IdentityPython
diff --git a/‎.travis.yml
Lines changed: 35 additions & 0 deletions b/‎.travis.yml
Lines changed: 35 additions & 0 deletions
diff --git a/‎CHANGES
Lines changed: 5 additions & 0 deletions b/‎CHANGES
Lines changed: 5 additions & 0 deletions
diff --git a/‎README.rst
Lines changed: 58 additions & 5 deletions b/‎README.rst
Lines changed: 58 additions & 5 deletions
diff --git a/‎djangosaml2/backends.py
Lines changed: 78 additions & 45 deletions b/‎djangosaml2/backends.py
Lines changed: 78 additions & 45 deletions
diff --git a/‎djangosaml2/settings.py
Lines changed: 6 additions & 0 deletions b/‎djangosaml2/settings.py
Lines changed: 6 additions & 0 deletions
diff --git a/‎djangosaml2/templates/djangosaml2/login_error.html
Lines changed: 13 additions & 0 deletions b/‎djangosaml2/templates/djangosaml2/login_error.html
Lines changed: 13 additions & 0 deletions
diff --git a/‎djangosaml2/templates/djangosaml2/permission_denied.html
Lines changed: 11 additions & 0 deletions b/‎djangosaml2/templates/djangosaml2/permission_denied.html
Lines changed: 11 additions & 0 deletions
diff --git a/‎djangosaml2/templates/djangosaml2/wayf.html
Lines changed: 1 addition & 1 deletion b/‎djangosaml2/templates/djangosaml2/wayf.html
Lines changed: 1 addition & 1 deletion
@@ -0,0 +1,35 @@
+language: python
+
+python:
+    - "2.7"
+
+sudo: false
+
+env:
+    - TOX_ENV=py27-django18
+    - TOX_ENV=py27-django19
+    - TOX_ENV=py27-django110
+    - TOX_ENV=py27-djangomaster
+
+matrix:
+    fast_finish: true
+    allow_failures:
+      - env: TOX_ENV=py27-djangomaster
+
+addons:
+  apt:
+    packages:
+    - xmlsec1
+
+install:
+    - pip install tox virtualenv
+
+script:
+    - tox -e $TOX_ENV
+
+after_success:
+    - pip install codecov
+    - codecov -e TOX_ENV
+
+notifications:
+    email: false
@@ -1,5 +1,10 @@
 Changes
 =======
+0.14.5 (2016-09-19)
+-------------------
+- Django 1.10 support. Thanks to inducer.
+- Various fixes and minor improvements. Thanks to ajsmilutin, ganiserb, inducer, grunichev, liquidpele and darbula
+
 0.14.4 (2016-03-29)
 -------------------
 - Fix compatibility issue with pysaml2-4.0.3+. Thanks to jimr and astoltz.
 
@@ -1,16 +1,20 @@
-.. contents::
-
 ===========
 djangosaml2
 ===========
 
+.. image:: https://travis-ci.org/knaperek/djangosaml2.svg?branch=master
+    :target: https://travis-ci.org/knaperek/djangosaml2
+    :align: left
+
+
 djangosaml2 is a Django application that integrates the PySAML2 library
 into your project. This mean that you can protect your Django based project
 with a service provider based on PySAML. This way it will talk SAML2 with
 your Identity Provider allowing you to use this authentication mechanism.
 This document will guide you through a few simple steps to accomplish
 such goal.
 
+.. contents::
 
 Installation
 ============
@@ -209,9 +213,15 @@ We will see a typical configuration for protecting a Django project::
     # set to 1 to output debugging information
     'debug': 1,
 
-    # certificate
+    # Signing
     'key_file': path.join(BASEDIR, 'mycert.key'),  # private part
     'cert_file': path.join(BASEDIR, 'mycert.pem'),  # public part
+    
+    # Encryption
+    'encryption_keypairs': [{
+        'key_file': path.join(BASEDIR, 'my_encryption_key.key'),  # private part
+        'cert_file': path.join(BASEDIR, 'my_encryption_cert.pem'),  # public part
+    }],
 
     # own metadata settings
     'contact_person': [
@@ -307,6 +317,14 @@ Please, use an unique attribute when setting this option. Otherwise
 the authentication process will fail because djangosaml2 does not know
 which Django user it should pick.
 
