code='password_incorrect',
+                )
             return password
     class BaseUserForm(forms.ModelForm):
         error_messages = {
             'duplicate_username': _("A user with that username already exists."),
+        }
         def __init__(self, *args, **kwargs):
             from authentic2 import models
             self.attributes = models.Attribute.objects.all()
             initial = kwargs.setdefault('initial', {})
             if kwargs.get('instance'):
                 instance = kwargs['instance']
                 for av in models.AttributeValue.objects.with_owner(instance):
                     if av.attribute.name in self.declared_fields:
                         if av.verified:
                             self.declared_fields[av.attribute.name].widget.attrs['readonly'] = 'readonly'
                         initial[av.attribute.name] = av.to_python()
             super(BaseUserForm, self).__init__(*args, **kwargs)
         def clean(self):
             from authentic2 import models
             # make sure verified fields are not modified
             for av in models.AttributeValue.objects.with_owner(
                     self.instance).filter(verified=True):
                 self.cleaned_data[av.attribute.name] = av.to_python()
             super(BaseUserForm, self).clean()
         def save_attributes(self):
             # only save non verified attributes here
             verified_attributes = set(
                 self.instance.attribute_values.filter(verified=True).values_list('attribute__name', flat=True)
+            )
             for attribute in self.attributes:
                 name = attribute.name
                 if name in self.fields and name not in verified_attributes:
                     value = self.cleaned_data[name]
                     setattr(self.instance.attributes, name, value)
         def save(self, commit=True):
             result = super(BaseUserForm, self).save(commit=commit)
             if commit:
                 self.save_attributes()
             else:
                 old = self.save_m2m
                 def save_m2m(*args, **kwargs):
                     old(*args, **kwargs)
                     self.save_attributes()
                 self.save_m2m = save_m2m
             return result
     class EditProfileForm(NextUrlFormMixin, BaseUserForm):
         pass
     def modelform_factory(model, **kwargs):
         '''Build a modelform for the given model,
            For the user model also add attribute based fields.
         '''
         form = kwargs.pop('form', None)
         fields = kwargs.get('fields') or []
         required = list(kwargs.pop('required', []) or [])
         d = {}
         # KV attributes are only supported for the user model currently
         modelform = None
         if issubclass(model, User):
             if not form:
                 form = BaseUserForm
             attributes = models.Attribute.objects.all()
             for attribute in attributes:
                 if attribute.name not in fields:
                     continue
                 d[attribute.name] = attribute.get_form_field()
             for field in app_settings.A2_REQUIRED_FIELDS:
                 if field not in required:
                     required.append(field)
         if not form or not hasattr(form, 'Meta'):
             meta_d = {'model': model, 'fields': '__all__'}
             meta = type('Meta', (), meta_d)
             d['Meta'] = meta
         if not form:  # fallback
             form = forms.ModelForm
         modelform = None
         if required:
             def __init__(self, *args, **kwargs):
                 super(modelform, self).__init__(*args, **kwargs)
                 for field in required:
                     if field in self.fields:
                         self.fields[field].required = True
             d['__init__'] = __init__
         modelform = type(model.__name__ + 'ModelForm', (form,), d)
         kwargs['form'] = modelform
         modelform.required_css_class = 'form-field-required'
         return dj_modelform_factory(model, **kwargs)

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import re
     import copy
     from collections import OrderedDict
     from django.conf import settings
     from django.contrib.auth import get_user_model
     from django.core.exceptions import ValidationError
     from django.utils.translation import ugettext_lazy as _, ugettext
     from django.forms import ModelForm, Form, CharField, PasswordInput, EmailField
     from django.db.models.fields import FieldDoesNotExist
     from django.forms.utils import ErrorList
     from django.forms import Form, EmailField
     from django.contrib.auth.models import BaseUserManager, Group
     from django.contrib.auth import forms as auth_forms, get_user_model, REDIRECT_FIELD_NAME
     from django.core.mail import send_mail
     from django.core import signing
     from django.template import RequestContext
     from django.template.loader import render_to_string
     from django.core.urlresolvers import reverse
     from django.core.validators import RegexValidator
     from authentic2.forms.fields import PasswordField, NewPasswordField, CheckPasswordField
     from .. import app_settings, compat, forms, utils, validators, models, middleware, hooks
     from authentic2.forms.fields import NewPasswordField, CheckPasswordField
     from authentic2.a2_rbac.models import OrganizationalUnit
     User = compat.get_user_model()
     from .. import app_settings, models
     from . import profile as profile_forms
     User = get_user_model()
     class RegistrationForm(Form):
-...
             return email
     class RegistrationCompletionFormNoPassword(forms.BaseUserForm):
     class RegistrationCompletionFormNoPassword(profile_forms.BaseUserForm):
         error_css_class = 'form-field-error'
         required_css_class = 'form-field-required'
-...
                     ou = OrganizationalUnit.objects.get(pk=self.data['ou'])
                     username_is_unique |= ou.username_is_unique
                 if username_is_unique:
                     User = get_user_model()
                     exist = False
                     try:
                         User.objects.get(username=username)
-...
             if self.cleaned_data.get('email'):
                 email = self.cleaned_data['email']
                 if app_settings.A2_REGISTRATION_EMAIL_IS_UNIQUE:
                     User = get_user_model()
                     exist = False
                     try:
                         User.objects.get(email__iexact=email)
-...
                     raise ValidationError(_("The two password fields didn't match."))
                 self.instance.set_password(self.cleaned_data['password1'])
             return self.cleaned_data
     class PasswordResetMixin(Form):
         '''Remove all password reset object for the current user when password is
            successfully changed.'''
         def save(self, commit=True):
             ret = super(PasswordResetMixin, self).save(commit=commit)
             if commit:
                 models.PasswordReset.objects.filter(user=self.user).delete()
             else:
                 old_save = self.user.save
                 def save(*args, **kwargs):
                     ret = old_save(*args, **kwargs)
                     models.PasswordReset.objects.filter(user=self.user).delete()
                     return ret
                 self.user.save = save
             return ret
     class NotifyOfPasswordChange(object):
         def save(self, commit=True):
             user = super(NotifyOfPasswordChange, self).save(commit=commit)
             if user.email:
                 ctx = {
                     'user': user,
                     'password': self.cleaned_data['new_password1'],
+                }
                 utils.send_templated_mail(user, "authentic2/password_change", ctx)
             return user
     class SetPasswordForm(NotifyOfPasswordChange, PasswordResetMixin, auth_forms.SetPasswordForm):
         new_password1 = NewPasswordField(label=_("New password"))
         new_password2 = CheckPasswordField(label=_("New password confirmation"))
         def clean_new_password1(self):
             new_password1 = self.cleaned_data.get('new_password1')
             if new_password1 and self.user.check_password(new_password1):
                 raise ValidationError(_('New password must differ from old password'))
             return new_password1
     class PasswordChangeForm(NotifyOfPasswordChange, forms.NextUrlFormMixin, PasswordResetMixin,
                              auth_forms.PasswordChangeForm):
         old_password = PasswordField(label=_('Old password'))
         new_password1 = NewPasswordField(label=_('New password'))
         new_password2 = CheckPasswordField(label=_("New password confirmation"))
         def clean_new_password1(self):
             new_password1 = self.cleaned_data.get('new_password1')
             old_password = self.cleaned_data.get('old_password')
             if new_password1 and new_password1 == old_password:
                 raise ValidationError(_('New password must differ from old password'))
             return new_password1
     # make old_password the first field
     PasswordChangeForm.base_fields = OrderedDict(
         [(k, PasswordChangeForm.base_fields[k])
         for k in ['old_password', 'new_password1', 'new_password2']] +
         [(k, PasswordChangeForm.base_fields[k])
         for k in PasswordChangeForm.base_fields if k not in ['old_password', 'new_password1',
                                                              'new_password2']]
+    )
     class DeleteAccountForm(Form):
         password = CharField(widget=PasswordInput, label=_("Password"))
         def __init__(self, *args, **kwargs):
             self.user = kwargs.pop('user')
             super(DeleteAccountForm, self).__init__(*args, **kwargs)
         def clean_password(self):
             password = self.cleaned_data.get('password')
             if password and not self.user.check_password(password):
                 raise ValidationError(ugettext('Password is invalid'))
             return password

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django import forms
     from django.contrib.auth import REDIRECT_FIELD_NAME
     from ..middleware import StoreRequestMiddleware
     class NextUrlFormMixin(forms.Form):
         next_url = forms.CharField(widget=forms.HiddenInput(), required=False)
         def __init__(self, *args, **kwargs):
             next_url = kwargs.pop('next_url', None)
             request = StoreRequestMiddleware.get_request()
             if not next_url and request:
                 next_url = request.GET.get(REDIRECT_FIELD_NAME)
             super(NextUrlFormMixin, self).__init__(*args, **kwargs)
             if next_url:
                 self.fields['next_url'].initial = next_url

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     # Bootstrap django-datetime-widget is a simple and clean widget for DateField,
     # Timefiled and DateTimeField in Django framework. It is based on Bootstrap
     # datetime picker, supports Bootstrap 2
-...
     import uuid
     import django
     from django.forms.widgets import DateTimeInput, DateInput, TimeInput, \
             ClearableFileInput
     from django.forms.widgets import DateTimeInput, DateInput, TimeInput, ClearableFileInput
     from django.forms.widgets import PasswordInput as BasePasswordInput
     from django.utils.formats import get_language, get_format
     from django.utils.safestring import mark_safe
-...
             date_format = self.options['format']
             self.format = DATE_FORMAT_TO_PYTHON_REGEX.sub(
                 lambda x: DATE_FORMAT_JS_PY_MAPPING[x.group()],
                 date_format
+                )
                 date_format)
             super(PickerWidgetMixin, self).__init__(attrs, format=self.format)
-...
             final_attrs['class'] = "controls input-append date"
             rendered_widget = super(PickerWidgetMixin, self).render(name, value, final_attrs)
             #if not set, autoclose have to be true.
             # if not set, autoclose have to be true.
             self.options.setdefault('autoclose', True)
             # Build javascript options out of python dictionary
-...
                 help_text = u'%s %s' % (_('Format:'), self.options['format'])
             return mark_safe(BOOTSTRAP_INPUT_TEMPLATE % dict(
                         id=id,
                         rendered_widget=rendered_widget,
                         clear_button=CLEAR_BTN_TEMPLATE if self.options.get('clearBtn') else '',
                         glyphicon=self.glyphicon,
                         options=js_options,
                         help_text=help_text,
+                        )
+            )
                 id=id,
                 rendered_widget=rendered_widget,
                 clear_button=CLEAR_BTN_TEMPLATE if self.options.get('clearBtn') else '',
                 glyphicon=self.glyphicon,
                 options=js_options,
                 help_text=help_text))
     class DateTimeWidget(PickerWidgetMixin, DateTimeInput):
-...
     class ProfileImageInput(ClearableFileInput):
         if django.VERSION < (1, 9):
             template_with_initial = (
             '%(initial_text)s: <a href="%(initial_url)s"><img src="%(initial_url)s"/></a> '
             '%(clear_template)s<br />%(input_text)s: %(input)s'
                 '%(initial_text)s: <a href="%(initial_url)s"><img src="%(initial_url)s"/></a> '
                 '%(clear_template)s<br />%(input_text)s: %(input)s'
+            )
         else:
             template_name = "authentic2/profile_image_input.html"

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import hashlib
     import math
     import base64
-...
             assert salt and '$' not in salt
             h = salt
             password = force_bytes(password)
             for i in xrange(iterations+1):
             for i in range(iterations + 1):
                 h = self.digest(h + password).digest()
             return "%s$%d$%s$%s" % (self.algorithm, iterations, salt, self.b64encode(h)[:43])
-...
     OPENLDAP_ALGO_MAPPING = {
              #        hasher? salt offset?  hex encode?
             'SHA':   ( 'sha-oldap',  0,  True),
             'SSHA':  ('ssha-oldap', 20,  True),
             'MD5':   ( 'md5-oldap',  0,  True),
             'SMD5':  ( 'md5-oldap', 16,  True),
         'SHA': (
             'sha-oldap',
 ,
             True
         ),
         'SSHA': (
             'ssha-oldap',
 ,
             True
         ),
         'MD5': (
             'md5-oldap',
 ,
             True
         ),
         'SMD5': (
             'md5-oldap',
 ,
             True
         ),
+    }

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import logging
     from django.apps import apps
-...
         for hook in hooks:
             try:
                 yield hook(*args, **kwargs)
             except:
             except Exception:
                 logger.exception(u'exception while calling hook %s', hook)
-...
                 result = hook(*args, **kwargs)
                 if result is not None:
                     return result
             except:
             except Exception:
                 logger.exception(u'exception while calling hook %s', hook)

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import requests
     from authentic2 import app_settings
     def get_url(url):
         '''Does a simple GET on an URL, check the certificate'''
         verify = app_settings.A2_VERIFY_SSL

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.contrib.auth.decorators import login_required
     from django.http import HttpResponseRedirect
     from django.shortcuts import render
     from authentic2.saml.models import LibertyProvider
     @login_required
     def consent_federation(request, nonce = '', next = None, provider_id = None):
     def consent_federation(request, nonce='', provider_id=None):
         '''On a GET produce a form asking for consentment,
            On a POST handle the form and redirect to next'''
         if request.method == "GET":
             return render(request, 'interaction/consent_federation.html',
                 {'provider_id': request.GET.get('provider_id', ''),
                  'nonce': request.GET.get('nonce', ''),
                  'next': request.GET.get('next', '')})
             return render(
                 request, 'interaction/consent_federation.html',
+                {
                     'provider_id': request.GET.get('provider_id', ''),
                     'nonce': request.GET.get('nonce', ''),
                     'next': request.GET.get('next', '')
                 })
         else:
             next = '/'
             next_url = '/'
             if 'next' in request.POST:
                 next = request.POST['next']
                 next_url = request.POST['next']
             if 'accept' in request.POST:
                 next = next + '&consent_answer=accepted'
                 return HttpResponseRedirect(next)
                 next_url = next_url + '&consent_answer=accepted'
                 return HttpResponseRedirect(next_url)
             else:
                 next = next + '&consent_answer=refused'
                 next_url = next_url + '&consent_answer=refused'
                 return HttpResponseRedirect(next)
     @login_required
     def consent_attributes(request, nonce = '', next = None, provider_id = None):
         '''On a GET produce a form asking for consentment,
            On a POST handle the form and redirect to next'''
         provider = None
         try:
             provider = LibertyProvider.objects.get(entity_id=request.GET.get('provider_id', ''))
         except:
             pass
         next = '/'
         if request.method == "GET":
             attributes = []
             next = request.GET.get('next', '')
             if 'attributes_to_send' in request.session:
                 i = 0
                 for key, values in request.session['attributes_to_send'].items():
                     name = None
                     if type(key) is tuple and len(key) == 3:
                         _, _, name = key
                     elif type(key) is tuple and len(key) == 2:
                         name, _, = key
                     else:
                         name = key
                     if name and values:
                         attributes.append((i, name, values))
                         i = i + 1
                 name = request.GET.get('provider_id', '')
                 if provider:
                     name = provider.name or name
                 return render(request, 'interaction/consent_attributes.html',
                     {'provider_id': name,
                      'attributes': attributes,
                      'allow_selection': request.session['allow_attributes_selection'],
                      'nonce': request.GET.get('nonce', ''),
                      'next': next})
         elif request.method == "POST":
             if request.session['allow_attributes_selection']:
                 vals = \
                     [int(value) for key, value in request.POST.items() \
                         if 'attribute_nb' in key]
                 attributes_to_send = dict()
                 i = 0
                 for k, v in request.session['attributes_to_send'].items():
                     if i in vals:
                         attributes_to_send[k] = v
                     i = i + 1
                 request.session['attributes_to_send'] = attributes_to_send
             if 'next' in request.POST:
                 next = request.POST['next']
             if 'accept' in request.POST:
                 next = next + '&consent_attribute_answer=accepted'
             else:
                 next = next + '&consent_attribute_answer=refused'
         return HttpResponseRedirect(next)

     import warnings
     from authentic2.idp.management.commands import cleanupauthentic
     class Command(cleanupauthentic.Command):
         def handle_noargs(self, **options):
             warnings.warn(
                 "The `cleanup` command has been deprecated in favor of `cleanupauthentic`.",
                 PendingDeprecationWarning)
             super(Command, self).handle_noargs(**options)

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import logging
     from django.apps import apps
     from django.core.management.base import BaseCommand
     logger = logging.getLogger(__name__)
     class Command(BaseCommand):
         help = 'Clean expired models of authentic2.'
         def handle(self, **options):
             log = logging.getLogger(__name__)
             for app in apps.get_app_configs():
                 for model in app.get_models():
                     # only models from authentic2
                     if model.__module__.startswith('authentic2'):
                         try:
                             self.cleanup_model(model)
                         except:
                             log.exception('cleanup of model %s failed', model)
                         except Exception:
                             logger.exception('cleanup of model %s failed', model)
         def cleanup_model(self, model):
             manager = getattr(model, 'objects', None)

     import traceback
     from django.conf import settings
     class DebugMiddleware:
         def process_exception(self, request, exception):
             if getattr(settings, 'DEBUG', False):
                 traceback.print_exc()

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.conf import settings
     from django.utils.translation import ugettext_lazy as _
     from django.core.checks import register, Warning, Tags
     from django.apps import AppConfig
-...
         from . import app_settings
         errors = []
         if not settings.DEBUG and app_settings.ENABLE and \
             (app_settings.is_default('SIGNATURE_PUBLIC_KEY') or
              app_settings.is_default('SIGNATURE_PRIVATE_KEY')):
         if (not settings.DEBUG
                 and app_settings.ENABLE
                 and (app_settings.is_default('SIGNATURE_PUBLIC_KEY')
                      or app_settings.is_default('SIGNATURE_PRIVATE_KEY'))):
             errors.append(
                 Warning(
                     'You should not use default SAML keys in production',
-...
+            )
         return errors
     check_authentic2_config = register(Tags.security,
                                        deploy=True)(check_authentic2_config)
     check_authentic2_config = register(Tags.security, deploy=True)(check_authentic2_config)

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import sys
     class AppSettings(object):
         __DEFAULTS = dict(
                 ENABLE=False,
                 METADATA_OPTIONS={},
                 SECONDS_TOLERANCE=60,
                 AUTHN_CONTEXT_FROM_SESSION=True,
                 SIGNATURE_PUBLIC_KEY = '''-----BEGIN CERTIFICATE-----
             ENABLE=False,
             METADATA_OPTIONS={},
             SECONDS_TOLERANCE=60,
             AUTHN_CONTEXT_FROM_SESSION=True,
             SIGNATURE_PUBLIC_KEY='''-----BEGIN CERTIFICATE-----
     MIIDIzCCAgugAwIBAgIJANUBoick1pDpMA0GCSqGSIb3DQEBBQUAMBUxEzARBgNV
     BAoTCkVudHJvdXZlcnQwHhcNMTAxMjE0MTUzMzAyWhcNMTEwMTEzMTUzMzAyWjAV
     MRMwEQYDVQQKEwpFbnRyb3V2ZXJ0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
-...
     JumlBc6IViKhJeo1wiBBrVRIIkKKevHKQzteK8pWm9CYWculxT26TZ4VWzGbo06j
     o2zbumirrLLqnt1gmBDvDvlOwC/zAAyL4chbz66eQHTiIYZZvYgy
     -----END CERTIFICATE-----''',
                 SIGNATURE_PRIVATE_KEY = '''-----BEGIN RSA PRIVATE KEY-----
             SIGNATURE_PRIVATE_KEY='''-----BEGIN RSA PRIVATE KEY-----
     MIIEpAIBAAKCAQEAvxFkfPdndlGgQPDZgFGXbrNAc/79PULZBuNdWFHDD9P5hNhZ
     n9Kqm4Cp06Pe/A6u+g5wLnYvbZQcFCgfQAEzziJtb3J55OOlB7iMEI/T2AX2WzrU
     H8QT8NGhABONKU2Gg4XiyeXNhH5R7zdHlUwcWq3ZwNbtbY0TVc+n665EbrfV/59x
-...
     wRiVcNacaP+BivkrMjr4BlsUM6yH4MOBsNhLURiiCL+tLJV7U0DWlCse/doWij4U
     TKX6tp6oI+7MIJE6ySZ0cBqOiydAkBePZhu57j6ToBkTa0dbHjn1WA==
     -----END RSA PRIVATE KEY-----''',
                 ADD_CERTIFICATE_TO_KEY_INFO=True,
                 SIGNATURE_METHOD='RSA-SHA256',
             ADD_CERTIFICATE_TO_KEY_INFO=True,
             SIGNATURE_METHOD='RSA-SHA256',
+        )
         def __init__(self, prefix):
-...
         @property
         def ENABLE(self):
             return self._setting_with_prefix('ENABLE',
                        self._setting('IDP_SAML2',
                            self.__DEFAULTS['ENABLE']))
                                              self._setting('IDP_SAML2',
                                                            self.__DEFAULTS['ENABLE']))
         @property
         def SIGNATURE_PUBLIC_KEY(self):
             return self._setting_with_prefix('SIGNATURE_PUBLIC_KEY',
                        self._setting('SAML_SIGNATURE_PUBLIC_KEY',
                            self.__DEFAULTS['SIGNATURE_PUBLIC_KEY']))
                                              self._setting('SAML_SIGNATURE_PUBLIC_KEY',
                                                            self.__DEFAULTS['SIGNATURE_PUBLIC_KEY']))
         @property
         def SIGNATURE_PRIVATE_KEY(self):
             return self._setting_with_prefix('SIGNATURE_PRIVATE_KEY',
                        self._setting('SAML_SIGNATURE_PRIVATE_KEY',
                            self.__DEFAULTS['SIGNATURE_PRIVATE_KEY']))
                                              self._setting('SAML_SIGNATURE_PRIVATE_KEY',
                                                            self.__DEFAULTS['SIGNATURE_PRIVATE_KEY']))
         @property
         def AUTHN_CONTEXT_FROM_SESSION(self):
             return self._setting_with_prefix('AUTHN_CONTEXT_FROM_SESSION',
                        self._setting('IDP_SAML2_AUTHN_CONTEXT_FROM_SESSION',
                            self.__DEFAULTS['AUTHN_CONTEXT_FROM_SESSION']))
                                              self._setting('IDP_SAML2_AUTHN_CONTEXT_FROM_SESSION',
                                                            self.__DEFAULTS['AUTHN_CONTEXT_FROM_SESSION']))
         def is_default(self, name):
             return getattr(self, name) == self.__DEFAULTS[name]
-...
                 raise AttributeError(name)
             return self._setting_with_prefix(name, self.__DEFAULTS[name])
     # Ugly? Guido recommends this himself ...
     # http://mail.python.org/pipermail/python-ideas/2012-May/014969.html
     import sys
     app_settings = AppSettings('A2_IDP_SAML2_')
     app_settings.__name__ = __name__
     sys.modules[__name__] = app_settings

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import logging
     import operator
     import random

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import logging
     from django.contrib.auth import REDIRECT_FIELD_NAME, SESSION_KEY
     from django.contrib.auth import REDIRECT_FIELD_NAME
     from django.utils.http import urlencode
     from importlib import import_module
     from django.conf import settings
     from django.http import HttpResponseRedirect
     def redirect_to_login(next, login_url=None,
             redirect_field_name=REDIRECT_FIELD_NAME, other_keys = {}):
     def redirect_to_login(next_url, login_url=None, redirect_field_name=REDIRECT_FIELD_NAME, other_keys={}):
         "Redirects the user to the login page, passing the given 'next' page"
         if not login_url:
             login_url = settings.LOGIN_URL
         data = { redirect_field_name: next }
         data = {redirect_field_name: next_url}
         for k, v in other_keys.items():
             data[k] = v
         return HttpResponseRedirect('%s?%s' % (login_url, urlencode(data)))
     def kill_django_sessions(session_key):
         engine = import_module(settings.SESSION_ENGINE)
         try:

