Merge branch 'master' into unsolicited_response

Author: knaperek

CHANGES

@@ -4,9 +4,16 @@ Changes
 UNRELEASED
 ----------
 - A 403 (permission denied) is now raised if a SAMLResponse is replayed, instead of 500.
+
+0.16.11 (2017-12-25)
+----------
+- Dropped compatibility for Python < 2.7 and Django < 1.8.
+- Added a clean_attributes hook allowing backends to restructure attributes extracted from SAML response.
 - Log when fields are missing in a SAML response.
 - Log when attribute_mapping maps to nonexistent User fields.
-- Dropped compatibility for Python < 2.7 and Django < 1.8.
+- Multiple compatibility fixes and other minor improvements and code cleanups
+
+Thanks to francoisfreitag, mhindery, charn, jdufresne
 
 0.16.10 (2017-10-02)
 -------------------

djangosaml2/backends.py

@@ -64,14 +64,14 @@ class Saml2Backend(ModelBackend):
     def authenticate(self, request, session_info=None, attribute_mapping=None,
                      create_unknown_user=True, **kwargs):
         if session_info is None or attribute_mapping is None:
-            logger.error('Session info or attribute mapping are None')
+            logger.info('Session info or attribute mapping are None')
             return None
 
-        if not 'ava' in session_info:
+        if 'ava' not in session_info:
             logger.error('"ava" key not found in session_info')
             return None
 
-        attributes = session_info['ava']
+        attributes = self.clean_attributes(session_info['ava'])
         if not attributes:
             logger.error('The attributes dictionary is empty')
 
@@ -120,6 +120,10 @@ def is_authorized(self, attributes, attribute_mapping):
         """
         return True
 
+    def clean_attributes(self, attributes):
+        """Hook to clean attributes from the SAML response."""
+        return attributes
+
     def clean_user_main_attribute(self, main_attribute):
         """Performs any cleaning on the user main attribute (which
         usually is "username") prior to using it to get or

djangosaml2/tests/auth_response.py

@@ -16,17 +16,87 @@
 import datetime
 
 
-def auth_response(session_id, uid):
-    """Generates a fresh signed authentication response"""
+def auth_response(session_id,
+                  uid,
+                  audience='http://sp.example.com/saml2/metadata/',
+                  acs_url='http://sp.example.com/saml2/acs/',
+                  metadata_url='http://sp.example.com/saml2/metadata/',
+                  attribute_statements=None):
+    """Generates a fresh signed authentication response
+
+    Params:
+        session_id: The session ID to generate the reponse for. Login set an
+            outstanding session ID, i.e. djangosaml2 waits for a response for
+            that session.
+        uid: Unique identifier for a User (will be present as an attribute in
+            the answer). Ignored when attribute_statements is not ``None``.
+        audience: SP entityid (used when PySAML validates the response
+            audience).
+        acs_url: URL where the response has been posted back.
+        metadata_url: URL where the SP metadata can be queried.
+        attribute_statements: An alternative XML AttributeStatement to use in
+            lieu of the default (uid). The uid argument is ignored when
+            attribute_statements is not ``None``.
+    """
     timestamp = datetime.datetime.now() - datetime.timedelta(seconds=10)
     tomorrow = datetime.datetime.now() + datetime.timedelta(days=1)
     yesterday = datetime.datetime.now() - datetime.timedelta(days=1)
 
