- BREAKAGE: idp app now is merged into uniauth

- BREAKAGE: uniauth.views.sso_init doesn't exist anymore, a ClassView instead

example/django_idp/idp_pysaml2.py

@@ -18,7 +18,7 @@
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 
-LOGIN_URL = '/login/'
+LOGIN_URL = '/idp/login/'
 
 # idp protocol:fqdn:port
 HOST = 'idp1.testunical.it'
@@ -36,7 +36,8 @@
 
 # please check [Refactor datetime](https://github.com/IdentityPython/pysaml2/pull/518)
 # only used to parse issue_instant in a try...
-SAML2_DATETIME_FORMATS = ['%Y-%m-%dT%H:%M:%SZ','%Y%m%d%H%M%SZ']
+SAML2_DATETIME_FORMATS = ['%Y-%m-%dT%H:%M:%SZ', '%Y-%m-%dT%H:%M:%S.%fZ',
+                          '%Y%m%d%H%M%SZ']
 
 # this will keep xml signed/encrypted files in /tmp
 #os.environ['PYSAML2_DELETE_XMLSEC_TMP'] = "False"
@@ -136,15 +137,15 @@
             # this works if pysaml2 is installed from peppelinux's fork
             'signing_algorithm':  saml2.xmldsig.SIG_RSA_SHA256,
             'digest_algorithm':  saml2.xmldsig.DIGEST_SHA256,
-            
+
             # saml.assertion #807
             "policy": {
                 "default": {
                     "lifetime": {'hours': 360},
-                    
+
                 }
             },
-            
+
             "release_policy": {
                 "default": {
                     "lifetime": {"minutes":15},
@@ -199,17 +200,17 @@
                     ('%s/sso/redirect' % BASE_URL, BINDING_HTTP_REDIRECT),
 
                     # TODO
-                    # ("%s/sso/art" % BASE, BINDING_HTTP_ARTIFACT),
+                    # ("%s/sso/art" % BASE_URL, BINDING_HTTP_ARTIFACT),
                 ],
                 "single_logout_service": [
-                    ("%s/slo/post" % BASE, BINDING_HTTP_POST),
+                    ("%s/slo/post" % BASE_URL, BINDING_HTTP_POST),
 
-                    #("%s/slo/redirect" % BASE, BINDING_HTTP_REDIRECT)
-                    # ("%s/slo/soap" % BASE, BINDING_SOAP),
+                    #("%s/slo/redirect" % BASE_URL, BINDING_HTTP_REDIRECT)
+                    # ("%s/slo/soap" % BASE_URL, BINDING_SOAP),
                 ],
-                
+
                # "attribute_service": [
-                    # ("%s/aap" % BASE, BINDING_HTTP_POST),
+                    # ("%s/aap" % BASE_URL, BINDING_HTTP_POST),
                 # ]
             },
             # transient per default, persistent if asked by sp
@@ -238,7 +239,6 @@
             # 'verify_encrypt_cert_assertion': None,
             # 'verify_encrypt_cert_advice': None,
 
-            # this works if pysaml2 is installed from peppelinux's fork
             'signing_algorithm':  saml2.xmldsig.SIG_RSA_SHA256,
             'digest_algorithm':  saml2.xmldsig.DIGEST_SHA256,
 
@@ -349,7 +349,7 @@
 
 # This coniguration will be used by default for each newly created SP through admin backend.
 DEFAULT_SPCONFIG = {
-    'processor': 'idp.processors.LdapUnicalMultiAcademiaProcessor',
+    'processor': 'uniauth.processors.multildap.LdapUnicalMultiAcademiaProcessor',
     'attribute_mapping': {
         # refeds + edugain Entities
         "cn": "cn",

example/django_idp/idp_pysaml2.py.example

@@ -18,7 +18,7 @@ from saml2.sigver import get_xmlsec_binary
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 
-LOGIN_URL = '/login/'
+LOGIN_URL = '/idp/login/'
 