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     """SAML2.0 IdP implementation
        It contains endpoints to receive:
-...
     from authentic2.compat_lasso import lasso
     from django.core.urlresolvers import reverse
     from django.contrib.auth import get_user_model
     from django.contrib.auth.decorators import login_required
     from django.core.exceptions import ObjectDoesNotExist
     from django.http import HttpResponse, HttpResponseRedirect, \
-...
     from django.contrib import messages
     from authentic2.compat import get_user_model
     import authentic2.views as a2_views
     from authentic2.saml.models import (LibertyArtifact,
         LibertySession, LibertyFederation,
         nameid2kwargs, saml2_urn_to_nidformat,
         nidformat_to_saml2_urn, save_key_values, get_and_delete_key_values,
         LibertyProvider, LibertyServiceProvider, SAMLAttribute, NAME_ID_FORMATS)
     from authentic2.saml.models import (
         LibertyArtifact, LibertySession, LibertyFederation, nameid2kwargs,
         saml2_urn_to_nidformat, nidformat_to_saml2_urn, save_key_values,
         get_and_delete_key_values, LibertyProvider, LibertyServiceProvider,
         SAMLAttribute, NAME_ID_FORMATS)
     from authentic2.saml.common import redirect_next, asynchronous_bindings, \
         soap_bindings, load_provider, get_saml2_request_message, \
         error_page, set_saml2_response_responder_status_code, \
-...
     from authentic2.idp import signals as idp_signals
     from authentic2.utils import (make_url, get_backends as get_idp_backends,
             get_username, login_require, find_authentication_event, datetime_to_xs_datetime)
     from authentic2.utils import (
         make_url, get_backends as get_idp_backends, get_username, login_require,
         find_authentication_event, datetime_to_xs_datetime)
     from authentic2 import utils
     from authentic2.attributes_ng.engine import get_attributes
     from authentic2 import hooks
-...
     from . import app_settings
     User = get_user_model()
     logger = logging.getLogger(__name__)
     def get_nonce():
         alphabet = string.ascii_letters+string.digits
         return '_'+''.join(random.SystemRandom().choice(alphabet) for i in xrange(20))
         alphabet = string.ascii_letters + string.digits
         return '_' + ''.join(random.SystemRandom().choice(alphabet) for i in range(20))
     metadata_map = (
             (saml2utils.Saml2Metadata.SINGLE_SIGN_ON_SERVICE,
                 asynchronous_bindings, '/sso'),
             (saml2utils.Saml2Metadata.SINGLE_LOGOUT_SERVICE,
                 asynchronous_bindings, '/slo', '/slo_return'),
             (saml2utils.Saml2Metadata.SINGLE_LOGOUT_SERVICE,
                 soap_bindings, '/slo/soap'),
             (saml2utils.Saml2Metadata.ARTIFACT_RESOLUTION_SERVICE,
                 lasso.SAML2_METADATA_BINDING_SOAP, '/artifact')
         (saml2utils.Saml2Metadata.SINGLE_SIGN_ON_SERVICE, asynchronous_bindings, '/sso'),
         (saml2utils.Saml2Metadata.SINGLE_LOGOUT_SERVICE, asynchronous_bindings, '/slo', '/slo_return'),
         (saml2utils.Saml2Metadata.SINGLE_LOGOUT_SERVICE, soap_bindings, '/slo/soap'),
         (saml2utils.Saml2Metadata.ARTIFACT_RESOLUTION_SERVICE, lasso.SAML2_METADATA_BINDING_SOAP, '/artifact')
+    )
     def metadata(request):
         '''Endpoint to retrieve the metadata file'''
         return HttpResponse(get_metadata(request, request.path),
                 content_type='text/xml')
         return HttpResponse(get_metadata(request, request.path), content_type='text/xml')
     def log_assert(func, exception_classes=(AssertionError,)):
         '''Convert assertion errors to warning logs and report them to the user
-...
     #####
     # SSO
     #####
     def register_new_saml2_session(request, login):
         '''Persist the newly created session for emitted assertion'''
         lib_session = LibertySession(provider_id=login.remoteProviderId,
                 saml2_assertion=login.assertion,
                 django_session_key=request.session.session_key)
         lib_session = LibertySession(
             provider_id=login.remoteProviderId,
             saml2_assertion=login.assertion,
             django_session_key=request.session.session_key)
         lib_session.save()
-...
             # Generate the transient identifier from the session key, to fix it for
             # a session duration, without that logout is broken as you can send
             # many session_index in a logout request but only one NameID
             keys = ''.join([request.session.session_key, provider_id,
                 settings.SECRET_KEY])
             keys = ''.join([request.session.session_key, provider_id, settings.SECRET_KEY])
             transient_id_content = '_' + hashlib.sha1(keys).hexdigest().upper()
             assertion.subject.nameID.content = transient_id_content
         if nid_format == 'email':
-...
             assertion.subject.nameID.content = request.user.uuid
         if nid_format == 'edupersontargetedid':
             assertion.subject.nameID.format = NAME_ID_FORMATS[nid_format]['samlv2']
             keys = ''.join([get_username(request.user),
                 provider_id, settings.SECRET_KEY])
             keys = ''.join([get_username(request.user), provider_id, settings.SECRET_KEY])
             edu_person_targeted_id = '_' + hashlib.sha1(keys).hexdigest().upper()
             assertion.subject.nameID.content = edu_person_targeted_id
             attribute_definition = ('urn:oid:1.3.6.1.4.1.5923.1.1.1.10',
                     lasso.SAML2_ATTRIBUTE_NAME_FORMAT_URI, 'eduPersonTargetedID')
                                     lasso.SAML2_ATTRIBUTE_NAME_FORMAT_URI,
                                     'eduPersonTargetedID')
             value = assertion.subject.nameID.exportToXml()
             value = ctree.fromstring(value)
             saml2_add_attribute_values(assertion,
                     { attribute_definition: [ value ]})
             saml2_add_attribute_values(assertion, {attribute_definition: [value]})
             logger.debug('adding an eduPersonTargetedID attribute with value %s', edu_person_targeted_id)
         assertion.subject.nameID.format = NAME_ID_FORMATS[nid_format]['samlv2']
     def get_attribute_definitions(provider):
         '''Query all attribute definitions for a providers'''
         qs = SAMLAttribute.objects.for_generic_object(provider) \
                 .filter(enabled=True)
         qs = SAMLAttribute.objects.for_generic_object(provider).filter(enabled=True)
         sp_options_policy = get_sp_options_policy(provider)
         if sp_options_policy:
             qs |= SAMLAttribute.objects.for_generic_object(sp_options_policy) \
                     .filter(enabled=True)
             qs |= SAMLAttribute.objects.for_generic_object(sp_options_policy).filter(enabled=True)
         return qs.distinct()
     def add_attributes(request, assertion, provider):
         qs = get_attribute_definitions(provider)
         wanted_attributes = [definition.attribute_name for definition in qs]
-...
                 elif how.startswith('oath-totp'):
                     authn_context = lasso.SAML2_AUTHN_CONTEXT_TIME_SYNC_TOKEN
                 else:
                     raise NotImplementedError('Unknown authentication method %s',
                             how)
                     raise NotImplementedError('Unknown authentication method %s', how)
             except ObjectDoesNotExist:
                 # TODO: previous session over secure transport (ssl) ?
                 authn_context = lasso.SAML2_AUTHN_CONTEXT_PREVIOUS_SESSION
         logger.debug('authn_context is %s', authn_context)
         login.buildAssertion(authn_context,
                 now.isoformat() + 'Z',
                 'unused',  # reauthenticateOnOrAfter is only for ID-FF 1.2
                 notBefore.isoformat() + 'Z',
                 notOnOrAfter.isoformat() + 'Z')
         login.buildAssertion(
             authn_context,
             now.isoformat() + 'Z',
             'unused',  # reauthenticateOnOrAfter is only for ID-FF 1.2
             notBefore.isoformat() + 'Z',
             notOnOrAfter.isoformat() + 'Z')
         assertion = login.assertion
         assertion.conditions.notOnOrAfter = notOnOrAfter.isoformat() + 'Z'
         # Set SessionNotOnOrAfter to expiry date of the current session, so we are sure no session on
-...
         expiry_date = request.session.get_expiry_date()
         assertion.authnStatement[0].sessionNotOnOrAfter = datetime_to_xs_datetime(expiry_date)
         logger.debug('assertion building in progress %s', assertion.dump())
         fill_assertion(request, login.request, assertion, login.remoteProviderId,
             nid_format)
         fill_assertion(request, login.request, assertion, login.remoteProviderId, nid_format)
         # Save federation and new session
         if nid_format == 'persistent':
             logger.debug('nameID persistent, get or create federation')
-...
                 kwargs['name_id_qualifier'] = AUTHENTIC_SAME_ID_SENTINEL
             if kwargs.get('name_id_sp_name_qualifier') == login.remoteProviderId:
                 kwargs['name_id_sp_name_qualifier'] = AUTHENTIC_SAME_ID_SENTINEL
             service_provider = LibertyServiceProvider.objects \
                     .get(liberty_provider__entity_id=login.remoteProviderId)
             service_provider = LibertyServiceProvider.objects.get(
                 liberty_provider__entity_id=login.remoteProviderId)
             federation, new = LibertyFederation.objects.get_or_create(
                     sp=service_provider,
                     user=request.user, **kwargs)
                 sp=service_provider,
                 user=request.user,
                 **kwargs)
             if new:
                 logger.debug('nameID persistent, new federation')
                 federation.save()
-...
         kwargs['entity_id'] = login.remoteProviderId
         kwargs['user'] = request.user
         logger.debug(u'sending nameID %(name_id_format)r: %(name_id_content)r to '
                     u'%(entity_id)s for user %(user)s' % kwargs)
                      u'%(entity_id)s for user %(user)s' % kwargs)
         register_new_saml2_session(request, login)
         return kwargs['name_id_content']
-...
                 logger.warning(
                     'invalid message for WebSSO profile with HTTP-Redirect binding: '
                     '%r exception: %s', message, e, extra={'request': request})
                 return HttpResponseBadRequest(_("SAMLv2 Single Sign On: "
                     "invalid message for WebSSO profile with HTTP-Redirect "
                     "binding: %r") % message, content_type='text/plain')
                 return HttpResponseBadRequest(
                     _("SAMLv2 Single Sign On: invalid message for WebSSO profile with HTTP-Redirect "
                       "binding: %r") % message, content_type='text/plain')
             except lasso.ProfileInvalidProtocolprofileError:
                 log_info_authn_request_details(login)
                 message = _("SAMLv2 Single Sign On: the request cannot be "
                 message = _(
                     "SAMLv2 Single Sign On: the request cannot be "
                     "answered because no valid protocol binding could be found")
                 logger.warning('the request cannot be answered because no '
                     'valid protocol binding could be found')
                 logger.warning(
                     'the request cannot be answered because no valid protocol binding could be found')
                 return HttpResponseBadRequest(message, content_type='text/plain')
             except lasso.ProviderMissingPublicKeyError as e:
                 log_info_authn_request_details(login)
-...
                 log_info_authn_request_details(login)
                 provider_id = login.remoteProviderId
                 logger.debug('loading provider %s' % provider_id)
                 provider_loaded = load_provider(request, provider_id,
                         server=login.server, autoload=True)
                 provider_loaded = load_provider(request, provider_id, server=login.server, autoload=True)
                 if not provider_loaded:
                     add_url = reverse('admin:saml_libertyprovider_add_from_url')
                     add_url += '?' + urlencode({ 'entity_id': provider_id })
                     return render(request,
                             'idp/saml/unknown_provider.html',
                             { 'entity_id': provider_id,
                               'add_url': add_url,
                             })
                     add_url += '?' + urlencode({'entity_id': provider_id})
                     return render(
                         request,
                         'idp/saml/unknown_provider.html',
+                        {
                             'entity_id': provider_id,
                             'add_url': add_url,
                         })
                 else:
                     policy = get_sp_options_policy(provider_loaded)
                     if not policy:
                         return error_page(request, _('sso: No SP policy defined'),
                         return error_page(
                             request,
                             _('sso: No SP policy defined'),
                             logger=logger, warning=True)
                     logger.debug('provider %s loaded with success', provider_id)
                 if policy.authn_request_signed:
-...
         if signed and not check_destination(request, login.request):
             logger.warning('wrong or absent destination')
             return return_login_error(request, login,
                     AUTHENTIC_STATUS_CODE_MISSING_DESTINATION)
             return return_login_error(
                 request, login,
                 AUTHENTIC_STATUS_CODE_MISSING_DESTINATION)
         # Check NameIDPolicy or force the NameIDPolicy
         name_id_policy = login.request.nameIdPolicy
         if name_id_policy and \
                 name_id_policy.format and \
                 name_id_policy.format != \
                     lasso.SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED:
         if (name_id_policy
                 and name_id_policy.format
                 and name_id_policy.format != lasso.SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED):
             logger.debug('nameID policy is %s', name_id_policy.dump())
             nid_format = saml2_urn_to_nidformat(name_id_policy.format,
                 accepted=policy.accepted_name_id_format)
             nid_format = saml2_urn_to_nidformat(name_id_policy.format, accepted=policy.accepted_name_id_format)
             logger.debug('nameID format %s', nid_format)
             default_nid_format = policy.default_name_id_format
             logger.debug('default nameID format %s', default_nid_format)
-...
             logger.debug('nameID format accepted %s', accepted_nid_format)
             if (not nid_format or nid_format not in accepted_nid_format) and \
                default_nid_format != nid_format:
                 set_saml2_response_responder_status_code(login.response,
                     lasso.SAML2_STATUS_CODE_INVALID_NAME_ID_POLICY)
                 set_saml2_response_responder_status_code(login.response, lasso.SAML2_STATUS_CODE_INVALID_NAME_ID_POLICY)
                 logger.warning('NameID format required is not accepted')
                 return finish_sso(request, login)
         else:
-...
             logger.warning('nonce not found')
             return HttpResponseBadRequest()
         try:
             login_dump, consent_obtained, nid_format = \
                     get_and_delete_key_values(nonce)
             login_dump, consent_obtained, nid_format = get_and_delete_key_values(nonce)
         except KeyError:
             messages.warning(request, N_('request has expired'))
             return utils.redirect(request, 'auth_homepage')
         server = create_server(request)
         # Work Around for lasso < 2.3.6
         login_dump = login_dump.replace('<Login ', '<lasso:Login ') \
                 .replace('</Login>', '</lasso:Login>')
         login_dump = login_dump.replace('<Login ', '<lasso:Login ').replace('</Login>', '</lasso:Login>')
         login = lasso.Login.newFromDump(server, login_dump)
         logger.debug('login newFromDump done')
         if not login:
             return error_page(request, _('continue_sso: error loading login'),
                 logger=logger)
         if not load_provider(request, login.remoteProviderId, server=login.server,
                 autoload=True):
             return error_page(request, _('continue_sso: unknown provider %s') \
                 % login.remoteProviderId, logger=logger)
             return error_page(request, _('continue_sso: error loading login'), logger=logger)
         if not load_provider(request, login.remoteProviderId, server=login.server, autoload=True):
             return error_page(request, _('continue_sso: unknown provider %s') % login.remoteProviderId, logger=logger)
         if 'cancel' in request.GET:
             logger.debug('login canceled')
             set_saml2_response_responder_status_code(login.response,
                     lasso.SAML2_STATUS_CODE_REQUEST_DENIED)
             set_saml2_response_responder_status_code(login.response, lasso.SAML2_STATUS_CODE_REQUEST_DENIED)
             return finish_sso(request, login)
         if consent_answer == 'refused':
             logger.debug('consent answer treatment, the user refused, return request denied to the requester')
             set_saml2_response_responder_status_code(login.response,
                     lasso.SAML2_STATUS_CODE_REQUEST_DENIED)
             set_saml2_response_responder_status_code(login.response, lasso.SAML2_STATUS_CODE_REQUEST_DENIED)
             return finish_sso(request, login)
         if consent_answer == 'accepted':
             logger.debug('consent answer treatment, the user accepted, continue')
             consent_obtained = True
         return sso_after_process_request(request, login,
                 consent_obtained=consent_obtained,
                 consent_attribute_answer=consent_attribute_answer,
                 nid_format=nid_format)
         return sso_after_process_request(
             request,
             login,
             consent_obtained=consent_obtained,
             consent_attribute_answer=consent_attribute_answer,
             nid_format=nid_format)
     def needs_persistence(nid_format):
-...
     def sso_after_process_request(request, login, consent_obtained=False,
             consent_attribute_answer=False, user=None,
             nid_format='transient', return_profile=False):
                                   consent_attribute_answer=False, user=None,
                                   nid_format='transient', return_profile=False):
         """Common path for sso and idp_initiated_sso.
            consent_obtained: whether the user has given his consent to this
-...
         # No user is authenticated and passive is True, deny request
         if passive and user.is_anonymous():
             logger.debug('no user connected and passive request, returning NoPassive')
             set_saml2_response_responder_status_code(login.response,
                     lasso.SAML2_STATUS_CODE_NO_PASSIVE)
             set_saml2_response_responder_status_code(login.response, lasso.SAML2_STATUS_CODE_NO_PASSIVE)
             return finish_sso(request, login)
         service.authorize(request.user)
         hooks.call_hooks('event', name='sso-request', idp='saml2', service=service)
         #Do not ask consent for federation if a transient nameID is provided
         # Do not ask consent for federation if a transient nameID is provided
         transient = False
         if nid_format == 'transient':
             transient = True
         decisions = idp_signals.authorize_service.send(sender=None,
              request=request, user=request.user, audience=login.remoteProviderId,
              attributes={})
         decisions = idp_signals.authorize_service.send(
             sender=None,
             request=request, user=request.user,
             audience=login.remoteProviderId,
             attributes={})
         logger.debug('signal authorize_service sent')
         # You don't dream. By default, access granted.
         # We catch denied decisions i.e. dic['authz'] = False
         access_granted = True
         for decision in decisions:
             logger.debug('authorize_service connected '
                 'to function %s' % decision[0].__name__)
             logger.debug('authorize_service connected to function %s' % decision[0].__name__)
             dic = decision[1]
             if dic and 'authz' in dic:
                 logger.debug('decision is %s', dic['authz'])
-...
         if not access_granted:
             logger.debug('access denied, return answer to the requester')
             set_saml2_response_responder_status_code(login.response,
                     lasso.SAML2_STATUS_CODE_REQUEST_DENIED,
                     msg=six.text_type(dic['message']))
             set_saml2_response_responder_status_code(
                 login.response,
                 lasso.SAML2_STATUS_CODE_REQUEST_DENIED,
                 msg=six.text_type(dic['message']))
             return finish_sso(request, login)
         provider = load_provider(request, login.remoteProviderId,
             server=login.server)
         provider = load_provider(request, login.remoteProviderId, server=login.server)
         if not provider:
             return error_page(request,
             return error_page(
                 request,
                 _('Provider %s is unknown') % login.remoteProviderId,
                 logger=logger)
         saml_policy = get_sp_options_policy(provider)
         if not saml_policy:
             return error_page(request, _('No service provider policy defined'),
                 logger=logger)
             return error_page(request, _('No service provider policy defined'), logger=logger)
         '''User consent for federation management
-...
             consent_value = 'urn:oasis:names:tc:SAML:2.0:consent:unavailable'
         if not consent_obtained and not transient:
             consent_obtained = \
                     not saml_policy.ask_user_consent
             consent_obtained = not saml_policy.ask_user_consent
             logger.debug('the policy says %s', consent_obtained)
             if consent_obtained:
                 #The user consent is bypassed by the policy
                 # The user consent is bypassed by the policy
                 consent_value = 'urn:oasis:names:tc:SAML:2.0:consent:unspecified'
         if needs_persistence(nid_format):
             try:
                 LibertyFederation.objects.get(
                         user=request.user,
                         sp__liberty_provider__entity_id=login.remoteProviderId)
                     user=request.user,
                     sp__liberty_provider__entity_id=login.remoteProviderId)
                 logger.debug('consent already given (existing federation) for %s', login.remoteProviderId)
                 consent_obtained = True
                 '''This is abusive since a federation may exist even if we have
-...
         if not consent_obtained and not transient:
             logger.debug('signal avoid_consent sent')
             avoid_consent = idp_signals.avoid_consent.send(sender=None,
                  request=request, user=request.user,
                  audience=login.remoteProviderId)
                                                            request=request,
                                                            user=request.user,
                                                            audience=login.remoteProviderId)
             for c in avoid_consent:
                 logger.debug('avoid_consent connected to function %s', c[0].__name__)
                 if c[1] and 'avoid_consent' in c[1] and c[1]['avoid_consent']:
                     logger.debug('avoid consent by signal')
                     consent_obtained = True
                     #The user consent is bypassed by the signal
                     # The user consent is bypassed by the signal
                     consent_value = \
                         'urn:oasis:names:tc:SAML:2.0:consent:unspecified'
-...
             logger.debug('validateRequestMsg %s', login.dump())
         except lasso.LoginRequestDeniedError:
             logger.warning('access denied due to LoginRequestDeniedError')
             set_saml2_response_responder_status_code(login.response,
                 lasso.SAML2_STATUS_CODE_REQUEST_DENIED)
             set_saml2_response_responder_status_code(login.response, lasso.SAML2_STATUS_CODE_REQUEST_DENIED)
             return finish_sso(request, login, user=user)
         except lasso.LoginFederationNotFoundError:
             logger.warning('access denied due to LoginFederationNotFoundError')
             set_saml2_response_responder_status_code(login.response,
                     lasso.SAML2_STATUS_CODE_REQUEST_DENIED)
             set_saml2_response_responder_status_code(login.response, lasso.SAML2_STATUS_CODE_REQUEST_DENIED)
             return finish_sso(request, login, user=user)
         login.response.consent = consent_value
-...
         else:
             raise NotImplementedError()
         provider = LibertyProvider.objects.get(entity_id=login.remoteProviderId)
         return return_saml2_response(request, login,
             title=_('You are being redirected to "%s"') % provider.name)
         return return_saml2_response(request, login, title=_('You are being redirected to "%s"') % provider.name)
     def finish_sso(request, login, user=None, return_profile=False):
-...
     def save_artifact(request, login):
         '''Remember an artifact message for later retrieving'''
         LibertyArtifact(artifact=login.artifact,
                 content=login.artifactMessage.decode('utf-8'),
                 provider_id=login.remoteProviderId).save()
         LibertyArtifact(
             artifact=login.artifact,
             content=login.artifactMessage.decode('utf-8'),
             provider_id=login.remoteProviderId).save()
         logger.debug('artifact saved')
-...
         try:
             login.processRequestMsg(soap_message)
         except (lasso.ProfileUnknownProviderError, lasso.ParamError):
             if not load_provider(request, login.remoteProviderId,
                     server=login.server):
             if not load_provider(request, login.remoteProviderId, server=login.server):
                 logger.warning('provider loading failure')
             try:
                 login.processRequestMsg(soap_message)
-...
             else:
                 logger.debug('reloading artifact')
                 reload_artifact(login)
         except:
         except Exception:
             logger.exception('resolve error')
         try:
             login.buildResponseMsg(None)
             logger.debug('resolve response %s' % login.msgBody)
         except:
         except Exception:
             logger.exception('resolve error')
             return soap_fault(request,
                     faultcode='soap:Server',
                     faultstring='Internal Server Error')
             return soap_fault(
                 request,
                 faultcode='soap:Server',
                 faultstring='Internal Server Error')
         logger.debug('treatment ended, return answer')
         return return_saml_soap_response(login)
-...
     def idp_sso(request, provider_id=None, return_profile=False):
         '''Initiate an SSO toward provider_id without a prior AuthnRequest
         '''
         User = get_user_model()
         if not provider_id:
             provider_id = request.POST.get('provider_id')
         if not provider_id:
             return error_redirect(request,
                     N_('missing provider identifier'))
             return error_redirect(request, N_('missing provider identifier'))
         logger.debug('start of an idp initiated sso toward %s', provider_id)
         server = create_server(request)
         login = lasso.Login(server)
         liberty_provider = load_provider(request, provider_id,
             server=login.server)
         liberty_provider = load_provider(request, provider_id, server=login.server)
         if not liberty_provider:
             return error_redirect(request, N_('provider %r is unknown'), provider_id)
         username = request.POST.get('username')
         if username:
             if not check_delegated_authentication_permission(request):
                 return error_redirect(request,
                         N_('%r tried to log as %r on %r but was forbidden'),
                        request.user, username, provider_id)
                 return error_redirect(
                     request,
                     N_('%r tried to log as %r on %r but was forbidden'),
                     request.user, username, provider_id)
             try:
                 user = User.objects.get_by_natural_key(username=username)
             except User.DoesNotExist:
                 return error_redirect(request,
                         N_('you cannot login as %r as it does not exist'), username)
                 return error_redirect(request, N_('you cannot login as %r as it does not exist'), username)
         else:
             user = request.user
         policy = get_sp_options_policy(liberty_provider)
         # Control assertion consumer binding
         if not policy:
             return error_redirect(request,
                     N_('missing service provider policy'))
             return error_redirect(request, N_('missing service provider policy'))
         nid_format = policy.default_name_id_format
         if needs_persistence(nid_format):
             load_federation(request, get_entity_id(request, reverse(metadata)), login, user)
-...
         elif binding == 'post':
             login.request.protocolBinding = lasso.SAML2_METADATA_BINDING_POST
         else:
             return error_redirect(request,
                     N_('unknown binding %r') % binding)
             return error_redirect(request, N_('unknown binding %r') % binding)
         # Control nid format policy
         # XXX: if a federation exist, we should use transient
         login.request.nameIdPolicy.format = nidformat_to_saml2_urn(nid_format)
-...
         logger.debug('binding %r', binding)
         logger.debug('authentication request initialized toward provider_id %r', provider_id)
         return sso_after_process_request(request, login,
                 consent_obtained=False, user=user,
                 nid_format=nid_format, return_profile=return_profile)
         return sso_after_process_request(request, login, consent_obtained=False,
                                          user=user, nid_format=nid_format,
                                          return_profile=return_profile)
     @never_cache
-...
             logger.warning('partial logout')
             logout.buildResponseMsg()
         provider = LibertyProvider.objects.get(entity_id=logout.remoteProviderId)
         return return_saml2_response(request, logout,
             title=_('You are being redirected to "%s"') % provider.name)
         return return_saml2_response(request, logout, title=_('You are being redirected to "%s"') % provider.name)
     def return_logout_error(request, logout, error):
-...
         logout.buildResponseMsg()
         logger.debug('returned an error message on logout: %s', error)
         provider = LibertyProvider.objects.get(entity_id=logout.remoteProviderId)
         return return_saml2_response(request, logout,
             title=_('You are being redirected to "%s"') % provider.name)
         return return_saml2_response(request, logout, title=_('You are being redirected to "%s"') % provider.name)
     def process_logout_request(request, message, binding):
-...
             except (lasso.ServerProviderNotFoundError,
                     lasso.ProfileUnknownProviderError):
                 logger.debug('loading provider %s', logout.remoteProviderId)
                 p = load_provider(request, logout.remoteProviderId,
                         server=logout.server)
                 p = load_provider(request, logout.remoteProviderId, server=logout.server)
                 if not p:
                     logger.warning('slo unknown provider %s', logout.remoteProviderId)
                     return logout, return_logout_error(request, logout,
                             AUTHENTIC_STATUS_CODE_UNKNOWN_PROVIDER)
                     return logout, return_logout_error(request, logout, AUTHENTIC_STATUS_CODE_UNKNOWN_PROVIDER)
                 policy = get_sp_options_policy(p)
                 # we do not verify authn request, why verify logout requests...
                 if not policy.authn_request_signed:
-...
                 logout.processRequestMsg(message)
         except lasso.DsError:
             logger.warning('slo signature error')
             return logout, return_logout_error(request, logout,
                     lasso.LIB_STATUS_CODE_INVALID_SIGNATURE)
             return logout, return_logout_error(request, logout, lasso.LIB_STATUS_CODE_INVALID_SIGNATURE)
         except Exception as e:
             logger.warning('slo unknown error when processing a request: %s', e)
             return logout, HttpResponseBadRequest('Invalid logout request', content_type='text/plain')
         if binding != 'SOAP' and not check_destination(request, logout.request):
             logger.warning('slo wrong or absent destination')
             return logout, return_logout_error(request, logout,
                 AUTHENTIC_STATUS_CODE_MISSING_DESTINATION)
             return logout, return_logout_error(request, logout, AUTHENTIC_STATUS_CODE_MISSING_DESTINATION)
         return logout, None
-...
         for backend in backends:
             ok = ok and backend.can_synchronous_logout(django_sessions_keys)
         if not ok:
             return return_logout_error(request, logout,
                     lasso.SAML2_STATUS_CODE_UNSUPPORTED_BINDING)
             return return_logout_error(request, logout, lasso.SAML2_STATUS_CODE_UNSUPPORTED_BINDING)
         logger.debug('treatments ended')
         return None
-...
            Enumerate all emitted assertions for the given session, and for each
            provider only keep the more recent one.
         """
         lib_session1 = LibertySession.get_for_nameid_and_session_indexes(
                 issuer_id, provider_id, name_id, session_indexes)
         lib_session1 = LibertySession.get_for_nameid_and_session_indexes(issuer_id, provider_id, name_id, session_indexes)
         django_session_keys = [s.django_session_key for s in lib_session1]
         lib_session = LibertySession.objects.filter(
                 django_session_key__in=django_session_keys)
         lib_session = LibertySession.objects.filter(django_session_key__in=django_session_keys)
         providers = set([s.provider_id for s in lib_session])
         result = []
         for provider in providers:
-...
     def build_session_dump(liberty_sessions):
         '''Build a session dump from a list of pairs
            (provider_id,assertion_content)'''
         session = [u'<Session xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns="http://www.entrouvert.org/namespaces/lasso/0.0" Version="2">']
         session = [
             u'<Session xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
             u' xmlns="http://www.entrouvert.org/namespaces/lasso/0.0" Version="2">',
+        ]
         for liberty_session in liberty_sessions:
             session.append(u'<NidAndSessionIndex ProviderID="{0.provider_id}" '
                            u'AssertionID="xxx" '
-...
                 LibertyProvider.objects.get(entity_id=logout.remoteProviderId)
         except ObjectDoesNotExist:
             logger.warning('provider %r unknown', logout.remoteProviderId)
             return return_logout_error(request, logout,
                     AUTHENTIC_STATUS_CODE_UNAUTHORIZED)
             return return_logout_error(request, logout, AUTHENTIC_STATUS_CODE_UNAUTHORIZED)
         policy = get_sp_options_policy(provider)
         if not policy:
             logger.warning('No policy found for %s', logout.remoteProviderId)
             return return_logout_error(request, logout,
                 AUTHENTIC_STATUS_CODE_UNAUTHORIZED)
             return return_logout_error(request, logout, AUTHENTIC_STATUS_CODE_UNAUTHORIZED)
         if not policy.accept_slo:
             logger.warning('received slo from %s not authorized', logout.remoteProviderId)
             return return_logout_error(request, logout,
                 AUTHENTIC_STATUS_CODE_UNAUTHORIZED)
             return return_logout_error(request, logout, AUTHENTIC_STATUS_CODE_UNAUTHORIZED)
         '''Find all active sessions on SPs but the SP initiating the SLO'''
         found, lib_sessions, django_session_keys = \
                 get_only_last_session(logout.server.providerId,
                         logout.remoteProviderId, logout.request.nameId,
                         logout.request.sessionIndexes)
         found, lib_sessions, django_session_keys = get_only_last_session(
             logout.server.providerId,
             logout.remoteProviderId,
             logout.request.nameId,
             logout.request.sessionIndexes)
         if not found:
             logger.debug('no third SP session found')
         else:
             logger.debug('begin SP sessions processing...')
             for lib_session in lib_sessions:
                 p = load_provider(request, lib_session.provider_id,
                         server=logout.server)
                 p = load_provider(request, lib_session.provider_id, server=logout.server)
                 if not p:
                     logger.debug('slo cannot logout provider %s, it is no more known.', lib_session.provider_id)
                     continue
-...
                         logger.debug('%s configured not to receive slo', lib_session.provider_id)
                     if not policy or not policy.forward_slo:
                         lib_sessions.remove(lib_session)
             set_session_dump_from_liberty_sessions(logout,
                 found[0:1] + lib_sessions)
             set_session_dump_from_liberty_sessions(logout, found[0:1] + lib_sessions)
             try:
                 logout.validateRequest()
             except lasso.LogoutUnsupportedProfileError:
-...
                 logger.warning('slo, unknown error %s', e)
                 logout.buildResponseMsg()
                 provider = LibertyProvider.objects.get(entity_id=logout.remoteProviderId)
                 return return_saml2_response(request, logout,
                     title=_('You are being redirected to "%s"') % provider.name)
                 return return_saml2_response(request, logout, title=_('You are being redirected to "%s"') % provider.name)
             for lib_session in lib_sessions:
                 try:
                     logger.debug('slo, relaying logout to provider %s', lib_session.provider_id)
                     '''
                         As we are in a synchronous binding, we need SOAP support
                     '''
                     logout.initRequest(lib_session.provider_id,
                         lasso.HTTP_METHOD_SOAP)
                     logout.initRequest(lib_session.provider_id, lasso.HTTP_METHOD_SOAP)
                     logout.buildRequestMsg()
                     if logout.msgBody:
                         logger.debug('slo by SOAP')
-...
         logger.debug('kill django sessions')
         kill_django_sessions(django_session_keys)
         provider = LibertyProvider.objects.get(entity_id=logout.remoteProviderId)
         return return_saml2_response(request, logout,
             title=_('You are being redirected to "%s"') % provider.name)
         return return_saml2_response(request, logout, title=_('You are being redirected to "%s"') % provider.name)
     @never_cache
-...
         """Endpoint for receiving SLO by POST, Redirect.
         """
         message = get_saml2_request_message_async_binding(request)
         logout, response = process_logout_request(request, message,
             request.method)
         logout, response = process_logout_request(request, message, request.method)
         if response:
             return response
-...
                 LibertyProvider.objects.get(entity_id=logout.remoteProviderId)
         except ObjectDoesNotExist:
             logger.debug('provider %r unknown', logout.remoteProviderId)
             return return_logout_error(request, logout,
                     AUTHENTIC_STATUS_CODE_UNAUTHORIZED)
             return return_logout_error(request, logout, AUTHENTIC_STATUS_CODE_UNAUTHORIZED)
         policy = get_sp_options_policy(provider)
         if not policy:
             logger.debug('No policy found for %s', logout.remoteProviderId)
             return return_logout_error(request, logout,
                 AUTHENTIC_STATUS_CODE_UNAUTHORIZED)
             return return_logout_error(request, logout, AUTHENTIC_STATUS_CODE_UNAUTHORIZED)
         if not policy.accept_slo:
             logger.debug('received slo from %s not authorized', logout.remoteProviderId)
             return return_logout_error(request, logout,
                 AUTHENTIC_STATUS_CODE_UNAUTHORIZED)
             return return_logout_error(request, logout, AUTHENTIC_STATUS_CODE_UNAUTHORIZED)
         try:
             try:
                 logout.processRequestMsg(message)
             except (lasso.ServerProviderNotFoundError,
                     lasso.ProfileUnknownProviderError) as e:
                 load_provider(request, logout.remoteProviderId,
                         server=logout.server)
             except (lasso.ServerProviderNotFoundError, lasso.ProfileUnknownProviderError):
                 load_provider(request, logout.remoteProviderId, server=logout.server)
                 logout.processRequestMsg(message)
         except lasso.DsError as e:
             logger.warning('signature error %s', e)
             logout.buildResponseMsg()
             provider = LibertyProvider.objects.get(entity_id=logout.remoteProviderId)
             return return_saml2_response(request, logout,
                 title=_('You are being redirected to "%s"') % provider.name)
         except (lasso.ProfileInvalidMsgError,
             lasso.ProfileMissingIssuerError) as e:
             return return_saml2_response(request, logout, title=_('You are being redirected to "%s"') % provider.name)
         except (lasso.ProfileInvalidMsgError, lasso.ProfileMissingIssuerError):
             return error_page(request, _('Invalid logout request'), logger=logger, warning=True)
         session_indexes = logout.request.sessionIndexes
         if len(session_indexes) == 0:
             logger.warning('slo received a request from %s without any SessionIndex, it is forbidden', logout.remoteProviderId)
             logger.warning('slo received a request from %s without any SessionIndex, it is forbidden',
                            logout.remoteProviderId)
             logout.buildResponseMsg()
             provider = LibertyProvider.objects.get(entity_id=logout.remoteProviderId)
             return return_saml2_response(request, logout,
                 title=_('You are being redirected to "%s"') % provider.name)
             return return_saml2_response(request, logout, title=_('You are being redirected to "%s"') % provider.name)
         logger.debug('asynchronous slo from %s', logout.remoteProviderId)
         # Filter sessions
         if not logout.request.nameId:
             logger.warning('slo refused, no NameID in the SLO request')
             return return_logout_error(request, logout,
                     AUTHENTIC_STATUS_CODE_MISSING_NAMEID)
             return return_logout_error(request, logout, AUTHENTIC_STATUS_CODE_MISSING_NAMEID)
         all_sessions = LibertySession.get_for_nameid_and_session_indexes(
                 logout.server.providerId, logout.remoteProviderId,
                 logout.request.nameId, logout.request.sessionIndexes)
             logout.server.providerId,
             logout.remoteProviderId,
             logout.request.nameId,
             logout.request.sessionIndexes)
         if not all_sessions.exists():
             logger.warning('slo refused, since no session exists with the requesting provider')
             return return_logout_error(request, logout,
                     AUTHENTIC_STATUS_CODE_UNKNOWN_SESSION)
             return return_logout_error(request, logout, AUTHENTIC_STATUS_CODE_UNKNOWN_SESSION)
         # Load session dump for the requesting provider
         last_session = all_sessions.latest('creation')
         set_session_dump_from_liberty_sessions(logout, [last_session])
-...
             logout.validateRequest()
         except lasso.Error as e:
             logger.warning('logout request validation failed: %s', e)
             return return_logout_error(request, logout,
                     AUTHENTIC_STATUS_CODE_INTERNAL_SERVER_ERROR)
             return return_logout_error(request, logout, AUTHENTIC_STATUS_CODE_INTERNAL_SERVER_ERROR)
         except Exception as e:
             logger.warning('internal error: %s', e)
             return return_logout_error(request, logout,
                     AUTHENTIC_STATUS_CODE_INTERNAL_SERVER_ERROR)
             return return_logout_error(request, logout, AUTHENTIC_STATUS_CODE_INTERNAL_SERVER_ERROR)
         # Now clean sessions for this provider
         LibertySession.objects.filter(provider_id=logout.remoteProviderId,
                 django_session_key=request.session.session_key).delete()
         LibertySession.objects.filter(
             provider_id=logout.remoteProviderId,
             django_session_key=request.session.session_key).delete()
         # Save some values for cleaning up
         save_key_values(logout.request.id, logout.dump(),
                 request.session.session_key)
         save_key_values(logout.request.id, logout.dump(), request.session.session_key)
         # Use the logout view and come back to the finish slo view
         next_url = make_url(finish_slo, params={'id': logout.request.id})
-...
     def icon_url(name):
         return '%s/authentic2/images/%s.png' % (settings.STATIC_URL, name)
     def ko_icon(request):
         return HttpResponseRedirect(icon_url('ko'), status=307)
     def ok_icon(request):
         return HttpResponseRedirect(icon_url('ok'), status=307)
-...
             logout.request.sessionIndexes = []
         else:
             session_indexes = lib_sessions.values_list('session_index', flat=True)
             logout.request.sessionIndexes = tuple(map(lambda x: x.encode('utf8'),
                 session_indexes))
             logout.request.sessionIndexes = tuple(map(lambda x: x.encode('utf8'), session_indexes))
         logout.msgRelayState = logout.request.id
         try:
             logout.buildRequestMsg()
-...
             logger.warning('slo error: %s', e)
         else:
             LibertySession.objects.filter(
                         django_session_key=request.session.session_key,
                         provider_id=logout.remoteProviderId).delete()
                 django_session_key=request.session.session_key,
                 provider_id=logout.remoteProviderId).delete()
             logger.debug('deleted session to %s', logout.remoteProviderId)
         return redirect_next(request, next) or ok_icon(request)
-...
     def slo_return(request):
         relay_state = request.GET.get('RelayState')
         if not relay_state:
             return error_redirect(request, N_('slo no relay state in response'),
                     default_url=icon_url('ko'))
             return error_redirect(request, N_('slo no relay state in response'), default_url=icon_url('ko'))
         logger.debug('relay_state %r', relay_state)
         try:
             logout_dump, provider_id, next = \
                 get_and_delete_key_values(relay_state)
         except KeyError:
             return error_redirect(request,
                     N_('unknown relay state %r'),
                     relay_state,
                     default_url=icon_url('ko'))
             return error_redirect(request, N_('unknown relay state %r'), relay_state, default_url=icon_url('ko'))
         server = create_server(request)
         logout = lasso.Logout.newFromDump(server, logout_dump)
         provider_id = logout.remoteProviderId
-...
             logout.setSignatureVerifyHint(lasso.PROFILE_SIGNATURE_VERIFY_HINT_IGNORE)
         if not load_provider(request, provider_id, server=logout.server):
             logger.warning('failed to load provider %s', provider_id)
         return process_logout_response(request, logout,
             get_saml2_query_request(request), next)
         return process_logout_response(request, logout, get_saml2_query_request(request), next)
     # Helpers
     # Mapping to generate the metadata file, must be kept in sync with the url
     # dispatcher
     def get_provider_id_and_options(request, provider_id):
         if not provider_id:
             provider_id = reverse(metadata)
         options = {
                 'key': app_settings.SIGNATURE_PUBLIC_KEY,
                 'private_key': app_settings.SIGNATURE_PRIVATE_KEY,
             'key': app_settings.SIGNATURE_PUBLIC_KEY,
             'private_key': app_settings.SIGNATURE_PRIVATE_KEY,
+        }
         options.update(app_settings.METADATA_OPTIONS)
         return provider_id, options
-...
            settings.py.
         '''
         provider_id, options = get_provider_id_and_options(request, provider_id)
         return get_saml2_metadata(request, request.path, idp_map=metadata_map,
                 options=options)
         return get_saml2_metadata(request, request.path, idp_map=metadata_map, options=options)
     def create_server(request, provider_id=None):
-...
         multithreading is used, then thread local storage should be used.
         '''
         provider_id, options = get_provider_id_and_options(request, provider_id)
         __cached_server = create_saml2_server(request, provider_id,
                 idp_map=metadata_map, options=options)
         __cached_server = create_saml2_server(request, provider_id, idp_map=metadata_map, options=options)
         return __cached_server
     def log_info_authn_request_details(login):
         '''Push to logs details abour the received AuthnRequest'''
         request = login.request
         details = {'issuer': login.request.issuer and login.request.issuer.content,
                 'forceAuthn': login.request.forceAuthn,
                 'isPassive': login.request.isPassive,
                 'protocolBinding': login.request.protocolBinding}
         details = {
             'issuer': login.request.issuer and login.request.issuer.content,
             'forceAuthn': login.request.forceAuthn,
             'isPassive': login.request.isPassive,
             'protocolBinding': login.request.protocolBinding,
+        }
         nameIdPolicy = request.nameIdPolicy
         if nameIdPolicy:
             details['nameIdPolicy'] = {
                     'allowCreate': nameIdPolicy.allowCreate,
                     'format': nameIdPolicy.format,
                     'spNameQualifier': nameIdPolicy.spNameQualifier}
                 'allowCreate': nameIdPolicy.allowCreate,
                 'format': nameIdPolicy.format,
                 'spNameQualifier': nameIdPolicy.spNameQualifier,
+            }
         logger.debug('%r' % details)
-...
             logger.warning('failure, expected: %r got: %r ', destination, req_or_res.destination)
         return result
     def error_redirect(request, msg, *args, **kwargs):
         '''Log a warning message, register it with the messages framework, then
            redirect the user to the homepage.
-...
            It will redirect to Authentic2 homepage unless a next query parameter was used.
         '''
         default_kwargs = {
                 'log_level': logging.WARNING,
                 'msg_level': messages.WARNING,
                 'default_url': None,
             'log_level': logging.WARNING,
             'msg_level': messages.WARNING,
             'default_url': None,
+        }
         default_kwargs.update(kwargs)
         messages.add_message(request, default_kwargs['msg_level'], _(msg) % args)

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.conf.urls import url
     from . import views

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.utils.translation import ugettext as _
     from django.core.urlresolvers import reverse
     from django.views.generic import DeleteView, View
-...
     from authentic2.saml.models import LibertyFederation
     class FederationCreateView(View):
         pass
     class FederationDeleteView(DeleteView):
         model = LibertyFederation
-...
             return HttpResponseRedirect(self.get_success_url())
         def get_success_url(self):
             return self.request.POST.get(REDIRECT_FIELD_NAME,
                     reverse('auth_homepage'))
             return self.request.POST.get(REDIRECT_FIELD_NAME, reverse('auth_homepage'))
     delete_federation = FederationDeleteView.as_view()

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.dispatch import Signal
     '''authorize_decision
-...
      - the authorization decision e.g. dic['authz'] = True or False
      - optionnaly a message e.g. dic['message'] = message
     '''
     authorize_service = Signal(providing_args = ["request", "user", "audience",
             "attributes"])
     authorize_service = Signal(providing_args=["request", "user", "audience", "attributes"])
     '''avoid_consent
     Expect a boolean e.g. dic['avoid_consent'] = True or False
     '''
     avoid_consent = Signal(providing_args = ["request", "user", "audience"])
     avoid_consent = Signal(providing_args=["request", "user", "audience"])

     # This is a copy of http://djangosnippets.org/snippets/1289/
+    #
     # it provides two template tags to use in HTML templates: breadcrumb and
     # breadcrumb_url.
+    #
     # The first allows creating of simple url, with the text portion and url
     # portion. Or only unlinked text (as the last item in breadcrumb trail for
     # example). The second, can actually take the named url with arguments.
     # Additionally it takes a title as the first argument.
+    #
     # Initial Author: Andriy Drozdyuk
     from django import template
     from django.template import loader, Node, Variable
     from django.utils.encoding import smart_str, smart_unicode
     from django.template.defaulttags import url
     from django.template import VariableDoesNotExist
     register = template.Library()
     @register.tag
     def breadcrumb(parser, token):
         """
         Renders the breadcrumb.
         Examples:
             {% breadcrumb "Title of breadcrumb" url_var %}
             {% breadcrumb context_var  url_var %}
             {% breadcrumb "Just the title" %}
             {% breadcrumb just_context_var %}
         Parameters:
         -First parameter is the title of the crumb,
         -Second (optional) parameter is the url variable to link to, produced by url tag, i.e.:
             {% url 'person_detail' object.id as person_url %}
             then:
             {% breadcrumb person.name person_url %}
         @author Andriy Drozdyuk
         """
         return BreadcrumbNode(token.split_contents()[1:])
     @register.tag
     def breadcrumb_url(parser, token):
         """
         Same as breadcrumb
         but instead of url context variable takes in all the
         arguments URL tag takes.
             {% breadcrumb "Title of breadcrumb" person_detail person.id %}
             {% breadcrumb person.name person_detail person.id %}
         """
         bits = token.split_contents()
         if len(bits)==2:
             return breadcrumb(parser, token)
         # Extract our extra title parameter
         title = bits.pop(1)
         token.contents = ' '.join(bits)
         url_node = url(parser, token)
         return UrlBreadcrumbNode(title, url_node)
     class BreadcrumbNode(Node):
         def __init__(self, vars):
             """
             First var is title, second var is url context variable
             """
             self.vars = map(Variable,vars)
         def render(self, context):
             title = self.vars[0].var
             if title.find("'")==-1 and title.find('"')==-1:
                 try:
                     val = self.vars[0]
                     title = val.resolve(context)
                 except:
                     title = ''
             else:
                 title=title.strip("'").strip('"')
                 title=smart_unicode(title)
             url = None
             if len(self.vars)>1:
                 val = self.vars[1]
                 try:
                     url = val.resolve(context)
                 except VariableDoesNotExist:
                     url = None
             return create_crumb(title, url)
     class UrlBreadcrumbNode(Node):
         def __init__(self, title, url_node):
             self.title = Variable(title)
             self.url_node = url_node
         def render(self, context):
             title = self.title.var
             if title.find("'")==-1 and title.find('"')==-1:
                 try:
                     val = self.title
                     title = val.resolve(context)
                 except:
                     title = ''
             else:
                 title=title.strip("'").strip('"')
                 title=smart_unicode(title)
             url = self.url_node.render(context)
             return create_crumb(title, url)
     def create_crumb(title, url=None):
         """
         Helper function
         """
         crumb = """<span class="breadcrumbs-arrow">""" \
                 """ > """ \
                 """</span>"""
         if url:
             crumb = "%s <a href='%s'>%s</a>" % (crumb, url, title)
         else:
             crumb = "%s %s" % (crumb, title)
         return crumb

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.conf.urls import url
     from authentic2.idp.interactions import consent_federation, consent_attributes
     from authentic2.idp.interactions import consent_federation
     urlpatterns = [
         url(r'^consent_federation', consent_federation,
             name='a2-consent-federation'),
         url(r'^consent_attributes', consent_attributes,
             name='a2-consent-attributes')
+    ]

     # -*- coding: utf-8 -*-
     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import string

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import logging
     from django.utils import six
     class RequestContextFilter(logging.Filter):
         DEFAULT_USERNAME = '-'
         DEFAULT_IP = '-'
-...
             user = self.DEFAULT_USERNAME
             ip = self.DEFAULT_IP
             request_id = self.DEFAULT_REQUEST_ID
             if not request is None:
             if request is not None:
                 if hasattr(request, 'user') and request.user.is_authenticated():
                     user = six.text_type(request.user)
                 ip = request.META.get('REMOTE_ADDR', self.DEFAULT_IP)

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import logging
     class SettingsLogLevel(int):
         def __new__(cls, default_log_level, debug_setting='DEBUG'):
             return super(SettingsLogLevel, cls).__new__(
-...
             self.debug_setting = debug_setting
             super(SettingsLogLevel, self).__init__()
     class DjangoLogger(logging.getLoggerClass()):
         def getEffectiveLevel(self):
             level = super(DjangoLogger, self).getEffectiveLevel()
-...
     logging.setLoggerClass(DjangoLogger)
     class DjangoRootLogger(DjangoLogger, logging.RootLogger):
         pass

