authentik/passbook/providers/saml/views.py

"""passbook SAML IDP Views"""
from typing import Optional
from django.contrib.auth import logout
from django.contrib.auth.mixins import AccessMixin
from django.core.exceptions import ValidationError
from django.core.validators import URLValidator
from django.http import HttpRequest, HttpResponse, HttpResponseBadRequest
from django.shortcuts import get_object_or_404, redirect, render, reverse
from django.utils.datastructures import MultiValueDictKeyError
from django.utils.decorators import method_decorator
from django.utils.translation import gettext as _
from django.views import View
from django.views.decorators.csrf import csrf_exempt
from signxml.util import strip_pem_header
from structlog import get_logger
from passbook.audit.models import Event, EventAction
from passbook.core.models import Application
from passbook.lib.mixins import CSRFExemptMixin
from passbook.lib.utils.template import render_to_string
from passbook.policies.engine import PolicyEngine
from passbook.providers.saml import exceptions
from passbook.providers.saml.models import SAMLProvider
LOGGER = get_logger()

# Schemes accepted for the post-logout ``redirect_to`` target (see LogoutView).
# Only the scheme and URL syntax are checked by this validator, not the host.
_REDIRECT_SCHEMES = ("http", "https")
URL_VALIDATOR = URLValidator(schemes=_REDIRECT_SCHEMES)
def _generate_response(request: HttpRequest, provider: SAMLProvider) -> HttpResponse:
    """Build the SAML response for *provider* and render the IdP login page with it.

    Args:
        request: Current HTTP request; handed to the provider's processor.
        provider: SAML provider whose processor produces the response context.

    Returns:
        The rendered ``saml/idp/login.html`` page carrying the processor's
        context, or ``saml/idp/invalid_user.html`` when the processor raises
        ``UserNotAuthorized``. ``CannotHandleAssertion`` is left to the caller.
    """
    try:
        # The processor is accessed through the provider each time rather than
        # cached locally, so whatever caching ``provider.processor`` does applies.
        provider.processor.init_deep_link(request, "")
        context = provider.processor.generate_response()
        # Extra template context: the provider itself and the "login step" flag.
        context["remote"] = provider
        context["is_login"] = True
    except exceptions.UserNotAuthorized:
        return render(request, "saml/idp/invalid_user.html")
    return render(request, "saml/idp/login.html", context)
class AccessRequiredView(AccessMixin, View):
    """Base view for SAML endpoints bound to a single provider.

    The provider is resolved lazily from the ``application`` URL kwarg, and
    ``dispatch`` turns away anonymous users and users whose policy evaluation
    does not pass before the concrete view method runs.
    """

    _provider: Optional[SAMLProvider] = None

    @property
    def provider(self) -> SAMLProvider:
        """Resolve (and memoise) the SAMLProvider behind the ``application`` slug.

        Raises:
            Http404: via ``get_object_or_404`` when the application slug or the
                provider it points at does not exist.
        """
        if self._provider:
            return self._provider
        slug = self.kwargs["application"]
        app = get_object_or_404(Application, slug=slug)
        self._provider = get_object_or_404(SAMLProvider, pk=app.provider_id)
        return self._provider

    def _has_access(self) -> bool:
        """Evaluate the application's policies for the requesting user."""
        app = self.provider.application
        LOGGER.debug("_has_access", user=self.request.user, app=app)
        engine = PolicyEngine(app.policies.all(), self.request.user, self.request)
        engine.build()
        return engine.passing

    def dispatch(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
        """Gate the request before delegating to the HTTP method handler.

        Anonymous users are handed to ``AccessMixin.handle_no_permission``;
        authenticated users that fail ``_has_access`` get the denied page.
        """
        if not request.user.is_authenticated:
            return self.handle_no_permission()
        if self._has_access():
            return super().dispatch(request, *args, **kwargs)
        denied_ctx = {
            "title": _("You don't have access to this application"),
            "is_login": True,
        }
        return render(request, "login/denied.html", denied_ctx)
class LoginBeginView(AccessRequiredView):
    """Entry point for SP-initiated login.

    Receives a SAML 2.0 AuthnRequest from a Service Provider (GET or POST
    binding) and parks it in the session before the user is sent through
    login, because Django's login cycle would not preserve it.
    """

    @method_decorator(csrf_exempt)
    def dispatch(self, request: HttpRequest, application: str) -> HttpResponse:
        """Stash SAMLRequest/RelayState in the session, then redirect to the process view.

        This override does not call ``super().dispatch``, so the authentication
        and policy checks of AccessRequiredView do not run here; they run on the
        ``saml-login-process`` view this redirects to. The CSRF exemption exists
        because the Service Provider posts here cross-site. The request payload
        is stored as received; parsing and validation are not done in this view.

        Returns:
            A redirect to the login-process view, or a 400 when the request
            carries no ``SAMLRequest`` parameter.
        """
        params = request.POST if request.method == "POST" else request.GET
        saml_request = params.get("SAMLRequest")
        if saml_request is None:
            return HttpResponseBadRequest("the SAML request payload is missing")
        # Store these values now, because Django's login cycle won't preserve them.
        request.session["SAMLRequest"] = saml_request
        request.session["RelayState"] = params.get("RelayState", "")
        target = reverse(
            "passbook_providers_saml:saml-login-process",
            kwargs={"application": application},
        )
        return redirect(target)
class RedirectToSPView(AccessRequiredView):
    """Render the auto-submitting form that POSTs the assertion to the SP."""

    def get(
        self, request: HttpRequest, acs_url: str, saml_response: str, relay_state: str
    ) -> HttpResponse:
        """Render ``core/autosubmit_form.html`` targeting *acs_url*.

        Args:
            acs_url: Assertion Consumer Service URL the form posts to. It is used
                as given; any checking of it belongs to the caller.
            saml_response: Value for the ``SAMLResponse`` form field.
            relay_state: Value for the ``RelayState`` form field.
        """
        form_fields = {"SAMLResponse": saml_response, "RelayState": relay_state}
        return render(
            request,
            "core/autosubmit_form.html",
            {"url": acs_url, "attrs": form_fields},
        )
class LoginProcessView(AccessRequiredView):
    """Processor-based login continuation.

    GET renders the authorization step (or skips straight to the SP when the
    application allows it); POST takes the accepted form and hands the
    assertion to RedirectToSPView for auto-submission to the Service Provider.
    """

    def _render_login_form(self, request: HttpRequest) -> HttpResponse:
        """Generate the assertion and render the login page; 400 if the processor declines."""
        try:
            return _generate_response(request, self.provider)
        except exceptions.CannotHandleAssertion as exc:
            LOGGER.debug(exc)
            return HttpResponseBadRequest()

    def _log_authorization(self, request: HttpRequest, *, skipped: bool) -> None:
        """Record an AUTHORIZE_APPLICATION audit event for the current application."""
        Event.new(
            EventAction.AUTHORIZE_APPLICATION,
            authorized_application=self.provider.application,
            skipped_authorization=skipped,
        ).from_http(request)

    # pylint: disable=unused-argument
    def get(self, request: HttpRequest, application: str) -> HttpResponse:
        """Render the login form, or go straight to the SP when authorization is skipped."""
        # User access gets checked in dispatch
        if not self.provider.application.skip_authorization:
            return self._render_login_form(request)
        ctx = self.provider.processor.generate_response()
        self._log_authorization(request, skipped=True)
        return RedirectToSPView.as_view()(
            request=request,
            acs_url=ctx["acs_url"],
            saml_response=ctx["saml_response"],
            relay_state=ctx["relay_state"],
        )

    # pylint: disable=unused-argument
    def post(self, request: HttpRequest, application: str) -> HttpResponse:
        """Forward the accepted assertion to the SP, or re-render the login form."""
        # User access gets checked in dispatch
        acs_url = request.POST.get("ACSUrl", None)
        if not acs_url:
            return self._render_login_form(request)
        # User accepted request
        self._log_authorization(request, skipped=False)
        # NOTE(review): ACSUrl, SAMLResponse and RelayState are read back from the
        # submitted form rather than from server-side state, so the target of the
        # auto-submit form is whatever the browser sent. Checking ACSUrl against
        # the provider's configured ACS URL would close that gap — confirm whether
        # that comparison happens elsewhere.
        return RedirectToSPView.as_view()(
            request=request,
            acs_url=acs_url,
            saml_response=request.POST.get("SAMLResponse"),
            relay_state=request.POST.get("RelayState"),
        )
class LogoutView(CSRFExemptMixin, AccessRequiredView):
    """Plain (non-SAML) logout endpoint.

    Logs the user out and shows the standard logged-out page, or redirects to
    the ``redirect_to`` query parameter when it validates. SalesForce and others
    use this method, though it's technically not SAML 2.0.
    """

    @staticmethod
    def _is_redirect_target(url: str) -> bool:
        """True when *url* passes URL_VALIDATOR (well-formed, http or https)."""
        try:
            URL_VALIDATOR(url)
        except ValidationError:
            return False
        return True

    # pylint: disable=unused-argument
    def get(self, request: HttpRequest, application: str) -> HttpResponse:
        """End the session, then redirect to ``redirect_to`` if it is a valid http(s) URL."""
        logout(request)
        target = request.GET.get("redirect_to", "")
        # NOTE(review): URL_VALIDATOR only checks syntax and scheme, not the host,
        # so any http(s) site can be named here (an open redirect). If external
        # targets are intended (the SP's own logout page), an allowlist tied to
        # the provider is the usual mitigation — confirm the intended behaviour.
        if self._is_redirect_target(target):
            return redirect(target)
        return render(request, "saml/idp/logged_out.html")
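class SLOLogout(CSRFExemptMixin, AccessRequiredView):
    """Receives a SAML 2.0 LogoutRequest from a Service Provider,
    logs out the user and returns a standard logged-out page."""

    # pylint: disable=unused-argument
    def post(self, request: HttpRequest, application: str) -> HttpResponse:
        """Perform logout.

        Returns:
            The logged-out page, or a 400 when the POST carries no
            ``SAMLRequest`` parameter (the bare ``request.POST[...]`` lookup
            used to raise here and surface as a server error; this mirrors
            the handling in LoginBeginView).
        """
        try:
            request.session["SAMLRequest"] = request.POST["SAMLRequest"]
        except (KeyError, MultiValueDictKeyError):
            return HttpResponseBadRequest("the SAML request payload is missing")
        # TODO: Parse SAML LogoutRequest from POST data, similar to login_process().
        # TODO: Modify the base processor to handle logouts?
        # TODO: Combine this with login_process(), since they are so very similar?
        # TODO: Format a LogoutResponse and return it to the browser.
        # XXX: For now, simply log out without validating the request.
        # NOTE: Django's logout() flushes the session, so the SAMLRequest stored
        # above does not outlive this call; any parsing has to happen before it.
        logout(request)
        return render(request, "saml/idp/logged_out.html")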
class DescriptorDownloadView(AccessRequiredView):
    """Replies with the XML Metadata IDSSODescriptor."""

    def get(self, request: HttpRequest, application: str) -> HttpResponse:
        """Render the IdP metadata document for *application* as an XML download.

        The entity ID, the SSO and SLO endpoints (absolute URLs on this host)
        and the signing certificate body are fed into ``saml/xml/metadata.xml``.
        """

        def absolute(view_name: str) -> str:
            """Absolute URL of *view_name* for this application on the current host."""
            return request.build_absolute_uri(
                reverse(view_name, kwargs={"application": application})
            )

        # The metadata wants the bare base64 body of the PEM certificate, so the
        # PEM header/footer and every line break are stripped.
        cert = self.provider.signing_cert.replace("\r", "")
        pubkey = strip_pem_header(cert).replace("\n", "")
        ctx = {
            "entity_id": self.provider.issuer,
            "cert_public_key": pubkey,
            "slo_url": absolute("passbook_providers_saml:saml-logout"),
            "sso_url": absolute("passbook_providers_saml:saml-login"),
        }
        response = HttpResponse(
            render_to_string("saml/xml/metadata.xml", ctx),
            content_type="application/xml",
        )
        # NOTE(review): the provider name is placed inside the quoted filename
        # unescaped; a '"' in the name would break the header value.
        response["Content-Disposition"] = (
            f'attachment; filename="{self.provider.name}_passbook_meta.xml"'
        )
        return response
class InitiateLoginView(AccessRequiredView):
    """IdP-initiated Login"""

    # pylint: disable=unused-argument
    def get(self, request: HttpRequest, application: str) -> HttpResponse:
        """Initiates an IdP-initiated link to a simple SP resource/target URL."""
        provider = self.provider
        provider.processor.init_deep_link(request, "")
        provider.processor.is_idp_initiated = True
        # _generate_response calls init_deep_link on the processor again; whether
        # that leaves is_idp_initiated set depends on the processor — verify.
        return _generate_response(request, provider)