 # idp protocol:fqdn:port
 HOST = 'idp1.testunical.it'
@@ -42,6 +42,130 @@ SAML2_DATETIME_FORMATS = ['%Y-%m-%dT%H:%M:%SZ', '%Y-%m-%dT%H:%M:%S.%fZ',
 # this will keep xml signed/encrypted files in /tmp
 #os.environ['PYSAML2_DELETE_XMLSEC_TMP'] = "False"
 
+
+SAML_METADATA = {
+        'local': [
+                 # (os.path.join(IDP_SP_METADATA_PATH, 'sp_metadata.xml'),),
+                 # (os.path.join(IDP_SP_METADATA_PATH, 'sp_shib_metadata.xml'),),
+                 # (os.path.join(IDP_SP_METADATA_PATH, 'satosa_backend.xml'),),
+                 ],
+        #
+        # "remote": [{
+            # "url": 'https://satosa.testunical.it/Saml2/metadata',
+            # "cert": "/opt/satosa-saml2/pki/frontend.cert",
+
+            # working only with pplx-dev fork:
+            # "disable_ssl_certificate_validation": True,
+             # }],
+
+        # "mdq": [{
+            # "url": "http://localhost:8001",
+            ## "url": "https://ds.testunical.it",
+            # "cert": "certficates/others/ds.testunical.it.cert",
+
+            # working only with pplx-dev fork:
+            # "disable_ssl_certificate_validation": True,
+            # }]
+
+}
+
+
+SAML_CONTACTS = [
+      {'given_name': 'Giuseppe',
+       'sur_name': 'De Marco',
+       'company': 'Universita della Calabria',
+       'email_address': 'giuseppe.demarco@unical.it',
+       'contact_type': 'administrative'},
+      {'given_name': 'Giuseppe',
+       'sur_name': 'De Marco',
+       'company': 'Universita della Calabria',
+       'email_address': 'giuseppe.demarco@unical.it',
+       'contact_type': 'technical'},
+]
+
+
+SAML_ORG_INFO = {
+      'name': [('Unical', 'it'), ('Unical', 'en')],
+      'display_name': [('Unical', 'it'), ('Unical', 'en')],
+      'url': [('http://www.unical.it', 'it'),
+              ('http://www.unical.it', 'en')],
+}
+
+
+SAML_AA_CONFIG = {
+    'debug' : True,
+    'xmlsec_binary': get_xmlsec_binary(['/opt/local/bin', '/usr/bin/xmlsec1']),
+    'entityid': '%s/aa/metadata' % BASE_URL,
+
+    'entity_category_support': [edugain.COCO, # "http://www.geant.net/uri/dataprotection-code-of-conduct/v1"
+                                refeds.RESEARCH_AND_SCHOLARSHIP],
+
+    'attribute_map_dir': 'data/attribute-maps',
+    'description': 'SAML2 IDP',
+
+    'service': {
+        "aa": {
+            "endpoints": {
+                "attribute_service": [
+                    ("%s/aap" % BASE, BINDING_HTTP_POST),
+                ]
+            },
+            # transient per default, persistent if asked by sp
+            'name_id_format': [NAMEID_FORMAT_TRANSIENT,
+                               NAMEID_FORMAT_PERSISTENT],
+
+            'validate_certificate': True,
+            # this is default
+            'only_use_keys_in_metadata': True,
+
+            # these needs to change a standard shibboleth sp configuration
+            # because in GET binding the signature is in the url and not in the XML ...
+            # solution: disable HTTP-REDIRECT bind
+            # this needs the certificate in the authn request, not implemented in every sp ...
+            "want_authn_requests_only_with_valid_cert": False,
+            # HTTP-REDIRECT and many SP still not sign the authnRequest....
+            'want_authn_requests_signed': False,
+
+            'sign_response': True,
+            'sign_assertion': True,
+
+            # the following if set should be a cert filename, not a boolean
+            # 'verify_ssl_cert': None,
+            # 'verify_encrypt_cert_assertion': None,
+            # 'verify_encrypt_cert_advice': None,
+
+            # this works if pysaml2 is installed from peppelinux's fork
+            'signing_algorithm':  saml2.xmldsig.SIG_RSA_SHA256,
+            'digest_algorithm':  saml2.xmldsig.DIGEST_SHA256,
+
+            # saml.assertion #807
+            "policy": {
+                "default": {
+                    "lifetime": {'hours': 360},
+
+                }
+            },
+
+            "release_policy": {
+                "default": {
+                    "lifetime": {"minutes":15},
+                    "attribute_restrictions": None, # means all I have
+                    "name_form": NAME_FORMAT_URI,
+                },
+            },
+        },
+    },
+
+    'metadata': SAML_METADATA,
+    'key_file': BASE_DIR + '/certificates/private.key',
+    'cert_file': BASE_DIR + '/certificates/public.cert',
+    'contact_person': SAML_CONTACTS,
+    'organization': SAML_ORG_INFO,
+
+}
+
+
+
 SAML_IDP_CONFIG = {
     'debug' : True,
     'xmlsec_binary': get_xmlsec_binary(['/opt/local/bin', '/usr/bin/xmlsec1']),
@@ -76,14 +200,18 @@ SAML_IDP_CONFIG = {
                     ('%s/sso/redirect' % BASE_URL, BINDING_HTTP_REDIRECT),
 