+If your main attribute is something inherently case-inensitive (such as
+an email address), you may set::
+
+  SAML_DJANGO_USER_MAIN_ATTRIBUTE_LOOKUP = '__iexact'
+
+(This is simply appended to the main attribute name to form a Django
+query. Your main attribute must be unique even given this lookup.)
+
 Another option is to use the SAML2 name id as the username by setting::
 
   SAML_USE_NAME_ID_AS_USERNAME = True
@@ -347,7 +365,42 @@ If you are using Django user profile objects to store extra attributes
 about your user you can add those attributes to the SAML_ATTRIBUTE_MAPPING
 dictionary. For each (key, value) pair, djangosaml2 will try to store the
 attribute in the User model if there is a matching field in that model.
-Otherwise it will try to do the same with your profile custom model.
+Otherwise it will try to do the same with your profile custom model. For 
+multi-valued attributes only the first value is assigned to the destination field.
+
+Alternatively, custom processing of attributes can be achieved by setting the
+value(s) in the SAML_ATTRIBUTE_MAPPING, to name(s) of method(s) defined on a
+custom django User object. In this case, each method is called by djangosaml2,
+passing the full list of attribute values extracted from the <saml:AttributeValue>
+elements of the <saml:Attribute>. Among other uses, this is a useful way to process
+multi-valued attributes such as lists of user group names.
+
+For example::
+
+Saml assertion snippet::
+
+  <saml:Attribute Name="groups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
+        <saml:AttributeValue>group1</saml:AttributeValue>
+        <saml:AttributeValue>group2</saml:AttributeValue>
+        <saml:AttributeValue>group3</saml:AttributeValue>
+  </saml:Attribute>
+
+Custom User object::
+
+  from django.contrib.auth.models import AbstractUser
+
+  class User(AbstractUser):
+
+    def process_groups(self, groups):
+      // process list of group names in argument 'groups' 
+      pass;
+
+settings.py::
+
+  SAML_ATTRIBUTE_MAPPING = {
+      'groups': ('process_groups', ),
+  }
+
 
 Learn more about Django profile models at:
 
@@ -362,7 +415,7 @@ following code to your app::
 
   from djangosaml2.signals import pre_user_save
 
-  def custom_update_user(sender=user, attributes=attributes, user_modified=user_modified)
+  def custom_update_user(sender=User, instance, attributes, user_modified, **kargs)
      ...
      return True  # I modified the user object
 
 
@@ -23,6 +23,8 @@
 
 from djangosaml2.signals import pre_user_save
 
+from . import settings as saml_settings
+
 try:
     from django.contrib.auth.models import SiteProfileNotAvailable
 except ImportError:
@@ -83,8 +85,8 @@ def authenticate(self, session_info=None, attribute_mapping=None,
         use_name_id_as_username = getattr(
             settings, 'SAML_USE_NAME_ID_AS_USERNAME', False)
 
-        django_user_main_attribute = getattr(
-            settings, 'SAML_DJANGO_USER_MAIN_ATTRIBUTE', 'username')
+        django_user_main_attribute = saml_settings.SAML_DJANGO_USER_MAIN_ATTRIBUTE
+        django_user_main_attribute_lookup = saml_settings.SAML_DJANGO_USER_MAIN_ATTRIBUTE_LOOKUP
 
         logger.debug('attributes: %s', attributes)
         saml_user = None
@@ -95,11 +97,7 @@ def authenticate(self, session_info=None, attribute_mapping=None,
             else:
                 logger.error('The nameid is not available. Cannot find user without a nameid.')
         else:
-            logger.debug('attribute_mapping: %s', attribute_mapping)
-            for saml_attr, django_fields in attribute_mapping.items():
-                if (django_user_main_attribute in django_fields
-                    and saml_attr in attributes):
-                    saml_user = attributes[saml_attr][0]
+            saml_user = self.get_attribute_value(django_user_main_attribute, attributes, attribute_mapping)
 
         if saml_user is None:
             logger.error('Could not find saml_user value')
@@ -108,46 +106,21 @@ def authenticate(self, session_info=None, attribute_mapping=None,
         if not self.is_authorized(attributes, attribute_mapping):
             return None
 
