Merge branch 'knaperek-master' into user-fetching-customization

Author: mhindery

CHANGES

@@ -19,6 +19,10 @@ Thanks to plumdog
 
 Thanks to plumdog
 
+UNRELEASED
+----------
+- Allowed creating Users with multiple required fields.
+
 0.17.1 (2018-07-16)
 ----------
 - A 403 (permission denied) is now raised if a SAMLResponse is replayed, instead of 500.

djangosaml2/backends.py

@@ -138,11 +138,8 @@ def get_or_create_user(self, user_lookup_key, user_lookup_value, create_unknown_
         except UserModel.DoesNotExist:
             # Create new one if desired by settings
             if create_unknown_user:
-                try:
-                    user, created = UserModel.objects.get_or_create(**user_query_args, defaults={user_lookup_key: user_lookup_value})
-                except Exception as e:
-                    logger.error('Could not create new user: %s', e)
-
+                user = UserModel(**user_query_args)
+                created = True
                 if created:
                     logger.debug('New user created: %s', user)
             else:

djangosaml2/tests/__init__.py

@@ -18,7 +18,7 @@
 import datetime
 import re
 import sys
-from unittest import skip
+from unittest import mock, skip
 
 from django.conf import settings
 from django.contrib.auth import SESSION_KEY, get_user_model
@@ -27,15 +27,16 @@
 from django.template import Context, Template
 from django.test import TestCase
 from django.test.client import RequestFactory
+from saml2.config import SPConfig
+from saml2.s_utils import decode_base64_and_inflate, deflate_and_base64_encode
+
 from djangosaml2 import views
 from djangosaml2.cache import OutstandingQueriesCache
 from djangosaml2.conf import get_config
 from djangosaml2.signals import post_authenticated
 from djangosaml2.tests import conf
 from djangosaml2.tests.auth_response import auth_response
 from djangosaml2.views import finish_logout
-from saml2.config import SPConfig
-from saml2.s_utils import decode_base64_and_inflate, deflate_and_base64_encode
 
 try:
     from django.urls import reverse
@@ -519,6 +520,43 @@ def test_idplist_templatetag(self):
 
         self.assertEqual(rendered, expected)
 
+    def test_sigalg_not_passed_when_not_signing_request(self):
+        # monkey patch SAML configuration
+        settings.SAML_CONFIG = conf.create_conf(
+            sp_host='sp.example.com',
+            idp_hosts=['idp.example.com'],
+            metadata_file='remote_metadata_one_idp.xml',
+        )
+
+        with mock.patch(
+            'djangosaml2.views.Saml2Client.prepare_for_authenticate',
+            return_value=('session_id', {'url': 'fake'}),
+
+        ) as prepare_for_auth_mock:
+            self.client.get(reverse('saml2_login'))
+        prepare_for_auth_mock.assert_called_once()
+        _args, kwargs = prepare_for_auth_mock.call_args
+        self.assertNotIn('sigalg', kwargs)
+
+    def test_sigalg_passed_when_signing_request(self):
+        # monkey patch SAML configuration
+        settings.SAML_CONFIG = conf.create_conf(
+            sp_host='sp.example.com',
+            idp_hosts=['idp.example.com'],
+            metadata_file='remote_metadata_one_idp.xml',
+        )
+
+        settings.SAML_CONFIG['service']['sp']['authn_requests_signed'] = True
+        with mock.patch(
+            'djangosaml2.views.Saml2Client.prepare_for_authenticate',
+            return_value=('session_id', {'url': 'fake'}),
+
+        ) as prepare_for_auth_mock:
+            self.client.get(reverse('saml2_login'))
+        prepare_for_auth_mock.assert_called_once()
+        _args, kwargs = prepare_for_auth_mock.call_args
+        self.assertIn('sigalg', kwargs)
+
 
 def test_config_loader(request):
     config = SPConfig()