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from __future__ import print_function
     import logging
-...
     from django.conf import settings
     logger = logging.getLogger(__name__)
     def print_table(table):
         col_width = [max(len(x) for x in col) for col in zip(*table)]
         for line in table:
             line = u"| " + u" | ".join(u"{0:>{1}}".format(x, col_width[i])
                                     for i, x in enumerate(line)) + u" |"
             line = u"| " + u" | ".join(u"{0:>{1}}".format(x, col_width[i]) for i, x in enumerate(line)) + u" |"
             print(line)
     class Command(BaseCommand):
         help = '''Clean unused accounts'''
-...
+            )
         def handle(self, *args, **options):
             log = logging.getLogger(__name__)
             try:
                 self.clean_unused_acccounts(*args, **options)
             except:
                 log.exception('failure while cleaning unused accounts')
             except Exception:
                 logger.exception('failure while cleaning unused accounts')
         def clean_unused_acccounts(self, *args, **options):
             if options['period'] < 1:
-...
             elif options['verbosity'] == '3':
                 logging.basicConfig(level=logging.DEBUG)
             log = logging.getLogger(__name__)
             n = now().replace(hour=0, minute=0, second=0, microsecond=0)
             self.fake = options['fake']
             self.from_email = options['from_email']
             if self.fake:
                 log.info('fake call to clean-unused-accounts')
                 logger.info('fake call to clean-unused-accounts')
             users = get_user_model().objects.all()
             if options['filter']:
                 for f in options['filter']:
                     key, value = f.split('=', 1)
                     try:
                         users = users.filter(**{key: value})
                     except:
                     except Exception:
                         raise CommandError('invalid --filter %s' % f)
             if options['alert_thresholds']:
                 alert_thresholds = options['alert_thresholds']
-...
                 try:
                     alert_thresholds = map(int, alert_thresholds)
                 except ValueError:
                     raise CommandError('alert_thresholds must be a comma '
                             'separated list of integers')
                     raise CommandError('alert_thresholds must be a comma separated list of integers')
                 for threshold in alert_thresholds:
                     if not (0 < threshold < clean_threshold):
                         raise CommandError('alert-threshold must a positive integer '
                                 'inferior to clean-threshold: 0 < %d < %d' % (
                                     threshold, clean_threshold))
                         raise CommandError(
                             'alert-threshold must a positive integer inferior to clean-threshold: 0 < %d < %d' % (
                                 threshold, clean_threshold))
                 for threshold in alert_thresholds:
                     a = n - datetime.timedelta(days=threshold)
                     b = n - datetime.timedelta(days=threshold-options['period'])
                     b = n - datetime.timedelta(days=threshold - options['period'])
                     for user in users.filter(last_login__lt=b, last_login__gte=a):
                         log.info('%s last login %d days ago, sending alert', user, threshold)
                         self.send_alert(user, threshold, clean_threshold-threshold)
                         logger.info('%s last login %d days ago, sending alert', user, threshold)
                         self.send_alert(user, threshold, clean_threshold - threshold)
             threshold = n - datetime.timedelta(days=clean_threshold)
             for user in users.filter(last_login__lt=threshold):
                 d = n - user.last_login
                 log.info('%s last login %d days ago, deleting user', user, d.days)
                 logger.info('%s last login %d days ago, deleting user', user, d.days)
                 self.delete_user(user, clean_threshold)
         def send_alert(self, user, threshold, clean_threshold):
             ctx = { 'user': user, 'threshold': threshold,
                     'clean_threshold': clean_threshold }
             ctx = {
                 'user': user,
                 'threshold': threshold,
                 'clean_threshold': clean_threshold
+            }
             self.send_mail('authentic2/unused_account_alert', user, ctx)
         def send_mail(self, prefix, user, ctx):
             log = logging.getLogger(__name__)
             if not user.email:
                 log.debug('%s has no email, no mail sent', user)
                 logger.debug('%s has no email, no mail sent', user)
             subject = render_to_string(prefix + '_subject.txt', ctx).strip()
             body = render_to_string(prefix + '_body.txt', ctx)
             if not self.fake:
                 try:
                     log.debug('sending mail to %s', user.email)
                     logger.debug('sending mail to %s', user.email)
                     send_mail(subject, body, self.from_email, [user.email])
                 except:
                     log.exception('email sending failure')
                 except Exception:
                     logger.exception('email sending failure')
         def delete_user(self, user, threshold):
             ctx = { 'user': user, 'threshold': threshold }
             self.send_mail('authentic2/unused_account_delete', user,
                     ctx)
             ctx = {
                 'user': user,
                 'threshold': threshold
+            }
             self.send_mail('authentic2/unused_account_delete', user, ctx)
             if not self.fake:
                 DeletedUser.objects.delete_user(user)

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import json
     import sys
     from django.core.management.base import BaseCommand
     from authentic2.data_transfer import export_site
     from django_rbac.utils import get_role_model
     class Command(BaseCommand):

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import contextlib
     import json
     import sys

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import argparse
     import logging
     import json
-...
     from django.core.management.base import BaseCommand
     from django.contrib.auth import get_user_model
     from django.db.transaction import atomic
     from authentic2.compat import atomic
     from authentic2.hashers import olap_password_to_dj
     from authentic2.models import Attribute
-...
                 self.callback = d.get('callback')
             ldif.LDIFParser.__init__(self, *args, **kwargs)
         def handle(self, dn, entry):
             User = get_user_model()
             if self.object_class not in entry['objectClass']:
-...
                 m.extend(self.callback(u, dn, entry, self.options, d))
             if 'username' not in d:
                 self.log.warning('cannot load dn %s, username cannot be initialized from the field %s',
                         dn, self.options['username'])
                                  dn, self.options['username'])
                 return
             try:
                 old = User.objects.get(username=d['username'])
-...
         def parse(self, *args, **kwargs):
             ldif.LDIFParser.parse(self, *args, **kwargs)
             if self.options['result']:
                 with file(self.options['result'], 'w') as f:
                 with open(self.options['result'], 'w') as f:
                     json.dump(self.json, f)
-...
         def __call__(self, parser, namespace, values, option_string=None):
             ldap_attribute, django_attribute = values
             try:
                 attribute = Attribute.objects.get(name=django_attribute)
                 Attribute.objects.get(name=django_attribute)
             except Attribute.DoesNotExist:
                 raise argparse.ArgumentTypeError(
                     'django attribute %s does not exist' % django_attribute)
                 raise argparse.ArgumentTypeError('django attribute %s does not exist' % django_attribute)
             res = getattr(namespace, self.dest, {})
             res[ldap_attribute] = django_attribute
             setattr(namespace, self.dest, res)
-...
             options['verbosity'] = int(options['verbosity'])
             ldif_files = options.pop('ldif_file')
             for arg in ldif_files:
                 f = file(arg)
                 f = open(arg)
                 parser = DjangoUserLDIFParser(f, options=options, command=self)
                 parser.parse()
                 if not options['fake']:

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import getpass
     from django.contrib.auth import get_user_model
-...
     from authentic2.utils import generate_password
     from authentic2.models import PasswordReset
     User = get_user_model()
     class Command(BaseCommand):
         help = "Reset a user's password for django.contrib.auth."
-...
             if not username:
                 username = getpass.getuser()
             UserModel = get_user_model()
             try:
                 u = UserModel._default_manager.using(options.get('database')).get(**{
                         UserModel.USERNAME_FIELD: username
                     })
             except UserModel.DoesNotExist:
                 u = User._default_manager.using(options.get('database')).get(**{
                     User.USERNAME_FIELD: username
                 })
             except User.DoesNotExist:
                 raise CommandError("user '%s' does not exist" % username)
             p1 = generate_password()
-...
             u.set_password(p1)
             u.save()
             PasswordReset.objects.get_or_create(user=u)
             return "Password changed successfully for user '%s', on next login he will be forced to change its password." % u
             return (
                 'Password changed successfully for user "%s", on next login he '
                 'will be forced to change its password.' % u)

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from __future__ import print_function
     import logging
-...
     from django.contrib.auth import get_user_model
     from django.core.management.base import BaseCommand
     from django.utils import six
     from optparse import make_option
     COMMAND = 1
     ATTR = 2
-...
         'email': 'mail',
+    }
     def unescape_filter_chars(s):
         return re.sub(r'\\..', lambda s: s.group()[1:].decode('hex'), s)
     class Command(BaseCommand):
         help = 'OpenLDAP shell backend'
         def ldap(self, command, attrs):
             self.logger.debug('received command %s %s', command, attrs)
             if command == 'SEARCH':

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     try:
         import ldap
         from ldap.filter import filter_format
         from ldap.filter import filter_format  # noqa: F401
     except ImportError:
         ldap = None
     from django.core.management.base import BaseCommand, CommandError
     from django.core.management.base import BaseCommand
     from authentic2.backends.ldap_backend import LDAPBackend
     class Command(BaseCommand):
     class Command(BaseCommand):
         def handle(self, *args, **kwargs):
             list(LDAPBackend.get_users())

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     default_app_config = 'authentic2.manager.apps.AppConfig'

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import sys

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.apps import AppConfig
-...
         def ready(self):
             from django.db.models.signals import post_save
             from django_rbac.utils import get_ou_model
             from django_select2 import conf
             post_save.connect(
                 self.post_save_ou,

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django import forms
     from . import widgets

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import hashlib
     import smtplib
     import logging
-...
     from django.utils.translation import ugettext_lazy as _, pgettext
     from django import forms
     from django.contrib.contenttypes.models import ContentType
     from django.contrib.auth import get_user_model
     from django.db.models.query import Q
     from django.utils import six
     from django.utils.text import slugify
     from django.core.exceptions import ValidationError
     from authentic2.compat import get_user_model
     from authentic2.passwords import generate_password
     from authentic2.utils import send_templated_mail
     from authentic2.forms.fields import NewPasswordField, CheckPasswordField
-...
     from django_rbac.utils import get_ou_model, get_role_model, get_permission_model
     from django_rbac.backends import DjangoRBACBackend
     from authentic2.forms import BaseUserForm
     from authentic2.forms.profile import BaseUserForm
     from authentic2.models import PasswordReset
     from authentic2.utils import import_module_or_class
     from authentic2.a2_rbac.utils import get_default_ou
-...
     from . import fields, app_settings, utils
     User = get_user_model()
     logger = logging.getLogger(__name__)
-...
                     self.data._mutable = False
         def clean(self):
             if (self.instance.has_usable_password() and (
                     'username' in self.fields or
                     'email' in self.fields)):
             if (self.instance.has_usable_password()
                     and ('username' in self.fields
                          or 'email' in self.fields)):
                 if not self.cleaned_data.get('username') and \
                    not self.cleaned_data.get('email'):
                     raise forms.ValidationError(
                         _('You must set a username or an email.'))
             User = get_user_model()
             if self.cleaned_data.get('email'):
                 qs = User.objects.all()
                 ou = getattr(self, 'ou', None)
-...
                     })
         class Meta:
             model = get_user_model()
             model = User
             exclude = ('is_staff', 'groups', 'user_permissions', 'last_login',
                        'date_joined', 'password')
-...
         def clean(self):
             super(UserChangePasswordForm, self).clean()
             if (self.require_password and
                     not self.cleaned_data.get('generate_password') and
                     not self.cleaned_data.get('password1') and
                     not self.cleaned_data.get('send_password_reset')):
             if (self.require_password
                     and not self.cleaned_data.get('generate_password')
                     and not self.cleaned_data.get('password1')
                     and not self.cleaned_data.get('send_password_reset')):
                 raise forms.ValidationError(
                     _('You must choose password generation or type a new'
                       '  one or send a password reset mail'))
             if (not self.has_email() and
                 (self.cleaned_data.get('send_mail') or
                  self.cleaned_data.get('generate_password' or
                  self.cleaned_data.get('send_password_reset')))):
             if (not self.has_email()
                     and (self.cleaned_data.get('send_mail')
                          or self.cleaned_data.get('generate_password')
                          or self.cleaned_data.get('send_password_reset'))):
                 raise forms.ValidationError(
                     _('User does not have a mail, we cannot send the '
                       'informations to him.'))
-...
             required=False)
         class Meta:
             model = get_user_model()
             model = User
             fields = ()
-...
             # check if this account is going to be real online account, i.e. with a
             # password, it it's the case complain that there is no identifiers.
             has_password = (
                 self.cleaned_data.get('new_password1') or
                 self.cleaned_data.get('generate_password') or
                 self.cleaned_data.get('send_password_reset'))
                 self.cleaned_data.get('new_password1')
                 or self.cleaned_data.get('generate_password')
                 or self.cleaned_data.get('send_password_reset'))
             if (has_password and
                     not self.cleaned_data.get('username') and
                     not self.cleaned_data.get('email')):
             if (has_password
                     and not self.cleaned_data.get('username')
                     and not self.cleaned_data.get('email')):
                 raise forms.ValidationError(
                     _('You must set a username or an email to set a password or send an activation link.'))
-...
             return user
         class Meta:
             model = get_user_model()
             model = User
             fields = '__all__'
             exclude = ('ou',)
-...
         class Meta:
             fields = ()
     class SiteImportForm(forms.Form):
         site_json = forms.FileField(
             label=_('Site Export File'))

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import json
     from django_rbac.utils import get_ou_model

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.contrib.auth import get_user_model
     from django.utils import six
     from import_export.resources import ModelResource
     from import_export.fields import Field
     from import_export.widgets import Widget
     from authentic2.compat import get_user_model
     from authentic2.a2_rbac.models import Role
     User = get_user_model()
     class ListWidget(Widget):
         def clean(self, value):
-...
             return ', '.join(map(six.text_type, result))
         class Meta:
             model = get_user_model()
             model = User
             exclude = ('password', 'user_permissions', 'is_staff',
                        'is_superuser', 'groups')
             export_order = ('ou', 'uuid', 'id', 'username', 'email',

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import json
     from django.core.exceptions import PermissionDenied
     from django.utils.translation import ugettext_lazy as _
     from django.views.generic import ListView, FormView, TemplateView
     from django.views.generic.edit import FormMixin, DeleteView
     from django.views.generic import FormView, TemplateView
     from django.views.generic.detail import SingleObjectMixin
     from django.contrib import messages
     from django.contrib.contenttypes.models import ContentType
     from django.db.models.query import Q
     from django.db.models import Count
     from django.core.urlresolvers import reverse
     from django.http import Http404
     from django.contrib.auth import get_user_model
     from django_rbac.utils import get_role_model, get_permission_model, \
         get_role_parenting_model, get_ou_model
     from django_rbac.utils import get_role_model, get_permission_model, get_ou_model
     from authentic2.utils import redirect
     from authentic2 import hooks, data_transfer
-...
             # only non role-admin roles, they are accessed through the
             # RoleManager views
             if not self.admin_roles:
                 qs = qs.filter(Q(admin_scope_ct__isnull=True) |
                                Q(admin_scope_ct=permission_ct,
                                  admin_scope_id__in=permission_qs))
                 qs = qs.filter(
                     Q(admin_scope_ct__isnull=True) | Q(admin_scope_ct=permission_ct, admin_scope_id__in=permission_qs))
             if not self.service_roles:
                 qs = qs.filter(service__isnull=True)
             return qs
-...
         def get_context_data(self, **kwargs):
             ctx = super(RoleMembersView, self).get_context_data(**kwargs)
             ctx['children'] = views.filter_view(self.request,
                                                 self.object.children(include_self=False,
                                                 annotate=True))
             ctx['parents'] = views.filter_view(self.request,
                                                self.object.parents(include_self=False,
                                                annotate=True))
                                                 self.object.children(include_self=False, annotate=True))
             ctx['parents'] = views.filter_view(self.request, self.object.parents(include_self=False, annotate=True))
             ctx['admin_roles'] = views.filter_view(self.request,
                                                    self.object.get_admin_role().children(
                                                        include_self=False, annotate=True))
                                                    self.object.get_admin_role().children(include_self=False,
                                                                                          annotate=True))
             return ctx
     members = RoleMembersView.as_view()
-...
     class RoleAddAdminRoleView(views.AjaxFormViewMixin, views.TitleMixin,
                            views.PermissionMixin, SingleObjectMixin, FormView):
                                views.PermissionMixin, SingleObjectMixin, FormView):
         title = _('Add admin role')
         model = get_role_model()
         form_class = forms.RolesForm
-...
     add_admin_role = RoleAddAdminRoleView.as_view()
     class RoleRemoveAdminRoleView(views.TitleMixin, views.AjaxFormViewMixin, SingleObjectMixin,
                               views.PermissionMixin, TemplateView):
     class RoleRemoveAdminRoleView(views.TitleMixin, views.AjaxFormViewMixin,
                                   SingleObjectMixin, views.PermissionMixin,
                                   TemplateView):
         title = _('Remove admin role')
         model = get_role_model()
         success_url = '../..'
-...
     class RoleAddAdminUserView(views.AjaxFormViewMixin, views.TitleMixin,
                            views.PermissionMixin, SingleObjectMixin, FormView):
                                views.PermissionMixin, SingleObjectMixin, FormView):
         title = _('Add admin user')
         model = get_role_model()
         form_class = forms.UsersForm
-...
     add_admin_user = RoleAddAdminUserView.as_view()
     class RoleRemoveAdminUserView(views.TitleMixin, views.AjaxFormViewMixin, SingleObjectMixin,
                               views.PermissionMixin, TemplateView):
     class RoleRemoveAdminUserView(views.TitleMixin, views.AjaxFormViewMixin,
                                   SingleObjectMixin, views.PermissionMixin,
                                   TemplateView):
         title = _('Remove admin user')
         model = get_role_model()
         success_url = '../..'

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.utils import six
     from django.utils.translation import ugettext as _
     from django.contrib import messages
     from django.shortcuts import get_object_or_404
     from authentic2.models import Service

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.contrib.auth import get_user_model
     from django.utils.translation import ugettext_lazy as _
     from django.utils.safestring import mark_safe
     from django.contrib.auth.models import Group
     import django_tables2 as tables
     from django_tables2.utils import A
-...
         get_ou_model
     from authentic2.models import Service
     from authentic2.compat import get_user_model
     from authentic2.middleware import StoreRequestMiddleware
     User = get_user_model()
     class PermissionLinkColumn(tables.LinkColumn):
         def __init__(self, viewname, **kwargs):
-...
         ou = tables.Column()
         class Meta:
             model = get_user_model()
             model = User
             attrs = {'class': 'main', 'id': 'user-table'}
             fields = ('username', 'email', 'first_name',
                       'last_name', 'is_active', 'email_verified', 'ou')
-...
         via = tables.TemplateColumn(
             '''{% for rel in record.via %}{{ rel.child }} {% if not forloop.last %}, {% endif %}{% endfor %}''',
             verbose_name=_('Inherited from'), orderable=False)
         member = tables.TemplateColumn('''{% load i18n %}<input class="role-member{% if not record.member and record.via %} indeterminate{% endif %}" name='role-{{ record.pk }}' type='checkbox' {% if record.member %}checked{% endif %} {% if not record.has_perm %}disabled title="{% trans "You are not authorized to manage this role" %}"{% endif %}/>''',
                                       verbose_name=_('Member'), order_by=('member', 'via', 'name'))
         member = tables.TemplateColumn(
             '{% load i18n %}<input class="role-member{% if not record.member and record.via %} '
             'indeterminate{% endif %}"'
             ' name="role-{{ record.pk }}" type="checkbox" {% if record.member %}checked{% endif %} '
             '{% if not record.has_perm %}disabled '
             'title="{% trans "You are not authorized to manage this role" %}"{% endif %}/>',
             verbose_name=_('Member'),
             order_by=('member', 'via', 'name'))
         class Meta:
             models = get_role_model()
-...
                                  accessor='name', verbose_name=_('label'))
         ou = tables.Column()
         via = tables.TemplateColumn(
             '''{% if not record.member %}{% for rel in record.child_relation.all %}{{ rel.child }} {% if not forloop.last %}, {% endif %}{% endfor %}{% endif %}''',
             verbose_name=_('Inherited from'), orderable=False)
             '{% if not record.member %}{% for rel in record.child_relation.all %}'
             '{{ rel.child }} {% if not forloop.last %}, {% endif %}{% endfor %}'
             '{% endif %}',
             verbose_name=_('Inherited from'),
             orderable=False)
         class Meta:
             models = get_role_model()

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.conf.urls import url
     from django.views.i18n import javascript_catalog
-...
+    )
     urlpatterns += [
             url(r'^jsi18n/$', javascript_catalog,
                 {'packages': ('authentic2.manager',)},
                 name='a2-manager-javascript-catalog'),
         url(r'^jsi18n/$',
             javascript_catalog,
             {'packages': ('authentic2.manager',)},
             name='a2-manager-javascript-catalog'),
         url(r'^select2.json$', views.select2, name='django_select2-json'),
+    ]

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import datetime
     import uuid
     import collections
     from django.db import models
     from django.utils.translation import ugettext_lazy as _, ugettext
     from django.utils.http import urlsafe_base64_encode
     from django.utils.encoding import force_bytes
     from django.utils.html import format_html
     from django.core.mail import EmailMultiAlternatives
     from django.template import loader
-...
     from django.contrib.auth import get_user_model
     from django.contrib.contenttypes.models import ContentType
     from django.contrib import messages
     from django.http import HttpResponseRedirect, QueryDict
     from django.views.generic.detail import SingleObjectMixin
     from django.views.generic import View
     from import_export.fields import Field
     import tablib
     from authentic2.constants import SWITCH_USER_SESSION_KEY
     from authentic2.models import Attribute, AttributeValue, PasswordReset
     from authentic2.utils import switch_user, send_password_reset_mail, redirect, select_next_url
     from authentic2.a2_rbac.utils import get_default_ou
-...
     def user_add_default_ou(request):
         ou = get_default_ou()
         return redirect(request, 'a2-manager-user-add', kwargs={'ou_pk': ou.id},
                 keep_params=True)
         return redirect(request, 'a2-manager-user-add', kwargs={'ou_pk': ou.id}, keep_params=True)
     class UserDetailView(OtherActionsMixin, BaseDetailView):
-...
             response = super(UserChangeEmailView, self).form_valid(form)
             new_email = form.cleaned_data['new_email']
             hooks.call_hooks(
                     'event',
                     name='manager-change-email-request',
                     user=self.request.user,
                     instance=form.instance,
                     form=form,
                     email=new_email)
                 'event',
                 name='manager-change-email-request',
                 user=self.request.user,
                 instance=form.instance,
                 form=form,
                 email=new_email)
             return response
     user_change_email = UserChangeEmailView.as_view()

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django_rbac.utils import get_ou_model

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import json
     import inspect
-...
     from django_rbac.utils import get_ou_model
     from authentic2.data_transfer import export_site, import_site, DataImportError, ImportContext
     from authentic2.forms import modelform_factory, SiteImportForm
     from authentic2.forms.profile import modelform_factory
     from authentic2.utils import redirect, batch_queryset
     from authentic2.decorators import json as json_view
     from authentic2 import hooks
     from . import app_settings, utils
     from . import app_settings, utils, forms
     # https://github.com/MongoEngine/django-mongoengine/blob/master/django_mongoengine/views/edit.py
-...
         def get_table(self, **kwargs):
             OU = get_ou_model()
             exclude_ou = False
             if (hasattr(self, 'search_form') and self.search_form.is_valid() and
                     self.search_form.cleaned_data.get('ou') is not None):
             if (hasattr(self, 'search_form')
                     and self.search_form.is_valid()
                     and self.search_form.cleaned_data.get('ou') is not None):
                 exclude_ou = True
             if OU.objects.count() < 2:
                 exclude_ou = True
-...
     class SiteImportView(MediaMixin, FormView):
         form_class = SiteImportForm
         form_class = forms.SiteImportForm
         template_name = 'authentic2/manager/site_import.html'
         success_url = reverse_lazy('a2-manager-homepage')

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import operator
     from django_select2.forms import ModelSelect2Widget, ModelSelect2MultipleWidget

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from datetime import timedelta
     import logging
-...
     from django.db import models
     from django.db.models.query import QuerySet
     from django.utils.timezone import now
     from django.utils.http import urlquote
     from django.conf import settings
     from django.contrib.contenttypes.models import ContentType

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import logging
     import datetime
     import random
-...
     from . import app_settings, utils, plugins
     class ThreadCollector(object):
         def __init__(self):
             if threading is None:
-...
     MESSAGE_IF_STRING_REPRESENTATION_INVALID = '[Could not get log message]'
     class ThreadTrackingHandler(logging.Handler):
         def __init__(self, collector):
             logging.Handler.__init__(self)
-...
     logging_handler = ThreadTrackingHandler(collector)
     logging.root.addHandler(logging_handler)
     class LoggingCollectorMiddleware(object):
         def process_request(self, request):
             collector.clear_collection()
-...
                 request.logs = collector.get_collection()
                 request.exception = exception
     class CollectIPMiddleware(object):
         def process_response(self, request, response):
             # only collect IP if session is used
-...
                 request.session.modified = True
             return response
     class OpenedSessionCookieMiddleware(object):
         def process_response(self, request, response):
             # do not emit cookie for API requests
-...
                 response.delete_cookie(name, domain=domain)
             return response
     class RequestIdMiddleware(object):
         def process_request(self, request):
             if not hasattr(request, 'request_id'):
-...
                         hexlify(struct.pack('I', random_id)),
                         encoding='ascii')
     class StoreRequestMiddleware(object):
         collection = {}
-...
         def get_request(cls):
             return cls.collection.get(threading.currentThread())
     class ViewRestrictionMiddleware(object):
         RESTRICTION_SESSION_KEY = 'view-restriction'
-...
                 messages.warning(request, _('You must change your password to continue'))
             return utils.redirect_and_come_back(request, view)
     class XForwardedForMiddleware(object):
         '''Copy the first address from X-Forwarded-For header to the REMOTE_ADDR meta.
-...
                 request.META['REMOTE_ADDR'] = request.META['HTTP_X_FORWARDED_FOR'].split(",")[0].strip()
                 return None
     class DisplayMessageBeforeRedirectMiddleware(object):
         '''Verify if messages are currently stored and if there is a redirection to another domain, in
            this case show an intermediate page.
-...
     class ServiceAccessControlMiddleware(object):
         def process_exception(self, request, exception):
             if not isinstance(exception, (utils.ServiceAccessDenied,)):
                 return None

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import time
     import uuid
     from django.utils.http import urlquote
-...
     from django.utils import six
     from django.utils.translation import ugettext_lazy as _
     from django.utils.six.moves.urllib import parse as urlparse
     from django.core.exceptions import ValidationError, FieldDoesNotExist
     from django.core.exceptions import ValidationError
     from django.contrib.contenttypes.models import ContentType
     from model_utils.managers import QueryManager
     from authentic2.a2_rbac.models import Role
     from authentic2.a2_rbac.utils import get_default_ou
     from django_rbac.utils import get_role_model_name
     try:
         from django.contrib.contenttypes.fields import GenericForeignKey
     except ImportError:
         from django.contrib.contenttypes.generic import GenericForeignKey
     from django.contrib.contenttypes.models import ContentType
     from . import managers
     # install our natural_key implementation
     from . import natural_key
     from . import natural_key as unused_natural_key  # noqa: F401
     from .utils import ServiceAccessDenied
-...
         objects = managers.DeletedUserManager()
         user = models.ForeignKey(settings.AUTH_USER_MODEL,
                 verbose_name=_('user'))
         creation = models.DateTimeField(auto_now_add=True,
                 verbose_name=_('creation date'))
         user = models.ForeignKey(settings.AUTH_USER_MODEL, verbose_name=_('user'))
         creation = models.DateTimeField(auto_now_add=True, verbose_name=_('creation date'))
         class Meta:
             verbose_name = _('user to delete')
             verbose_name_plural = _('users to delete')
     @six.python_2_unicode_compatible
     class UserExternalId(models.Model):
         user = models.ForeignKey(settings.AUTH_USER_MODEL,
                 verbose_name=_('user'))
         source = models.CharField(max_length=256,
                 verbose_name=_('source'))
         external_id = models.CharField(max_length=256,
                 verbose_name=_('external id'))
         created = models.DateTimeField(auto_now_add=True,
                 verbose_name=_('creation date'))
         updated = models.DateTimeField(auto_now=True,
                 verbose_name=_('last update date'))
         user = models.ForeignKey(settings.AUTH_USER_MODEL, verbose_name=_('user'))
         source = models.CharField(max_length=256, verbose_name=_('source'))
         external_id = models.CharField(max_length=256, verbose_name=_('external id'))
         created = models.DateTimeField(auto_now_add=True, verbose_name=_('creation date'))
         updated = models.DateTimeField(auto_now=True, verbose_name=_('last update date'))
         def __str__(self):
             return u'{0} is {1} on {2}'.format(
                     self.user, self.external_id, self.source)
             return u'{0} is {1} on {2}'.format(self.user, self.external_id, self.source)
         def __repr__(self):
             return '<UserExternalId user: {0!r} source: {1!r} ' \
-...
             verbose_name = _('user external id')
             verbose_name_plural = _('user external ids')
     @six.python_2_unicode_compatible
     class AuthenticationEvent(models.Model):
         '''Record authentication events whatever the source'''
         when = models.DateTimeField(auto_now=True,
                 verbose_name=_('when'))
         who = models.CharField(max_length=80,
                 verbose_name=_('who'))
         how = models.CharField(max_length=32,
                 verbose_name=_('how'))
         nonce = models.CharField(max_length=255,
                 verbose_name=_('nonce'))
         when = models.DateTimeField(auto_now=True, verbose_name=_('when'))
         who = models.CharField(max_length=80, verbose_name=_('who'))
         how = models.CharField(max_length=32, verbose_name=_('how'))
         nonce = models.CharField(max_length=255, verbose_name=_('nonce'))
         objects = managers.AuthenticationEventManager()
-...
             return _('Authentication of %(who)s by %(how)s at %(when)s') % \
                 self.__dict__
     class LogoutUrlAbstract(models.Model):
         logout_url = models.URLField(verbose_name=_('url'), help_text=_('you can use a {} '
             'to pass the URL of the success icon, ex.: '
             'http://example.com/logout?next={}'), max_length=255, blank=True, null=True)
         logout_url = models.URLField(
             verbose_name=_('url'),
             help_text=_('you can use a {} to pass the URL of the success icon, '
                         'ex.: http://example.com/logout?next={}'),
             max_length=255,
             blank=True,
             null=True)
         logout_use_iframe = models.BooleanField(
                 verbose_name=_('use an iframe instead of an img tag for logout'),
                 default=False)
             verbose_name=_('use an iframe instead of an img tag for logout'),
             default=False)
         logout_use_iframe_timeout = models.PositiveIntegerField(
                 verbose_name=_('iframe logout timeout (ms)'),
                 help_text=_('if iframe logout is used, it\'s the time between the '
                     'onload event for this iframe and the moment we consider its '
                     'loading to be really finished'),
                 default=300)
             verbose_name=_('iframe logout timeout (ms)'),
             help_text=_('if iframe logout is used, it\'s the time between the '
                         'onload event for this iframe and the moment we consider its '
                         'loading to be really finished'),
             default=300)
         def get_logout_url(self, request):
             ok_icon_url = request.build_absolute_uri(urlparse.urljoin(settings.STATIC_URL,
                     'authentic2/images/ok.png')) + '?nonce=%s' % time.time()
             ok_icon_url = (
                 request.build_absolute_uri(urlparse.urljoin(settings.STATIC_URL, 'authentic2/images/ok.png'))
                 + '?nonce=%s' % time.time())
             return self.logout_url.format(urlquote(ok_icon_url))
         class Meta:
-...
     class LogoutUrl(LogoutUrlAbstract):
         content_type = models.ForeignKey(ContentType,
                 verbose_name=_('content type'))
         object_id = models.PositiveIntegerField(
                 verbose_name=_('object identifier'))
         content_type = models.ForeignKey(ContentType, verbose_name=_('content type'))
         object_id = models.PositiveIntegerField(verbose_name=_('object identifier'))
         provider = GenericForeignKey('content_type', 'object_id')
         class Meta:
-...
     @six.python_2_unicode_compatible
     class Attribute(models.Model):
         label = models.CharField(verbose_name=_('label'), max_length=63,
                 unique=True)
         label = models.CharField(verbose_name=_('label'), max_length=63, unique=True)
         description = models.TextField(verbose_name=_('description'), blank=True)
         name = models.SlugField(verbose_name=_('name'), max_length=256,
                 unique=True)
         required = models.BooleanField(
                 verbose_name=_('required'),
                 blank=True, default=False)
         asked_on_registration = models.BooleanField(
                 verbose_name=_('asked on registration'),
                 blank=True, default=False)
         user_editable = models.BooleanField(
                 verbose_name=_('user editable'),
                 blank=True, default=False)
         user_visible = models.BooleanField(
                 verbose_name=_('user visible'),
                 blank=True, default=False)
         multiple = models.BooleanField(
                 verbose_name=_('multiple'),
                 blank=True, default=False)
         kind = models.CharField(max_length=16,
                 verbose_name=_('kind'))
         disabled = models.BooleanField(verbose_name=_('disabled'),
                                        blank=True, default=False)
         searchable = models.BooleanField(
             verbose_name=_('searchable'),
             blank=True, default=False)
         name = models.SlugField(verbose_name=_('name'), max_length=256, unique=True)
         required = models.BooleanField(verbose_name=_('required'), blank=True, default=False)
         asked_on_registration = models.BooleanField(verbose_name=_('asked on registration'), blank=True, default=False)
         user_editable = models.BooleanField(verbose_name=_('user editable'), blank=True, default=False)
         user_visible = models.BooleanField(verbose_name=_('user visible'), blank=True, default=False)
         multiple = models.BooleanField(verbose_name=_('multiple'), blank=True, default=False)
         kind = models.CharField(max_length=16, verbose_name=_('kind'))
         disabled = models.BooleanField(verbose_name=_('disabled'), blank=True, default=False)
         searchable = models.BooleanField(verbose_name=_('searchable'), blank=True, default=False)
         scopes = models.CharField(
             verbose_name=_('scopes'),
-...
                 for value in values:
                     content = serialize(value)
                     av, created = AttributeValue.objects.get_or_create(
                             content_type=ContentType.objects.get_for_model(owner),
                             object_id=owner.pk,
                             attribute=self,
                             multiple=True,
                             content=content,
                             defaults={'verified': verified})
                         content_type=ContentType.objects.get_for_model(owner),
                         object_id=owner.pk,
                         attribute=self,
                         multiple=True,
                         content=content,
                         defaults={'verified': verified})
                     if not created:
                         av.verified = verified
                         av.save()
-...
                     av, created = attribute_value, False
                 else:
                     av, created = AttributeValue.objects.get_or_create(
                             content_type=ContentType.objects.get_for_model(owner),
                             object_id=owner.pk,
                             attribute=self,
                             multiple=False,
                             defaults={'content': content, 'verified': verified})
                         content_type=ContentType.objects.get_for_model(owner),
                         object_id=owner.pk,
                         attribute=self,
                         multiple=False,
                         defaults={'content': content, 'verified': verified})
                 if not created and (av.content != content or av.verified != verified):
                     av.content = content
                     av.verified = verified
-...
     class AttributeValue(models.Model):
         content_type = models.ForeignKey('contenttypes.ContentType',
                 verbose_name=_('content type'))
         object_id = models.PositiveIntegerField(
                 verbose_name=_('object identifier'),
                 db_index=True)
         content_type = models.ForeignKey('contenttypes.ContentType', verbose_name=_('content type'))
         object_id = models.PositiveIntegerField(verbose_name=_('object identifier'), db_index=True)
         owner = GenericForeignKey('content_type', 'object_id')
         attribute = models.ForeignKey('Attribute',
                 verbose_name=_('attribute'))
         attribute = models.ForeignKey(
             'Attribute',
             verbose_name=_('attribute'))
         multiple = models.BooleanField(default=False)
         content = models.TextField(verbose_name=_('content'), db_index=True)
-...
     @six.python_2_unicode_compatible
     class PasswordReset(models.Model):
         user = models.OneToOneField(settings.AUTH_USER_MODEL,
                 verbose_name=_('user'))
         user = models.OneToOneField(settings.AUTH_USER_MODEL, verbose_name=_('user'))
         def save(self, *args, **kwargs):
             if self.user_id and not self.user.has_usable_password():
-...
             verbose_name = _('base service model')
             verbose_name_plural = _('base service models')
             unique_together = (
                     ('slug', 'ou'),
                 ('slug', 'ou'),
+            )
         def natural_key(self):
-...
         def to_json(self, roles=None):
             if roles is None:
                 roles = Role.objects.all()
             roles = roles.filter(Q(service=self)|Q(ou=self.ou, service__isnull=True))
             roles = roles.filter(Q(service=self) | Q(ou=self.ou, service__isnull=True))
             return {
                 'name': self.name,
                 'slug': self.slug,

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.db import models
     from django.contrib.contenttypes.models import ContentType

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from authentic2.nonce.utils import accept_nonce, cleanup_nonces
     __all__ = ('accept_nonce', 'cleanup_nonces')

     import datetime as dt
     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.db import models
     from django.utils import timezone, six
-...
     _NONCE_LENGTH_CONSTANT = 256
     class NonceManager(models.Manager):
         def cleanup(self, now=None):
             now = now or timezone.now()
             self.filter(not_on_or_after__lt=now).delete()
     @six.python_2_unicode_compatible
     class Nonce(models.Model):
         value = models.CharField(max_length=_NONCE_LENGTH_CONSTANT)
         context = models.CharField(max_length=_NONCE_LENGTH_CONSTANT, blank=True,
                 null=True)
         context = models.CharField(max_length=_NONCE_LENGTH_CONSTANT, blank=True, null=True)
         not_on_or_after = models.DateTimeField(blank=True, null=True)
         objects  = NonceManager()
         objects = NonceManager()
         def __str__(self):
             return self.value

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import os.path
     import datetime as dt
     from calendar import timegm
-...
     STORAGE_MODEL = 'model'
     STORAGE_FILESYSTEM = 'fs:'
     def compute_not_on_or_after(now, not_on_or_after):
         try: # first try integer semantic
         try:  # first try integer semantic
             seconds = int(not_on_or_after)
             not_on_or_after = now + dt.timedelta(seconds=seconds)
         except ValueError:
             try: # try timedelta semantic
             try:  # try timedelta semantic
                 not_on_or_after = now + not_on_or_after
             except TypeError: # datetime semantic
             except TypeError:  # datetime semantic
                 pass
         return not_on_or_after
-...
     # condition errors.  But any other OSError is problematic and should be
     # reported to the administrator by mail and so we let it unroll the stack
     def unlink_if_exists(path):
         try:
             os.unlink(path)
-...
             if e.errno != errno.ENOENT:
                 raise
     def accept_nonce_file_storage(path, now, value, context=None,
             not_on_or_after=None):
     def accept_nonce_file_storage(path, now, value, context=None, not_on_or_after=None):
         '''
            Use a directory as a storage for nonce-context values. The last
            modification time is used to store the expiration timestamp.
-...
             return False
         return True
     def accept_nonce_model(now, value, context=None, not_on_or_after=None):
         import models
         if not_on_or_after:
             not_on_or_after = compute_not_on_or_after(now, not_on_or_after)
         nonce, created = models.Nonce.objects.get_or_create(value=value,
                 context=context)
         nonce, created = models.Nonce.objects.get_or_create(value=value, context=context)
         if created or (nonce.not_on_or_after and nonce.not_on_or_after < now):
             nonce.not_on_or_after = not_on_or_after
             nonce.save()
-...
         else:
             return False
     def cleanup_nonces_file_storage(dir_path, now):
         for nonce_path in glob.iglob(os.path.join(dir_path, '*')):
             now_time = timegm(now.utctimetuple())
-...
                         continue
                     raise
     def cleanup_nonces(now=None):
         '''
            Cleanup stored nonce whose timestamp has expired, i.e.
-...
         else:
             raise ValueError('Invalid NONCE_STORAGE setting: %r' % mode)
     def accept_nonce(value, context=None, not_on_or_after=None, now=None):
         '''
            Verify that the given nonce value has not already been seen in the
-...
         now = now or dt.datetime.now()
         mode = getattr(settings, 'NONCE_STORAGE', STORAGE_MODEL)
         if mode == STORAGE_MODEL:
             return accept_nonce_model(now, value, context=context,
                     not_on_or_after=not_on_or_after)
             return accept_nonce_model(now, value, context=context, not_on_or_after=not_on_or_after)
         elif mode.startswith(STORAGE_FILESYSTEM):
             dir_path = mode[len(STORAGE_FILESYSTEM):]
             return accept_nonce_file_storage(dir_path, now, value,
                     context=context, not_on_or_after=not_on_or_after)
             return accept_nonce_file_storage(dir_path, now, value, context=context, not_on_or_after=not_on_or_after)
         else:
             raise ValueError('Invalid NONCE_STORAGE setting: %r' % mode)