-    saml_response_tpl = """<?xml version='1.0' encoding='UTF-8'?>
-<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="http://sp.example.com/saml2/acs/" ID="id-88b9f586a2a3a639f9327485cc37c40a" InResponseTo="%(session_id)s" IssueInstant="%(timestamp)s" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.example.com/simplesaml/saml2/idp/metadata.php</saml:Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status><saml:Assertion ID="id-093952102ceb73436e49cb91c58b0578" IssueInstant="%(timestamp)s" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.example.com/simplesaml/saml2/idp/metadata.php</saml:Issuer><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="" SPNameQualifier="http://sp.example.com/saml2/metadata/">1f87035b4c1325b296a53d92097e6b3fa36d7e30ee82e3fcb0680d60243c1f03</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="%(session_id)s" NotOnOrAfter="%(tomorrow)s" Recipient="http://sp.example.com/saml2/acs/" /></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="%(yesterday)s" NotOnOrAfter="%(tomorrow)s"><saml:AudienceRestriction><saml:Audience>http://sp.example.com/saml2/metadata/</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="%(timestamp)s" SessionIndex="%(session_id)s"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml:AttributeValue xsi:nil="true" xsi:type="xs:string">%(uid)s</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""
+    if attribute_statements is None:
+        attribute_statements = (
+            '<saml:AttributeStatement>'
+                '<saml:Attribute FriendlyName="uid" Name="urn:oid:0.9.2342.19200300.100.1.1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">'
+                    '<saml:AttributeValue xsi:nil="true" xsi:type="xs:string">'
+                        '%(uid)s'
+                    '</saml:AttributeValue>'
+                '</saml:Attribute>'
+            '</saml:AttributeStatement>'
+        ) % {'uid': uid}
+
+    saml_response_tpl = (
+        "<?xml version='1.0' encoding='UTF-8'?>"
+        '<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="%(acs_url)s" ID="id-88b9f586a2a3a639f9327485cc37c40a" InResponseTo="%(session_id)s" IssueInstant="%(timestamp)s" Version="2.0">'
+            '<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">'
+                'https://idp.example.com/simplesaml/saml2/idp/metadata.php'
+            '</saml:Issuer>'
+            '<samlp:Status>'
+                '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />'
+            '</samlp:Status>'
+            '<saml:Assertion ID="id-093952102ceb73436e49cb91c58b0578" IssueInstant="%(timestamp)s" Version="2.0">'
+                '<saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">'
+                    'https://idp.example.com/simplesaml/saml2/idp/metadata.php'
+                '</saml:Issuer>'
+                '<saml:Subject>'
+                    '<saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="" SPNameQualifier="%(metadata_url)s">'
+                        '1f87035b4c1325b296a53d92097e6b3fa36d7e30ee82e3fcb0680d60243c1f03'
+                    '</saml:NameID>'
+                    '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
+                        '<saml:SubjectConfirmationData InResponseTo="%(session_id)s" NotOnOrAfter="%(tomorrow)s" Recipient="%(acs_url)s" />'
+                    '</saml:SubjectConfirmation>'
+                '</saml:Subject>'
+                '<saml:Conditions NotBefore="%(yesterday)s" NotOnOrAfter="%(tomorrow)s">'
+                    '<saml:AudienceRestriction>'
+                        '<saml:Audience>'
+                            '%(audience)s'
+                        '</saml:Audience>'
+                    '</saml:AudienceRestriction>'
+                '</saml:Conditions>'
+                '<saml:AuthnStatement AuthnInstant="%(timestamp)s" SessionIndex="%(session_id)s">'
+                    '<saml:AuthnContext>'
+                        '<saml:AuthnContextClassRef>'
+                            'urn:oasis:names:tc:SAML:2.0:ac:classes:Password'
+                        '</saml:AuthnContextClassRef>'
+                    '</saml:AuthnContext>'
+                '</saml:AuthnStatement>'
+                '%(attribute_statements)s'
+            '</saml:Assertion>'
+        '</samlp:Response>')
     return saml_response_tpl % {
-        'uid': uid,
         'session_id': session_id,
+        'audience': audience,
+        'acs_url': acs_url,
+        'metadata_url': metadata_url,
+        'attribute_statements': attribute_statements,
         'timestamp': timestamp.strftime('%Y-%m-%dT%H:%M:%SZ'),
         'tomorrow': tomorrow.strftime('%Y-%m-%dT%H:%M:%SZ'),
         'yesterday': yesterday.strftime('%Y-%m-%dT%H:%M:%SZ'),

setup.py

@@ -31,7 +31,7 @@ def read(*rnames):
 
 setup(
     name='djangosaml2',
-    version='0.16.10',
+    version='0.16.11',
     description='pysaml2 integration for Django',
     long_description='\n\n'.join([read('README.rst'), read('CHANGES')]),
     classifiers=[

tests/testprofiles/tests.py

@@ -166,3 +166,33 @@ def test_django_user_main_attribute_lookup(self):
             self.assertEqual(
                 backend.get_django_user_main_attribute_lookup(),
                 '__iexact')
+
+
+class LowerCaseSaml2Backend(Saml2Backend):
+    def clean_attributes(self, attributes):
+        return dict([k.lower(), v] for k, v in attributes.items())
+
+
+class LowerCaseSaml2BackendTest(TestCase):
+    def test_update_user_clean_attributes(self):
+        user = User.objects.create(username='john')
+        attribute_mapping = {
+            'uid': ('username', ),
+            'mail': ('email', ),
+            'cn': ('first_name', ),
+            'sn': ('last_name', ),
+            }
+        attributes = {
+            'UID': ['john'],
+            'MAIL': ['[email protected]'],
+            'CN': ['John'],
+            'SN': [],
+        }
+
+        backend = LowerCaseSaml2Backend()
+        user = backend.authenticate(
+            None,
+            session_info={'ava': attributes},
+            attribute_mapping=attribute_mapping,
+        )
+        self.assertIsNotNone(user)

tox.ini

@@ -18,6 +18,5 @@ deps =
     djangomaster: https://github.com/django/django/archive/master.tar.gz
     .[test]
 
-# Waiting on upstream fix for https://code.djangoproject.com/ticket/28679
 ignore_outcome =
     djangomaster: True