authentik/passbook/providers/saml/views.py

294 lines
11 KiB
Python
Raw Normal View History

2018-11-16 08:10:35 +00:00
"""passbook SAML IDP Views"""
from typing import Optional
2018-12-16 16:09:26 +00:00
from django.contrib.auth import logout
from django.contrib.auth.mixins import AccessMixin
2018-11-16 08:10:35 +00:00
from django.core.exceptions import ValidationError
from django.core.validators import URLValidator
from django.http import HttpRequest, HttpResponse
2018-12-16 16:09:26 +00:00
from django.shortcuts import get_object_or_404, redirect, render, reverse
2018-11-16 08:10:35 +00:00
from django.utils.datastructures import MultiValueDictKeyError
from django.utils.decorators import method_decorator
from django.utils.html import mark_safe
2019-03-08 20:43:33 +00:00
from django.utils.translation import gettext as _
2018-12-16 16:09:26 +00:00
from django.views import View
from django.views.decorators.csrf import csrf_exempt
from signxml.util import strip_pem_header
2019-10-01 09:24:10 +01:00
from structlog import get_logger
from passbook.audit.models import Event, EventAction
from passbook.core.models import Application, Provider
2018-11-16 10:41:14 +00:00
from passbook.lib.utils.template import render_to_string
from passbook.lib.views import bad_request_message
2019-10-07 15:33:48 +01:00
from passbook.policies.engine import PolicyEngine
from passbook.providers.saml.exceptions import CannotHandleAssertion
2019-10-07 15:33:48 +01:00
from passbook.providers.saml.models import SAMLProvider
from passbook.providers.saml.processors.types import SAMLResponseParams
2018-11-16 08:10:35 +00:00
LOGGER = get_logger()
2019-12-31 11:51:16 +00:00
URL_VALIDATOR = URLValidator(schemes=("http", "https"))
SESSION_KEY_SAML_REQUEST = "SAMLRequest"
SESSION_KEY_SAML_RESPONSE = "SAMLResponse"
SESSION_KEY_RELAY_STATE = "RelayState"
SESSION_KEY_PARAMS = "SAMLParams"
2018-11-16 08:10:35 +00:00
class AccessRequiredView(AccessMixin, View):
2018-12-26 20:56:08 +00:00
"""Mixin class for Views using a provider instance"""
_provider: Optional[SAMLProvider] = None
@property
def provider(self) -> SAMLProvider:
2018-12-26 20:56:08 +00:00
"""Get provider instance"""
if not self._provider:
2019-12-31 11:51:16 +00:00
application = get_object_or_404(
Application, slug=self.kwargs["application"]
)
provider: SAMLProvider = get_object_or_404(
SAMLProvider, pk=application.provider_id
)
self._provider = provider
return self._provider
return self._provider
def _has_access(self) -> bool:
"""Check if user has access to application"""
2019-12-31 11:51:16 +00:00
policy_engine = PolicyEngine(
self.provider.application.policies.all(), self.request.user, self.request
)
policy_engine.build()
passing = policy_engine.passing
LOGGER.debug(
"saml_has_access",
user=self.request.user,
app=self.provider.application,
passing=passing,
)
return passing
2020-02-17 14:40:49 +00:00
def dispatch(self, request: HttpRequest, *args, **kwargs) -> HttpResponse:
if not request.user.is_authenticated:
return self.handle_no_permission()
if not self._has_access():
2019-12-31 11:51:16 +00:00
return render(
request,
"login/denied.html",
{"title": _("You don't have access to this application"),},
2019-12-31 11:51:16 +00:00
)
return super().dispatch(request, *args, **kwargs)
class LoginBeginView(AccessRequiredView):
2018-11-16 10:41:14 +00:00
"""Receives a SAML 2.0 AuthnRequest from a Service Provider and
stores it in the session prior to enforcing login."""
2018-11-16 08:10:35 +00:00
2019-02-27 10:20:52 +00:00
@method_decorator(csrf_exempt)
2020-02-17 14:40:49 +00:00
def dispatch(self, request: HttpRequest, application: str) -> HttpResponse:
2019-12-31 11:51:16 +00:00
if request.method == "POST":
2018-12-16 16:09:26 +00:00
source = request.POST
else:
source = request.GET
2018-11-16 08:10:35 +00:00
# Store these values now, because Django's login cycle won't preserve them.
2018-12-16 16:09:26 +00:00
try:
request.session[SESSION_KEY_SAML_REQUEST] = source[SESSION_KEY_SAML_REQUEST]
2018-12-16 16:09:26 +00:00
except (KeyError, MultiValueDictKeyError):
return bad_request_message(request, "The SAML request payload is missing.")