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import string
     import random
     import re
-...
     from django.utils.translation import ugettext as _
     from django.utils.module_loading import import_string
     from django.utils.functional import lazy
     from django.utils.safestring import mark_safe
     from django.utils import six
     from django.core.exceptions import ValidationError
     from . import app_settings

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     """
         Use setuptools entrypoints to find plugins
-...
     PLUGIN_CACHE = {}
     class PluginError(Exception):
         pass
     DEFAULT_GROUP_NAME = 'authentic2.plugin'
     def get_plugins(group_name=DEFAULT_GROUP_NAME, use_cache=True, *args, **kwargs):
         '''Traverse all entry points for group_name and instantiate them using args
            and kwargs.
-...
         PLUGIN_CACHE[group_name] = plugins
         return plugins
     def register_plugins_urls(urlpatterns,
             group_name=DEFAULT_GROUP_NAME):
     def register_plugins_urls(urlpatterns, group_name=DEFAULT_GROUP_NAME):
         '''Call get_before_urls and get_after_urls on all plugins providing them
            and add those urls to the given urlpatterns.
-...
         return before_urls + urlpatterns + after_urls
     def register_plugins_installed_apps(installed_apps, group_name=DEFAULT_GROUP_NAME):
         '''Call get_apps() on all plugins of group_name and add the returned
            applications path to the installed_apps sequence.
-...
                         installed_apps.append(app)
         return installed_apps
     def register_plugins_middleware(middleware_classes,
             group_name=DEFAULT_GROUP_NAME):
     def register_plugins_middleware(middleware_classes, group_name=DEFAULT_GROUP_NAME):
         middleware_classes = list(middleware_classes)
         for plugin in get_plugins(group_name):
             if hasattr(plugin, 'get_before_middleware'):
-...
                         middleware_classes.append(app)
         return tuple(middleware_classes)
     def register_plugins_authentication_backends(authentication_backends,
             group_name=DEFAULT_GROUP_NAME):
     def register_plugins_authentication_backends(authentication_backends, group_name=DEFAULT_GROUP_NAME):
         authentication_backends = list(authentication_backends)
         for plugin in get_plugins(group_name):
             if hasattr(plugin, 'get_authentication_backends'):
-...
                         authentication_backends.append(cls)
         return tuple(authentication_backends)
     def register_plugins_authenticators(authenticators=(),
             group_name=DEFAULT_GROUP_NAME):
     def register_plugins_authenticators(authenticators=(), group_name=DEFAULT_GROUP_NAME):
         authenticators = list(authenticators)
         for plugin in get_plugins(group_name):
             if hasattr(plugin, 'get_authenticators'):
-...
                         authenticators.append(cls)
         return tuple(authenticators)
     def register_plugins_idp_backends(idp_backends,
             group_name=DEFAULT_GROUP_NAME):
     def register_plugins_idp_backends(idp_backends, group_name=DEFAULT_GROUP_NAME):
         idp_backends = list(idp_backends)
         for plugin in get_plugins(group_name):
             if hasattr(plugin, 'get_idp_backends'):

     import logging
     from django import forms
     from django.utils.translation import ugettext as _
     from django.contrib.auth import get_user_model
     from .backends import get_user_queryset
     from .utils import send_password_reset_mail
     from . import hooks, app_settings
     logger = logging.getLogger(__name__)
     class PasswordResetForm(forms.Form):
         next_url = forms.CharField(widget=forms.HiddenInput, required=False)
         email = forms.EmailField(
             label=_("Email"), max_length=254)
         def save(self):
             """
             Generates a one-use only link for resetting password and sends to the
             user.
             """
             email = self.cleaned_data["email"].strip()
             users = get_user_queryset()
             active_users = users.filter(email__iexact=email, is_active=True)
             for user in active_users:
                 # we don't set the password to a random string, as some users should not have
                 # a password
                 set_random_password = (user.has_usable_password()
                                        and app_settings.A2_SET_RANDOM_PASSWORD_ON_RESET)
                 send_password_reset_mail(user, set_random_password=set_random_password,
                                          next_url=self.cleaned_data.get('next_url'))
             if not active_users:
                 logger.info(u'password reset requests for "%s", no user found')
             hooks.call_hooks('event', name='password-reset', email=email, users=active_users)

     from django.conf.urls import url
     from django.contrib.auth import views as auth_views, REDIRECT_FIELD_NAME
     from django.contrib.auth.decorators import login_required
     from django.core.urlresolvers import reverse
     from django.http import HttpResponseRedirect
     from django.contrib import messages
     from django.utils.translation import ugettext as _
     from django.views.decorators.debug import sensitive_post_parameters
     from authentic2.utils import import_module_or_class, redirect, user_can_change_password
     from . import app_settings, decorators, profile_views, hooks
     from .views import (logged_in, edit_profile, email_change, email_change_verify, profile)
     SET_PASSWORD_FORM_CLASS = import_module_or_class(
             app_settings.A2_REGISTRATION_SET_PASSWORD_FORM_CLASS)
     CHANGE_PASSWORD_FORM_CLASS = import_module_or_class(
             app_settings.A2_REGISTRATION_CHANGE_PASSWORD_FORM_CLASS)
     @sensitive_post_parameters()
     @login_required
     @decorators.setting_enabled('A2_REGISTRATION_CAN_CHANGE_PASSWORD')
     def password_change_view(request, *args, **kwargs):
         post_change_redirect = kwargs.pop('post_change_redirect', None)
         if 'next_url' in request.POST and request.POST['next_url']:
             post_change_redirect = request.POST['next_url']
         elif REDIRECT_FIELD_NAME in request.GET:
             post_change_redirect = request.GET[REDIRECT_FIELD_NAME]
         elif post_change_redirect is None:
             post_change_redirect = reverse('account_management')
         if not user_can_change_password(request=request):
             messages.warning(request, _('Password change is forbidden'))
             return redirect(request, post_change_redirect)
         if 'cancel' in request.POST:
             return redirect(request, post_change_redirect)
         kwargs['post_change_redirect'] = post_change_redirect
         extra_context = kwargs.setdefault('extra_context', {})
         extra_context['view'] = password_change_view
         extra_context[REDIRECT_FIELD_NAME] = post_change_redirect
         if not request.user.has_usable_password():
             kwargs['password_change_form'] = SET_PASSWORD_FORM_CLASS
         response = auth_views.password_change(request, *args, **kwargs)
         if isinstance(response, HttpResponseRedirect):
             hooks.call_hooks('event', name='change-password', user=request.user, request=request)
             messages.info(request, _('Password changed'))
         return response
     password_change_view.title = _('Password Change')
     password_change_view.do_not_call_in_templates = True
     urlpatterns = [
         url(r'^logged-in/$', logged_in, name='logged-in'),
         url(r'^edit/$', edit_profile, name='profile_edit'),
         url(r'^edit/(?P<scope>[-\w]+)/$', edit_profile, name='profile_edit_with_scope'),
         url(r'^change-email/$', email_change, name='email-change'),
         url(r'^change-email/verify/$', email_change_verify,
             name='email-change-verify'),
         url(r'^$', profile, name='account_management'),
         url(r'^password/change/$',
             password_change_view,
             {'password_change_form': CHANGE_PASSWORD_FORM_CLASS},
             name='password_change'),
         url(r'^password/change/done/$',
             auth_views.password_change_done,
             name='password_change_done'),
         # Password reset
         url(r'^password/reset/confirm/(?P<uidb64>[0-9A-Za-z_\-]+)/(?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})/$',
             profile_views.password_reset_confirm,
             name='password_reset_confirm'),
         url(r'^password/reset/$',
             profile_views.password_reset,
             name='password_reset'),
         # Legacy
         url(r'^password/change/$',
             password_change_view,
             {'password_change_form': CHANGE_PASSWORD_FORM_CLASS},
             name='auth_password_change'),
         url(r'^password/change/done/$',
             auth_views.password_change_done,
             name='auth_password_change_done'),
         url(r'^password/reset/confirm/(?P<uidb36>[0-9A-Za-z_\-]+)/(?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})/$',
             auth_views.password_reset_confirm,
             {'set_password_form': SET_PASSWORD_FORM_CLASS},
             name='auth_password_reset_confirm'),
         url(r'^password/reset/$',
             auth_views.password_reset,
             name='auth_password_reset'),
         url(r'^password/reset/complete/$',
             auth_views.password_reset_complete,
             name='auth_password_reset_complete'),
         url(r'^password/reset/done/$',
             auth_views.password_reset_done,
             name='auth_password_reset_done'),
         url(r'^switch-back/$', profile_views.switch_back, name='a2-switch-back'),
+    ]

     import logging
     from django.views.generic import FormView
     from django.contrib import messages
     from django.contrib.auth import get_user_model, REDIRECT_FIELD_NAME, authenticate
     from django.http import Http404
     from django.utils.translation import ugettext as _
     from django.utils.http import urlsafe_base64_decode
     from .compat import default_token_generator
     from .registration_backend.forms import SetPasswordForm
     from . import app_settings, cbv, profile_forms, utils, hooks
     class PasswordResetView(cbv.NextURLViewMixin, FormView):
         '''Ask for an email and send a password reset link by mail'''
         form_class = profile_forms.PasswordResetForm
         title = _('Password Reset')
         def get_template_names(self):
             return [
                 'authentic2/password_reset_form.html',
                 'registration/password_reset_form.html',
+            ]
         def get_form_kwargs(self, **kwargs):
             kwargs = super(PasswordResetView, self).get_form_kwargs(**kwargs)
             initial = kwargs.setdefault('initial', {})
             initial['next_url'] = self.request.GET.get(REDIRECT_FIELD_NAME, '')
             return kwargs
         def get_context_data(self, **kwargs):
             ctx = super(PasswordResetView, self).get_context_data(**kwargs)
             if app_settings.A2_USER_CAN_RESET_PASSWORD is False:
                 raise Http404('Password reset is not allowed.')
             ctx['title'] = _('Password reset')
             return ctx
         def form_valid(self, form):
             form.save()
             # return to next URL
             messages.info(self.request, _('If your email address exists in our '
                                           'database, you will receive an email '
                                           'containing instructions to reset '
                                           'your password'))
             return super(PasswordResetView, self).form_valid(form)
     password_reset = PasswordResetView.as_view()
     class PasswordResetConfirmView(cbv.RedirectToNextURLViewMixin, FormView):
         '''Validate password reset link, show a set password form and login
            the user.
         '''
         form_class = SetPasswordForm
         title = _('Password Reset')
         def get_template_names(self):
             return [
                 'registration/password_reset_confirm.html',
                 'authentic2/password_reset_confirm.html',
+            ]
         def dispatch(self, request, *args, **kwargs):
             validlink = True
             uidb64 = kwargs['uidb64']
             self.token = token = kwargs['token']
             UserModel = get_user_model()
             # checked by URLconf
             assert uidb64 is not None and token is not None
             try:
                 uid = urlsafe_base64_decode(uidb64)
                 # use authenticate to eventually get an LDAPUser
                 self.user = authenticate(user=UserModel._default_manager.get(pk=uid))
             except (TypeError, ValueError, OverflowError,
                     UserModel.DoesNotExist):
                 validlink = False
                 messages.warning(request, _('User not found'))
             if validlink and not default_token_generator.check_token(self.user, token):
                 validlink = False
                 messages.warning(request, _('You reset password link is invalid '
                                             'or has expired'))
             if not validlink:
                 return utils.redirect(request, self.get_success_url())
             can_reset_password = utils.get_user_flag(user=self.user,
                                                      name='can_reset_password',
                                                      default=self.user.has_usable_password())
             if not can_reset_password:
                 messages.warning(request, _('It\'s not possible to reset your password. Please '
                                             'contact an administrator.'))
                 return utils.redirect(request, self.get_success_url())
             return super(PasswordResetConfirmView, self).dispatch(request, *args,
                                                                   **kwargs)
         def get_context_data(self, **kwargs):
             ctx = super(PasswordResetConfirmView, self).get_context_data(**kwargs)
             # compatibility with existing templates !
             ctx['title'] = _('Enter new password')
             ctx['validlink'] = True
             return ctx
         def get_form_kwargs(self):
             kwargs = super(PasswordResetConfirmView, self).get_form_kwargs()
             kwargs['user'] = self.user
             return kwargs
         def form_valid(self, form):
             # Changing password by mail validate the email
             form.user.email_verified = True
             form.save()
             hooks.call_hooks('event', name='password-reset-confirm', user=form.user, token=self.token,
                              form=form)
             logging.getLogger(__name__).info(u'user %s resetted its password with '
                                              'token %r...', self.user,
                                              self.token[:9])
             return self.finish()
         def finish(self):
             return utils.simulate_authentication(self.request, self.user, 'email')
     password_reset_confirm = PasswordResetConfirmView.as_view()
     def switch_back(request):
         return utils.switch_back(request)

     from django.conf.urls import url
     from django.views.generic.base import TemplateView
     from django.contrib.auth.decorators import login_required
     from .views import RegistrationView, registration_completion, DeleteView, registration_complete
     urlpatterns = [
         url(r'^activate/(?P<registration_token>[\w: -]+)/$',
             registration_completion, name='registration_activate'),
         url(r'^register/$',
             RegistrationView.as_view(),
             name='registration_register'),
         url(r'^register/complete/$',
             registration_complete,
             name='registration_complete'),
         url(r'^register/closed/$',
             TemplateView.as_view(template_name='registration/registration_closed.html'),
             name='registration_disallowed'),
         url(r'^delete/$',
             login_required(DeleteView.as_view()),
             name='delete_account'),
+    ]

     import collections
     import logging
     import random
     from django.conf import settings
     from django.shortcuts import get_object_or_404
     from django.utils.translation import ugettext as _
     from django.utils.http import urlquote
     from django.contrib import messages
     from django.contrib.auth import REDIRECT_FIELD_NAME
     from django.core import signing
     from django.views.generic.base import TemplateView
     from django.views.generic.edit import FormView, CreateView
     from django.contrib.auth import get_user_model
     from django.forms import CharField, Form
     from django.core.urlresolvers import reverse_lazy
     from django.http import Http404, HttpResponseBadRequest
     from authentic2.utils import (import_module_or_class, redirect, make_url, get_fields_and_labels,
                                   simulate_authentication)
     from authentic2.a2_rbac.utils import get_default_ou
     from authentic2 import hooks
     from django_rbac.utils import get_ou_model
     from .. import models, app_settings, compat, cbv, forms, validators, utils, constants
     from .forms import RegistrationCompletionForm, DeleteAccountForm
     from .forms import RegistrationCompletionFormNoPassword
     from authentic2.a2_rbac.models import OrganizationalUnit
     logger = logging.getLogger(__name__)
     User = compat.get_user_model()
     def valid_token(method):
         def f(request, *args, **kwargs):
             try:
                 request.token = signing.loads(kwargs['registration_token'].replace(' ', ''),
                                               max_age=settings.ACCOUNT_ACTIVATION_DAYS * 3600 * 24)
             except signing.SignatureExpired:
                 messages.warning(request, _('Your activation key is expired'))
                 return redirect(request, 'registration_register')
             except signing.BadSignature:
                 messages.warning(request, _('Activation failed'))
                 return redirect(request, 'registration_register')
             return method(request, *args, **kwargs)
         return f
     class BaseRegistrationView(FormView):
         form_class = import_module_or_class(app_settings.A2_REGISTRATION_FORM_CLASS)
         template_name = 'registration/registration_form.html'
         title = _('Registration')
         def dispatch(self, request, *args, **kwargs):
             if not getattr(settings, 'REGISTRATION_OPEN', True):
                 raise Http404('Registration is not open.')
             self.token = {}
             self.ou = get_default_ou()
             # load pre-filled values
             if request.GET.get('token'):
                 try:
                     self.token = signing.loads(
                         request.GET.get('token'),
                         max_age=settings.ACCOUNT_ACTIVATION_DAYS * 3600 * 24)
                 except (TypeError, ValueError, signing.BadSignature) as e:
                     logger.warning(u'registration_view: invalid token: %s', e)
                     return HttpResponseBadRequest('invalid token', content_type='text/plain')
                 if 'ou' in self.token:
                     self.ou = OrganizationalUnit.objects.get(pk=self.token['ou'])
             self.next_url = self.token.pop(REDIRECT_FIELD_NAME, utils.select_next_url(request, None))
             return super(BaseRegistrationView, self).dispatch(request, *args, **kwargs)
         def form_valid(self, form):
             email = form.cleaned_data.pop('email')
             for field in form.cleaned_data:
                 self.token[field] = form.cleaned_data[field]
             # propagate service to the registration completion view
             if constants.SERVICE_FIELD_NAME in self.request.GET:
                 self.token[constants.SERVICE_FIELD_NAME] = \
                     self.request.GET[constants.SERVICE_FIELD_NAME]
             self.token.pop(REDIRECT_FIELD_NAME, None)
             self.token.pop('email', None)
             utils.send_registration_mail(self.request, email, next_url=self.next_url,
                                          ou=self.ou, **self.token)
             self.request.session['registered_email'] = email
             return redirect(self.request, 'registration_complete', params={REDIRECT_FIELD_NAME: self.next_url})
         def get_context_data(self, **kwargs):
             context = super(BaseRegistrationView, self).get_context_data(**kwargs)
             parameters = {'request': self.request,
                           'context': context}
             blocks = [utils.get_authenticator_method(authenticator, 'registration', parameters)
                       for authenticator in utils.get_backends('AUTH_FRONTENDS')]
             context['frontends'] = collections.OrderedDict((block['id'], block)
                                                            for block in blocks if block)
             return context
     class RegistrationView(cbv.ValidateCSRFMixin, BaseRegistrationView):
         pass
     class RegistrationCompletionView(CreateView):
         model = get_user_model()
         success_url = 'auth_homepage'
         def get_template_names(self):
             if self.users and not 'create' in self.request.GET:
                 return ['registration/registration_completion_choose.html']
             else:
                 return ['registration/registration_completion_form.html']
         def get_success_url(self):
             try:
                 redirect_url, next_field = app_settings.A2_REGISTRATION_REDIRECT
             except Exception:
                 redirect_url = app_settings.A2_REGISTRATION_REDIRECT
                 next_field = REDIRECT_FIELD_NAME
             if self.token and self.token.get(REDIRECT_FIELD_NAME):
                 url = self.token[REDIRECT_FIELD_NAME]
                 if redirect_url:
                     url = make_url(redirect_url, params={next_field: url})
             else:
                 if redirect_url:
                     url = redirect_url
                 else:
                     url = make_url(self.success_url)
             return url
         def dispatch(self, request, *args, **kwargs):
             self.token = request.token
             self.authentication_method = self.token.get('authentication_method', 'email')
             self.email = request.token['email']
             if 'ou' in self.token:
                 self.ou = OrganizationalUnit.objects.get(pk=self.token['ou'])
             else:
                 self.ou = get_default_ou()
             self.users = User.objects.filter(email__iexact=self.email) \
                 .order_by('date_joined')
             if self.ou:
                 self.users = self.users.filter(ou=self.ou)
             self.email_is_unique = app_settings.A2_EMAIL_IS_UNIQUE \
                 or app_settings.A2_REGISTRATION_EMAIL_IS_UNIQUE
             if self.ou:
                 self.email_is_unique |= self.ou.email_is_unique
             self.init_fields_labels_and_help_texts()
             # if registration is done during an SSO add the service to the registration event
             self.service = self.token.get(constants.SERVICE_FIELD_NAME)
             return super(RegistrationCompletionView, self) \
                 .dispatch(request, *args, **kwargs)
         def init_fields_labels_and_help_texts(self):
             attributes = models.Attribute.objects.filter(
                 asked_on_registration=True)
             default_fields = attributes.values_list('name', flat=True)
             required_fields = models.Attribute.objects.filter(required=True) \
                 .values_list('name', flat=True)
             fields, labels = get_fields_and_labels(
                 app_settings.A2_REGISTRATION_FIELDS,
                 default_fields,
                 app_settings.A2_REGISTRATION_REQUIRED_FIELDS,
                 app_settings.A2_REQUIRED_FIELDS,
                 models.Attribute.objects.filter(required=True).values_list('name', flat=True))
             help_texts = {}
             if app_settings.A2_REGISTRATION_FORM_USERNAME_LABEL:
                 labels['username'] = app_settings.A2_REGISTRATION_FORM_USERNAME_LABEL
             if app_settings.A2_REGISTRATION_FORM_USERNAME_HELP_TEXT:
                 help_texts['username'] = \
                     app_settings.A2_REGISTRATION_FORM_USERNAME_HELP_TEXT
             required = list(app_settings.A2_REGISTRATION_REQUIRED_FIELDS) + \
                 list(required_fields)
             if 'email' in fields:
                 fields.remove('email')
             for field in self.token.get('skip_fields') or []:
                 if field in fields:
                     fields.remove(field)
             self.fields = fields
             self.labels = labels
             self.required = required
             self.help_texts = help_texts
         def get_form_class(self):
             if not self.token.get('valid_email', True):
                 self.fields.append('email')
                 self.required.append('email')
             form_class = RegistrationCompletionForm
             if self.token.get('no_password', False):
                 form_class = RegistrationCompletionFormNoPassword
             form_class = forms.modelform_factory(self.model,
                                                  form=form_class,
                                                  fields=self.fields,
                                                  labels=self.labels,
                                                  required=self.required,
                                                  help_texts=self.help_texts)
             if 'username' in self.fields and app_settings.A2_REGISTRATION_FORM_USERNAME_REGEX:
                 # Keep existing field label and help_text
                 old_field = form_class.base_fields['username']
                 field = CharField(
                     max_length=256,
                     label=old_field.label,
                     help_text=old_field.help_text,
                     validators=[validators.UsernameValidator()])
                 form_class = type('RegistrationForm', (form_class,), {'username': field})
             return form_class
         def get_form_kwargs(self, **kwargs):
             '''Initialize mail from token'''
             kwargs = super(RegistrationCompletionView, self).get_form_kwargs(**kwargs)
             if 'ou' in self.token:
                 OU = get_ou_model()
                 ou = get_object_or_404(OU, id=self.token['ou'])
             else:
                 ou = get_default_ou()
             attributes = {'email': self.email, 'ou': ou}
             for key in self.token:
                 if key in app_settings.A2_PRE_REGISTRATION_FIELDS:
                     attributes[key] = self.token[key]
             logger.debug(u'attributes %s', attributes)
             prefilling_list = utils.accumulate_from_backends(self.request, 'registration_form_prefill')
             logger.debug(u'prefilling_list %s', prefilling_list)
             # Build a single meaningful prefilling with sets of values
             prefilling = {}
             for p in prefilling_list:
                 for name, values in p.items():
                     if name in self.fields:
                         prefilling.setdefault(name, set()).update(values)
             logger.debug(u'prefilling %s', prefilling)
             for name, values in prefilling.items():
                 attributes[name] = ' '.join(values)
             logger.debug(u'attributes with prefilling %s', attributes)
             if self.token.get('user_id'):
                 kwargs['instance'] = User.objects.get(id=self.token.get('user_id'))
             else:
                 init_kwargs = {}
                 for key in ('email', 'first_name', 'last_name', 'ou'):
                     if key in attributes:
                         init_kwargs[key] = attributes[key]
                 kwargs['instance'] = get_user_model()(**init_kwargs)
             return kwargs
         def get_form(self, form_class=None):
             form = super(RegistrationCompletionView, self).get_form(form_class=form_class)
             hooks.call_hooks('front_modify_form', self, form)
             return form
         def get_context_data(self, **kwargs):
             ctx = super(RegistrationCompletionView, self).get_context_data(**kwargs)
             ctx['token'] = self.token
             ctx['users'] = self.users
             ctx['email'] = self.email
             ctx['email_is_unique'] = self.email_is_unique
             ctx['create'] = 'create' in self.request.GET
             return ctx
         def get(self, request, *args, **kwargs):
             if len(self.users) == 1 and self.email_is_unique:
                 # Found one user, EMAIL is unique, log her in
                 simulate_authentication(request, self.users[0],
                                         method=self.authentication_method,
                                         service_slug=self.service)
                 return redirect(request, self.get_success_url())
             confirm_data = self.token.get('confirm_data', False)
             if confirm_data == 'required':
                 fields_to_confirm = self.required
             else:
                 fields_to_confirm = self.fields
             if (all(field in self.token for field in fields_to_confirm)
                     and (not confirm_data or confirm_data == 'required')):
                 # We already have every fields
                 form_kwargs = self.get_form_kwargs()
                 form_class = self.get_form_class()
                 data = self.token
                 if 'password' in data:
                     data['password1'] = data['password']
                     data['password2'] = data['password']
                     del data['password']
                 form_kwargs['data'] = data
                 form = form_class(**form_kwargs)
                 if form.is_valid():
                     user = form.save()
                     return self.registration_success(request, user, form)
                 self.get_form = lambda *args, **kwargs: form
             return super(RegistrationCompletionView, self).get(request, *args, **kwargs)
         def post(self, request, *args, **kwargs):
             if self.users and self.email_is_unique:
                 # email is unique, users already exist, creating a new one is forbidden !
                 return redirect(request, request.resolver_match.view_name, args=self.args,
                                 kwargs=self.kwargs)
             if 'uid' in request.POST:
                 uid = request.POST['uid']
                 for user in self.users:
                     if str(user.id) == uid:
                         simulate_authentication(request, user,
                                                 method=self.authentication_method,
                                                 service_slug=self.service)
                         return redirect(request, self.get_success_url())
             return super(RegistrationCompletionView, self).post(request, *args, **kwargs)
         def form_valid(self, form):
             # remove verified fields from form, this allows an authentication
             # method to provide verified data fields and to present it to the user,
             # while preventing the user to modify them.
             for av in models.AttributeValue.objects.with_owner(form.instance):
                 if av.verified and av.attribute.name in form.fields:
                     del form.fields[av.attribute.name]
             if ('email' in self.request.POST
                     and (not 'email' in self.token or self.request.POST['email'] != self.token['email'])
                     and not self.token.get('skip_email_check')):
                 # If an email is submitted it must be validated or be the same as in the token
                 data = form.cleaned_data
                 data['no_password'] = self.token.get('no_password', False)
                 utils.send_registration_mail(
                     self.request,
                     ou=self.ou,
                     next_url=self.get_success_url(),
                     **data)
                 self.request.session['registered_email'] = form.cleaned_data['email']
                 return redirect(self.request, 'registration_complete')
             super(RegistrationCompletionView, self).form_valid(form)
             return self.registration_success(self.request, form.instance, form)
         def registration_success(self, request, user, form):
             hooks.call_hooks('event', name='registration', user=user, form=form, view=self,
                              authentication_method=self.authentication_method,
                              token=request.token, service=self.service)
             simulate_authentication(request, user, method=self.authentication_method,
                                     service_slug=self.service)
             messages.info(self.request, _('You have just created an account.'))
             self.send_registration_success_email(user)
             return redirect(request, self.get_success_url())
         def send_registration_success_email(self, user):
             if not user.email:
                 return
             template_names = [
                 'authentic2/registration_success'
+            ]
             login_url = self.request.build_absolute_uri(settings.LOGIN_URL)
             utils.send_templated_mail(user, template_names=template_names,
                                       context={
                                           'user': user,
                                           'email': user.email,
                                           'site': self.request.get_host(),
                                           'login_url': login_url,
                                       },
                                       request=self.request)
     class DeleteView(FormView):
         template_name = 'authentic2/accounts_delete.html'
         success_url = reverse_lazy('auth_logout')
         title = _('Delete account')
         def dispatch(self, request, *args, **kwargs):
             if not app_settings.A2_REGISTRATION_CAN_DELETE_ACCOUNT:
                 return redirect(request, '..')
             return super(DeleteView, self).dispatch(request, *args, **kwargs)
         def post(self, request, *args, **kwargs):
             if 'cancel' in request.POST:
                 return redirect(request, 'account_management')
             return super(DeleteView, self).post(request, *args, **kwargs)
         def get_form_class(self):
             if self.request.user.has_usable_password():
                 return DeleteAccountForm
             return Form
         def get_form_kwargs(self, **kwargs):
             kwargs = super(DeleteView, self).get_form_kwargs(**kwargs)
             if self.request.user.has_usable_password():
                 kwargs['user'] = self.request.user
             return kwargs
         def form_valid(self, form):
             utils.send_account_deletion_mail(self.request, self.request.user)
             models.DeletedUser.objects.delete_user(self.request.user)
             self.request.user.email += '#%d' % random.randint(1, 10000000)
             self.request.user.email_verified = False
             self.request.user.save(update_fields=['email', 'email_verified'])
             logger.info(u'deletion of account %s requested', self.request.user)
             hooks.call_hooks('event', name='delete-account', user=self.request.user)
             messages.info(self.request,
                           _('Your account has been scheduled for deletion. You cannot use it anymore.'))
             return super(DeleteView, self).form_valid(form)
     registration_completion = valid_token(RegistrationCompletionView.as_view())
     class RegistrationCompleteView(TemplateView):
         template_name = 'registration/registration_complete.html'
         def get_context_data(self, **kwargs):
             kwargs['next_url'] = utils.select_next_url(self.request, settings.LOGIN_REDIRECT_URL)
             return super(RegistrationCompleteView, self).get_context_data(
                 account_activation_days=settings.ACCOUNT_ACTIVATION_DAYS,
                 **kwargs)
     registration_complete = RegistrationCompleteView.as_view()

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.apps import AppConfig
     default_app_config = 'authentic2.saml.A2SAMLAppConfig'

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import logging
     from django.contrib import admin
-...
                                         SPOptionsIdPPolicy, LibertyFederation,
                                         KeyValue, LibertySession, SAMLAttribute)
     from authentic2.decorators import to_iter
     from authentic2.attributes_ng.engine import get_service_attributes
     from . import admin_views
     logger = logging.getLogger(__name__)
     class LibertyServiceProviderInline(admin.StackedInline):
         model = LibertyServiceProvider
     class TextAndFileWidget(forms.widgets.MultiWidget):
         def __init__(self, attrs=None):
             widgets = (forms.widgets.Textarea(),
                     forms.widgets.FileInput(),)
             widgets = (forms.widgets.Textarea(), forms.widgets.FileInput())
             super(TextAndFileWidget, self).__init__(widgets, attrs)
         def decompress(self, value):
-...
     class LibertyProviderForm(ModelForm):
         metadata = forms.CharField(required=True, widget=TextAndFileWidget,
                 label=_('Metadata'))
         public_key = forms.CharField(required=False, widget=TextAndFileWidget,
                 label=_('Public key'))
         ssl_certificate = forms.CharField(required=False, widget=TextAndFileWidget,
                 label=_('SSL certificate'))
         ca_cert_chain = forms.CharField(required=False, widget=TextAndFileWidget,
                 label=_('Certificate chain'))
         metadata = forms.CharField(required=True, widget=TextAndFileWidget, label=_('Metadata'))
         public_key = forms.CharField(required=False, widget=TextAndFileWidget, label=_('Public key'))
         ssl_certificate = forms.CharField(required=False, widget=TextAndFileWidget, label=_('SSL certificate'))
         ca_cert_chain = forms.CharField(required=False, widget=TextAndFileWidget, label=_('Certificate chain'))
         class Meta:
             model = LibertyProvider
             fields = [
                     'name',
                     'slug',
                     'ou',
                     'entity_id',
                     'entity_id_sha1',
                     'federation_source',
                     'metadata_url',
                     'metadata',
                     'public_key',
                     'ssl_certificate',
                     'ca_cert_chain',
                 'name',
                 'slug',
                 'ou',
                 'entity_id',
                 'entity_id_sha1',
                 'federation_source',
                 'metadata_url',
                 'metadata',
                 'public_key',
                 'ssl_certificate',
                 'ca_cert_chain',
+            ]
-...
                 provider.update_metadata()
             except ValidationError as e:
                 params = {
                         'name': provider,
                         'error_msg': u', '.join(e.messages)
                     'name': provider,
                     'error_msg': u', '.join(e.messages)
+                }
                 messages.error(request, _('Updating SAML provider %(name)s failed: '
                     '%(error_msg)s') % params)
                 messages.error(request, _('Updating SAML provider %(name)s failed: ' '%(error_msg)s') % params)
             else:
                 count += 1
         messages.info(request, _('%(count)d on %(total)d SAML providers updated') % {
             'count': count, 'total': total})
         messages.info(request, _('%(count)d on %(total)d SAML providers updated') % {'count': count, 'total': total})
     class SAMLAttributeInlineForm(forms.ModelForm):
-...
         class Meta:
             model = SAMLAttribute
             fields = [
                     'name_format',
                     'name',
                     'friendly_name',
                     'attribute_name',
                     'enabled',
                 'name_format',
                 'name',
                 'friendly_name',
                 'attribute_name',
                 'enabled',
+            ]
     class SAMLAttributeInlineAdmin(GenericTabularInline):
         model = SAMLAttribute
         form = SAMLAttributeInlineForm
-...
             kwargs['form'] = NewForm
             return super(SAMLAttributeInlineAdmin, self).get_formset(request, obj=obj, **kwargs)
     class LibertyProviderAdmin(admin.ModelAdmin):
         form = LibertyProviderForm
         list_display = ('name', 'ou', 'slug', 'entity_id')
         search_fields = ('name', 'entity_id')
         readonly_fields = ('entity_id','protocol_conformance','entity_id_sha1','federation_source')
         readonly_fields = ('entity_id', 'protocol_conformance', 'entity_id_sha1', 'federation_source')
         fieldsets = (
                 (None, {
                     'fields' : ('name', 'slug', 'ou', 'entity_id', 'entity_id_sha1','federation_source')
                 }),
                 (_('Metadata files'), {
                     'fields': ('metadata_url', 'metadata', 'public_key', 'ssl_certificate', 'ca_cert_chain')
                 }),
             (None, {
                 'fields': ('name', 'slug', 'ou', 'entity_id', 'entity_id_sha1', 'federation_source')
             }),
             (_('Metadata files'), {
                 'fields': ('metadata_url', 'metadata', 'public_key', 'ssl_certificate', 'ca_cert_chain')
             }),
+        )
         inlines = [
                 LibertyServiceProviderInline,
                 SAMLAttributeInlineAdmin,
             LibertyServiceProviderInline,
             SAMLAttributeInlineAdmin,
+        ]
         actions = [ update_metadata ]
         actions = [update_metadata]
         prepopulated_fields = {'slug': ('name',)}
         list_filter = (
                 'service_provider__sp_options_policy',
                 'service_provider__enabled',
             'service_provider__sp_options_policy',
             'service_provider__enabled',
+        )
         def get_urls(self):
-...
                 url(r'^add-from-url/$',
                     self.admin_site.admin_view(admin_views.AddLibertyProviderFromUrlView.as_view(model_admin=self)),
                     name='saml_libertyprovider_add_from_url'),
                 ] + urls
             ] + urls
             return urls
     class LibertyFederationAdmin(admin.ModelAdmin):
         search_fields = ('name_id_content', 'user__username')
         list_display = ('user', 'creation', 'last_modification', 'name_id_content', 'format', 'sp')
-...
                 name_id_format = u'\u2026' + name_id_format[-12:]
             return name_id_format
     class SPOptionsIdPPolicyAdmin(admin.ModelAdmin):
         inlines = [ SAMLAttributeInlineAdmin ]
         inlines = [SAMLAttributeInlineAdmin]
         fields = (
                 'name',
                 'enabled',
                 'prefered_assertion_consumer_binding',
                 'encrypt_nameid',
                 'encrypt_assertion',
                 'authn_request_signed',
                 'idp_initiated_sso',
                 'default_name_id_format',
                 'accepted_name_id_format',
                 'ask_user_consent',
                 'accept_slo',
                 'forward_slo',
                 'needs_iframe_logout',
                 'iframe_logout_timeout',
                 'http_method_for_slo_request',
             'name',
             'enabled',
             'prefered_assertion_consumer_binding',
             'encrypt_nameid',
             'encrypt_assertion',
             'authn_request_signed',
             'idp_initiated_sso',
             'default_name_id_format',
             'accepted_name_id_format',
             'ask_user_consent',
             'accept_slo',
             'forward_slo',
             'needs_iframe_logout',
             'iframe_logout_timeout',
             'http_method_for_slo_request',
+        )
     admin.site.register(SPOptionsIdPPolicy, SPOptionsIdPPolicyAdmin)

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.core.urlresolvers import reverse
     from django.views.generic import FormView
     from .forms import AddLibertyProviderFromUrlForm
     class AdminAddFormViewMixin(object):
         model_admin = None
-...
             ctx.update({
                 'app_label': self.model_admin.model._meta.app_label,
                 'has_change_permission': self.model_admin.has_change_permission(self.request),
                 'opts': self.model_admin.model._meta })
                 'opts': self.model_admin.model._meta
             })
             return ctx
     class AddLibertyProviderFromUrlView(AdminAddFormViewMixin, FormView):
         form_class = AddLibertyProviderFromUrlForm
         template_name = 'admin/saml/libertyprovider/add_from_url.html'
-...
         def form_valid(self, form):
             form.save()
             self.success_url = reverse(
                     'admin:saml_libertyprovider_change',
                     args=(form.instance.id,))
             self.success_url = reverse('admin:saml_libertyprovider_change', args=(form.instance.id,))
             return super(AddLibertyProviderFromUrlView, self).form_valid(form)

