0001-Modify-federation-storage-so-that-we-can-store-feder.patch

Benjamin Dauvergne, 18 mars 2015 15:46

Voir les différences: en ligne côte à côte

Subject: [PATCH] Modify federation storage so that we can store federation
relative to the provider model

If the content of name_id_qualifier or name_id_sp_name_qualifier is
equals to the issuer or service provider entity ID then we store a
sentinel value instead, meaning 'same as provider entity ID'. If we
change the provider entity, all federations are still correct.

 src/authentic2/idp/saml/saml2_endpoints.py         |  9 +++++++-
 src/authentic2/saml/common.py                      | 16 +++++++++++++--
 .../migrations/0002_ease_federation_migration.py   | 24 ++++++++++++++++++++++
 3 files changed, 46 insertions(+), 3 deletions(-)
 create mode 100644 src/authentic2/saml/migrations/0002_ease_federation_migration.py

         AUTHENTIC_STATUS_CODE_MISSING_NAMEID, \
         AUTHENTIC_STATUS_CODE_MISSING_SESSION_INDEX, \
         AUTHENTIC_STATUS_CODE_UNKNOWN_SESSION, \
         AUTHENTIC_STATUS_CODE_INTERNAL_SERVER_ERROR, \
         AUTHENTIC_STATUS_CODE_UNAUTHORIZED, \
         send_soap_request, get_saml2_query_request, \
         get_saml2_request_message_async_binding, create_saml2_server, \
         get_saml2_metadata, get_sp_options_policy, \
         get_entity_id
         get_entity_id, AUTHENTIC_SAME_ID_SENTINEL
     import authentic2.saml.saml2utils as saml2utils
     from common import kill_django_sessions
     from authentic2.constants import NONCE_FIELD_NAME
     from authentic2.idp import signals as idp_signals
     # from authentic2.idp.models import *
     from authentic2.utils import (make_url, get_backends as get_idp_backends,
-...
             logger.debug("assertion after processing "
                 "%s" % assertion.dump())
     def build_assertion(request, login, nid_format='transient', attributes=None):
         """After a successfully validated authentication request, build an
            authentication assertion
         """
         entity_id = get_entity_id(request, reverse(metadata))
         now = datetime.datetime.utcnow()
         logger.info("building assertion at %s" % str(now))
         logger.debug('named Id format is %s' % nid_format)
         # 1 minute ago
         notBefore = now - datetime.timedelta(0, app_settings.SECONDS_TOLERANCE)
         # 1 minute in the future
         notOnOrAfter = now + datetime.timedelta(0, app_settings.SECONDS_TOLERANCE)
         ssl = 'HTTPS' in request.environ
-...
         logger.debug("fill assertion")
         fill_assertion(request, login.request, assertion, login.remoteProviderId,
             nid_format)
         # Save federation and new session
         if nid_format == 'persistent':
             logger.debug("nameID persistent, get or create "
                 "federation")
             kwargs = nameid2kwargs(login.assertion.subject.nameID)
             # if qualifiers can be inferred from providers entityID replace them by
             # placeholders
             if kwargs.get('name_id_qualifier') == entity_id:
                 kwargs['name_id_qualifier'] = AUTHENTIC_SAME_ID_SENTINEL
             if kwargs.get('name_id_sp_name_qualifier') == login.remoteProviderId:
                 kwargs['name_id_sp_name_qualifier'] = AUTHENTIC_SAME_ID_SENTINEL
             service_provider = LibertyServiceProvider.objects \
                     .get(liberty_provider__entity_id=login.remoteProviderId)
             federation, new = LibertyFederation.objects.get_or_create(
                     sp=service_provider,
                     user=request.user, **kwargs)
             if new:
                 logger.info("nameID persistent, new federation")
                 federation.save()