-        user = None
-
         main_attribute = self.clean_user_main_attribute(saml_user)
 
-        user_query_args = {django_user_main_attribute: main_attribute}
-
         # Note that this could be accomplished in one try-except clause, but
         # instead we use get_or_create when creating unknown users since it has
         # built-in safeguards for multiple threads.
-        User = get_saml_user_model()
-        if create_unknown_user:
-            logger.debug('Check if the user "%s" exists or create otherwise',
-                         main_attribute)
-            try:
-                user, created = User.objects.get_or_create(**user_query_args)
-            except MultipleObjectsReturned:
-                logger.error("There are more than one user with %s = %s",
-                             django_user_main_attribute, main_attribute)
-                return None
-
-            if created:
-                logger.debug('New user created')
-                user = self.configure_user(user, attributes, attribute_mapping)
-            else:
-                logger.debug('User updated')
-                user = self.update_user(user, attributes, attribute_mapping)
-        else:
-            logger.debug('Retrieving existing user "%s"', main_attribute)
-            try:
-                user = User.objects.get(**user_query_args)
-                user = self.update_user(user, attributes, attribute_mapping)
-            except User.DoesNotExist:
-                logger.error('The user "%s" does not exist', main_attribute)
-                return None
-            except MultipleObjectsReturned:
-                logger.error("There are more than one user with %s = %s",
-                             django_user_main_attribute, main_attribute)
-                return None
+        return self.get_saml2_user(
+            create_unknown_user, main_attribute, attributes, attribute_mapping)
 
-        return user
+    def get_attribute_value(self, django_field, attributes, attribute_mapping):
+        saml_user = None
+        logger.debug('attribute_mapping: %s', attribute_mapping)
+        for saml_attr, django_fields in attribute_mapping.items():
+            if django_field in django_fields and saml_attr in attributes:
+                saml_user = attributes[saml_attr][0]
+        return saml_user
 
     def is_authorized(self, attributes, attribute_mapping):
         """Hook to allow custom authorization policies based on
@@ -164,6 +137,65 @@ def clean_user_main_attribute(self, main_attribute):
         """
         return main_attribute
 