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import sys
     from django.conf import settings
     from django.core.exceptions import ImproperlyConfigured
     from django.utils.translation import ugettext_lazy as _
     class AppSettings(object):
         __PREFIX = 'SAML_'
         __NAMES = ('ALLOWED_FEDERATION_MODE', 'DEFAULT_FEDERATION_MODE')
-...
             @classmethod
             def get_choices(cls, app_settings):
                 l = []
                 choices = []
                 for choice in cls.choices:
                     if choice[0] in app_settings.ALLOWED_FEDERATION_MODE:
                         l.append(choice)
                 return l
                         choices.append(choice)
                 return choices
             @classmethod
             def get_default(cls, app_settings):
                 return app_settings.DEFAULT_FEDERATION_MODE
         __DEFAULTS = {
                 'ALLOWED_FEDERATION_MODE': (FEDERATION_MODE.EXPLICIT,
                     FEDERATION_MODE.IMPLICIT),
                 'DEFAULT_FEDERATION_MODE': FEDERATION_MODE.EXPLICIT,
             'ALLOWED_FEDERATION_MODE': (FEDERATION_MODE.EXPLICIT, FEDERATION_MODE.IMPLICIT),
             'DEFAULT_FEDERATION_MODE': FEDERATION_MODE.EXPLICIT,
+        }
         def __settings(self, name):
             full_name = self.__PREFIX + name
             if name not in self.__NAMES:
                 raise AttributeError('unknown settings '+full_name)
                 raise AttributeError('unknown settings ' + full_name)
             try:
                 if name in self.__DEFAULTS:
                     return getattr(settings, full_name, self.__DEFAULTS[name])
                 else:
                     return getattr(settings, full_name)
             except AttributeError:
                 raise ImproperlyConfigured('missing settings '+full_name)
                 raise ImproperlyConfigured('missing settings ' + full_name)
         def __getattr__(self, name):
             return self.__settings(name)

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import os.path
     import logging
     import re
-...
     from .. import nonce
     AUTHENTIC_STATUS_CODE_NS = "http://authentic.entrouvert.org/status_code/"
     AUTHENTIC_SAME_ID_SENTINEL = \
         'urn:authentic.entrouvert.org:same-as-provider-entity-id'
     AUTHENTIC_STATUS_CODE_UNKNOWN_PROVIDER = AUTHENTIC_STATUS_CODE_NS + \
         "UnknownProvider"
     AUTHENTIC_STATUS_CODE_MISSING_NAMEID = AUTHENTIC_STATUS_CODE_NS + \
         "MissingNameID"
     AUTHENTIC_STATUS_CODE_MISSING_SESSION_INDEX = AUTHENTIC_STATUS_CODE_NS + \
         "MissingSessionIndex"
     AUTHENTIC_STATUS_CODE_UNKNOWN_SESSION = AUTHENTIC_STATUS_CODE_NS + \
         "UnknownSession"
     AUTHENTIC_STATUS_CODE_MISSING_DESTINATION = AUTHENTIC_STATUS_CODE_NS + \
         "MissingDestination"
     AUTHENTIC_STATUS_CODE_INTERNAL_SERVER_ERROR = AUTHENTIC_STATUS_CODE_NS + \
         "InternalServerError"
     AUTHENTIC_STATUS_CODE_UNAUTHORIZED = AUTHENTIC_STATUS_CODE_NS + \
         "Unauthorized"
     AUTHENTIC_SAME_ID_SENTINEL = 'urn:authentic.entrouvert.org:same-as-provider-entity-id'
     AUTHENTIC_STATUS_CODE_UNKNOWN_PROVIDER = AUTHENTIC_STATUS_CODE_NS + "UnknownProvider"
     AUTHENTIC_STATUS_CODE_MISSING_NAMEID = AUTHENTIC_STATUS_CODE_NS + "MissingNameID"
     AUTHENTIC_STATUS_CODE_MISSING_SESSION_INDEX = AUTHENTIC_STATUS_CODE_NS + "MissingSessionIndex"
     AUTHENTIC_STATUS_CODE_UNKNOWN_SESSION = AUTHENTIC_STATUS_CODE_NS + "UnknownSession"
     AUTHENTIC_STATUS_CODE_MISSING_DESTINATION = AUTHENTIC_STATUS_CODE_NS + "MissingDestination"
     AUTHENTIC_STATUS_CODE_INTERNAL_SERVER_ERROR = AUTHENTIC_STATUS_CODE_NS + "InternalServerError"
     AUTHENTIC_STATUS_CODE_UNAUTHORIZED = AUTHENTIC_STATUS_CODE_NS + "Unauthorized"
     logger = logging.getLogger(__name__)
-...
             delta = datetime.timedelta(seconds=NONCE_TIMEOUT)
             if not (now - delta <= issue_instant < now + delta):
                 logger.warning('IssueInstant %s not in the interval [%s, %s[',
                                issue_instant, now-delta, now+delta)
                                issue_instant, now - delta, now+delta)
                 return False
         except ValueError:
             logger.error('Unable to parse an IssueInstant: %r', issue_instant)
-...
             if _id is None:
                 logger.warning('missing ID')
                 return False
             if not nonce.accept_nonce(_id, 'SAML', 2*NONCE_TIMEOUT):
             if not nonce.accept_nonce(_id, 'SAML', 2 * NONCE_TIMEOUT):
                 logger.warning("ID '%r' already used, request/response/assertion "
                                "refused", _id)
                 return False
-...
     def federations_to_identity_dump(self_entity_id, federations):
         l = [START_IDENTITY_DUMP]
         l = [START_IDENTITY_DUMP]  # noqa: E741
         for federation in federations:
             name_id_qualifier = federation.name_id_qualifier
             name_id_sp_name_qualifier = federation.name_id_sp_name_qualifier
-...
             return None
         logger.debug('loaded %d bytes', len(metadata))
         try:
             metadata = six.text_type(metadata, 'utf8')
         except:
             logging.error('SAML metadata autoload: retrieved metadata for entity '
                           'id %s is not UTF-8', provider_id)
             metadata = six.text_type(metadata, 'utf-8')
         except UnicodeDecodeError:
             logging.error('SAML metadata autoload: retrieved metadata for entity id %s is not UTF-8', provider_id)
             return None
         p = LibertyProvider(metadata=metadata)
         try:
-...
             logging.error('SAML metadata autoload: retrieved metadata for entity '
                           'id %s are invalid, %s', provider_id, e.args)
             return None
         except:
         except Exception:
             logging.exception('SAML metadata autoload: retrieved metadata '
                               'validation raised an unknown exception')
             return None
-...
         kwargs = models.nameid2kwargs(name_id)
         try:
             return LibertyFederation.objects.get(**kwargs)
         except:
         except LibertyFederation.DoesNotExist:
             return None
-...
             .identity_provider
         try:
             return LibertyFederation.objects.get(user__isnull=False, **kwargs)
         except:
         except LibertyFederation.DoesNotExist:
             return None

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     try:
         import cPickle as pickle
     except ImportError:
         import pickle
     import six
     import django
     from django import forms
     from django.db import models
     from django.db.models.lookups import Exact, In
     from django.core.exceptions import ValidationError
     from django.utils.text import capfirst
     from django.contrib.humanize.templatetags.humanize \
             import apnumber
     from django.contrib.humanize.templatetags.humanize import apnumber
     from django.template.defaultfilters import pluralize
     # This is a copy of http://djangosnippets.org/snippets/513/
-...
+    #
     # Initial author: Oliver Beattie
     class PickledObject(six.binary_type):
         """A subclass of string so it can be told whether a string is
            a pickled object or not (if the object is an instance of this class
-...
             else:
                 try:
                     return pickle.loads(six.binary_type(value))
                 except:
                 except Exception:
                     # If an error was raised, just return the plain value
                     return value
-...
+    #
     # Initial author: Daniel Roseman
     class MultiSelectFormField(forms.MultipleChoiceField):
         widget = forms.CheckboxSelectMultiple
-...
             if not value and self.required:
                 raise forms.ValidationError(self.error_messages['required'])
             if value and self.max_choices and len(value) > self.max_choices:
                 raise forms.ValidationError('You must select a maximum of %s choice%s.'
                         % (apnumber(self.max_choices), pluralize(self.max_choices)))
                 raise forms.ValidationError('You must select a maximum of %s choice %s.' % (
                     apnumber(self.max_choices), pluralize(self.max_choices)))
             return value
     class MultiSelectField(models.Field):
     class MultiSelectField(models.Field):
         def get_internal_type(self):
             return "CharField"
-...
         def formfield(self, **kwargs):
             # don't call super, as that overrides default widget if it has choices
             defaults = {'required': not self.blank, 'label': capfirst(self.verbose_name),
                         'help_text': self.help_text, 'choices':self.choices}
             defaults = {
                 'required': not self.blank,
                 'label': capfirst(self.verbose_name),
                 'help_text': self.help_text,
                 'choices': self.choices,
+            }
             if self.has_default():
                 defaults['initial'] = self.get_default()
             defaults.update(kwargs)
-...
         def validate(self, value, model_instance):
             out = set()
             if self.choices:
                 out |= set([option_key for option_key,_ in self.choices])
             out = set(value)-out
                 out |= set([option_key for option_key, _ in self.choices])
             out = set(value) - out
             if out:
                 raise ValidationError(self.error_messages['invalid_choice'] % ','.join(list(out)))
             if not value and not self.blank:
-...
         def contribute_to_class(self, cls, name):
             super(MultiSelectField, self).contribute_to_class(cls, name)
             if self.choices:
                 func = lambda self, fieldname = name, choicedict = dict(self.choices):",".join([choicedict.get(value,value) for value in getattr(self,fieldname)])
                 def func(self, fieldname=name, choicedict=dict(self.choices)):
                     return ",".join([choicedict.get(value, value) for value in getattr(self, fieldname)])
                 setattr(cls, 'get_%s_display' % self.name, func)

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import xml.etree.ElementTree as ET
     import requests
-...
             return cleaned_data
         def save(self):
             if not self.instance is None:
             if self.instance is not None:
                 self.instance.save()
                 for child in self.childs:
                     child.liberty_provider = self.instance

     import xml.etree.ElementTree as etree
     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import xml.etree.ElementTree as etree
     LASSO_NS = 'http://www.entrouvert.org/namespaces/lasso/0.0'
     SAML_ASSERTION_NS = 'urn:oasis:names:tc:SAML:2.0:assertion'
     def lasso_elt(name):
         return '{{{0}}}{1}'.format(LASSO_NS, name)
     def samla_elt(name):
         return '{{{0}}}{1}'.format(SAML_ASSERTION_NS, name)
     SESSION_ELT = lasso_elt('Session')
     NID_AND_SESSION_INDEX = lasso_elt('NidAndSessionIndex')
     VERSION_AT = 'Version'
-...
     NAME_QUALIFIER_AT = 'NameQualifier'
     SP_NAME_QUALIFIER_AT = 'SPNameQualifier'
     def build_name_id(name_id, treebuilder=None):
         if treebuilder is None:
             tb = etree.TreeBuilder()
         else:
             tb = treebuilder
         attrs = { FORMAT_AT: name_id['name_id_format'] }
         attrs = {FORMAT_AT: name_id['name_id_format']}
         if 'name_id_qualifier' in name_id:
             attrs[NAME_QUALIFIER_AT] = name_id['name_id_qualifier']
         if 'name_id_sp_name_qualifier' in name_id:
-...
         if treebuilder is None:
             return tb.close()
     def buid_session_dump(sessions):
         tb = etree.TreeBuilder()
         tb.start(SESSION_ELT, {VERSION_AT: '2'})

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     '''
         Authentic 2 - Versatile Identity Server

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from __future__ import print_function
     import sys
-...
     import warnings
     from django.core.management.base import BaseCommand, CommandError
     from django.db.transaction import atomic
     from django.template.defaultfilters import slugify
     from django.utils import six
     from django.utils.translation import gettext as _
     from django.contrib.contenttypes.models import ContentType
     from authentic2.compat import commit_on_success
     from authentic2.compat_lasso import lasso
     from authentic2.saml.shibboleth.afp_parser import parse_attribute_filters_file
     from authentic2.saml.models import (LibertyProvider, SAMLAttribute, LibertyServiceProvider,
-...
     def text_child(tree, tag, default=''):
         elt = tree.find(tag)
         return elt.text if not elt is None else default
         return elt.text if elt is not None else default
     def load_acs(tree, provider, pks, verbosity):
-...
                     attribute, created = SAMLAttribute.objects.get_or_create(
                         defaults=defaults, **kwargs)
                     if created and verbosity > 1:
                         print(_('Created new attribute %(name)s for %(provider)s') % \
                             {'name': oid, 'provider': provider})
                         print(_('Created new attribute %(name)s for %(provider)s') % {
                             'name': oid,
                             'provider': provider
                         })
                     pks.append(attribute.pk)
                 except SAMLAttribute.MultipleObjectsReturned:
                     pks.extend(SAMLAttribute.objects.filter(**kwargs).values_list('pk', flat=True))
-...
                         kwargs, defaults = build_saml_attribute_kwargs(provider, name)
                         if not kwargs:
                             if verbosity > 1:
                                 print(_('Unable to find an LDAP definition for attribute %(name)s on %(provider)s') % \
                                     {'name': name, 'provider': provider}, file=sys.stderr)
                                 print(_('Unable to find an LDAP definition for attribute %(name)s on %(provider)s') % {
                                     'name': name,
                                     'provider': provider
                                 }, file=sys.stderr)
                             continue
                         # create object with default attribute mapping to the same name
                         # as the attribute if no SAMLAttribute model already exists,
-...
                             attribute, created = SAMLAttribute.objects.get_or_create(
                                 defaults=defaults, **kwargs)
                             if created and verbosity > 1:
                                 print(_('Created new attribute %(name)s for %(provider)s')
                                        % {'name': name, 'provider': provider})
                                 print(_('Created new attribute %(name)s for %(provider)s') % {
                                     'name': name,
                                     'provider': provider
                                 })
                             pks.append(attribute.pk)
                         except SAMLAttribute.MultipleObjectsReturned:
                             pks.extend(SAMLAttribute.objects.filter(
-...
                 help='When creating a new provider, make it disabled by default.'
+            )
         @commit_on_success
         @atomic
         def handle(self, *args, **options):
             verbosity = int(options['verbosity'])
             source = options['source']
-...
             try:
                 if source is not None:
                     source.decode('ascii')
             except:
             except UnicodeDecodeError:
                 raise CommandError('--source MUST be an ASCII string value')
             if metadata_file_path.startswith('http://') or metadata_file_path.startswith('https://'):
                 response = requests.get(metadata_file_path)
-...
                 metadata_file = six.BytesIO(response.content)
             else:
                 try:
                     metadata_file = file(metadata_file_path)
                 except:
                     metadata_file = open(metadata_file_path)
                 except IOError:
                     raise CommandError('Unable to open file %s' % metadata_file_path)
             try:
-...
                         if verbosity > 1:
                             print('Service providers are set with the following SAML2 \
                                 options policy: %s' % sp_policy)
                     except:
                     except SPOptionsIdPPolicy.DoesNoextExist:
                         if verbosity > 0:
                             print(_('SAML2 service provider options '
                                   'policy with name %s not found') % sp_policy_name,
-...
                             sp_policy=sp_policy,
                             afp=afp)
                         loaded.append(entity_descriptor.get(ENTITY_ID))
                     except Exception as e:
                     except Exception:
                         if not options['ignore-errors']:
                             raise
                         if verbosity > 0:
                             print((_('Failed to load entity descriptor for %s')
                                      % entity_descriptor.get(ENTITY_ID)),
                                      file=sys.stderr)
                             print(_('Failed to load entity descriptor for %s') % entity_descriptor.get(ENTITY_ID),
                                   file=sys.stderr)
                         raise CommandError()
                 if options['source']:
                     if options['delete']:

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import base64
     import binascii
     import datetime
-...
     federation_delete = Signal()
     class SessionLinkedQuerySet(QuerySet):
         def cleanup(self):
             engine = import_module(settings.SESSION_ENGINE)
-...
     SessionLinkedManager = models.Manager.from_queryset(SessionLinkedQuerySet)
     class LibertyFederationManager(models.Manager):
         def cleanup(self):
             for federation in self.filter(user__isnull=True):
-...
     class LibertyArtifactManager(models.Manager):
         def cleanup(self):
             expire = getattr(settings, 'SAML2_ARTIFACT_EXPIRATION', 600)
             before = now()-datetime.timedelta(seconds=expire)
             before = now() - datetime.timedelta(seconds=expire)
             self.filter(creation__lt=before).delete()
-...
 -th byte of the given artifact'''
             try:
                 artifact = base64.b64decode(artifact)
             except:
             except (TypeError, ValueError):
                 raise ValueError('artifact %r is not a base64 encoded value')
             entity_id_sha1 = artifact[4:24]
             entity_id_sha1 = binascii.hexlify(entity_id_sha1)
-...
     LibertyProviderManager = models.Manager.from_queryset(LibertyProviderQueryset)
     class LibertySessionQuerySet(SessionLinkedQuerySet):
         def to_session_dump(self):
             sessions = self.values('provider_id',
                     'session_index',
                     'name_id_qualifier',
                     'name_id_format',
                     'name_id_content',
                     'name_id_sp_name_qualifier')
             sessions = self.values(
                 'provider_id',
                 'session_index',
                 'name_id_qualifier',
                 'name_id_format',
                 'name_id_content',
                 'name_id_sp_name_qualifier')
             return lasso_helper.build_session_dump(sessions)
     LibertySessionManager = models.Manager.from_queryset(LibertySessionQuerySet)
     class GetByLibertyProviderManager(models.Manager):
         def get_by_natural_key(self, slug):
             from .models import LibertyProvider
-...
                     raise self.model.DoesNotExist
                 return self.create(liberty_provider=liberty_provider)
     class SAMLAttributeManager(GenericManager):
         def get_by_natural_key(self, ct_nk, provider_nk, name_format, name, friendly_name, attribute_name):
             from .models import SAMLAttribute

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import xml.etree.ElementTree as etree
     import hashlib
     import numbers
     import datetime
     import requests
     from authentic2.compat_lasso import lasso
-...
     from .. import managers as a2_managers
     from ..models import Service
     def metadata_validator(meta):
         provider=lasso.Provider.newFromBuffer(lasso.PROVIDER_ROLE_ANY, meta.encode('utf8'))
         provider = lasso.Provider.newFromBuffer(lasso.PROVIDER_ROLE_ANY, meta.encode('utf8'))
         if not provider:
             raise ValidationError(_('Invalid metadata file'))
     XML_NS = 'http://www.w3.org/XML/1998/namespace'
     def get_lang(etree):
         return etree.get('{%s}lang' % XML_NS)
     def ls_find(ls, value):
         try:
             return ls.index(value)
         except ValueError:
             return -1
     def get_prefered_content(etrees, languages = [None, 'en']):
     def get_prefered_content(etrees, languages=[None, 'en']):
         '''Sort XML nodes by their xml:lang attribute using languages as the
         ascending partial order of language identifiers
-...
                 best_score = ls_find(languages, get_lang(tree))
         return best.text
     def organization_name(provider):
         '''Extract an organization name from a SAMLv2 metadata organization XML
            fragment.
-...
         try:
             organization_xml = provider.organization
             organization = etree.XML(organization_xml)
             o_display_name = organization.findall('{%s}OrganizationDisplayName' %
                     lasso.SAML2_METADATA_HREF)
             o_display_name = organization.findall('{%s}OrganizationDisplayName' % lasso.SAML2_METADATA_HREF)
             if o_display_name:
                 return get_prefered_content(o_display_name)
             o_name = organization.findall('{%s}OrganizationName' %
                     lasso.SAML2_METADATA_HREF)
             o_name = organization.findall('{%s}OrganizationName' % lasso.SAML2_METADATA_HREF)
             if o_name:
                 return get_prefered_content(o_name)
         except:
         except Exception:
             return provider.providerId
         else:
             return provider.providerId
     # TODO: Remove this in LibertyServiceProvider
     ASSERTION_CONSUMER_PROFILES = (
             ('meta', _('Use the default from the metadata file')),
             ('art', _('Artifact binding')),
             ('post', _('POST binding')))
         ('meta', _('Use the default from the metadata file')),
         ('art', _('Artifact binding')),
         ('post', _('POST binding')))
     DEFAULT_NAME_ID_FORMAT = 'none'
     # Supported name id formats
     NAME_ID_FORMATS = {
             'none': { 'caption': _('None'),
                 'samlv2': None,},
             'persistent': { 'caption': _('Persistent'),
                 'samlv2': lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT,},
             'transient': { 'caption': _("Transient"),
                 'samlv2': lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT,},
             'email': { 'caption': _("Email"),
                 'samlv2': lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL,},
             'username': { 'caption': _("Username (use with Google Apps)"),
                 'samlv2': lasso.SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED,},
             'uuid': { 'caption': _("UUID"),
                 'samlv2': lasso.SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED,},
             'edupersontargetedid': { 'caption': _("Use eduPersonTargetedID attribute"),
                 'samlv2': lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT,}
         'none': {
             'caption': _('None'),
             'samlv2': None,
         },
         'persistent': {
             'caption': _('Persistent'),
             'samlv2': lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT,
         },
         'transient': {
             'caption': _("Transient"),
             'samlv2': lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT,
         },
         'email': {
             'caption': _("Email"),
             'samlv2': lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL,
         },
         'username': {
             'caption': _("Username (use with Google Apps)"),
             'samlv2': lasso.SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED,
         },
         'uuid': {
             'caption': _("UUID"),
             'samlv2': lasso.SAML2_NAME_IDENTIFIER_FORMAT_UNSPECIFIED,
         },
         'edupersontargetedid': {
             'caption': _("Use eduPersonTargetedID attribute"),
             'samlv2': lasso.SAML2_NAME_IDENTIFIER_FORMAT_PERSISTENT,
+        }
+    }
     NAME_ID_FORMATS_CHOICES = \
             tuple([(x, y['caption']) for x, y in NAME_ID_FORMATS.items()])
     NAME_ID_FORMATS_CHOICES = tuple([(x, y['caption']) for x, y in NAME_ID_FORMATS.items()])
     ACCEPTED_NAME_ID_FORMAT_LENGTH = sum([len(x) for x, y in NAME_ID_FORMATS.items()]) + len(NAME_ID_FORMATS) - 1
     ACCEPTED_NAME_ID_FORMAT_LENGTH = \
             sum([len(x) for x, y in NAME_ID_FORMATS.items()]) + \
             len(NAME_ID_FORMATS) - 1
     def saml2_urn_to_nidformat(urn, accepted=()):
         for x, y in NAME_ID_FORMATS.items():
             if accepted and not x in accepted:
             if accepted and x not in accepted:
                 continue
             if y['samlv2'] == urn:
                 return x
         return None
     def nidformat_to_saml2_urn(key):
         return NAME_ID_FORMATS.get(key, {}).get('samlv2')
     # According to: saml-profiles-2.0-os
     # The HTTP Redirect binding MUST NOT be used, as the response will typically exceed the URL length permitted by most user agents.
     # The HTTP Redirect binding MUST NOT be used, as the response will typically
     # exceed the URL length permitted by most user agents.
     BINDING_SSO_IDP = (
         (lasso.SAML2_METADATA_BINDING_ARTIFACT, _('Artifact binding')),
         (lasso.SAML2_METADATA_BINDING_POST, _('POST binding'))
-...
     SIGNATURE_VERIFY_HINT = {
             lasso.PROFILE_SIGNATURE_VERIFY_HINT_MAYBE: _('Let authentic decides which signatures to check'),
             lasso.PROFILE_SIGNATURE_VERIFY_HINT_FORCE: _('Always check signatures'),
             lasso.PROFILE_SIGNATURE_VERIFY_HINT_IGNORE: _('Does not check signatures') }
         lasso.PROFILE_SIGNATURE_VERIFY_HINT_MAYBE: _('Let authentic decides which signatures to check'),
         lasso.PROFILE_SIGNATURE_VERIFY_HINT_FORCE: _('Always check signatures'),
         lasso.PROFILE_SIGNATURE_VERIFY_HINT_IGNORE: _('Does not check signatures') }
     AUTHSAML2_UNAUTH_PERSISTENT = (
         ('AUTHSAML2_UNAUTH_PERSISTENT_ACCOUNT_LINKING_BY_AUTH',
-...
             Used to define SAML2 parameters employed with service providers.
         '''
         name = models.CharField(_('name'), max_length=80, unique=True)
         enabled = models.BooleanField(verbose_name = _('Enabled'),
                 default=False, db_index=True)
         enabled = models.BooleanField(verbose_name=_('Enabled'), default=False, db_index=True)
         prefered_assertion_consumer_binding = models.CharField(
                 verbose_name = _("Prefered assertion consumer binding"),
                 default = 'meta',
                 max_length = 4, choices = ASSERTION_CONSUMER_PROFILES)
         encrypt_nameid = models.BooleanField(verbose_name = _("Encrypt NameID"),
                 default=False)
             verbose_name=_("Prefered assertion consumer binding"),
             default='meta',
             max_length=4,
             choices=ASSERTION_CONSUMER_PROFILES)
         encrypt_nameid = models.BooleanField(verbose_name=_("Encrypt NameID"), default=False)
         encrypt_assertion = models.BooleanField(
                 verbose_name = _("Encrypt Assertion"),
                 default=False)
             verbose_name=_("Encrypt Assertion"),
             default=False)
         authn_request_signed = models.BooleanField(
                 verbose_name = _("Authentication request signed"),
                 default=False)
             verbose_name=_("Authentication request signed"),
             default=False)
         idp_initiated_sso = models.BooleanField(
                 verbose_name = _("Allow IdP initiated SSO"),
                 default=False, db_index=True)
             verbose_name=_("Allow IdP initiated SSO"),
             default=False, db_index=True)
         # XXX: format in the metadata file, should be suffixed with a star to mark
         # them as special
         default_name_id_format = models.CharField(max_length = 256,
                 default = DEFAULT_NAME_ID_FORMAT,
                 choices = NAME_ID_FORMATS_CHOICES)
         default_name_id_format = models.CharField(
             max_length=256,
             default=DEFAULT_NAME_ID_FORMAT,
             choices=NAME_ID_FORMATS_CHOICES)
         accepted_name_id_format = MultiSelectField(
                 verbose_name = _("NameID formats accepted"),
                 max_length=1024,
                 blank=True, choices=NAME_ID_FORMATS_CHOICES)
             verbose_name=_("NameID formats accepted"),
             max_length=1024,
             blank=True,
             choices=NAME_ID_FORMATS_CHOICES)
         # TODO: add clean method which checks that the LassoProvider we can create
         # with the metadata file support the SP role
         # i.e. provider.roles & lasso.PROVIDER_ROLE_SP != 0
         ask_user_consent = models.BooleanField(
             verbose_name = _('Ask user for consent when creating a federation'), default = False)
         accept_slo = models.BooleanField(\
                 verbose_name = _("Accept to receive Single Logout requests"),
                 default=True, db_index=True)
         forward_slo = models.BooleanField(\
                 verbose_name = _("Forward Single Logout requests"),
                 default=True)
             verbose_name=_('Ask user for consent when creating a federation'), default=False)
         accept_slo = models.BooleanField(
             verbose_name=_("Accept to receive Single Logout requests"),
             default=True,
             db_index=True)
         forward_slo = models.BooleanField(
             verbose_name=_("Forward Single Logout requests"),
             default=True)
         needs_iframe_logout = models.BooleanField(
                 verbose_name=_('needs iframe logout'),
                 help_text=_('logout URL are normally loaded inside an <img> HTML tag, some service provider need to use an iframe'),
                 default=False)
             verbose_name=_('needs iframe logout'),
             help_text=_(
                 'logout URL are normally loaded inside an <img> HTML tag, some service provider need to use an iframe'),
             default=False)
         iframe_logout_timeout = models.PositiveIntegerField(
                 verbose_name=_('iframe logout timeout'),
                 help_text=_('if iframe logout is used, it\'s the time between the '
                     'onload event for this iframe and the moment we consider its '
                     'loading to be really finished'),
                 default=300)
             verbose_name=_('iframe logout timeout'),
             help_text=_(
                 'if iframe logout is used, it\'s the time between the '
                 'onload event for this iframe and the moment we consider its '
                 'loading to be really finished'),
             default=300)
         http_method_for_slo_request = models.IntegerField(
                 verbose_name = _("HTTP binding for the SLO requests"),
                 choices = HTTP_METHOD, default = lasso.HTTP_METHOD_REDIRECT)
         federation_mode = models.PositiveIntegerField(_('federation mode'),
                 choices=app_settings.FEDERATION_MODE.get_choices(app_settings),
                 default=app_settings.FEDERATION_MODE.get_default(app_settings))
             verbose_name=_("HTTP binding for the SLO requests"),
             choices=HTTP_METHOD,
             default=lasso.HTTP_METHOD_REDIRECT)
         federation_mode = models.PositiveIntegerField(
             _('federation mode'),
             choices=app_settings.FEDERATION_MODE.get_choices(app_settings),
             default=app_settings.FEDERATION_MODE.get_default(app_settings))
         attributes = GenericRelation('SAMLAttribute')
         objects = a2_managers.GetByNameManager()
-...
         def __str__(self):
             return self.name
     @six.python_2_unicode_compatible
     class SAMLAttribute(models.Model):
         ATTRIBUTE_NAME_FORMATS = (
                 ('basic', 'Basic'),
                 ('uri', 'URI'),
                 ('unspecified', 'Unspecified'),
             ('basic', 'Basic'),
             ('uri', 'URI'),
             ('unspecified', 'Unspecified'),
+        )
         objects = managers.SAMLAttributeManager()
         content_type = models.ForeignKey(ContentType,
                 verbose_name=_('content type'))
         object_id = models.PositiveIntegerField(
                 verbose_name=_('object identifier'))
         content_type = models.ForeignKey(ContentType, verbose_name=_('content type'))
         object_id = models.PositiveIntegerField(verbose_name=_('object identifier'))
         provider = GenericForeignKey('content_type', 'object_id')
         name_format = models.CharField(
                 max_length=64,
                 verbose_name=_('name format'),
                 default='basic',
                 choices=ATTRIBUTE_NAME_FORMATS)
             max_length=64,
             verbose_name=_('name format'),
             default='basic',
             choices=ATTRIBUTE_NAME_FORMATS)
         name = models.CharField(
                 max_length=128,
                 verbose_name=_('name'),
                 blank=True,
                 help_text=_('the local attribute name is used if left blank'))
             max_length=128,
             verbose_name=_('name'),
             blank=True,
             help_text=_('the local attribute name is used if left blank'))
         friendly_name = models.CharField(
                 max_length=64,
                 verbose_name=_('friendly name'),
                 blank=True)
         attribute_name = models.CharField(max_length=64,
                 verbose_name=_('attribute name'))
             max_length=64,
             verbose_name=_('friendly name'),
             blank=True)
         attribute_name = models.CharField(max_length=64, verbose_name=_('attribute name'))
         enabled = models.BooleanField(
                 verbose_name=_('enabled'),
                 default=True,
                 blank=True)
             verbose_name=_('enabled'),
             default=True,
             blank=True)
         def clean(self):
             super(SAMLAttribute, self).clean()
-...
                 raise NotImplementedError
         def to_tuples(self, ctx):
             if not self.attribute_name in ctx:
             if self.attribute_name not in ctx:
                 return
             name_format = self.name_format_uri()
             name = self.name
-...
         def natural_key(self):
             if not hasattr(self.provider, 'natural_key'):
                 return self.id
             return (self.content_type.natural_key(), self.provider.natural_key(), self.name_format, self.name, self.friendly_name, self.attribute_name)
             return (self.content_type.natural_key(),
                     self.provider.natural_key(),
                     self.name_format,
                     self.name,
                     self.friendly_name,
                     self.attribute_name)
         class Meta:
             unique_together = (('content_type', 'object_id', 'name_format', 'name',
                 'friendly_name', 'attribute_name'),)
             unique_together = (
                 ('content_type', 'object_id', 'name_format', 'name', 'friendly_name', 'attribute_name'),
+            )
     @six.python_2_unicode_compatible
     class LibertyProvider(Service):
         entity_id = models.URLField(max_length=256, unique=True,
                 verbose_name=_('Entity ID'))
         entity_id_sha1 = models.CharField(max_length=40, blank=True,
                 verbose_name=_('Entity ID SHA1'))
         metadata_url = models.URLField(max_length=256, blank=True,
                 verbose_name=_('Metadata URL'))
         entity_id = models.URLField(max_length=256, unique=True, verbose_name=_('Entity ID'))
         entity_id_sha1 = models.CharField(max_length=40, blank=True, verbose_name=_('Entity ID SHA1'))
         metadata_url = models.URLField(max_length=256, blank=True, verbose_name=_('Metadata URL'))
         protocol_conformance = models.IntegerField(
                 choices=((lasso.PROTOCOL_SAML_2_0, 'SAML 2.0'),),
                 verbose_name=_('Protocol conformance'))
         metadata = models.TextField(validators = [ metadata_validator ])
             choices=((lasso.PROTOCOL_SAML_2_0, 'SAML 2.0'),),
             verbose_name=_('Protocol conformance'))
         metadata = models.TextField(validators=[metadata_validator])
         # All following field must be PEM formatted textual data
         public_key = models.TextField(blank=True)
         ssl_certificate = models.TextField(blank=True)
         ca_cert_chain = models.TextField(blank=True)
         federation_source = models.CharField(max_length=64, blank=True, null=True,
                 verbose_name=_('Federation source'))
         federation_source = models.CharField(
             max_length=64,
             blank=True,
             null=True,
             verbose_name=_('Federation source'))
         attributes = GenericRelation(SAMLAttribute)
-...
         def save(self, *args, **kwargs):
             '''Update the SHA1 hash of the entity_id when saving'''
             if self.protocol_conformance == 3:
                 self.entity_id_sha1 = hashlib.sha1(self.entity_id.encode('ascii')) \
                         .hexdigest()
                 self.entity_id_sha1 = hashlib.sha1(self.entity_id.encode('ascii')).hexdigest()
             super(LibertyProvider, self).save(*args, **kwargs)
         def clean(self):
-...
             verbose_name = _('SAML provider')
             verbose_name_plural = _('SAML providers')
     def get_all_custom_or_default(instance, name):
         model = instance._meta.get_field(name).rel.to
         try:
-...
         except ObjectDoesNotExist:
             raise RuntimeError('Default %s is missing' % model)
     # TODO: The IdP must look to the preferred binding order for sso in the SP metadata (AssertionConsumerService)
     # expect if the protocol for response is defined in the request (ProtocolBinding attribute)
     @six.python_2_unicode_compatible
     class LibertyServiceProvider(models.Model):
         liberty_provider = models.OneToOneField(LibertyProvider,
                 primary_key = True, related_name = 'service_provider')
         enabled = models.BooleanField(verbose_name = _('Enabled'),
                 default=False, db_index=True)
         enable_following_sp_options_policy = models.BooleanField(verbose_name = \
             _('The following options policy will apply except if a policy for all service provider is defined.'),
         liberty_provider = models.OneToOneField(LibertyProvider, primary_key=True, related_name='service_provider')
         enabled = models.BooleanField(verbose_name=_('Enabled'), default=False, db_index=True)
         enable_following_sp_options_policy = models.BooleanField(
             verbose_name=_('The following options policy will apply except '
                            'if a policy for all service provider is defined.'),
             default=False)
         sp_options_policy = models.ForeignKey(SPOptionsIdPPolicy,
                 related_name="sp_options_policy",
                 verbose_name=_('service provider options policy'), blank=True,
                 null=True,
                 on_delete=models.SET_NULL)
         sp_options_policy = models.ForeignKey(
             SPOptionsIdPPolicy,
             related_name="sp_options_policy",
             verbose_name=_('service provider options policy'), blank=True,
             null=True,
             on_delete=models.SET_NULL)
         users_can_manage_federations = models.BooleanField(
                 verbose_name=_('users can manage federation'),
                 default=True,
                 blank=True,
                 db_index=True)
             verbose_name=_('users can manage federation'),
             default=True,
             blank=True,
             db_index=True)
         objects = managers.GetByLibertyProviderManager()
-...
     LIBERTY_SESSION_DUMP_KIND_SP = 0
     LIBERTY_SESSION_DUMP_KIND_IDP = 1
     LIBERTY_SESSION_DUMP_KIND = { LIBERTY_SESSION_DUMP_KIND_SP: 'sp',
             LIBERTY_SESSION_DUMP_KIND_IDP: 'idp' }
     LIBERTY_SESSION_DUMP_KIND = {
         LIBERTY_SESSION_DUMP_KIND_SP: 'sp',
         LIBERTY_SESSION_DUMP_KIND_IDP: 'idp',
+    }
     class LibertySessionDump(models.Model):
         '''Store lasso session object dump.
            Should be replaced in the future by direct references to known
            assertions through the LibertySession object'''
         django_session_key = models.CharField(max_length = 128)
         session_dump = models.TextField(blank = True)
         kind = models.IntegerField(choices = LIBERTY_SESSION_DUMP_KIND.items())
         django_session_key = models.CharField(max_length=128)
         session_dump = models.TextField(blank=True)
         kind = models.IntegerField(choices=LIBERTY_SESSION_DUMP_KIND.items())
         objects = managers.SessionLinkedManager()
-...
             verbose_name_plural = _('SAML session dumps')
             unique_together = (('django_session_key', 'kind'),)
     class LibertyArtifact(models.Model):
         """Store an artifact and the associated XML content"""
         creation = models.DateTimeField(auto_now_add=True)
         artifact = models.CharField(max_length = 128, primary_key = True)
         artifact = models.CharField(max_length=128, primary_key=True)
         content = models.TextField()
         provider_id = models.CharField(max_length = 256)
         provider_id = models.CharField(max_length=256)
         objects = managers.LibertyArtifactManager()
-...
             verbose_name = _('SAML artifact')
             verbose_name_plural = _('SAML artifacts')
     def nameid2kwargs(name_id):
         return {
             'name_id_qualifier': name_id.nameQualifier,
             'name_id_sp_name_qualifier': name_id.spNameQualifier,
             'name_id_content': name_id.content,
             'name_id_format': name_id.format }
             'name_id_format': name_id.format,
+        }
     # XXX: for retrocompatibility
     federation_delete = managers.federation_delete
     @six.python_2_unicode_compatible
     class LibertyFederation(models.Model):
         """Store a federation, i.e. an identifier shared with another provider, be
            it IdP or SP"""
         user = models.ForeignKey(settings.AUTH_USER_MODEL, null=True, blank=True,
                 on_delete=models.SET_NULL)
         user = models.ForeignKey(
             settings.AUTH_USER_MODEL,
             null=True,
             blank=True,
             on_delete=models.SET_NULL)
         sp = models.ForeignKey('LibertyServiceProvider', null=True, blank=True)
         name_id_format = models.CharField(max_length = 100,
                 verbose_name = "NameIDFormat", blank=True, null=True)
         name_id_content = models.CharField(max_length = 100,
                 verbose_name = "NameID")
         name_id_qualifier = models.CharField(max_length = 256,
                 verbose_name = "NameQualifier", blank=True, null=True)
         name_id_sp_name_qualifier = models.CharField(max_length = 256,
                 verbose_name = "SPNameQualifier", blank=True, null=True)
         name_id_format = models.CharField(max_length=100, verbose_name="NameIDFormat", blank=True, null=True)
         name_id_content = models.CharField(max_length=100, verbose_name="NameID")
         name_id_qualifier = models.CharField(max_length=256, verbose_name="NameQualifier", blank=True, null=True)
         name_id_sp_name_qualifier = models.CharField(max_length=256, verbose_name="SPNameQualifier", blank=True, null=True)
         termination_notified = models.BooleanField(blank=True, default=False)
         creation = models.DateTimeField(auto_now_add=True)
         last_modification = models.DateTimeField(auto_now=True)
-...
                 key += (None,)
             return key
         def is_unique(self, for_format=True):
             '''Return whether a federation already exist for this user and this provider.
                By default the check is made by name_id_format, if you want to check
                whatever the format, set for_format to False.
             '''
             qs = LibertyFederation.objects.exclude(id=self.id) \
                     .filter(user=self.user, idp=self.idp, sp=self.sp)
             qs = LibertyFederation.objects.exclude(id=self.id).filter(user=self.user, idp=self.idp, sp=self.sp)
             if for_format:
                 qs = qs.filter(name_id_format=self.name_id_format)
             return not qs.exists()
-...
     @six.python_2_unicode_compatible
     class LibertySession(models.Model):
         """Store the link between a Django session and a SAML session"""
         django_session_key = models.CharField(max_length = 128)
         session_index = models.CharField(max_length = 80)
         provider_id = models.CharField(max_length = 256)
         federation = models.ForeignKey(LibertyFederation, blank=True,
                 null = True)
         name_id_qualifier = models.CharField(max_length = 256,
                 verbose_name = _("Qualifier"), null = True)
         name_id_format = models.CharField(max_length = 100,
                 verbose_name = _("NameIDFormat"), null = True)
         name_id_content = models.CharField(max_length = 100,
                 verbose_name = _("NameID"))
         name_id_sp_name_qualifier = models.CharField(max_length = 256,
                 verbose_name = _("SPNameQualifier"), null = True)
         django_session_key = models.CharField(max_length=128)
         session_index = models.CharField(max_length=80)
         provider_id = models.CharField(max_length=256)
         federation = models.ForeignKey(LibertyFederation, blank=True, null=True)
         name_id_qualifier = models.CharField(max_length=256, verbose_name=_("Qualifier"), null=True)
         name_id_format = models.CharField(max_length=100, verbose_name=_("NameIDFormat"), null=True)
         name_id_content = models.CharField(max_length=100, verbose_name=_("NameID"))
         name_id_sp_name_qualifier = models.CharField(max_length=256, verbose_name=_("SPNameQualifier"), null=True)
         creation = models.DateTimeField(auto_now_add=True)
         objects = managers.LibertySessionManager()
-...
                 return LibertySession.objects.none()
             kwargs = nameid2kwargs(name_id)
             name_id_qualifier = kwargs['name_id_qualifier']
             qs = LibertySession.objects.filter(provider_id=provider_id,
                     session_index__in=session_indexes)
             qs = LibertySession.objects.filter(provider_id=provider_id, session_index__in=session_indexes)
             if name_id_qualifier and name_id_qualifier != issuer_id:
                 qs = qs.filter(**kwargs)
             else:
                 kwargs.pop('name_id_qualifier')
                 qs = qs.filter(**kwargs) \
                         .filter(Q(name_id_qualifier__isnull=True)|Q(name_id_qualifier=issuer_id))
             qs = qs.filter(Q(name_id_sp_name_qualifier__isnull=True)|Q(name_id_sp_name_qualifier=provider_id))
                 qs = qs.filter(**kwargs).filter(Q(name_id_qualifier__isnull=True) | Q(name_id_qualifier=issuer_id))
             qs = qs.filter(Q(name_id_sp_name_qualifier__isnull=True) | Q(name_id_sp_name_qualifier=provider_id))
             return qs
         def __str__(self):
-...
             verbose_name = _("SAML session")
             verbose_name_plural = _("SAML sessions")
     @six.python_2_unicode_compatible
     class KeyValue(models.Model):
         key = models.CharField(max_length=128, primary_key=True)
-...
             verbose_name = _("key value association")
             verbose_name_plural = _("key value associations")
     def save_key_values(key, *values):
         # never update an existing key, key are nonces
         kv, created = KeyValue.objects.get_or_create(key=key, defaults={'value': values})
-...
             kv.value = values
             kv.save()
     def get_and_delete_key_values(key):
         try:
             kv = KeyValue.objects.get(key=key)