2018-11-16 08:10:35 +00:00
request.session[SESSION_KEY_RELAY_STATE] = source.get(
SESSION_KEY_RELAY_STATE, ""
)
try:
self.provider.processor.can_handle(request)
params = self.provider.processor.generate_response()
request.session[SESSION_KEY_PARAMS] = params
except CannotHandleAssertion as exc:
LOGGER.error(exc)
did_you_mean_link = request.build_absolute_uri(
reverse(
"passbook_providers_saml:saml-login-initiate",
kwargs={"application": application},
)
)
did_you_mean_message = (
f" Did you mean to go <a href='{did_you_mean_link}'>here</a>?"
)
return bad_request_message(
request, mark_safe(str(exc) + did_you_mean_message)
)
return redirect(
reverse(
"passbook_providers_saml:saml-login-authorize",
kwargs={"application": application},
)
)
class InitiateLoginView(AccessRequiredView):
"""IdP-initiated Login"""
def get(self, request: HttpRequest, application: str) -> HttpResponse:
"""Initiates an IdP-initiated link to a simple SP resource/target URL."""
self.provider.processor.is_idp_initiated = True
self.provider.processor.init_deep_link(request)
params = self.provider.processor.generate_response()
request.session[SESSION_KEY_PARAMS] = params
2019-12-31 11:51:16 +00:00
return redirect(
reverse(
"passbook_providers_saml:saml-login-authorize",
2019-12-31 11:51:16 +00:00
kwargs={"application": application},
)
)
2018-11-16 08:10:35 +00:00
2018-12-16 16:09:26 +00:00
class AuthorizeView(AccessRequiredView):
"""Ask the user for authorization to continue to the SP.
Presents a SAML 2.0 Assertion for POSTing back to the Service Provider."""
2018-11-16 08:10:35 +00:00
def get(self, request: HttpRequest, application: str) -> HttpResponse:
"""Handle get request, i.e. render form"""
# User access gets checked in dispatch
# Otherwise we generate the IdP initiated session
try:
# application.skip_authorization is set so we directly redirect the user
if self.provider.application.skip_authorization:
LOGGER.debug("skipping authz", application=self.provider.application)
return self.post(request, application)
return render(
request,
"saml/idp/login.html",
{"provider": self.provider, "title": "Authorize Application",},
)
except KeyError:
return bad_request_message(request, "Missing SAML Payload")
# pylint: disable=unused-argument
2020-02-17 14:40:49 +00:00
def post(self, request: HttpRequest, application: str) -> HttpResponse:
"""Handle post request, return back to ACS"""
# User access gets checked in dispatch
# we get here when skip_authorization is True, and after the user accepted
# the authorization form
# Log Application Authorization
Event.new(
EventAction.AUTHORIZE_APPLICATION,
authorized_application=self.provider.application,
skipped_authorization=self.provider.application.skip_authorization,
).from_http(self.request)
self.request.session.pop(SESSION_KEY_SAML_REQUEST, None)
self.request.session.pop(SESSION_KEY_SAML_RESPONSE, None)
self.request.session.pop(SESSION_KEY_RELAY_STATE, None)
response: SAMLResponseParams = self.request.session.pop(SESSION_KEY_PARAMS)
return render(
self.request,
"saml/idp/autosubmit_form.html",
{
"url": response.acs_url,
"attrs": {
"ACSUrl": response.acs_url,
SESSION_KEY_SAML_RESPONSE: response.saml_response,
SESSION_KEY_RELAY_STATE: response.relay_state,
},
},
)
2018-12-16 16:09:26 +00:00
2020-02-18 21:28:47 +00:00
@method_decorator(csrf_exempt, name="dispatch")
class LogoutView(AccessRequiredView):
2018-11-16 10:41:14 +00:00
"""Allows a non-SAML 2.0 URL to log out the user and
2018-11-16 08:10:35 +00:00
returns a standard logged-out page. (SalesForce and others use this method,
2018-11-16 10:41:14 +00:00
though it's technically not SAML 2.0)."""