+    def get_user_query_args(self, main_attribute):
+        django_user_main_attribute = getattr(
+            settings, 'SAML_DJANGO_USER_MAIN_ATTRIBUTE', 'username')
+        django_user_main_attribute_lookup = getattr(
+            settings, 'SAML_DJANGO_USER_MAIN_ATTRIBUTE_LOOKUP', '')
+
+        return {
+            django_user_main_attribute + django_user_main_attribute_lookup: main_attribute
+        }
+
+    def get_saml2_user(self, create, main_attribute, attributes, attribute_mapping):
+        if create:
+            return self._get_or_create_saml2_user(main_attribute, attributes, attribute_mapping)
+
+        return self._get_saml2_user(main_attribute, attributes, attribute_mapping)
+
+    def _get_or_create_saml2_user(self, main_attribute, attributes, attribute_mapping):
+        logger.debug('Check if the user "%s" exists or create otherwise',
+                     main_attribute)
+        django_user_main_attribute = saml_settings.SAML_DJANGO_USER_MAIN_ATTRIBUTE
+        django_user_main_attribute_lookup = saml_settings.SAML_DJANGO_USER_MAIN_ATTRIBUTE_LOOKUP
+        user_query_args = self.get_user_query_args(main_attribute)
+        user_create_defaults = {django_user_main_attribute: main_attribute}
+
+        User = get_saml_user_model()
+        try:
+            user, created = User.objects.get_or_create(
+                defaults=user_create_defaults, **user_query_args)
+        except MultipleObjectsReturned:
+            logger.error("There are more than one user with %s = %s",
+                         django_user_main_attribute, main_attribute)
+            return None
+
+        if created:
+            logger.debug('New user created')
+            user = self.configure_user(user, attributes, attribute_mapping)
+        else:
+            logger.debug('User updated')
+            user = self.update_user(user, attributes, attribute_mapping)
+        return user
+
+    def _get_saml2_user(self, main_attribute, attributes, attribute_mapping):
+        User = get_saml_user_model()
+        django_user_main_attribute = saml_settings.SAML_DJANGO_USER_MAIN_ATTRIBUTE
+        user_query_args = self.get_user_query_args(main_attribute)
+
+        logger.debug('Retrieving existing user "%s"', main_attribute)
+        try:
+            user = User.objects.get(**user_query_args)
+            user = self.update_user(user, attributes, attribute_mapping)
+        except User.DoesNotExist:
+            logger.error('The user "%s" does not exist', main_attribute)
+            return None
+        except MultipleObjectsReturned:
+            logger.error("There are more than one user with %s = %s",
+                         django_user_main_attribute, main_attribute)
+            return None
+        return user
+
     def configure_user(self, user, attributes, attribute_mapping):
         """Configures a user after creation and returns the updated user.
 
@@ -217,7 +249,8 @@ def update_user(self, user, attributes, attribute_mapping,
         logger.debug('Sending the pre_save signal')
         signal_modified = any(
             [response for receiver, response
-             in pre_user_save.send_robust(sender=user,
+             in pre_user_save.send_robust(sender=user.__class__,
+                                          instance=user,
                                           attributes=attributes,
                                           user_modified=user_modified)]
             )
@@ -236,9 +269,9 @@ def _set_attribute(self, obj, attr, value):
 
         Return True if the attribute was changed and False otherwise.
         """
-        field = obj._meta.get_field_by_name(attr)
-        if len(value) > field[0].max_length:
-            cleaned_value = value[:field[0].max_length]
+        field = obj._meta.get_field(attr)
+        if len(value) > field.max_length:
+            cleaned_value = value[:field.max_length]
             logger.warn('The attribute "%s" was trimmed from "%s" to "%s"',
                         attr, value, cleaned_value)
         else:
 
@@ -0,0 +1,6 @@
+from django.conf import settings
+
+SAML_DJANGO_USER_MAIN_ATTRIBUTE = getattr(
+    settings, 'SAML_DJANGO_USER_MAIN_ATTRIBUTE', 'username')
+SAML_DJANGO_USER_MAIN_ATTRIBUTE_LOOKUP = getattr(
+    settings, 'SAML_DJANGO_USER_MAIN_ATTRIBUTE_LOOKUP', '')
@@ -0,0 +1,13 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
+  </head>
+  <body>
+    <h1>Authentication Error.</h1>
+
+    <h2>Access Denied.</h2>
+
+  </body>
+</html>
@@ -0,0 +1,11 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
+  </head>
+  <body>
+    <h1>Permission Denied.</h1>
+
+  </body>
+</html>
@@ -9,7 +9,7 @@ <h1>Where are you from?</h1>
     <p>Please select your <strong>Identity Provider</strong> from the following list:</p>
     <ul>
       {% for url, name in available_idps %}
-      <li><a href="{% url 'djangosaml2.views.login' %}?idp={{ url }}{% if came_from %}&next={{ came_from }}{% endif %}">{{ name }}</a></li>
+      <li><a href="{% url 'saml2_login' %}?idp={{ url }}{% if came_from %}&next={{ came_from }}{% endif %}">{{ name }}</a></li>
       {% endfor %}
     </ul>
   </body>