     from __future__ import print_function
     import xml.etree.ElementTree as etree
     from authentic2.compat_lasso import lasso
     from authentic2.saml import x509utils
     from authentic2.saml.saml2utils import bool2xs, NamespacedTreeBuilder, keyinfo
     class Saml11Metadata(object):
         ENTITY_DESCRIPTOR = 'EntityDescriptor'
         SP_SSO_DESCRIPTOR = 'SPDescriptor'
         IDP_SSO_DESCRIPTOR = 'IDPDescriptor'
         PROTOCOL_SUPPORT_ENUMERATION = 'protocolSupportEnumeration'
         SOAP_ENDPOINT = 'SoapEndpoint'
         PROVIDER_ID = 'providerID'
         VALID_UNTIL = 'validUntil'
         CACHE_DURATION = 'cacheDuration'
         ENCRYPTION_METHOD = 'EncryptionMethod'
         KEY_SIZE = 'KeySize'
         KEY_DESCRIPTOR = 'KeyDescriptor'
         SERVICE_URL = "ServiceURL"
         SERVICE_RETURN_URL = "ServiceReturnURL"
         USE = 'use'
         PROTOCOL_PROFILE = 'ProtocolProfile'
         FEDERATION_TERMINATION_NOTIFICATION_PROTOCOL_PROFILE = \
             'FederationTerminationNotificationProtocolProfile'
         AUTHN_REQUESTS_SIGNED = 'AuthnRequestsSigned'
         # Service prefixes
         SINGLE_LOGOUT = 'SingleLogout'
         FEDERATION_TERMINATION = 'FederationTermination'
         REGISTER_NAME_IDENTIFIER = 'RegisterNameIdentifier'
         # SP Services prefixes
         ASSERTION_CONSUMER = 'AssertionConsumer'
         # IDP Services prefixes
         SINGLE_SIGN_ON = 'SingleSignOn'
         AUTHN = 'Authn'
         sso_services = ( SOAP_ENDPOINT, SINGLE_LOGOUT, FEDERATION_TERMINATION,
                 REGISTER_NAME_IDENTIFIER )
         idp_services = ( SINGLE_SIGN_ON, AUTHN)
         sp_services = ( ASSERTION_CONSUMER, AUTHN_REQUESTS_SIGNED)
         def __init__(self, entity_id, url_prefix = '', valid_until = None,
                 cache_duration = None, protocol_support_enumeration = []):
             '''Initialize a new generator for a metadata file.
                Entity id is the name of the provider
             '''
             self.entity_id = entity_id
             self.url_prefix = url_prefix
             self.role_descriptors = {}
             self.valid_until = valid_until
             self.cache_duration = cache_duration
             self.tb = NamespacedTreeBuilder()
             self.tb.pushNamespace(lasso.METADATA_HREF)
             if not protocol_support_enumeration:
                 raise TypeError('Protocol Support Enumeration is mandatory')
             self.protocol_support_enumeration = protocol_support_enumeration
         def add_role_descriptor(self, role, map, options):
             '''Add a role descriptor, map is a sequence of tuples formatted as
                   (endpoint_type, (bindings, ..) , url [, return_url])'''
             if not self.SOAP_ENDPOINT in map:
                 raise TypeError('SoapEndpoint is mandatory in SAML 1.1 role descriptors')
             self.role_descriptors[role] = (map, options)
         def add_sp_descriptor(self, map, options):
             if not self.ASSERTION_CONSUMER in map:
                 raise TypeError('AssertionConsumer is mandarotyr in SAML 1.1 SP role descriptors')
             for row in map:
                 if row not in self.sp_services + self.sso_services:
                     raise TypeError(row)
             self.add_role_descriptor('sp', map, options)
         def add_idp_descriptor(self, map, options):
             if not self.SINGLE_SIGN_ON in map:
                 raise TypeError('SingleSignOn is mandarotyr in SAML 1.1 SP role descriptors')
             for row in map:
                 if row not in self.idp_services + self.sso_services:
                     raise TypeError(row)
             self.add_role_descriptor('idp', map, options)
         def add_keyinfo(self, key, use, encryption_method = None, key_size = None):
             attrib = {}
             if use:
                 attrib = { self.USE: use }
             self.tb.start(self.KEY_DESCRIPTOR, attrib)
             if encryption_method:
                 self.tb.simple_content(self.ENCRYPTION_METHOD, encryption_method)
             if key_size:
                 self.tb.simple_content(self.KEY_SIZE, str(key_size))
             keyinfo(self.tb, key)
             self.tb.end(self.KEY_DESCRIPTOR)
         def add_service_url(self, name, map):
             service = map.get(name)
             if service:
                 service_urls = service[0]
                 self.tb.simple_content(name + self.SERVICE_URL,
                     self.url_prefix + service_urls[0])
                 if len(service_urls) == 2:
                     self.tb.simple_content(name + self.SERVICE_RETURN_URL,
                         self.url_prefix + service_urls[1])
         def add_profile(self, name, map, tag = None):
             if not tag:
                 tag = name + self.PROTOCOL_PROFILE
             service = map.get(name)
             if service:
                 service_profiles = service[1]
                 for profile in service_profiles:
                     self.tb.simple_content(tag, profile)
         def generate_sso_descriptor(self, name, map, options):
             attrib = {}
             if options.get('valid_until'):
                 attrib[self.VALID_UNTIL] = options['valid_until']
             if options.get('cached_duration'):
                 attrib[self.CACHE_DURATION] = options['cache_duration']
             attrib[self.PROTOCOL_SUPPORT_ENUMERATION] = options[self.PROTOCOL_SUPPORT_ENUMERATION]
             self.tb.start(name, attrib)
             # Add KeyDescriptor(s)
             if options.get('signing_key'):
                 self.add_keyinfo(options['signing_key'], 'signing',)
             if options.get('encryption_key'):
                 self.add_keyinfo(options['encryption_key'], 'encryption',
                         encryption_method = options.get('encryption_method'),
                         key_size = options.get('key_size'))
             if options.get('key'):
                 self.add_keyinfo(options['encryption_key'], 'signing encryption',
                         encryption_method = options.get('encryption_method'),
                         key_size = options.get('key_size'))
             # Add SOAP Endpoint
             self.tb.simple_content(self.SOAP_ENDPOINT,
                     self.url_prefix + map[self.SOAP_ENDPOINT])
             # Add SingleLogoutService
             self.add_service_url(self.SINGLE_LOGOUT, map)
             # Add FederationTerminationService URL
             self.add_service_url(self.FEDERATION_TERMINATION, map)
             self.add_profile(self.FEDERATION_TERMINATION, map,
                  tag = self.FEDERATION_TERMINATION_NOTIFICATION_PROTOCOL_PROFILE)
             # Add SingleLogoutProtocolProfile
             self.add_profile(self.SINGLE_LOGOUT, map)
             # Add RegisterNameIdentifier
             self.add_profile(self.REGISTER_NAME_IDENTIFIER, map)
             self.add_service_url(self.REGISTER_NAME_IDENTIFIER, map)
         def generate_idp_descriptor(self, map, options):
             self.generate_sso_descriptor(self.IDP_SSO_DESCRIPTOR, map, options)
             # Add SingleSignOnServiceURL
             self.add_service_url(self.SINGLE_SIGN_ON, map)
             self.add_profile(self.SINGLE_SIGN_ON, map)
             # Add AuthnServiceURL
             self.add_service_url(self.AUTHN, map)
             self.tb.end(self.IDP_SSO_DESCRIPTOR)
         def generate_sp_descriptor(self, map, options):
             self.generate_sso_descriptor(self.SP_SSO_DESCRIPTOR, map, options)
             # Add AssertionConsumerServiceURL
             self.add_service_url(self.ASSERTION_CONSUMER)
             self.simple_content(self.AUTHN_REQUESTS_SIGNED,
                     bool2xs(options.get(self.AUTHN_REQUESTS_SIGNED, False)))
             self.tb.end(self.SP_SSO_DESCRIPTOR)
         def root_element(self):
             attrib = { self.PROVIDER_ID : self.entity_id}
             if self.cache_duration:
                 attrib['cacheDuration'] = self.cache_duration
             if self.valid_until:
                 attrib['validUntil'] = self.valid_until
             self.entity_descriptor = self.tb.start(self.ENTITY_DESCRIPTOR, attrib)
             # Generate sso descriptor
             attrib =  { self.PROTOCOL_SUPPORT_ENUMERATION: ' '.join(self.protocol_support_enumeration) }
             if self.role_descriptors.get('idp'):
                 map, options = self.role_descriptors['idp']
                 options.update(attrib)
                 self.generate_idp_descriptor(map, options)
             if self.role_descriptors.get('sp'):
                 map, options = self.role_descriptors['sp']
                 options.update(attrib)
                 self.generate_idp_sso_descriptor(map, options)
             self.tb.end(self.ENTITY_DESCRIPTOR)
             return self.tb.close()
         def __str__(self):
             return '<?xml version="1.0"?>\n' + etree.tostring(self.root_element())
     if __name__ == '__main__':
         pkey, _ = x509utils.generate_rsa_keypair()
         meta = Saml11Metadata('http://example.com/saml',
                 'http://example.com/saml/prefix/',
                 protocol_support_enumeration = [ lasso.LIB_HREF ])
         sso_protocol_profiles = [
             lasso.LIB_PROTOCOL_PROFILE_BRWS_ART,
             lasso.LIB_PROTOCOL_PROFILE_BRWS_POST,
             lasso.LIB_PROTOCOL_PROFILE_BRWS_LECP ]
         slo_protocol_profiles = [
             lasso.LIB_PROTOCOL_PROFILE_SLO_SP_HTTP,
             lasso.LIB_PROTOCOL_PROFILE_SLO_SP_SOAP,
             lasso.LIB_PROTOCOL_PROFILE_SLO_IDP_HTTP,
             lasso.LIB_PROTOCOL_PROFILE_SLO_IDP_SOAP ]
         options = { 'signing_key': pkey }
         meta.add_idp_descriptor({
                 'SoapEndpoint': 'soap',
                 'SingleLogout': (('slo', 'sloReturn'), slo_protocol_profiles),
                 'SingleSignOn': (('sso',), sso_protocol_profiles),
             }, options)
         root = meta.root_element()
         print(etree.tostring(root))

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from __future__ import print_function
     import xml.etree.ElementTree as etree
-...
     def filter_element_private_key(message):
         if isinstance(message, six.string_types):
             return re.sub(r'(<saml)(p)?(:PrivateKeyFile>-----BEGIN RSA PRIVATE KEY-----)'
                 '([&#;\w/+=\s])+'
                 '(-----END RSA PRIVATE KEY-----</saml)(p)?(:PrivateKeyFile>)',
             return re.sub(
                 r'(<saml)(p)?(:PrivateKeyFile>-----BEGIN RSA PRIVATE KEY-----)'
                 r'([&#;\w/+=\s])+'
                 r'(-----END RSA PRIVATE KEY-----</saml)(p)?(:PrivateKeyFile>)',
                 '', message)
         else:
             return message
-...
             return 'false'
         raise TypeError()
     def int_to_b64(i):
         h = hex(i)[2:].strip('L')
         if len(h) % 2 == 1:
             h = '0' + h
         return base64.b64encode(binascii.unhexlify(h))
     def keyinfo(tb, key):
         tb.pushNamespace(lasso.DS_HREF)
         tb.start('KeyInfo', {})
-...
         tb.end('KeyInfo')
         tb.popNamespace()
     class NamespacedTreeBuilder(etree.TreeBuilder):
         def __init__(self, *args, **kwargs):
             self.__old_ns = []
-...
             self.data(data)
             self.end()
         def end(self, tag = None):
         def end(self, tag=None):
             if tag:
                 self.__opened.pop()
                 tag = '{%s}%s' % (self.__ns, tag)
-...
                 tag = self.__opened.pop()
             return etree.TreeBuilder.end(self, tag)
     class Saml2Metadata(object):
         ENTITY_DESCRIPTOR = 'EntityDescriptor'
         SP_SSO_DESCRIPTOR = 'SPSSODescriptor'
-...
         DISCOVERY_NS = 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol'
         DISCOVERY_BINDING = 'urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol'
         sso_services = ( ARTIFACT_RESOLUTION_SERVICE, SINGLE_LOGOUT_SERVICE,
                 MANAGE_NAME_ID_SERVICE )
         idp_services = ( SINGLE_SIGN_ON_SERVICE, NAME_ID_MAPPING_SERVICE,
                 ASSERTION_ID_REQUEST_SERVICE )
         sp_services = ( ASSERTION_CONSUMER_SERVICE, )
         indexed_endpoints = ( ARTIFACT_RESOLUTION_SERVICE,
                 ASSERTION_CONSUMER_SERVICE )
         sso_services = (ARTIFACT_RESOLUTION_SERVICE, SINGLE_LOGOUT_SERVICE, MANAGE_NAME_ID_SERVICE)
         idp_services = (SINGLE_SIGN_ON_SERVICE, NAME_ID_MAPPING_SERVICE, ASSERTION_ID_REQUEST_SERVICE)
         sp_services = (ASSERTION_CONSUMER_SERVICE,)
         indexed_endpoints = (ARTIFACT_RESOLUTION_SERVICE, ASSERTION_CONSUMER_SERVICE)
         def __init__(self, entity_id, url_prefix = '', valid_until = None,
                 cache_duration = None):
         def __init__(self, entity_id, url_prefix='', valid_until=None, cache_duration=None):
             '''Initialize a new generator for a metadata file.
                Entity id is the name of the provider
-...
                     self.add_keyinfo(options['key'], None)
                 if 'disco' in options:
                     self.add_disco_extension(options['disco'])
             endpoint_idx = collections.defaultdict(lambda:0)
             endpoint_idx = collections.defaultdict(lambda: 0)
             for service in listing:
                 selected = [ row for row in map if row[0] == service ]
                 selected = [row for row in map if row[0] == service]
                 for row in selected:
                     if isinstance(row[1], str):
                         bindings = [ row[1] ]
                         bindings = [row[1]]
                     else:
                         bindings = row[1]
                     for binding in bindings:
                         attribs = { 'Binding' : binding,
                                 'Location': self.url_prefix + row[2] }
                         attribs = {
                             'Binding': binding,
                             'Location': self.url_prefix + row[2]
+                        }
                         if len(row) == 4:
                             attribs['ResponseLocation'] = self.url_prefix + row[3]
                         if service in self.indexed_endpoints:
-...
         def add_keyinfo(self, key, use):
             attrib = {}
             if use:
                 attrib = { 'use': use }
                 attrib = {'use': use}
             self.tb.start(self.KEY_DESCRIPTOR, attrib)
             keyinfo(self.tb, key)
             self.tb.end(self.KEY_DESCRIPTOR)
         def root_element(self):
             attrib = { 'entityID' : self.entity_id}
             attrib = {'entityID': self.entity_id}
             if self.cache_duration:
                 attrib['cacheDuration'] = self.cache_duration
             if self.valid_until:
-...
             self.entity_descriptor = self.tb.start(self.ENTITY_DESCRIPTOR, attrib)
             # Generate sso descriptor
             attrib =  { self.PROTOCOL_SUPPORT_ENUMERATION: lasso.SAML2_PROTOCOL_HREF }
             attrib =  {self.PROTOCOL_SUPPORT_ENUMERATION: lasso.SAML2_PROTOCOL_HREF}
             if self.role_descriptors.get('sp'):
                 map, options = self.role_descriptors['sp']
                 self.sp_descriptor = self.tb.start(self.SP_SSO_DESCRIPTOR, attrib)
-...
             self.tb.pushNamespace(self.DISCOVERY_NS)
             index = 0
             for url in disco_return_url:
                 attrib = {'Binding': self.DISCOVERY_BINDING,
                 attrib = {
                     'Binding': self.DISCOVERY_BINDING,
                     'Location': self.url_prefix + url,
                     'index': str(index)}
                     'index': str(index)
+                }
                 self.tb.start(self.DISCOVERY_RESPONSE, attrib)
                 self.tb.end(self.DISCOVERY_RESPONSE)
                 index += 1
-...
         def __str__(self):
             return '<?xml version="1.0"?>\n' + etree.tostring(self.root_element())
     def iso8601_to_datetime(date_string):
         '''Convert a string formatted as an ISO8601 date into a time_t value.
-...
         m = re.match(r'(\d+-\d+-\d+T\d+:\d+:\d+)(?:\.\d+)?Z$', date_string)
         if not m:
             raise ValueError('Invalid ISO8601 date')
         tm = time.strptime(m.group(1)+'Z', "%Y-%m-%dT%H:%M:%SZ")
         tm = time.strptime(m.group(1) + 'Z', "%Y-%m-%dT%H:%M:%SZ")
         return datetime.datetime.fromtimestamp(time.mktime(tm))
     def authnresponse_checking(login, subject_confirmation, logger, saml_request_id=None):
-...
         try:
             irt = assertion.subject. \
                 subjectConfirmation.subjectConfirmationData.inResponseTo
         except:
         except Exception:
             pass
         logger.debug('inResponseTo: %s' % irt)
-...
         try:
             if assertion.subject.subjectConfirmation.method != \
                     'urn:oasis:names:tc:SAML:2.0:cm:bearer':
                 logger.error('Unknown \
                     SubjectConfirmation Method')
                 logger.error('Unknown SubjectConfirmation Method')
                 return False
         except:
             logger.error('Error checking \
                 SubjectConfirmation Method')
         except Exception:
             logger.error('Error checking SubjectConfirmation Method')
             return False
         logger.debug('subjectConfirmation method known')
-...
             if assertion.subject. \
                     subjectConfirmation.subjectConfirmationData.recipient != \
                     subject_confirmation:
                 logger.error('SubjectConfirmation \
                     Recipient Mismatch, %s is not %s' % (assertion.subject. \
                     subjectConfirmation.subjectConfirmationData.recipient,
                     subject_confirmation))
                 logger.error('SubjectConfirmation Recipient Mismatch, %s is not %s',
                              assertion.subject.subjectConfirmation.subjectConfirmationData.recipient,
                              subject_confirmation)
                 return False
         except:
             logger.error('Error checking \
                 SubjectConfirmation Recipient')
         except Exception:
             logger.error('Error checking SubjectConfirmation Recipient')
             return False
         logger.debug('\
             the url is the same as in the assertion')
         logger.debug('the url is the same as in the assertion')
         # Check: AudienceRestriction
         try:
-...
             if not audience_ok:
                 logger.error('Incorrect AudienceRestriction')
                 return False
         except:
         except Exception:
             logger.error('Error checking AudienceRestriction')
             return False
         logger.debug('audience restriction respected')
-...
         try:
             not_before = assertion.subject. \
                 subjectConfirmation.subjectConfirmationData.notBefore
         except:
         except Exception:
             logger.error('missing subjectConfirmationData')
             return False
-...
             if not_before and now < iso8601_to_datetime(not_before):
                 logger.error('Assertion received too early')
                 return False
         except:
         except Exception:
             logger.error('invalid notBefore value ' + not_before)
             return False
         try:
             if not_on_or_after and now > iso8601_to_datetime(not_on_or_after):
                 logger.error('Assertion expired')
                 return False
         except:
         except Exception:
             logger.error('invalid notOnOrAfter value')
             return False
         logger.debug('assertion validity timeslice respected \
             %s <= %s < %s ' % (not_before, str(now), not_on_or_after))
         return True
     def get_attributes_from_assertion(assertion, logger):
         attributes = dict()
         if not assertion:
-...
                 nickname = None
                 try:
                     name = attribute.name.decode('ascii')
                 except:
                 except Exception:
                     logger.warning('get_attributes_from_assertion: error decoding name of \
                         attribute %s' % attribute.dump())
                 else:
-...
                         for value in values:
                             content = [any.exportToXml() for any in value.any]
                             content = ''.join(content)
                             attributes[(name, format)].append(content.\
                                 decode('utf8'))
                             attributes[(name, format)].append(content.decode('utf8'))
                     except Exception as e:
                         message = 'get_attributes_from_assertion: value of an \
                             attribute failed to decode as ascii: %s due to %s'
-...
     if __name__ == '__main__':
         pkey, _ = x509utils.generate_rsa_keypair()
         meta = Saml2Metadata('http://example.com/saml', 'http://example.com/saml/prefix/')
         bindings2 = [ lasso.SAML2_METADATA_BINDING_SOAP,
                 lasso.SAML2_METADATA_BINDING_REDIRECT,
                 lasso.SAML2_METADATA_BINDING_POST ]
         options = { 'signing_key': pkey }
         bindings2 = [
             lasso.SAML2_METADATA_BINDING_SOAP,
             lasso.SAML2_METADATA_BINDING_REDIRECT,
             lasso.SAML2_METADATA_BINDING_POST,
+        ]
         options = {'signing_key': pkey}
         meta.add_sp_descriptor((
             ('SingleLogoutService',
                 lasso.SAML2_METADATA_BINDING_SOAP, 'logout', 'logoutReturn' ),
             ('ManageNameIDService',
                 bindings2, 'manageNameID', 'manageNameIDReturn' ),
             ('AssertionConsumerService',
                 [ lasso.SAML2_METADATA_BINDING_POST ], 'acs'),),
                 [lasso.SAML2_METADATA_BINDING_POST ], 'acs'),),
             options)
         root = meta.root_element()
         print(etree.tostring(root))

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from __future__ import print_function
     import xml.etree.ElementTree as ET
     from authentic2.saml.shibboleth.utils import FancyTreeBuilder
     class NS(object):
         AFP = 'urn:mace:shibboleth:2.0:afp'
         BASIC = 'urn:mace:shibboleth:2.0:afp:mf:basic'
-...
         ATTRIBUTE_ID = 'attributeID'
         ID = 'id'
     def parse_attribute_filters_file(path):
         tree = ET.parse(path, FancyTreeBuilder(target=ET.TreeBuilder()))
         root = tree.getroot()
         return parse_attribute_filter_et(root)
     def fixqname(element, qname):
         prefix, local = qname.split(":")
         try:
-...
         except KeyError:
             raise SyntaxError("unknown namespace prefix (%s)" % prefix)
     def parse_attribute_filter_et(root):
         assert root.tag == NS.AF_POLICY_GROUP
         d = {}

     import xml.etree.ElementTree as ET
     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from xml.etree.ElementTree import XMLTreeBuilder
-...
             self._namespaces = {}
             self._parser.StartNamespaceDeclHandler = self._start_ns
         def _start(self, *args):
             elem = super(FancyTreeBuilder, self)._start(*args)
             elem.namespaces = self._namespaces.copy()

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from authentic2.decorators import GlobalCache

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import base64
     import binascii
     import tempfile
-...
     _openssl = 'openssl'
     def decapsulate_pem_file(file_or_string):
         '''Remove PEM header lines'''
         if not isinstance(file_or_string, six.string_types):
-...
         i = content.find('--BEGIN')
         j = content.find('\n', i)
         k = content.find('--END', j)
         l = content.rfind('\n', 0, k)
         return content[j+1:l]
         l = content.rfind('\n', 0, k)  # noqa: E741
         return content[j + 1:l]
     def _call_openssl(args):
         '''Use subprocees to spawn an openssl process
-...
         Return a tuple made of the return code and the stdout output
         '''
         try:
             process = subprocess.Popen(args=[_openssl]+args,stdout=subprocess.PIPE,stderr=subprocess.STDOUT)
             process = subprocess.Popen(args=[_openssl] + args, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
             output = process.communicate()[0]
             return process.returncode, output
         except OSError:
             return 1, None
     def _protect_file(fd,filepath):
     def _protect_file(fd, filepath):
         '''Make a file targeted by a file descriptor readable only by the current user
            It's needed to be sure nobody can read the private key file we manage.
         '''
         if hasattr(os, 'fchmod'):
             os.fchmod(fd, stat.S_IRUSR | stat.S_IWUSR)
         else: # handle python <2.6
             os.chmod(filepath, stat.S_IRUSR | stat.S_IWUSR)
         os.fchmod(fd, stat.S_IRUSR | stat.S_IWUSR)
     def check_key_pair_consistency(publickey=None,privatekey=None):
     def check_key_pair_consistency(publickey=None, privatekey=None):
         '''Check if two PEM key pair whether they are publickey or certificate, are
         well formed and related.
         '''
-...
                 publickey_file_fd, publickey_fn = tempfile.mkstemp()
                 _protect_file(privatekey_file_fd, privatekey_fn)
                 _protect_file(publickey_file_fd, publickey_fn)
                 os.fdopen(privatekey_file_fd,'w').write(privatekey)
                 os.fdopen(publickey_file_fd,'w').write(publickey)
                 os.fdopen(privatekey_file_fd, 'w').write(privatekey)
                 os.fdopen(publickey_file_fd, 'w').write(publickey)
                 if 'BEGIN CERTIFICATE' in publickey:
                     rc1, modulus1 = _call_openssl(['x509', '-in', publickey_fn,'-noout','-modulus'])
                     rc1, modulus1 = _call_openssl(['x509', '-in', publickey_fn, '-noout', '-modulus'])
                 else:
                     rc1, modulus1 = _call_openssl(['rsa', '-pubin', '-in', publickey_fn,'-noout','-modulus'])
                     rc1, modulus1 = _call_openssl(['rsa', '-pubin', '-in', publickey_fn, '-noout', '-modulus'])
                     if rc1 != 0:
                         rc1, modulus1 = _call_openssl(['dsa', '-pubin', '-in', publickey_fn,'-noout','-modulus'])
                         rc1, modulus1 = _call_openssl(['dsa', '-pubin', '-in', publickey_fn, '-noout', '-modulus'])
                 if rc1 != 0:
                     return False
                 rc2, modulus2 = _call_openssl(['rsa', '-in', privatekey_fn,'-noout','-modulus'])
                 rc2, modulus2 = _call_openssl(['rsa', '-in', privatekey_fn, '-noout', '-modulus'])
                 if rc2 != 0:
                     rc2, modulus2 = _call_openssl(['dsa', '-in', privatekey_fn,'-noout','-modulus'])
                     rc2, modulus2 = _call_openssl(['dsa', '-in', privatekey_fn, '-noout', '-modulus'])
                 if rc1 == 0 and rc2 == 0 and modulus1 == modulus2:
                     return True
-...
                 os.unlink(publickey_fn)
         return None
     def generate_rsa_keypair(numbits=1024):
         '''Generate simple RSA public and private key files
         '''
-...
             publickey_file_fd, publickey_fn = tempfile.mkstemp()
             _protect_file(privatekey_file_fd, privatekey_fn)
             _protect_file(publickey_file_fd, publickey_fn)
             rc1, _ = _call_openssl(['genrsa','-out', privatekey_fn,'-passout', 'pass:',str(numbits)])
             rc2, _ = _call_openssl(['rsa','-in', privatekey_fn,'-pubout','-out', publickey_fn])
             rc1, _ = _call_openssl(['genrsa', '-out', privatekey_fn, '-passout', 'pass:', str(numbits)])
             rc2, _ = _call_openssl(['rsa', '-in', privatekey_fn, '-pubout', '-out', publickey_fn])
             if rc1 != 0 or rc2 != 0:
                 raise Exception('Failed to generate a key')
             return (os.fdopen(publickey_file_fd).read(), os.fdopen(privatekey_file_fd).read())
-...
             os.unlink(privatekey_fn)
             os.unlink(publickey_fn)
     def get_rsa_public_key_modulus(publickey):
         try:
             publickey_file_fd, publickey_fn = tempfile.mkstemp()
             os.fdopen(publickey_file_fd,'w').write(publickey)
             os.fdopen(publickey_file_fd, 'w').write(publickey)
             if 'BEGIN PUBLIC' in publickey:
                 rc, modulus = _call_openssl(['rsa', '-pubin', '-in', publickey_fn,'-noout','-modulus'])
                 rc, modulus = _call_openssl(['rsa', '-pubin', '-in', publickey_fn, '-noout', '-modulus'])
             elif 'BEGIN RSA PRIVATE KEY' in publickey:
                 rc, modulus = _call_openssl(['rsa', '-in', publickey_fn, '-noout', '-modulus'])
             elif 'BEGIN CERTIFICATE' in publickey:
                 rc, modulus = _call_openssl(['x509', '-in', publickey_fn,'-noout','-modulus'])
                 rc, modulus = _call_openssl(['x509', '-in', publickey_fn, '-noout', '-modulus'])
             else:
                 return None
             i = modulus.find('=')
             if rc == 0 and i:
                 return int(modulus[i+1:].strip(),16)
                 return int(modulus[i + 1:].strip(), 16)
         finally:
             os.unlink(publickey_fn)
         return None
     def get_rsa_public_key_exponent(publickey):
         try:
             publickey_file_fd, publickey_fn = tempfile.mkstemp()
             os.fdopen(publickey_file_fd,'w').write(publickey)
             os.fdopen(publickey_file_fd, 'w').write(publickey)
             _exponent = 'Exponent: '
             if 'BEGIN PUBLIC' in publickey:
                 rc, modulus = _call_openssl(['rsa', '-pubin', '-in', publickey_fn,'-noout','-text'])
                 rc, modulus = _call_openssl(['rsa', '-pubin', '-in', publickey_fn, '-noout', '-text'])
             elif 'BEGIN RSA PRIVATE' in publickey:
                 rc, modulus = _call_openssl(['rsa', '-in', publickey_fn, '-noout', '-text'])
                 _exponent = 'publicExponent: '
             elif 'BEGIN CERTIFICATE' in publickey:
                 rc, modulus = _call_openssl(['x509', '-in', publickey_fn,'-noout','-text'])
                 rc, modulus = _call_openssl(['x509', '-in', publickey_fn, '-noout', '-text'])
             else:
                 return None
             i = modulus.find(_exponent)
             j = modulus.find('(', i)
             if rc == 0 and i and j:
                 return int(modulus[i+len(_exponent):j].strip())
                 return int(modulus[i + len(_exponent):j].strip())
         finally:
             os.unlink(publickey_fn)
         return None
     def can_generate_rsa_key_pair():
         syspath = os.environ.get('PATH')
         if syspath:
             for base in syspath.split(':'):
                 if os.path.exists(os.path.join(base,'openssl')):
                 if os.path.exists(os.path.join(base, 'openssl')):
                     return True
         else:
             return False
     def get_xmldsig_rsa_key_value(publickey):
         def int_to_bin(i):
             h = hex(i)[2:].strip('L')
-...
         mod = get_rsa_public_key_modulus(publickey)
         exp = get_rsa_public_key_exponent(publickey)
         return '<RSAKeyValue xmlns="http://www.w3.org/2000/09/xmldsig#">\n\t<Modulus>%s</Modulus>\n\t<Exponent>%s</Exponent>\n</RSAKeyValue>' % (base64.b64encode(int_to_bin(mod)), base64.b64encode(int_to_bin(exp)))
         return (
             '<RSAKeyValue xmlns="http://www.w3.org/2000/09/xmldsig#">\n\t'
             '<Modulus>%s</Modulus>\n\t'
             '<Exponent>%s</Exponent>\n</RSAKeyValue>' % (
                 base64.b64encode(int_to_bin(mod)), base64.b64encode(int_to_bin(exp))))
     if __name__ == '__main__':
-...
     -----END RSA PRIVATE KEY-----'''
         assert(check_key_pair_consistency(cert, key))
         assert(get_xmldsig_rsa_key_value(cert))
         assert(len(decapsulate_pem_file(key).splitlines()) == len(key.splitlines())-2)
         assert(len(decapsulate_pem_file(key).splitlines()) == len(key.splitlines()) - 2)

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import json
     import sys
-...
                 self._current[vfield.name] = (ct.natural_key(), sub_obj.natural_key())
             super(Serializer, self).end_object(obj)
     def PreDeserializer(objects, **options):
         db = options.pop('using', DEFAULT_DB_ALIAS)
-...
             for vfield in Model._meta.virtual_fields:
                 if not isinstance(vfield, GenericForeignKey):
                     continue
                 if not vfield.name in d['fields']:
                 if vfield.name not in d['fields']:
                     continue
                 ct_natural_key, fk_natural_key = d['fields'][vfield.name]
                 ct = ContentType.objects.get_by_natural_key(*ct_natural_key)
-...
                 del d['fields'][vfield.name]
             yield d
     def Deserializer(stream_or_string, **options):
         """
         Deserialize a stream or string of JSON data.