2018-11-16 08:10:35 +00:00
# pylint: disable=unused-argument
2020-02-17 14:40:49 +00:00
def get(self, request: HttpRequest, application: str) -> HttpResponse:
2018-12-16 16:09:26 +00:00
"""Perform logout"""
logout(request)
2018-11-16 08:10:35 +00:00
2019-12-31 11:51:16 +00:00
redirect_url = request.GET.get("redirect_to", "")
2018-11-16 08:10:35 +00:00
2018-12-16 16:09:26 +00:00
try:
URL_VALIDATOR(redirect_url)
except ValidationError:
pass
else:
return redirect(redirect_url)
2018-11-16 08:10:35 +00:00
2019-12-31 11:51:16 +00:00
return render(request, "saml/idp/logged_out.html")
2018-11-16 08:10:35 +00:00
2018-12-16 16:09:26 +00:00
2020-02-18 21:28:47 +00:00
@method_decorator(csrf_exempt, name="dispatch")
class SLOLogout(AccessRequiredView):
2018-11-16 10:41:14 +00:00
"""Receives a SAML 2.0 LogoutRequest from a Service Provider,
logs out the user and returns a standard logged-out page."""
2018-12-16 16:09:26 +00:00
# pylint: disable=unused-argument
2020-02-17 14:40:49 +00:00
def post(self, request: HttpRequest, application: str) -> HttpResponse:
2018-12-16 16:09:26 +00:00
"""Perform logout"""
request.session[SESSION_KEY_SAML_REQUEST] = request.POST[
SESSION_KEY_SAML_REQUEST
]
2018-12-16 16:09:26 +00:00
# TODO: Parse SAML LogoutRequest from POST data, similar to login_process().
# TODO: Modify the base processor to handle logouts?
# TODO: Combine this with login_process(), since they are so very similar?
# TODO: Format a LogoutResponse and return it to the browser.
# XXX: For now, simply log out without validating the request.
logout(request)
2019-12-31 11:51:16 +00:00
return render(request, "saml/idp/logged_out.html")
2018-12-16 16:09:26 +00:00
class DescriptorDownloadView(AccessRequiredView):
2018-11-16 10:41:14 +00:00
"""Replies with the XML Metadata IDSSODescriptor."""
2018-12-16 16:09:26 +00:00
@staticmethod
def get_metadata(request: HttpRequest, provider: SAMLProvider) -> str:
"""Return rendered XML Metadata"""
entity_id = provider.issuer
2019-12-31 11:51:16 +00:00
slo_url = request.build_absolute_uri(
reverse(
"passbook_providers_saml:saml-logout",
kwargs={"application": provider.application.slug},
2019-12-31 11:51:16 +00:00
)
)
sso_post_url = request.build_absolute_uri(
2019-12-31 11:51:16 +00:00
reverse(
"passbook_providers_saml:saml-login",
kwargs={"application": provider.application.slug},
2019-12-31 11:51:16 +00:00
)
)
pubkey = strip_pem_header(provider.signing_cert.replace("\r", "")).replace(
2019-12-31 11:51:16 +00:00
"\n", ""
)
subject_format = provider.processor.subject_format
2018-12-16 16:09:26 +00:00
ctx = {
2019-12-31 11:51:16 +00:00
"entity_id": entity_id,
"cert_public_key": pubkey,
"slo_url": slo_url,
# Currently, the same endpoint accepts POST and REDIRECT
"sso_post_url": sso_post_url,
"sso_redirect_url": sso_post_url,
"subject_format": subject_format,
2018-12-16 16:09:26 +00:00
}
return render_to_string("saml/xml/metadata.xml", ctx)
# pylint: disable=unused-argument
def get(self, request: HttpRequest, application: str) -> HttpResponse:
"""Replies with the XML Metadata IDSSODescriptor."""
try:
metadata = DescriptorDownloadView.get_metadata(request, self.provider)
except Provider.application.RelatedObjectDoesNotExist: # pylint: disable=no-member
return bad_request_message(
request, "Provider is not assigned to an application."
)
else:
response = HttpResponse(metadata, content_type="application/xml")
response[
"Content-Disposition"
] = f'attachment; filename="{self.provider.name}_passbook_meta.xml"'
return response