                     # TODO
-                    # ("%s/sso/art" % BASE, BINDING_HTTP_ARTIFACT),
+                    # ("%s/sso/art" % BASE_URL, BINDING_HTTP_ARTIFACT),
                 ],
                 "single_logout_service": [
-                    ("%s/slo/post" % BASE, BINDING_HTTP_POST),
+                    ("%s/slo/post" % BASE_URL, BINDING_HTTP_POST),
 
-                    #("%s/slo/redirect" % BASE, BINDING_HTTP_REDIRECT)
-                    # ("%s/slo/soap" % BASE, BINDING_SOAP),
+                    #("%s/slo/redirect" % BASE_URL, BINDING_HTTP_REDIRECT)
+                    # ("%s/slo/soap" % BASE_URL, BINDING_SOAP),
                 ],
+
+               # "attribute_service": [
+                    # ("%s/aap" % BASE_URL, BINDING_HTTP_POST),
+                # ]
             },
             # transient per default, persistent if asked by sp
             'name_id_format': [NAMEID_FORMAT_TRANSIENT,
@@ -96,7 +224,9 @@ SAML_IDP_CONFIG = {
             # these needs to change a standard shibboleth sp configuration
             # because in GET binding the signature is in the url and not in the XML ...
             # solution: disable HTTP-REDIRECT bind
+            # this needs the certificate in the authn request, not implemented in every sp ...
             "want_authn_requests_only_with_valid_cert": False,
+            # HTTP-REDIRECT and many SP still not sign the authnRequest....
             'want_authn_requests_signed': False,
 
             'logout_requests_signed': True,
@@ -109,9 +239,8 @@ SAML_IDP_CONFIG = {
             # 'verify_encrypt_cert_assertion': None,
             # 'verify_encrypt_cert_advice': None,
 
-            # this works if pysaml2 is installed from peppelinux's fork
-            # 'signing_algorithm':  saml2.xmldsig.SIG_RSA_SHA256,
-            # 'digest_algorithm':  saml2.xmldsig.DIGEST_SHA256,
+            'signing_algorithm':  saml2.xmldsig.SIG_RSA_SHA256,
+            'digest_algorithm':  saml2.xmldsig.DIGEST_SHA256,
 
             "policy": {
                 "default": {
@@ -161,31 +290,7 @@ SAML_IDP_CONFIG = {
     },
 
     # Quite useless, you can even configure metadata store through admin backend!
-    'metadata': {
-        'local': [
-                 # (os.path.join(IDP_SP_METADATA_PATH, 'sp_metadata.xml'),),
-                 # (os.path.join(IDP_SP_METADATA_PATH, 'sp_shib_metadata.xml'),),
-                 # (os.path.join(IDP_SP_METADATA_PATH, 'satosa_backend.xml'),),
-                 ],
-        #
-        # "remote": [{
-            # "url": 'https://satosa.testunical.it/Saml2/metadata',
-            # "cert": "/opt/satosa-saml2/pki/frontend.cert",
-
-            # working only with pplx-dev fork:
-            # "disable_ssl_certificate_validation": True,
-             # }],
-
-        # "mdq": [{
-            # "url": "http://localhost:8001",
-            ## "url": "https://ds.testunical.it",
-            # "cert": "certficates/others/ds.testunical.it.cert",
-
-            # working only with pplx-dev fork:
-            # "disable_ssl_certificate_validation": True,
-            # }]
-
-    },
+    'metadata': SAML_METADATA,
 