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import logging
     import logging.config
     # Load default from Django
-...
     CACHES = global_settings.CACHES
     BASE_DIR = os.path.dirname(__file__)
     ### Quick-start development settings - unsuitable for production
     # Quick-start development settings - unsuitable for production
     # See https://docs.djangoproject.com/en/dev/howto/deployment/checklist/
     # SECURITY WARNING: keep the secret key used in production secret!
-...
+        }
+    }
     ### End of "Quick-start development settings"
     # Hey Entr'ouvert is in France !!
     TIME_ZONE = 'Europe/Paris'
     LANGUAGE_CODE = 'fr'
-...
     MIDDLEWARE_CLASSES += (
         'authentic2.middleware.DisplayMessageBeforeRedirectMiddleware',
         'authentic2.idp.middleware.DebugMiddleware',
         'authentic2.middleware.CollectIPMiddleware',
         'authentic2.middleware.ViewRestrictionMiddleware',
         'authentic2.middleware.OpenedSessionCookieMiddleware',
-...
     STATICFILES_FINDERS = list(global_settings.STATICFILES_FINDERS) + ['gadjo.finders.XStaticFinder']
     LOCALE_PATHS = ( os.path.join(BASE_DIR, 'locale'), )
     LOCALE_PATHS = (os.path.join(BASE_DIR, 'locale'), )
     INSTALLED_APPS = (
         'django.contrib.staticfiles',
-...
         'authentic2.backends.models_backend.DummyModelBackend',
         'django_rbac.backends.DjangoRBACBackend',
+    )
     AUTHENTICATION_BACKENDS = plugins.register_plugins_authentication_backends(
             AUTHENTICATION_BACKENDS)
     AUTHENTICATION_BACKENDS = plugins.register_plugins_authentication_backends(AUTHENTICATION_BACKENDS)
     CSRF_FAILURE_VIEW = 'authentic2.views.csrf_failure_view'
-...
     # Can be none, sp, idp or both
     PASSWORD_HASHERS = list(global_settings.PASSWORD_HASHERS) + [
             'authentic2.hashers.Drupal7PasswordHasher',
             'authentic2.hashers.SHA256PasswordHasher',
             'authentic2.hashers.SSHA1PasswordHasher',
             'authentic2.hashers.SMD5PasswordHasher',
             'authentic2.hashers.SHA1OLDAPPasswordHasher',
             'authentic2.hashers.MD5OLDAPPasswordHasher',
             'authentic2.hashers.PloneSHA1PasswordHasher',
         'authentic2.hashers.Drupal7PasswordHasher',
         'authentic2.hashers.SHA256PasswordHasher',
         'authentic2.hashers.SSHA1PasswordHasher',
         'authentic2.hashers.SMD5PasswordHasher',
         'authentic2.hashers.SHA1OLDAPPasswordHasher',
         'authentic2.hashers.MD5OLDAPPasswordHasher',
         'authentic2.hashers.PloneSHA1PasswordHasher',
+    ]
     # Admin tools
-...
     # Serialization module to support natural keys in generic foreign keys
     SERIALIZATION_MODULES = {
             'json': 'authentic2.serializers',
         'json': 'authentic2.serializers',
+    }
     LOGGING_CONFIG = None
-...
         'disable_existing_loggers': True,
         'filters': {
             'cleaning': {
                 '()':  'authentic2.utils.CleanLogMessage',
                 '()': 'authentic2.utils.CleanLogMessage',
             },
             'request_context': {
                 '()':  'authentic2.log_filters.RequestContextFilter',
                 '()': 'authentic2.log_filters.RequestContextFilter',
             },
             'force_debug': {
                 '()': 'authentic2.log_filters.ForceDebugFilter',
-...
         'handlers': {
             'console': {
                 'level': 'DEBUG',
                 'class':'logging.StreamHandler',
                 'class': 'logging.StreamHandler',
                 'formatter': 'verbose',
                 'filters': ['cleaning', 'request_context'],
             },
     	# remove request_context filter for db log to prevent infinite loop
     	# when logging sql query to retrieve the session user
             # remove request_context filter for db log to prevent infinite loop
             # when logging sql query to retrieve the session user
             'console_db': {
                 'level': 'DEBUG',
                 'class':'logging.StreamHandler',
                 'class': 'logging.StreamHandler',
                 'formatter': 'verbose_db',
                 'filters': ['cleaning'],
             },
-...
             # even when debugging seeing SQL queries is too much, activate it
             # explicitly using DEBUG_DB
             'django.db': {
                     'handlers': ['console_db'],
                     'level': logger.SettingsLogLevel('INFO', debug_setting='DEBUG_DB'),
                     'propagate': False,
                 'handlers': ['console_db'],
                 'level': logger.SettingsLogLevel('INFO', debug_setting='DEBUG_DB'),
                 'propagate': False,
             },
             'django': {
                     'level': 'INFO',
                 'level': 'INFO',
             },
             # django_select2 outputs debug message at level INFO
             'django_select2': {
                     'level': 'WARNING',
                 'level': 'WARNING',
             },
             # lasso has the bad habit of logging everything as errors
             'Lasso': {
-...
                 'filters': ['force_debug'],
             },
             '': {
                     'handlers': ['console'],
                     'level': logger.SettingsLogLevel('INFO'),
                 'handlers': ['console'],
                 'level': logger.SettingsLogLevel('INFO'),
             },
         },
+    }
     MIGRATION_MODULES = {
             'auth': 'authentic2.auth_migrations',
             'menu': 'authentic2.menu_migrations',
             'dashboard': 'authentic2.dashboard_migrations',
         'auth': 'authentic2.auth_migrations',
         'menu': 'authentic2.menu_migrations',
         'dashboard': 'authentic2.dashboard_migrations',
+    }
     MIGRATION_MODULES['auth'] = 'authentic2.auth_migrations_18'

     {% extends "authentic2/base-page.html" %}
     {% load i18n %}
     {% load breadcrumbs %}
     {% block title %}
         {% trans "Registration" %}
     {% endblock %}
     {% block breadcrumbs %}
         {{ block.super }}
         {% breadcrumb_url 'Register' %}
     {% endblock %}
     {% block content %}
             <h2>{% trans "Login" %}</h2>
             <p>

     {% extends "authentic2/base-page.html" %}
     {% load i18n %}
     {% load breadcrumbs %}
     {% block title %}
         {% trans "Registration" %}
     {% endblock %}
     {% block breadcrumbs %}
         {{ block.super }}
         {% breadcrumb_url 'Register' %}
     {% endblock %}
     {% block content %}
           <h2>{% trans "Registration" %}</h2>
           <p>{% trans "Please fill the form to complete your registration" %}</p>

     {{ view.title }}
     {% endblock %}
     {% load breadcrumbs %}
     {% block breadcrumbs %}
     {{ block.super }}
     {% breadcrumb_url 'Register' %}
     {% endblock %}
     {% block content %}
     <h2>{{ view.title }}</h2>

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.conf.urls import url, include
     from django.conf import settings
     from django.contrib import admin
     from django.contrib.auth.decorators import login_required
     from django.contrib.auth import views as dj_auth_views
     from django.contrib.staticfiles.views import serve
     from django.views.generic.base import TemplateView
     from django.views.static import serve as media_serve
     from . import app_settings, plugins, views
     from . import plugins, views
     admin.autodiscover()
     handler500 = 'authentic2.views.server_error'
     urlpatterns = [
         url(r'^$', views.homepage, name='auth_homepage'),
         url(r'test_redirect/$', views.test_redirect)
     accounts_urlpatterns = [
         url(r'^activate/(?P<registration_token>[\w: -]+)/$',
             views.registration_completion, name='registration_activate'),
         url(r'^register/$',
             views.RegistrationView.as_view(),
             name='registration_register'),
         url(r'^register/complete/$',
             views.registration_complete,
             name='registration_complete'),
         url(r'^register/closed/$',
             TemplateView.as_view(template_name='registration/registration_closed.html'),
             name='registration_disallowed'),
         url(r'^delete/$',
             login_required(views.DeleteView.as_view()),
             name='delete_account'),
         url(r'^logged-in/$',
             views.logged_in,
             name='logged-in'),
         url(r'^edit/$',
             views.edit_profile,
             name='profile_edit'),
         url(r'^edit/(?P<scope>[-\w]+)/$',
             views.edit_profile,
             name='profile_edit_with_scope'),
         url(r'^change-email/$',
             views.email_change,
             name='email-change'),
         url(r'^change-email/verify/$',
             views.email_change_verify,
             name='email-change-verify'),
         url(r'^$',
             views.profile,
             name='account_management'),
         # Password change
         url(r'^password/change/$',
             views.password_change,
             name='password_change'),
         url(r'^password/change/done/$',
             dj_auth_views.password_change_done,
             name='password_change_done'),
         # Password reset
         url(r'^password/reset/confirm/(?P<uidb64>[0-9A-Za-z_\-]+)/(?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})/$',
             views.password_reset_confirm,
             name='password_reset_confirm'),
         url(r'^password/reset/$',
             views.password_reset,
             name='password_reset'),
         url(r'^switch-back/$',
             views.switch_back,
             name='a2-switch-back'),
         # Legacy, only there to provide old view names to resolver
         url(r'^password/change/$',
             views.notimplemented_view,
             name='auth_password_change'),
         url(r'^password/change/done/$',
             views.notimplemented_view,
             name='auth_password_change_done'),
         url(r'^password/reset/confirm/(?P<uidb36>[0-9A-Za-z_\-]+)/(?P<token>[0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})/$',
             views.notimplemented_view,
             name='auth_password_reset_confirm'),
         url(r'^password/reset/$',
             views.notimplemented_view,
             name='auth_password_reset'),
         url(r'^password/reset/complete/$',
             views.notimplemented_view,
             name='auth_password_reset_complete'),
         url(r'^password/reset/done/$',
             views.notimplemented_view,
             name='auth_password_reset_done'),
+    ]
     not_homepage_patterns = [
     urlpatterns = [
         url(r'^$', views.homepage, name='auth_homepage'),
         url(r'^login/$', views.login, name='auth_login'),
         url(r'^logout/$', views.logout, name='auth_logout'),
         url(r'^redirect/(.*)', views.redirect, name='auth_redirect'),
         url(r'^accounts/', include('authentic2.profile_urls'))
+    ]
     not_homepage_patterns += [
         url(r'^accounts/', include(app_settings.A2_REGISTRATION_URLCONF)),
         url(r'^accounts/', include(accounts_urlpatterns)),
         url(r'^admin/', include(admin.site.urls)),
         url(r'^idp/', include('authentic2.idp.urls')),
         url(r'^manage/', include('authentic2.manager.urls')),
         url(r'^api/', include('authentic2.api_urls'))
         url(r'^api/', include('authentic2.api_urls')),
+    ]
     urlpatterns += not_homepage_patterns
     try:
         if getattr(settings, 'DISCO_SERVICE', False):
             urlpatterns += [
                 (r'^disco_service/', include('disco_service.disco_responder')),
+            ]
     except:
     except Exception:
         pass
     if settings.DEBUG:
-...
             url(r'^static/(?P<path>.*)$', serve)
+        ]
         urlpatterns += [
             url(r'^media/(?P<path>.*)$', media_serve, {
             'document_root': settings.MEDIA_ROOT})
             url(r'^media/(?P<path>.*)$', media_serve,
+                {
                     'document_root': settings.MEDIA_ROOT
                 })
+        ]
     if settings.DEBUG and 'debug_toolbar' in settings.INSTALLED_APPS:

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import logging
     import hashlib
-...
     from . import app_settings
     def key(identifier):
         return 'user-login-failure-%s' % hashlib.md5(smart_bytes(identifier)).hexdigest()
     def user_login_success(identifier):
         cache.delete(key(identifier))
     def user_login_failure(identifier):
         cache.add(key(identifier), 0)
         count = cache.incr(key(identifier))
         logger = logging.getLogger('authentic2.user_login_failure')
         logger.info(u'user %s failed to login', identifier)
         if app_settings.A2_LOGIN_FAILURE_COUNT_BEFORE_WARNING and count >= app_settings.A2_LOGIN_FAILURE_COUNT_BEFORE_WARNING:
             logger.warning(u'user %s failed to login more than %d times in a row',
                            identifier, count)
         if (app_settings.A2_LOGIN_FAILURE_COUNT_BEFORE_WARNING
                 and count >= app_settings.A2_LOGIN_FAILURE_COUNT_BEFORE_WARNING):
             logger.warning(u'user %s failed to login more than %d times in a row', identifier, count)

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import inspect
     import random
     import time
-...
     from django import forms
     from django.forms.utils import ErrorList, to_current_timezone
     from django.utils import timezone
     from django.utils import html, http, six, encoding
     from django.utils import html, six, encoding
     from django.utils.translation import ugettext as _, ungettext
     from django.utils.six.moves.urllib import parse as urlparse
     from django.shortcuts import resolve_url
     from django.template.loader import render_to_string, TemplateDoesNotExist
     from django.core.mail import send_mail
     from django.core import signing
     from django.core.urlresolvers import reverse, NoReverseMatch
     from django.core.urlresolvers import reverse
     from django.utils.formats import localize
     from django.contrib import messages
     from django.utils import six
     from django.utils.functional import empty, allow_lazy
     from django.utils.http import urlsafe_base64_encode
     from django.utils.encoding import iri_to_uri, force_bytes, uri_to_iri
     from django.utils import six
     from django.shortcuts import render
-...
             mod = import_module(module)
         except ImportError as e:
             raise ImproperlyConfigured('Error importing idp backend %s: "%s"' % (module, e))
         except ValueError as e:
         except ValueError:
             raise ImproperlyConfigured('Error importing idp backends. Is IDP_BACKENDS a correctly '
                                        'defined list or tuple?')
         try:
-...
             content = response.content
             status_code = response.status_code
         return {
                 'id': authenticator.id,
                 'name': authenticator.name,
                 'content': content,
                 'response': response,
                 'status_code': status_code,
                 'authenticator': authenticator,
             'id': authenticator.id,
             'name': authenticator.name,
             'content': content,
             'response': response,
             'status_code': status_code,
             'authenticator': authenticator,
+        }
-...
             parsed = urlparse.urlparse(url)
             if parsed.scheme in ('http', 'https', ''):
                 return True
         except:
         except Exception:
             return False
-...
                        (6, 'ABCDEFGHJKLMNPQRSTUVWXYZ'),
                        (1, '%$/\\#@!'))
         parts = []
         for count, alphabet in composition:
             for i in range(count):
         for cnt, alphabet in composition:
             for i in range(cnt):
                 parts.append(random.SystemRandom().choice(alphabet))
         random.shuffle(parts, random.SystemRandom().random)
         return ''.join(parts)
-...
                 if isinstance(field, (list, tuple)):
                     field, label = field
                     labels[field] = label
                 if not field in fields:
                 if field not in fields:
                     fields.append(field)
         return fields, labels
-...
     def select_next_url(request, default, field_name=None, include_post=False, replace=None):
         '''Select the first valid next URL'''
         next_url = (include_post and get_next_url(request.POST, field_name=field_name)) or get_next_url(request.GET, field_name=field_name)
         next_url = (
             (include_post and get_next_url(request.POST, field_name=field_name))
             or get_next_url(request.GET, field_name=field_name)
+        )
         if good_next_url(request, next_url):
             if replace:
                 for key, value in replace.items():

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from __future__ import unicode_literals
     import smtplib
-...
     from . import app_settings
     # keep those symbols here for retrocompatibility
     from .passwords import password_help_text, validate_password
     from .passwords import password_help_text, validate_password  # noqa: F401
     # copied from http://www.djangotips.com/real-email-validation

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import collections
     import logging
     from authentic2.compat_lasso import lasso
     import requests
     import random
     import re
     import collections
     from django.conf import settings
     from django.shortcuts import render_to_response, render
     from django.template.loader import render_to_string, select_template
     from django.shortcuts import render, get_object_or_404
     from django.template.loader import render_to_string
     from django.views.generic.edit import UpdateView, FormView
     from django.views.generic import RedirectView, TemplateView
     from django.views.generic import TemplateView
     from django.views.generic.base import View
     from django.contrib.auth import SESSION_KEY
     from django import http, shortcuts
     from django.core import mail, signing
     from django.core import signing
     from django.core.urlresolvers import reverse
     from django.core.exceptions import ValidationError
     from django.contrib import messages
-...
     from django.utils.translation import ugettext as _
     from django.contrib.auth import logout as auth_logout
     from django.contrib.auth import REDIRECT_FIELD_NAME
     from django.http import (HttpResponseRedirect, HttpResponseForbidden,
         HttpResponse)
     from django.core.exceptions import PermissionDenied
     from django.contrib.auth.views import password_change as dj_password_change
     from django.http import (HttpResponseRedirect, HttpResponseForbidden, HttpResponse)
     from django.views.decorators.csrf import csrf_exempt, ensure_csrf_cookie
     from django.views.decorators.cache import never_cache
     from django.views.decorators.debug import sensitive_post_parameters
     from django.contrib.auth.decorators import login_required
     from django.db.models.fields import FieldDoesNotExist
     from django.db.models.query import Q
     # FIXME: this decorator has nothing to do with an idp, should be moved in the
     # a2 package
     # FIXME: this constant should be moved in the a2 package
     from . import (utils, app_settings, forms, compat, decorators, constants, models, cbv, hooks)
     from django.contrib.auth import get_user_model, authenticate
     from django.http import Http404
     from django.utils.http import urlsafe_base64_decode
     from django.views.generic.edit import CreateView
     from django.forms import CharField, Form
     from django.core.urlresolvers import reverse_lazy
     from django.http import HttpResponseBadRequest
     from . import (utils, app_settings, compat, decorators, constants,
                    models, cbv, hooks, validators)
     from .a2_rbac.utils import get_default_ou
     from .a2_rbac.models import OrganizationalUnit as OU
     from .forms import (
         passwords as passwords_forms,
         registration as registration_forms,
         profile as profile_forms)
     User = get_user_model()
     logger = logging.getLogger(__name__)
     def redirect(request, next, template_name='redirect.html'):
         '''Show a simple page which does a javascript redirect, closing any popup
            enclosing us'''
         if not next.startswith('http'):
             next = '/%s%s' % (request.get_host(), next)
         logging.info('Redirect to %r' % next)
         return render_to_response(template_name, { 'next': next })
     def server_error(request, template_name='500.html'):
         """
 error handler.
-...
     class EditProfile(cbv.HookMixin, cbv.TemplateNamesMixin, UpdateView):
         model = compat.get_user_model()
         model = User
         template_names = ['profiles/edit_profile.html',
                           'authentic2/accounts_edit.html']
         title = _('Edit account data')
-...
             else:
                 default_fields = list(attributes.values_list('name', flat=True))
             fields, labels = utils.get_fields_and_labels(
                     editable_profile_fields,
                     default_fields)
                 editable_profile_fields, default_fields)
             if scopes:
                 # restrict fields to those in the scopes
                 fields = [field for field in fields if field in default_fields]
-...
             fields, labels = self.get_fields(scopes=scopes)
             # Email must be edited through the change email view, as it needs validation
             fields = [field for field in fields if field != 'email']
             return forms.modelform_factory(compat.get_user_model(), fields=fields,
                                            labels=labels,
                                            form=forms.EditProfileForm)
             return profile_forms.modelform_factory(
                 User, fields=fields,
                 labels=labels,
                 form=profile_forms.EditProfileForm)
         def get_object(self):
             return self.request.user
-...
            url(r'^su/(?P<username>.*)/$', 'authentic2.views.su', {'redirect_url': '/'}),
         '''
         if request.user.is_superuser or request.session.get('has_superuser_power'):
             su_user = shortcuts.get_object_or_404(compat.get_user_model(), username=username)
             su_user = shortcuts.get_object_or_404(User, username=username)
             if su_user.is_active:
                 request.session[SESSION_KEY] = su_user.id
                 request.session['has_superuser_power'] = True
-...
         def get_form_class(self):
             if self.request.user.has_usable_password():
                 return forms.EmailChangeForm
             return forms.EmailChangeFormNoPassword
                 return profile_forms.EmailChangeForm
             return profile_forms.EmailChangeFormNoPassword
         def get_form_kwargs(self):
             kwargs = super(EmailChangeView, self).get_form_kwargs()
-...
                   'is received. An email of validation '
                   'was sent to you. Please click on the '
                   'link contained inside.'))
             logging.getLogger(__name__).info('email change request')
             logger.info('email change request')
             return super(EmailChangeView, self).form_valid(form)
     email_change = decorators.setting_enabled('A2_PROFILE_CAN_CHANGE_EMAIL')(
-...
     class EmailChangeVerifyView(TemplateView):
         def get(self, request, *args, **kwargs):
             if 'token' in request.GET:
                 User = compat.get_user_model()
                 try:
                     token = signing.loads(request.GET['token'],
                                           max_age=app_settings.A2_EMAIL_CHANGE_TOKEN_LIFETIME)
-...
                     user.email = email
                     user.email_verified = True
                     user.save()
                     messages.info(request, _('your request for changing your email for {0} '
                         'is successful').format(email))
                     logging.getLogger(__name__).info('user %s changed its email '
                                                      'from %s to %s', user,
                                                      old_email, email)
                     messages.info(request,
                                   _('your request for changing your email for {0} is successful').format(email))
                     logger.info('user %s changed its email from %s to %s', user, old_email, email)
                     hooks.call_hooks('event', name='change-email-confirm', user=user, email=email)
                 except signing.SignatureExpired:
                     messages.error(request, _('your request for changing your email is too '
                         'old, try again'))
                     messages.error(request,
                                    _('your request for changing your email is too old, try again'))
                 except signing.BadSignature:
                     messages.error(request, _('your request for changing your email is '
                         'invalid, try again'))
                     messages.error(request,
                                    _('your request for changing your email is invalid, try again'))
                 except ValueError:
                     messages.error(request, _('your request for changing your email was not '
                         'on this site, try again'))
                     messages.error(request,
                                    _('your request for changing your email was not on this site, try again'))
                 except User.DoesNotExist:
                     messages.error(request, _('your request for changing your email is for '
                         'an unknown user, try again'))
                     messages.error(request,
                                    _('your request for changing your email is for an unknown user, try again'))
                 except ValidationError as e:
                     messages.error(request, e.message)
                 else:
-...
     email_change_verify = EmailChangeVerifyView.as_view()
     logger = logging.getLogger('authentic2.idp.views')
     @csrf_exempt
     @ensure_csrf_cookie
-...
         # redirect user to homepage if already connected, if setting
         # A2_LOGIN_REDIRECT_AUTHENTICATED_USERS_TO_HOMEPAGE is True
         if (request.user.is_authenticated() and
                 app_settings.A2_LOGIN_REDIRECT_AUTHENTICATED_USERS_TO_HOMEPAGE):
         if (request.user.is_authenticated()
                 and app_settings.A2_LOGIN_REDIRECT_AUTHENTICATED_USERS_TO_HOMEPAGE):
             return utils.redirect(request, 'auth_homepage')
         redirect_to = request.GET.get(redirect_field_name)
-...
                 form_class = authenticator.form()
                 submit_name = 'submit-%s' % fid
                 block = {
                         'id': fid,
                         'name': name,
                         'authenticator': authenticator
                     'id': fid,
                     'name': name,
                     'authenticator': authenticator
+                }
                 if request.method == 'POST' and submit_name in request.POST:
                     form = form_class(data=request.POST)
-...
                 else:
                     block['form'] = form_class()
                 blocks.append(block)
             else: # New frontends API
             else:  # New frontends API
                 parameters = {'request': request,
                               'context': context}
                 block = utils.get_authenticator_method(authenticator, 'login', parameters)
-...
             else:
                 blocks[-1]['is_hidden'] = False
         # Old frontends API
         for block in blocks:
             fid = block['id']
             if not 'form' in block:
             if 'form' not in block:
                 continue
             authenticator = block['authenticator']
             context.update({
                     'submit_name': 'submit-%s' % fid,
                     redirect_field_name: redirect_to,
                     'form': block['form']
                 'submit_name': 'submit-%s' % fid,
                 redirect_field_name: redirect_to,
                 'form': block['form']
             })
             if hasattr(authenticator, 'get_context'):
                 context.update(authenticator.get_context())
             sub_template_name = authenticator.template()
             block['content'] = render_to_string(
                     sub_template_name, context,
                     request=request)
             block['content'] = render_to_string(sub_template_name, context, request=request)
         request.session.set_test_cookie()
-...
                 for field_name in getattr(request.user, 'USER_PROFILE', []):
                     if field_name not in field_names:
                         field_names.append(field_name)
                 qs = models.Attribute.objects.filter(Q(user_editable=True)|Q(user_visible=True))
                 qs = models.Attribute.objects.filter(Q(user_editable=True) | Q(user_visible=True))
                 qs = qs.values_list('name', flat=True)
                 for field_name in qs:
                     if field_name not in field_names:
-...
             # Credentials management
             parameters = {'request': request,
                           'context': context}
             profiles = [utils.get_authenticator_method(frontend, 'profile', parameters)
                                 for frontend in frontends]
             profiles = [utils.get_authenticator_method(frontend, 'profile', parameters) for frontend in frontends]
             # Old frontends data structure for templates
             blocks = [block['content'] for block in profiles if block]
             # New frontends data structure for templates
-...
     profile = login_required(ProfileView.as_view())
     def logout_list(request):
         '''Return logout links from idp backends'''
         return utils.accumulate_from_backends(request, 'logout_list')
     def redirect_logout_list(request):
         '''Return redirect logout links from idp backends'''
         return utils.accumulate_from_backends(request, 'redirect_logout_list')
     def logout(request, next_url=None, default_next_url='auth_homepage',
             redirect_field_name=REDIRECT_FIELD_NAME,
             template='authentic2/logout.html', do_local=True, check_referer=True):
     def logout(request,
                next_url=None,
                default_next_url='auth_homepage',
                redirect_field_name=REDIRECT_FIELD_NAME,
                template='authentic2/logout.html',
                do_local=True,
                check_referer=True):
         '''Logout first check if a logout request is authorized, i.e.
            that logout was done using a POST with CSRF token or with a GET
            from the same site.
-...
            Logout endpoints of IdP module must re-user the view by setting
            check_referer and do_local to False.
         '''
         logger = logging.getLogger(__name__)
         default_next_url = utils.make_url(default_next_url)
         next_url = next_url or request.GET.get(redirect_field_name,
                 default_next_url)
         next_url = next_url or request.GET.get(redirect_field_name, default_next_url)
         ctx = {}
         ctx['next_url'] = next_url
         ctx['redir_timeout'] = 60
-...
                 return render(request, 'authentic2/logout_confirm.html', ctx)
             do_local = do_local and 'local' in request.GET
             if not do_local:
                 l = logout_list(request)
                 if l:
                 fragments = logout_list(request)
                 if fragments:
                     # Full logout with iframes
                     next_url = utils.make_url('auth_logout', params={
                         'local': 'ok',
                         REDIRECT_FIELD_NAME: next_url})
                     ctx['next_url'] = next_url
                     ctx['logout_list'] = l
                     ctx['logout_list'] = fragments
                     ctx['message'] = _('Logging out from all your services')
                     return render(request, template, ctx)
             # Get redirection targets for full logout with redirections
-...
     logged_in = never_cache(LoggedInView.as_view())
     def csrf_failure_view(request, reason=""):
         messages.warning(request, _('The page is out of date, it was reloaded for you'))
         return HttpResponseRedirect(request.get_full_path())
     def test_redirect(request):
         next_url = request.GET.get(REDIRECT_FIELD_NAME, settings.LOGIN_REDIRECT_URL)
         messages.info(request, 'Une info')
         messages.warning(request, 'Un warning')
         messages.error(request, 'Une erreur')
         return HttpResponseRedirect(next_url)
     class PasswordResetView(cbv.NextURLViewMixin, FormView):
         '''Ask for an email and send a password reset link by mail'''
         form_class = passwords_forms.PasswordResetForm
         title = _('Password Reset')
         def get_template_names(self):
             return [
                 'authentic2/password_reset_form.html',
                 'registration/password_reset_form.html',
+            ]
         def get_form_kwargs(self, **kwargs):
             kwargs = super(PasswordResetView, self).get_form_kwargs(**kwargs)
             initial = kwargs.setdefault('initial', {})
             initial['next_url'] = self.request.GET.get(REDIRECT_FIELD_NAME, '')
             return kwargs
         def get_context_data(self, **kwargs):
             ctx = super(PasswordResetView, self).get_context_data(**kwargs)
             if app_settings.A2_USER_CAN_RESET_PASSWORD is False:
                 raise Http404('Password reset is not allowed.')
             ctx['title'] = _('Password reset')
             return ctx
         def form_valid(self, form):
             form.save()
             # return to next URL
             messages.info(self.request, _('If your email address exists in our '
                                           'database, you will receive an email '
                                           'containing instructions to reset '
                                           'your password'))
             return super(PasswordResetView, self).form_valid(form)
     password_reset = PasswordResetView.as_view()
     class PasswordResetConfirmView(cbv.RedirectToNextURLViewMixin, FormView):
         '''Validate password reset link, show a set password form and login
            the user.
         '''
         form_class = passwords_forms.SetPasswordForm
         title = _('Password Reset')
         def get_template_names(self):
             return [
                 'registration/password_reset_confirm.html',
                 'authentic2/password_reset_confirm.html',
+            ]
         def dispatch(self, request, *args, **kwargs):
             validlink = True
             uidb64 = kwargs['uidb64']
             self.token = token = kwargs['token']
             UserModel = get_user_model()
             # checked by URLconf
             assert uidb64 is not None and token is not None
             try:
                 uid = urlsafe_base64_decode(uidb64)
                 # use authenticate to eventually get an LDAPUser
                 self.user = authenticate(user=UserModel._default_manager.get(pk=uid))
             except (TypeError, ValueError, OverflowError,
                     UserModel.DoesNotExist):
                 validlink = False
                 messages.warning(request, _('User not found'))
             if validlink and not compat.default_token_generator.check_token(self.user, token):
                 validlink = False
                 messages.warning(request, _('You reset password link is invalid or has expired'))
             if not validlink:
                 return utils.redirect(request, self.get_success_url())
             can_reset_password = utils.get_user_flag(user=self.user,
                                                      name='can_reset_password',
                                                      default=self.user.has_usable_password())
             if not can_reset_password:
                 messages.warning(
                     request,
                     _('It\'s not possible to reset your password. Please contact an administrator.'))
                 return utils.redirect(request, self.get_success_url())
             return super(PasswordResetConfirmView, self).dispatch(request, *args,
                                                                   **kwargs)
         def get_context_data(self, **kwargs):
             ctx = super(PasswordResetConfirmView, self).get_context_data(**kwargs)
             # compatibility with existing templates !
             ctx['title'] = _('Enter new password')
             ctx['validlink'] = True
             return ctx
         def get_form_kwargs(self):
             kwargs = super(PasswordResetConfirmView, self).get_form_kwargs()
             kwargs['user'] = self.user
             return kwargs
         def form_valid(self, form):
             # Changing password by mail validate the email
             form.user.email_verified = True
             form.save()
             hooks.call_hooks('event', name='password-reset-confirm', user=form.user, token=self.token,
                              form=form)
             logger.info(u'user %s resetted its password with token %r...',
                         self.user, self.token[:9])
             return self.finish()
         def finish(self):
             return utils.simulate_authentication(self.request, self.user, 'email')
     password_reset_confirm = PasswordResetConfirmView.as_view()
     def switch_back(request):
         return utils.switch_back(request)
     def valid_token(method):
         def f(request, *args, **kwargs):
             try:
                 request.token = signing.loads(kwargs['registration_token'].replace(' ', ''),
                                               max_age=settings.ACCOUNT_ACTIVATION_DAYS * 3600 * 24)
             except signing.SignatureExpired:
                 messages.warning(request, _('Your activation key is expired'))
                 return utils.redirect(request, 'registration_register')
             except signing.BadSignature:
                 messages.warning(request, _('Activation failed'))
                 return utils.redirect(request, 'registration_register')
             return method(request, *args, **kwargs)
         return f
     class BaseRegistrationView(FormView):
         form_class = registration_forms.RegistrationForm
         template_name = 'registration/registration_form.html'
         title = _('Registration')
         def dispatch(self, request, *args, **kwargs):
             if not getattr(settings, 'REGISTRATION_OPEN', True):
                 raise Http404('Registration is not open.')
             self.token = {}
             self.ou = get_default_ou()
             # load pre-filled values
             if request.GET.get('token'):
                 try:
                     self.token = signing.loads(
                         request.GET.get('token'),
                         max_age=settings.ACCOUNT_ACTIVATION_DAYS * 3600 * 24)
                 except (TypeError, ValueError, signing.BadSignature) as e:
                     logger.warning(u'registration_view: invalid token: %s', e)
                     return HttpResponseBadRequest('invalid token', content_type='text/plain')
                 if 'ou' in self.token:
                     self.ou = OU.objects.get(pk=self.token['ou'])
             self.next_url = self.token.pop(REDIRECT_FIELD_NAME, utils.select_next_url(request, None))
             return super(BaseRegistrationView, self).dispatch(request, *args, **kwargs)
         def form_valid(self, form):
             email = form.cleaned_data.pop('email')
             for field in form.cleaned_data:
                 self.token[field] = form.cleaned_data[field]
             # propagate service to the registration completion view
             if constants.SERVICE_FIELD_NAME in self.request.GET:
                 self.token[constants.SERVICE_FIELD_NAME] = \
                     self.request.GET[constants.SERVICE_FIELD_NAME]
             self.token.pop(REDIRECT_FIELD_NAME, None)
             self.token.pop('email', None)
             utils.send_registration_mail(self.request, email, next_url=self.next_url,
                                          ou=self.ou, **self.token)
             self.request.session['registered_email'] = email
             return utils.redirect(self.request, 'registration_complete', params={REDIRECT_FIELD_NAME: self.next_url})
         def get_context_data(self, **kwargs):
             context = super(BaseRegistrationView, self).get_context_data(**kwargs)
             parameters = {'request': self.request,
                           'context': context}
             blocks = [utils.get_authenticator_method(authenticator, 'registration', parameters)
                       for authenticator in utils.get_backends('AUTH_FRONTENDS')]
             context['frontends'] = collections.OrderedDict((block['id'], block)
                                                            for block in blocks if block)
             return context
     class RegistrationView(cbv.ValidateCSRFMixin, BaseRegistrationView):
         pass
     class RegistrationCompletionView(CreateView):
         model = get_user_model()
         success_url = 'auth_homepage'
         def get_template_names(self):
             if self.users and 'create' not in self.request.GET:
                 return ['registration/registration_completion_choose.html']
             else:
                 return ['registration/registration_completion_form.html']
         def get_success_url(self):
             try:
                 redirect_url, next_field = app_settings.A2_REGISTRATION_REDIRECT
             except Exception:
                 redirect_url = app_settings.A2_REGISTRATION_REDIRECT
                 next_field = REDIRECT_FIELD_NAME
             if self.token and self.token.get(REDIRECT_FIELD_NAME):
                 url = self.token[REDIRECT_FIELD_NAME]
                 if redirect_url:
                     url = utils.make_url(redirect_url, params={next_field: url})
             else:
                 if redirect_url:
                     url = redirect_url
                 else:
                     url = utils.make_url(self.success_url)
             return url
         def dispatch(self, request, *args, **kwargs):
             self.token = request.token
             self.authentication_method = self.token.get('authentication_method', 'email')
             self.email = request.token['email']
             if 'ou' in self.token:
                 self.ou = OU.objects.get(pk=self.token['ou'])
             else:
                 self.ou = get_default_ou()
             self.users = User.objects.filter(email__iexact=self.email) \
                 .order_by('date_joined')
             if self.ou:
                 self.users = self.users.filter(ou=self.ou)
             self.email_is_unique = app_settings.A2_EMAIL_IS_UNIQUE \
                 or app_settings.A2_REGISTRATION_EMAIL_IS_UNIQUE
             if self.ou:
                 self.email_is_unique |= self.ou.email_is_unique
             self.init_fields_labels_and_help_texts()
             # if registration is done during an SSO add the service to the registration event
             self.service = self.token.get(constants.SERVICE_FIELD_NAME)
             return super(RegistrationCompletionView, self) \
                 .dispatch(request, *args, **kwargs)
         def init_fields_labels_and_help_texts(self):
             attributes = models.Attribute.objects.filter(
                 asked_on_registration=True)
             default_fields = attributes.values_list('name', flat=True)
             required_fields = models.Attribute.objects.filter(required=True) \
                 .values_list('name', flat=True)
             fields, labels = utils.get_fields_and_labels(
                 app_settings.A2_REGISTRATION_FIELDS,
                 default_fields,
                 app_settings.A2_REGISTRATION_REQUIRED_FIELDS,
                 app_settings.A2_REQUIRED_FIELDS,
                 models.Attribute.objects.filter(required=True).values_list('name', flat=True))
             help_texts = {}
             if app_settings.A2_REGISTRATION_FORM_USERNAME_LABEL:
                 labels['username'] = app_settings.A2_REGISTRATION_FORM_USERNAME_LABEL
             if app_settings.A2_REGISTRATION_FORM_USERNAME_HELP_TEXT:
                 help_texts['username'] = \
                     app_settings.A2_REGISTRATION_FORM_USERNAME_HELP_TEXT
             required = list(app_settings.A2_REGISTRATION_REQUIRED_FIELDS) + \
                 list(required_fields)
             if 'email' in fields:
                 fields.remove('email')
             for field in self.token.get('skip_fields') or []:
                 if field in fields:
                     fields.remove(field)
             self.fields = fields
             self.labels = labels
             self.required = required
             self.help_texts = help_texts
         def get_form_class(self):
             if not self.token.get('valid_email', True):
                 self.fields.append('email')
                 self.required.append('email')
             form_class = registration_forms.RegistrationCompletionForm
             if self.token.get('no_password', False):
                 form_class = registration_forms.RegistrationCompletionFormNoPassword
             form_class = profile_forms.modelform_factory(
                 self.model,
                 form=form_class,
                 fields=self.fields,
                 labels=self.labels,
                 required=self.required,
                 help_texts=self.help_texts)
             if 'username' in self.fields and app_settings.A2_REGISTRATION_FORM_USERNAME_REGEX:
                 # Keep existing field label and help_text
                 old_field = form_class.base_fields['username']
                 field = CharField(
                     max_length=256,
                     label=old_field.label,
                     help_text=old_field.help_text,
                     validators=[validators.UsernameValidator()])
                 form_class = type('RegistrationForm', (form_class,), {'username': field})
             return form_class
         def get_form_kwargs(self, **kwargs):
             '''Initialize mail from token'''
             kwargs = super(RegistrationCompletionView, self).get_form_kwargs(**kwargs)
             if 'ou' in self.token:
                 ou = get_object_or_404(OU, id=self.token['ou'])
             else:
                 ou = get_default_ou()
             attributes = {'email': self.email, 'ou': ou}
             for key in self.token:
                 if key in app_settings.A2_PRE_REGISTRATION_FIELDS:
                     attributes[key] = self.token[key]
             logger.debug(u'attributes %s', attributes)
             prefilling_list = utils.accumulate_from_backends(self.request, 'registration_form_prefill')
             logger.debug(u'prefilling_list %s', prefilling_list)
             # Build a single meaningful prefilling with sets of values
             prefilling = {}
             for p in prefilling_list:
                 for name, values in p.items():
                     if name in self.fields:
                         prefilling.setdefault(name, set()).update(values)
             logger.debug(u'prefilling %s', prefilling)
             for name, values in prefilling.items():
                 attributes[name] = ' '.join(values)
             logger.debug(u'attributes with prefilling %s', attributes)
             if self.token.get('user_id'):
                 kwargs['instance'] = User.objects.get(id=self.token.get('user_id'))
             else:
                 init_kwargs = {}
                 for key in ('email', 'first_name', 'last_name', 'ou'):
                     if key in attributes:
                         init_kwargs[key] = attributes[key]
                 kwargs['instance'] = get_user_model()(**init_kwargs)
             return kwargs
         def get_form(self, form_class=None):
             form = super(RegistrationCompletionView, self).get_form(form_class=form_class)
             hooks.call_hooks('front_modify_form', self, form)
             return form
         def get_context_data(self, **kwargs):
             ctx = super(RegistrationCompletionView, self).get_context_data(**kwargs)
             ctx['token'] = self.token
             ctx['users'] = self.users
             ctx['email'] = self.email
             ctx['email_is_unique'] = self.email_is_unique
             ctx['create'] = 'create' in self.request.GET
             return ctx
         def get(self, request, *args, **kwargs):
             if len(self.users) == 1 and self.email_is_unique:
                 # Found one user, EMAIL is unique, log her in
                 utils.simulate_authentication(
                     request, self.users[0],
                     method=self.authentication_method,
                     service_slug=self.service)
                 return utils.redirect(request, self.get_success_url())
             confirm_data = self.token.get('confirm_data', False)
             if confirm_data == 'required':
                 fields_to_confirm = self.required
             else:
                 fields_to_confirm = self.fields
             if (all(field in self.token for field in fields_to_confirm)
                     and (not confirm_data or confirm_data == 'required')):
                 # We already have every fields
                 form_kwargs = self.get_form_kwargs()
                 form_class = self.get_form_class()
                 data = self.token
                 if 'password' in data:
                     data['password1'] = data['password']
                     data['password2'] = data['password']
                     del data['password']
                 form_kwargs['data'] = data
                 form = form_class(**form_kwargs)
                 if form.is_valid():
                     user = form.save()
                     return self.registration_success(request, user, form)
                 self.get_form = lambda *args, **kwargs: form
             return super(RegistrationCompletionView, self).get(request, *args, **kwargs)
         def post(self, request, *args, **kwargs):
             if self.users and self.email_is_unique:
                 # email is unique, users already exist, creating a new one is forbidden !
                 return utils.redirect(
                     request, request.resolver_match.view_name, args=self.args,
                     kwargs=self.kwargs)
             if 'uid' in request.POST:
                 uid = request.POST['uid']
                 for user in self.users:
                     if str(user.id) == uid:
                         utils.simulate_authentication(
                             request, user,
                             method=self.authentication_method,
                             service_slug=self.service)
                         return utils.redirect(request, self.get_success_url())
             return super(RegistrationCompletionView, self).post(request, *args, **kwargs)
         def form_valid(self, form):
             # remove verified fields from form, this allows an authentication
             # method to provide verified data fields and to present it to the user,
             # while preventing the user to modify them.
             for av in models.AttributeValue.objects.with_owner(form.instance):
                 if av.verified and av.attribute.name in form.fields:
                     del form.fields[av.attribute.name]
             if ('email' in self.request.POST
                     and ('email' not in self.token or self.request.POST['email'] != self.token['email'])
                     and not self.token.get('skip_email_check')):
                 # If an email is submitted it must be validated or be the same as in the token
                 data = form.cleaned_data
                 data['no_password'] = self.token.get('no_password', False)
                 utils.send_registration_mail(
                     self.request,
                     ou=self.ou,
                     next_url=self.get_success_url(),
                     **data)
                 self.request.session['registered_email'] = form.cleaned_data['email']
                 return utils.redirect(self.request, 'registration_complete')
             super(RegistrationCompletionView, self).form_valid(form)
             return self.registration_success(self.request, form.instance, form)
         def registration_success(self, request, user, form):
             hooks.call_hooks('event', name='registration', user=user, form=form, view=self,
                              authentication_method=self.authentication_method,
                              token=request.token, service=self.service)
             utils.simulate_authentication(
                 request, user,
                 method=self.authentication_method,
                 service_slug=self.service)
             messages.info(self.request, _('You have just created an account.'))
             self.send_registration_success_email(user)
             return utils.redirect(request, self.get_success_url())
         def send_registration_success_email(self, user):
             if not user.email:
                 return
             template_names = [
                 'authentic2/registration_success'
+            ]
             login_url = self.request.build_absolute_uri(settings.LOGIN_URL)
             utils.send_templated_mail(user, template_names=template_names,
                                       context={
                                           'user': user,
                                           'email': user.email,
                                           'site': self.request.get_host(),
                                           'login_url': login_url,
                                       },
                                       request=self.request)
     class DeleteView(FormView):
         template_name = 'authentic2/accounts_delete.html'
         success_url = reverse_lazy('auth_logout')
         title = _('Delete account')
         def dispatch(self, request, *args, **kwargs):
             if not app_settings.A2_REGISTRATION_CAN_DELETE_ACCOUNT:
                 return utils.redirect(request, '..')
             return super(DeleteView, self).dispatch(request, *args, **kwargs)
         def post(self, request, *args, **kwargs):
             if 'cancel' in request.POST:
                 return utils.redirect(request, 'account_management')
             return super(DeleteView, self).post(request, *args, **kwargs)
         def get_form_class(self):
             if self.request.user.has_usable_password():
                 return profile_forms.DeleteAccountForm
             return Form
         def get_form_kwargs(self, **kwargs):
             kwargs = super(DeleteView, self).get_form_kwargs(**kwargs)
             if self.request.user.has_usable_password():
                 kwargs['user'] = self.request.user
             return kwargs
         def form_valid(self, form):
             utils.send_account_deletion_mail(self.request, self.request.user)
             models.DeletedUser.objects.delete_user(self.request.user)
             self.request.user.email += '#%d' % random.randint(1, 10000000)
             self.request.user.email_verified = False
             self.request.user.save(update_fields=['email', 'email_verified'])
             logger.info(u'deletion of account %s requested', self.request.user)
             hooks.call_hooks('event', name='delete-account', user=self.request.user)
             messages.info(self.request,
                           _('Your account has been scheduled for deletion. You cannot use it anymore.'))
             return super(DeleteView, self).form_valid(form)
     registration_completion = valid_token(RegistrationCompletionView.as_view())
     class RegistrationCompleteView(TemplateView):
         template_name = 'registration/registration_complete.html'
         def get_context_data(self, **kwargs):
             kwargs['next_url'] = utils.select_next_url(self.request, settings.LOGIN_REDIRECT_URL)
             return super(RegistrationCompleteView, self).get_context_data(
                 account_activation_days=settings.ACCOUNT_ACTIVATION_DAYS,
                 **kwargs)
     registration_complete = RegistrationCompleteView.as_view()
     @sensitive_post_parameters()
     @login_required
     @decorators.setting_enabled('A2_REGISTRATION_CAN_CHANGE_PASSWORD')
     def password_change(request, *args, **kwargs):
         kwargs['password_change_form'] = passwords_forms.PasswordChangeForm
         post_change_redirect = kwargs.pop('post_change_redirect', None)
         if 'next_url' in request.POST and request.POST['next_url']:
             post_change_redirect = request.POST['next_url']
         elif REDIRECT_FIELD_NAME in request.GET:
             post_change_redirect = request.GET[REDIRECT_FIELD_NAME]
         elif post_change_redirect is None:
             post_change_redirect = reverse('account_management')
         if not utils.user_can_change_password(request=request):
             messages.warning(request, _('Password change is forbidden'))
             return utils.redirect(request, post_change_redirect)
         if 'cancel' in request.POST:
             return utils.redirect(request, post_change_redirect)
         kwargs['post_change_redirect'] = post_change_redirect
         extra_context = kwargs.setdefault('extra_context', {})
         extra_context['view'] = password_change
         extra_context[REDIRECT_FIELD_NAME] = post_change_redirect
         if not request.user.has_usable_password():
             kwargs['password_change_form'] = passwords_forms.SetPasswordForm
         response = dj_password_change(request, *args, **kwargs)
         if isinstance(response, HttpResponseRedirect):
             hooks.call_hooks('event', name='change-password', user=request.user, request=request)
             messages.info(request, _('Password changed'))
         return response
     password_change.title = _('Password Change')
     password_change.do_not_call_in_templates = True
     def notimplemented_view(request):
         raise NotImplementedError