         LIBERTY_SESSION_DUMP_KIND_IDP
     from authentic2.saml import models
     from authentic2.saml import saml2utils
     from authentic2.http_utils import get_url
     from .. import nonce
     AUTHENTIC_STATUS_CODE_NS = "http://authentic.entrouvert.org/status_code/"
     AUTHENTIC_SAME_ID_SENTINEL = 'urn:authentic.entrouvert.org:same-as-provider-entity-id'
     AUTHENTIC_STATUS_CODE_UNKNOWN_PROVIDER = AUTHENTIC_STATUS_CODE_NS + \
         "UnknownProvider"
     AUTHENTIC_STATUS_CODE_MISSING_NAMEID= AUTHENTIC_STATUS_CODE_NS + \
         "MissingNameID"
     AUTHENTIC_STATUS_CODE_MISSING_SESSION_INDEX = AUTHENTIC_STATUS_CODE_NS + \
         "MissingSessionIndex"
     AUTHENTIC_STATUS_CODE_UNKNOWN_SESSION = AUTHENTIC_STATUS_CODE_NS + \
         "UnknownSession"
-...
     </lasso:Federation>
     '''
     END_IDENTITY_DUMP = '''</Identity>'''
     def federations_to_identity_dump(self_entity_id, federations):
         l = [ START_IDENTITY_DUMP ]
         for federation in federations:
             name_id_qualifier = federation.name_id_qualifier
             name_id_sp_name_qualifier = federation.name_id_sp_name_qualifier
             # ease migration of federations by making qualifiers relative to the linked idp or sp
             if federation.sp:
                 sp_id = federation.sp.liberty_provider.entity_id
                 if name_id_sp_name_qualifier == AUTHENTIC_SAME_ID_SENTINEL:
                     name_id_sp_name_qualifier = sp_id
                 if name_id_qualifier == AUTHENTIC_SAME_ID_SENTINEL:
                     name_id_qualifier = self_entity_id
             elif federation.idp:
                 sp_id = self_entity_id
                 if name_id_sp_name_qualifier == AUTHENTIC_SAME_ID_SENTINEL:
                     name_id_sp_name_qualifier = self_entity_id
                 if name_id_qualifier == AUTHENTIC_SAME_ID_SENTINEL:
                     name_id_qualifier = federation.idp.liberty_provider.entity_id
             qualifiers = []
             if federation.name_id_qualifier:
                 qualifiers.append('NameQualifier="%s"' % federation.name_id_qualifier)
                 qualifiers.append('NameQualifier="%s"' % name_id_qualifier)
             if federation.name_id_sp_name_qualifier:
                 qualifiers.append('SPNameQualifier="%s"' % federation.name_id_sp_name_qualifier)
                 qualifiers.append('SPNameQualifier="%s"' % name_id_sp_name_qualifier)
             l.append(MIDDLE_IDENTITY_DUMP.format(
                 content=federation.name_id_content,
                 format=federation.name_id_format,
                 sp_id=sp_id,
                 qualifiers=' '.join(qualifiers)))
         l.append(END_IDENTITY_DUMP)
         return ''.join(l)

     # -*- coding: utf-8 -*-
     from __future__ import unicode_literals
     from django.db import migrations, models
     from authentic2.saml.common import AUTHENTIC_SAME_ID_SENTINEL
     def use_id_sentinel(apps, schema_editor):
         LibertyFederation = apps.get_model('saml', 'LibertyFederation')
         # idp federations
         LibertyFederation.objects.filter(idp__isnull=True,
                 name_id_sp_name_qualifier=models.F('sp__liberty_provider__entity_id')) \
                 .update(name_id_sp_name_qualifier=AUTHENTIC_SAME_ID_SENTINEL)
         # If there is NameIDQualifier it must be ours
         LibertyFederation.objects.filter(idp__isnull=True, name_id_qualifier__isnull=False) \
                 .update(name_id_qualifier=AUTHENTIC_SAME_ID_SENTINEL)
     class Migration(migrations.Migration):
         dependencies = [
             ('saml', '0001_initial'),
+        ]
         operations = [
                 migrations.RunPython(use_id_sentinel),
+        ]
+    -

Projet

Général

Profil

Produits Entr'ouvert » Authentic 2

0001-Modify-federation-storage-so-that-we-can-store-feder.patch