     # Signing
     'key_file': BASE_DIR + '/certificates/private.key',
@@ -200,25 +305,9 @@ SAML_IDP_CONFIG = {
     #'valid_for': 24 * 10,
 
     # own metadata settings
-    'contact_person': [
-      {'given_name': 'Giuseppe',
-       'sur_name': 'De Marco',
-       'company': 'Universita della Calabria',
-       'email_address': 'giuseppe.demarco@unical.it',
-       'contact_type': 'administrative'},
-      {'given_name': 'Giuseppe',
-       'sur_name': 'De Marco',
-       'company': 'Universita della Calabria',
-       'email_address': 'giuseppe.demarco@unical.it',
-       'contact_type': 'technical'},
-      ],
+    'contact_person': SAML_CONTACTS,
     # you can set multilanguage information here
-    'organization': {
-      'name': [('Unical', 'it'), ('Unical', 'en')],
-      'display_name': [('Unical', 'it'), ('Unical', 'en')],
-      'url': [('http://www.unical.it', 'it'),
-              ('http://www.unical.it', 'en')],
-      },
+    'organization': SAML_ORG_INFO,
 
     # TODO: put idp logs in a separate file too
     # "logger": {
@@ -260,7 +349,7 @@ SAML_DISALLOW_UNDEFINED_SP = False
 
 # This coniguration will be used by default for each newly created SP through admin backend.
 DEFAULT_SPCONFIG = {
-    'processor': 'idp.processors.LdapUnicalMultiAcademiaProcessor',
+    'processor': 'uniauth.processors.multildap.LdapUnicalMultiAcademiaProcessor',
     'attribute_mapping': {
         # refeds + edugain Entities
         "cn": "cn",

example/django_idp/settings.py

@@ -17,13 +17,6 @@
 # Quick-start development settings - unsuitable for production
 # See https://docs.djangoproject.com/en/2.0/howto/deployment/checklist/
 
-# use settingslocal
-#DEBUG = True
-#SESSION_EXPIRE_AT_BROWSER_CLOSE=True
-#SESSION_COOKIE_AGE = 60 * 10 # minutes
-#SECRET_KEY = settingslocal.SECRET_KEY
-#ALLOWED_HOSTS = settingslocal.ALLOWED_HOSTS
-
 if not DEBUG:
     SESSION_COOKIE_SECURE = True
     CSRF_COOKIE_SECURE = True
@@ -138,10 +131,10 @@
      }
 
     DATABASE_ROUTERS = ['ldapdb.router.Router']
-    AUTHENTICATION_BACKENDS.append('idp.ldap_auth.LdapAcademiaAuthBackend')
+    AUTHENTICATION_BACKENDS.append('uniauth.auth.ldap_peoples.LdapAcademiaAuthBackend')
 
 if 'multildap' in INSTALLED_APPS:
-    AUTHENTICATION_BACKENDS.append('idp.multildap_auth.LdapUnicalMultiAcademiaAuthBackend')
+    AUTHENTICATION_BACKENDS.append('uniauth.auth.multildap.LdapUnicalMultiAcademiaAuthBackend')
 
 
 # Password validation

example/django_idp/settingslocal.py

@@ -29,7 +29,8 @@
     'bootstrap_italia_template',
     'django_unical_bootstrap_italia',
     'uniauth',
-    'idp',
+    'uniauth_unical_template',
+
     # 'ldap_peoples',
     'multildap',
     'rangefilter']
@@ -134,11 +135,6 @@
             'level': 'DEBUG',
             'propagate': False,
         },
-        'idp': {
-            'handlers': ['console', 'mail_admins'],
-            'level': 'DEBUG',
-            'propagate': False,
-        },
     }
 }
 #####################