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     # legacy module, please use authentic2.forms.widgets now.
     from .forms.widgets import *
     from .forms.widgets import *  # noqa: F403,F401

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     """
     WSGI config for a authentic2 project.
-...
     """
     import os
     from . import logger
     # XXX: monkeypatch logging
     from . import logger  # noqa: F401
     from django.core.wsgi import get_wsgi_application
     os.environ.setdefault("DJANGO_SETTINGS_MODULE", "authentic2.settings")
     # This application object is used by any WSGI server configured to use this
     # file. This includes Django's development server, if the WSGI_APPLICATION
     # setting points here.
     from django.core.wsgi import get_wsgi_application
     application = get_wsgi_application()

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import logging
     from django.utils.translation import ugettext_lazy as _
     from django.core.urlresolvers import reverse
     from authentic2.utils import make_url

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.contrib import admin
     from . import models

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import sys
     class AppSettings(object):
         '''Thanks django-allauth'''
         __SENTINEL = object()
-...
         def ENABLE(self):
             return self._setting('ENABLE', True)
     import sys
     app_settings = AppSettings('A2_AUTH_OIDC_')
     app_settings.__name__ = __name__
     sys.modules[__name__] = app_settings

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.utils.translation import gettext_noop
     from django.shortcuts import render

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import logging
     import datetime

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from __future__ import print_function
     import json
-...
     from django.core.management.base import BaseCommand, CommandError
     from django.core.exceptions import ValidationError
     from django.utils.six import text_type
     from django.db.transaction import atomic
     from authentic2.compat import atomic
     from authentic2_auth_oidc.utils import register_issuer
     from authentic2_auth_oidc.models import OIDCClaimMapping, OIDCProvider

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.db.models.query import QuerySet

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import uuid
     import json

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.conf.urls import url
     from . import views

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import datetime
     import base64
     import json
-...
     def parse_id_token(id_token):
         try:
             id_token = str(id_token)
         except UnicodeDecodeError as e:
         except UnicodeDecodeError:
             raise ValueError('invalid characters in id_token')
         payload = id_token.split('.')
         if len(payload) == 5:
-...
             raise ValueError('header is not base64 decodable: %s' % e)
         try:
             headers = json.loads(headers)
         except ValueError as e:
         except ValueError:
             raise ValueError('cannot JSON decode headers')
         if not isinstance(headers, dict):
             raise ValueError('JOSE header is not a dict %r' % headers)
-...
             old_pk = models.OIDCProvider.objects.get(issuer=openid_configuration['issuer']).pk
         except models.OIDCProvider.DoesNotExist:
             old_pk = None
         if (set(['RS256', 'RS384', 'RS512']) &
                 set(openid_configuration['id_token_signing_alg_values_supported'])):
         if (set(['RS256', 'RS384', 'RS512'])
                 & set(openid_configuration['id_token_signing_alg_values_supported'])):
             idtoken_algo = models.OIDCProvider.ALGO_RSA
         elif (set(['HS256', 'HS384', 'HS512']) &
               set(openid_configuration['id_token_signing_alg_values_supported'])):
         elif (set(['HS256', 'HS384', 'HS512'])
               & set(openid_configuration['id_token_signing_alg_values_supported'])):
             idtoken_algo = models.OIDCProvider.ALGO_HMAC
         else:
             raise ValueError(_('no common algorithm found for signing idtokens: %s') %

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import uuid
     import logging
     import json

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     class Plugin(object):
         def get_before_urls(self):
             from . import urls

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import logging
     from mellon.adapters import DefaultAdapter

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import sys
     class AppSettings(object):
         '''Thanks django-allauth'''
-...
         def enable(self):
             return self._setting('ENABLE', False)
     import sys
     app_settings = AppSettings('A2_AUTH_SAML_')
     app_settings.__name__ = __name__
     sys.modules[__name__] = app_settings

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.utils.translation import gettext_noop
     from django.template.loader import render_to_string
     from django.shortcuts import render

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from mellon.backends import SAMLBackend
     from authentic2.middleware import StoreRequestMiddleware

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.conf.urls import url, include
     urlpatterns = [url(r'^accounts/saml/', include('mellon.urls'))]

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.template.loader import render_to_string
     from django.utils.translation import ugettext_lazy as _
     from .constants import SESSION_CAS_LOGOUTS
     class Plugin(object):
         def get_before_urls(self):
             from . import app_settings
-...
             from authentic2.decorators import setting_enabled, required
             return required(
+                    (
                         setting_enabled('ENABLE', settings=app_settings),
                     ),
                     [url(r'^idp/cas/', include(__name__ + '.urls'))])
+                (
                     setting_enabled('ENABLE', settings=app_settings),
                 ),
                 [url(r'^idp/cas/', include(__name__ + '.urls'))])
         def get_apps(self):
             return [__name__]
-...
+                }
                 content = render_to_string('authentic2_idp_cas/logout_fragment.html', ctx)
                 fragments.append(content)
             return fragments
             return fragments

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django import forms
     from django.contrib import admin
     from django.utils.translation import ugettext as _
-...
     from . import models
     class ServiceForm(forms.ModelForm):
         def __init__(self, *args, **kwargs):
             super(ServiceForm, self).__init__(*args, **kwargs)
-...
             model = models.Service
             fields = '__all__'
     class AttributeInlineForm(forms.ModelForm):
         def __init__(self, *args, **kwargs):
             service = kwargs.pop('service', None)
             super(AttributeInlineForm, self).__init__(*args, **kwargs)
             choices = self.choices({
                     'user': None,
                     'request': None,
                     'service': service
                 'user': None,
                 'request': None,
                 'service': service
             })
             self.fields['attribute_name'].choices = choices
             self.fields['attribute_name'].widget = forms.Select(choices=choices)
-...
         class Meta:
             model = models.Attribute
             fields = [
                     'slug',
                     'attribute_name',
                     'enabled',
                 'slug',
                 'attribute_name',
                 'enabled',
+            ]
     class AttributeInlineAdmin(admin.TabularInline):
         model = models.Attribute
         form = AttributeInlineForm
-...
             kwargs['form'] = NewForm
             return super(AttributeInlineAdmin, self).get_formset(request, obj=obj, **kwargs)
     class ServiceAdmin(admin.ModelAdmin):
         form = ServiceForm
         list_display = ('name', 'ou', 'slug', 'urls', 'identifier_attribute')
         prepopulated_fields = {"slug": ("name",)}
         fieldsets = (
                 (None, {
                     'fields': [
                         'name',
                         'slug',
                         'ou',
                         'urls',
                         'identifier_attribute',
                         'proxy',
+                    ]
                  }),
                 (_('Logout'), {
                     'fields': [
                         'logout_url',
                         'logout_use_iframe',
                         'logout_use_iframe_timeout',
                     ],
                  }))
             (None, {
                 'fields': [
                     'name',
                     'slug',
                     'ou',
                     'urls',
                     'identifier_attribute',
                     'proxy',
                 ]}),
             (_('Logout'), {
                 'fields': [
                     'logout_url',
                     'logout_use_iframe',
                     'logout_use_iframe_timeout',
                 ]}))
         inlines = [AttributeInlineAdmin]
     class TicketAdmin(CleanupAdminMixin, admin.ModelAdmin):
         list_display = (
                 'ticket_id',
                 'validity',
                 'renew',
                 'service',
                 'service_url',
                 'user',
                 'creation',
                 'expire'
             'ticket_id',
             'validity',
             'renew',
             'service',
             'service_url',
             'user',
             'creation',
             'expire'
+        )
     admin.site.register(models.Service, ServiceAdmin)

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import sys
     class AppSettings(object):
         __DEFAULTS = {
                 'ENABLE': False,
                 # allow do tisable check of pgt url for testing purpose
                 'CHECK_PGT_URL': True,
             'ENABLE': False,
             # allow do tisable check of pgt url for testing purpose
             'CHECK_PGT_URL': True,
+        }
         def __init__(self, prefix):
-...
     # Ugly? Guido recommends this himself ...
     # http://mail.python.org/pipermail/python-ideas/2012-May/014969.html
     import sys
     app_settings = AppSettings('A2_IDP_CAS_')
     app_settings.__name__ = __name__
     sys.modules[__name__] = app_settings

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     # Constants #
     CAS_NAMESPACE    = 'http://www.yale.edu/tp/cas'
     RENEW_PARAM      = 'renew'

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from datetime import timedelta
     from django.db import models
-...
         def cleanup(self):
             '''Delete old tickets'''
             qs = self.filter(expire__lt=now())
             qs |= self.filter(expire__isnull=True,
                     creation__lt=now()-timedelta(seconds=300))
             qs |= self.filter(expire__isnull=True, creation__lt=now() - timedelta(seconds=300))
             qs.delete()

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.db import models
     from django.utils import six
     from django.utils.translation import ugettext_lazy as _
-...
     from django.core.exceptions import ValidationError
     from authentic2.models import LogoutUrlAbstract, Service
     from authentic2 import compat
     from authentic2.utils import check_session_key
     from . import managers, utils, constants
     url_validator = URLValidator(schemes=['http', 'https', 'ftp', 'ftps', 'imap', 'imaps', 'sieve', 'smtp', 'smtps', 'ssh'])
     @six.python_2_unicode_compatible
     class Service(LogoutUrlAbstract, Service):
         urls = models.TextField(max_length=128,
                 verbose_name=_('urls'))
         identifier_attribute = models.CharField(max_length=64,
                 verbose_name=_('attribute name'), blank=False)
         proxy = models.ManyToManyField('self',
                 blank=True,
                 verbose_name=_('proxy'),
                 help_text=_('services who can request proxy tickets for this service'))
         urls = models.TextField(max_length=128, verbose_name=_('urls'))
         identifier_attribute = models.CharField(max_length=64, verbose_name=_('attribute name'), blank=False)
         proxy = models.ManyToManyField(
             'self',
             blank=True,
             verbose_name=_('proxy'),
             help_text=_('services who can request proxy tickets for this service'))
         objects = managers.ServiceManager()
-...
     @six.python_2_unicode_compatible
     class Attribute(models.Model):
         service = models.ForeignKey(Service, verbose_name=_('service'))
         slug    = models.SlugField(verbose_name=_('slug'))
         attribute_name = models.CharField(max_length=64,
             verbose_name=_('attribute name'), blank=False)
         enabled = models.BooleanField(
                 verbose_name=_('enabled'),
                 default=True)
         slug = models.SlugField(verbose_name=_('slug'))
         attribute_name = models.CharField(max_length=64, verbose_name=_('attribute name'), blank=False)
         enabled = models.BooleanField(verbose_name=_('enabled'), default=True)
         def __str__(self):
             return u'%s <- %s' % (self.slug, self.attribute_name)
-...
             verbose_name_plural = _('CAS attributes')
             unique_together = (('service', 'slug', 'attribute_name',),)
     def make_uuid():
         return utils.make_id(constants.SERVICE_TICKET_PREFIX)
     @six.python_2_unicode_compatible
     class Ticket(models.Model):
         '''Session ticket with a CAS 1.0 or 2.0 consumer'''
         ticket_id   = models.CharField(max_length=64,
                         verbose_name=_('ticket id'),
                         unique=True,
                         default=make_uuid)
         renew       = models.BooleanField(default=False,
                 verbose_name=_('fresh authentication'))
         validity    = models.BooleanField(default=False,
                 verbose_name=_('valid'))
         service     = models.ForeignKey(Service, verbose_name=_('service'))
         ticket_id = models.CharField(max_length=64, verbose_name=_('ticket id'), unique=True, default=make_uuid)
         renew = models.BooleanField(default=False, verbose_name=_('fresh authentication'))
         validity = models.BooleanField(default=False, verbose_name=_('valid'))
         service = models.ForeignKey(Service, verbose_name=_('service'))
         service_url = models.TextField(verbose_name=_('service URL'), blank=True, default='')
         user        = models.ForeignKey(compat.user_model_label, max_length=128,
                 blank=True, null=True, verbose_name=_('user'))
         creation    = models.DateTimeField(auto_now_add=True,
                 verbose_name=_('creation'))
         expire      = models.DateTimeField(
                 verbose_name=_('expire'), blank=True, null=True)
         session_key = models.CharField(max_length=64, db_index=True, blank=True,
                 verbose_name=_('django session key'), default='')
         proxies = models.TextField(
                 verbose_name=_('proxies'), blank=True, default='')
         user = models.ForeignKey('custom_user.User', max_length=128, blank=True, null=True, verbose_name=_('user'))
         creation = models.DateTimeField(auto_now_add=True, verbose_name=_('creation'))
         expire = models.DateTimeField(verbose_name=_('expire'), blank=True, null=True)
         session_key = models.CharField(
             max_length=64, db_index=True, blank=True, verbose_name=_('django session key'), default='')
         proxies = models.TextField(verbose_name=_('proxies'), blank=True, default='')
         objects = managers.TicketManager()

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.conf.urls import url
     from . import views

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import random
     import string
     ALPHABET = string.ascii_letters+string.digits+'-'
     ALPHABET = string.ascii_letters + string.digits + '-'
     def make_id(prefix='', length=29):
         '''Generate CAS tickets identifiers'''
         l = length-len(prefix)
         content = ( random.SystemRandom().choice(ALPHABET) for x in range(l) )
         c = length - len(prefix)
         content = (random.SystemRandom().choice(ALPHABET) for x in range(c) )
         return prefix + ''.join(content)

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import logging
     from datetime import timedelta
     from xml.etree import ElementTree as ET
-...
     from django.utils.timezone import now
     from authentic2.utils import (get_user_from_session_key, make_url,
             login_require, find_authentication_event, redirect, normalize_attribute_values,
             attribute_values_to_identifier)
                                   login_require, find_authentication_event,
                                   redirect, normalize_attribute_values,
                                   attribute_values_to_identifier)
     from authentic2.attributes_ng.engine import get_attributes
     from authentic2.constants import NONCE_FIELD_NAME
     from authentic2.views import logout as logout_view
-...
     from authentic2_idp_cas.models import Ticket, Service
     from authentic2_idp_cas.utils import make_id
     from authentic2_idp_cas.constants import (SERVICE_PARAM, RENEW_PARAM, GATEWAY_PARAM,
             TICKET_PARAM, CANCEL_PARAM, SERVICE_TICKET_PREFIX,
             INVALID_REQUEST_ERROR, INVALID_TICKET_SPEC_ERROR,
             INVALID_SERVICE_ERROR, INVALID_TICKET_ERROR,
             CAS10_VALIDATION_FAILURE, CAS20_VALIDATION_FAILURE,
             SERVICE_RESPONSE_ELT, AUTHENTICATION_SUCCESS_ELT, USER_ELT,
             PGT_URL_PARAM, PGT_IOU_PARAM, SESSION_CAS_LOGOUTS,
             CAS10_VALIDATION_SUCCESS, PGT_ELT, PROXIES_ELT, PROXY_ELT,
             PGT_PREFIX, PGT_IOU_PREFIX, PT_PREFIX, TARGET_SERVICE_PARAM,
             BAD_PGT_ERROR, INVALID_TARGET_SERVICE_ERROR, PROXY_UNAUTHORIZED_ERROR,
             PGT_PARAM, PGT_ID_PARAM, CAS20_PROXY_FAILURE, PROXY_SUCCESS_ELT,
             PROXY_TICKET_ELT, INTERNAL_ERROR, CAS_NAMESPACE, ATTRIBUTES_ELT)
     from authentic2_idp_cas.constants import (
         SERVICE_PARAM, RENEW_PARAM, GATEWAY_PARAM, TICKET_PARAM, CANCEL_PARAM,
         SERVICE_TICKET_PREFIX, INVALID_REQUEST_ERROR, INVALID_TICKET_SPEC_ERROR,
         INVALID_SERVICE_ERROR, INVALID_TICKET_ERROR, CAS10_VALIDATION_FAILURE,
         CAS20_VALIDATION_FAILURE, SERVICE_RESPONSE_ELT, AUTHENTICATION_SUCCESS_ELT,
         USER_ELT, PGT_URL_PARAM, PGT_IOU_PARAM, SESSION_CAS_LOGOUTS,
         CAS10_VALIDATION_SUCCESS, PGT_ELT, PROXIES_ELT, PROXY_ELT, PGT_PREFIX,
         PGT_IOU_PREFIX, PT_PREFIX, TARGET_SERVICE_PARAM, BAD_PGT_ERROR,
         INVALID_TARGET_SERVICE_ERROR, PROXY_UNAUTHORIZED_ERROR, PGT_PARAM,
         PGT_ID_PARAM, CAS20_PROXY_FAILURE, PROXY_SUCCESS_ELT, PROXY_TICKET_ELT,
         INTERNAL_ERROR, CAS_NAMESPACE, ATTRIBUTES_ELT)
     from . import app_settings
     try:
-...
         def redirect_to_service(self, request, st):
             if not st.valid():
                 return self.failure(request, st.service_url, 'service ticket id is '
                         'not valid')
                 return self.failure(request, st.service_url, 'service ticket id is not valid')
             else:
                 return self.return_ticket(request, st)
-...
             st.save()
             if st.service.logout_url:
                 request.session.setdefault(SESSION_CAS_LOGOUTS, []).append((
                         st.service.name,
                         st.service.get_logout_url(request),
                         st.service.logout_use_iframe,
                         st.service.logout_use_iframe_timeout))
                     st.service.name,
                     st.service.get_logout_url(request),
                     st.service.logout_use_iframe,
                     st.service.logout_use_iframe_timeout))
         def authenticate(self, request, st):
             '''
-...
             nonce = st.ticket_id
             next_url = make_url('a2-idp-cas-continue', params={
                 SERVICE_PARAM: st.service_url, NONCE_FIELD_NAME: nonce})
             return login_require(request, next_url=next_url,
                     params={NONCE_FIELD_NAME: nonce})
             return login_require(request, next_url=next_url, params={NONCE_FIELD_NAME: nonce})
     class LoginView(CasMixin, View):
-...
             if not model:
                 return self.failure(request, service, 'service unknown')
             if renew and gateway:
                 return self.failure(request, service, 'renew and gateway cannot be requested '
                         'at the same time')
                 return self.failure(request, service, 'renew and gateway cannot be requested at the same time')
             hooks.call_hooks('event', name='sso-request', service=model)
-...
             service = service[:4096]
             st.service_url = service
             st.renew = renew
             self.logger.debug('login request from %r renew: %s gateway: %s',
                     service, renew, gateway)
             self.logger.debug('login request from %r renew: %s gateway: %s', service, renew, gateway)
             if self.must_authenticate(request, renew, gateway):
                 st.save()
                 return self.authenticate(request, st)
-...
             if st.valid():
                 hooks.call_hooks('event', name='sso-success', service=st.service, user=st.user)
                 return redirect(request, service, params={'ticket': st.ticket_id})
             # Should not happen
             # Should not happen
             assert False
-...
                 attributes = self.get_attributes(request, st)
                 if st.service.identifier_attribute not in attributes:
                     self.logger.error('unable to compute an identifier for user %r and service %s',
                             six.text_type(st.user), st.service_url)
                                       six.text_type(st.user), st.service_url)
                     return self.validation_failure(request, service, INTERNAL_ERROR)
                 # Compute user identifier
                 identifier = attribute_values_to_identifier(
                         attributes[st.service.identifier_attribute])
                 identifier = attribute_values_to_identifier(attributes[st.service.identifier_attribute])
                 return self.validation_success(request, st, identifier)
             except:
                 raise
             except Exception:
                 self.logger.exception('internal server error')
                 return self.validation_failure(request, service, INTERNAL_ERROR)
-...
             if not hasattr(st, 'attributes'):
                 wanted_attributes = st.service.get_wanted_attributes()
                 user = get_user_from_session_key(st.session_key)
                 assert user.pk # not an annymous user
                 assert st.user_id == user.pk # session user matches ticket user
                 assert user.pk  # not an annymous user
                 assert st.user_id == user.pk  # session user matches ticket user
                 st.attributes = get_attributes({
                     'request': request,
                     'user': user,
-...
             return self.real_validation_failure(request, service, code)
         def validation_success(self, request, st, identifier):
             self.logger.info('validation success service: %r ticket: %s '
                     'user: %r identifier: %r', st.service_url, st.ticket_id, six.text_type(st.user), identifier)
             self.logger.info('validation success service: %r ticket: %s user: %r identifier: %r',
                              st.service_url, st.ticket_id, six.text_type(st.user), identifier)
             return self.real_validation_success(request, st, identifier)
     class ValidateView(ValidateBaseView):
         def real_validation_failure(self, request, service, code):
             return HttpResponse(CAS10_VALIDATION_FAILURE,
                     content_type='text/plain')
             return HttpResponse(CAS10_VALIDATION_FAILURE, content_type='text/plain')
         def real_validation_success(self, request, st, identifier):
             return HttpResponse(CAS10_VALIDATION_SUCCESS % identifier,
                     content_type='text/plain')
             return HttpResponse(CAS10_VALIDATION_SUCCESS % identifier, content_type='text/plain')
     class ServiceValidateView(ValidateBaseView):
-...
         def real_validation_failure(self, request, service, code, message=''):
             message = message or self.get_cas20_error_message(code)
             return HttpResponse(CAS20_VALIDATION_FAILURE % (code, message),
                     content_type='text/xml')
             return HttpResponse(CAS20_VALIDATION_FAILURE % (code, message), content_type='text/xml')
         def get_cas20_error_message(self, code):
             return '' # FIXME
             return ''  # FIXME
         def real_validation_success(self, request, st, identifier):
             root = ET.Element(SERVICE_RESPONSE_ELT)
-...
             user.text = six.text_type(identifier)
             self.provision_pgt(request, st, success)
             self.provision_attributes(request, st, success)
             return HttpResponse(ET.tostring(root, encoding='utf-8'),
                     content_type='text/xml')
             return HttpResponse(ET.tostring(root, encoding='utf-8'), content_type='text/xml')
         def provision_attributes(self, request, st, success):
             '''Add attributes to the CAS 2.0 ticket'''
-...
                     attribute_elt = ET.SubElement(attributes_elt, '{%s}%s' % (CAS_NAMESPACE, key))
                     attribute_elt.text = six.text_type(value)
         def provision_pgt(self, request, st, success):
             '''Provision a PGT ticket if requested
             '''
-...
                 return
             # PGT URL must be declared
             if not st.service.match_service(pgt_url):
                 self.logger.warning('pgtUrl %r does not match service %r',
                     pgt_url, st.service.slug)
                 self.logger.warning('pgtUrl %r does not match service %r', pgt_url, st.service.slug)
             pgt = make_id(PGT_PREFIX)
             pgt_iou = make_id(PGT_IOU_PREFIX)
             # Skip PGT_URL check for testing purpose
             # instead store PGT_IOU / PGT association in session
             if app_settings.CHECK_PGT_URL:
                 response = requests.get(pgt_url, params={
                    PGT_ID_PARAM: pgt,
                    PGT_IOU_PARAM: pgt_iou})
                 response = requests.get(pgt_url,
                                         params={
                                             PGT_ID_PARAM: pgt,
                                             PGT_IOU_PARAM: pgt_iou})
                 if response.status_code != 200:
                     self.logger.warning('pgtUrl %r returned non 200 code: %d',
                         pgt_url, response.status_code)
                     self.logger.warning('pgtUrl %r returned non 200 code: %d', pgt_url, response.status_code)
                     return
             else:
                 request.session[pgt_iou] = pgt
             proxies = ('%s %s' % (pgt_url, st.proxies)).strip()
             # Save the PGT ticket
             Ticket.objects.create(
                     ticket_id=pgt,
                     expire=None,
                     service=st.service,
                     service_url=st.service_url,
                     validity=True,
                     user=st.user,
                     session_key=st.session_key,
                     proxies=proxies)
                 ticket_id=pgt,
                 expire=None,
                 service=st.service,
                 service_url=st.service_url,
                 validity=True,
                 user=st.user,
                 session_key=st.session_key,
                 proxies=proxies)
             user = ET.SubElement(success, PGT_ELT)
             user.text = pgt_iou
             if self.add_proxies:
-...
     class ProxyView(View):
         http_method_names = ['get']
         def get(self, request):
             pgt = request.GET.get(PGT_PARAM)
             target_service_url = request.GET.get(TARGET_SERVICE_PARAM)
             if not pgt or not target_service_url:
                 return self.validation_failure(INVALID_REQUEST_ERROR,
                         "'pgt' and 'targetService' parameters are both required")
                                                "'pgt' and 'targetService' parameters are both required")
             if not pgt.startswith(PGT_PREFIX):
                 return self.validation_failure(BAD_PGT_ERROR,
                         'a proxy granting ticket must start with PGT-')
                                                'a proxy granting ticket must start with PGT-')
             try:
                 pgt = Ticket.objects.get(ticket_id=pgt)
             except Ticket.DoesNotExist:
                 pgt = None
             if pgt is None:
                 return self.validation_failure(BAD_PGT_ERROR, 'pgt does not '
                         'exist')
                 return self.validation_failure(BAD_PGT_ERROR, 'pgt does not exist')
             if not pgt.valid():
                 pgt.delete()
                 return self.validation_failure(BAD_PGT_ERROR, 'session has expired')
-...
             # No target service exists for this url, maybe the URL is missing from
             # the urls field
             if not target_service:
                 return self.validation_failure(INVALID_TARGET_SERVICE_ERROR,
                         'target service is invalid')
                 return self.validation_failure(INVALID_TARGET_SERVICE_ERROR, 'target service is invalid')
             # Verify that the requested service is authorized to get proxy tickets
             # for the target service
             if not target_service.proxy.filter(pk=pgt.service_id).exists():
                 return self.validation_failure(PROXY_UNAUTHORIZED_ERROR,
                         'proxying to the target service is forbidden')
                 return self.validation_failure(PROXY_UNAUTHORIZED_ERROR, 'proxying to the target service is forbidden')
             pt = Ticket.objects.create(
                 ticket_id=make_id(PT_PREFIX),
                 validity=True,
                 expire=now()+timedelta(seconds=60),
                 expire=now() + timedelta(seconds=60),
                 service=target_service,
                 service_url=target_service_url,
                 user=pgt.user,
-...
             return self.validation_success(request, pt)
         def validation_failure(self, code, reason):
             return HttpResponse(CAS20_PROXY_FAILURE % (code, reason),
                     content_type='text/xml')
             return HttpResponse(CAS20_PROXY_FAILURE % (code, reason), content_type='text/xml')
         def validation_success(self, request, pt):
             root = ET.Element(SERVICE_RESPONSE_ELT)
             success = ET.SubElement(root, PROXY_SUCCESS_ELT)
             proxy_ticket = ET.SubElement(success, PROXY_TICKET_ELT)
             proxy_ticket.text = pt.ticket_id
             return HttpResponse(ET.tostring(root, encoding='utf-8'),
                     content_type='text/xml')
             return HttpResponse(ET.tostring(root, encoding='utf-8'), content_type='text/xml')
     class ProxyValidateView(ServiceValidateView):
-...
             if referrer:
                 model = Service.objects.for_service(referrer)
                 if model:
                     return logout_view(request, next_url=next_url,
                             check_referer=False, do_local=False)
                     return logout_view(request, next_url=next_url, check_referer=False, do_local=False)
             return redirect(request, next_url)
     login = LoginView.as_view()

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.template.loader import render_to_string
     from django.utils.translation import ugettext_lazy as _
     default_app_config = 'authentic2_idp_oidc.apps.AppConfig'

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django import forms
     from django.contrib import admin
     from django.utils.functional import curry

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import sys
     class AppSettings(object):
         '''Thanks django-allauth'''
         __SENTINEL = object()
-...
         def IDTOKEN_DURATION(self):
             return self._setting('IDTOKEN_DURATION', 30)
     import sys
     app_settings = AppSettings('A2_IDP_OIDC_')
     app_settings.__name__ = __name__
     sys.modules[__name__] = app_settings

     # authentic2_idp_oidc - Authentic2 OIDC IdP plugin
     # Copyright (C) 2017 Entr'ouvert
     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
-...
     import django.apps
     from django.utils.encoding import smart_bytes
     from rest_framework.exceptions import APIException
     class AppConfig(django.apps.AppConfig):
             name = 'authentic2_idp_oidc'

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.db.models import Manager
     from django.utils.timezone import now

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import uuid
     from importlib import import_module
     from django.db import models
     from django.contrib.contenttypes.models import ContentType
     from django.core.validators import URLValidator
     from django.core.exceptions import ValidationError, ImproperlyConfigured
     from django.utils.translation import ugettext_lazy as _
-...
     from django.utils.timezone import now
     from django.contrib.contenttypes.fields import GenericForeignKey, GenericRelation
     from authentic2.managers import GenericManager
     from authentic2.a2_rbac.models import OrganizationalUnit
     from authentic2.models import Service
     from authentic2.utils import to_iter
-...
                 self.scopes)
     # Add generic field to a2_rbac.OrganizationalUnit
     from authentic2.a2_rbac.models import OrganizationalUnit
     GenericRelation('authentic2_idp_oidc.OIDCAuthorization',
                     content_type_field='client_ct',
                     object_id_field='client_id').contribute_to_class(

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     from django.conf.urls import url
     from . import views

     # authentic2 - versatile identity manager
     # Copyright (C) 2010-2019 Entr'ouvert
+    #
     # This program is free software: you can redistribute it and/or modify it
     # under the terms of the GNU Affero General Public License as published
     # by the Free Software Foundation, either version 3 of the License, or
     # (at your option) any later version.
+    #
     # This program is distributed in the hope that it will be useful,
     # but WITHOUT ANY WARRANTY; without even the implied warranty of
     # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     # GNU Affero General Public License for more details.
+    #
     # You should have received a copy of the GNU Affero General Public License
     # along with this program.  If not, see <http://www.gnu.org/licenses/>.
     import json
     import hashlib
     import base64
-...
     from django.conf import settings
     from django.utils import six
     from django.utils.encoding import force_bytes, force_text
     from django.utils import six

Projet

Général

Profil

Produits Entr'ouvert » Authentic 2