djangosaml2/tests/attribute-maps/django_saml_uri.py

@@ -0,0 +1,19 @@
+X500ATTR_OID = 'urn:oid:2.5.4.'
+PKCS_9 = 'urn:oid:1.2.840.113549.1.9.1.'
+UCL_DIR_PILOT = 'urn:oid:0.9.2342.19200300.100.1.'
+
+MAP = {
+    'identifier': 'urn:oasis:names:tc:SAML:2.0:attrname-format:uri',
+    'fro': {
+        X500ATTR_OID+'3': 'first_name', # cn
+        X500ATTR_OID+'4': 'last_name', # sn
+        PKCS_9+'1': 'email',
+        UCL_DIR_PILOT+'1': 'uid',
+    },
+    'to': {
+        'first_name': X500ATTR_OID+'3',
+        'last_name': X500ATTR_OID+'4',
+        'email' : PKCS_9+'1',
+        'uid': UCL_DIR_PILOT+'1',
+    }
+}

djangosaml2/views.py

@@ -29,13 +29,20 @@
 from django.utils.http import is_safe_url
 from django.views.decorators.csrf import csrf_exempt
 from django.views.decorators.http import require_POST
-from saml2 import BINDING_HTTP_POST, BINDING_HTTP_REDIRECT
+from saml2 import BINDING_HTTP_REDIRECT, BINDING_HTTP_POST
+from saml2.client_base import LogoutError
+from saml2.metadata import entity_descriptor
 from saml2.ident import code, decode
 from saml2.metadata import entity_descriptor
 from saml2.response import (SignatureError, StatusAuthnFailed, StatusError,
                             StatusNoAuthnContext, StatusRequestDenied,
                             UnsolicitedResponse)
 from saml2.s_utils import UnsupportedBinding
+from saml2.response import (
+    StatusError, StatusAuthnFailed, SignatureError, StatusRequestDenied,
+    UnsolicitedResponse, StatusNoAuthnContext,
+)
+from saml2.mdstore import SourceNotFound
 from saml2.sigver import MissingKey
 from saml2.validate import ResponseLifetimeExceed, ToEarly
 from saml2.xmldsig import (  # support for SHA1 is required by spec
@@ -122,7 +129,15 @@ def login(request,
                     })
 
     selected_idp = request.GET.get('idp', None)
-    conf = get_config(config_loader_path, request)
+    try:
+        conf = get_config(config_loader_path, request)
+    except SourceNotFound as excp:
+        msg = ('Error, IdP EntityID was not found '
+               'in metadata: {}')
+        logger.exception(msg.format(excp))
+        return HttpResponse(msg.format(('Please contact '
+                                        'technical support.')),
+                            status=500)
 
     kwargs = {}
     # pysaml needs a string otherwise: "cannot serialize True (type bool)"
@@ -176,17 +191,18 @@ def login(request,
     logger.debug('Redirecting user to the IdP via %s binding.', binding)
     if binding == BINDING_HTTP_REDIRECT:
         try:
-            # do not sign the xml itself, instead use the sigalg to
-            # generate the signature as a URL param
-            sig_alg_option_map = {'sha1': SIG_RSA_SHA1,
-                                  'sha256': SIG_RSA_SHA256}
-            sig_alg_option = getattr(conf, '_sp_authn_requests_signed_alg', 'sha1')
-            sigalg = sig_alg_option_map[sig_alg_option] if sign_requests else None
             nsprefix = get_namespace_prefixes()
+            if sign_requests:
+                # do not sign the xml itself, instead use the sigalg to
+                # generate the signature as a URL param
+                sig_alg_option_map = {'sha1': SIG_RSA_SHA1,
+                                      'sha256': SIG_RSA_SHA256}
+                sig_alg_option = getattr(conf, '_sp_authn_requests_signed_alg', 'sha1')
+                kwargs["sigalg"] = sig_alg_option_map[sig_alg_option]
             session_id, result = client.prepare_for_authenticate(
                 entityid=selected_idp, relay_state=came_from,
-                binding=binding, sign=False, sigalg=sigalg,
-                nsprefix=nsprefix, **kwargs)
+                binding=binding, sign=False, nsprefix=nsprefix,
+                **kwargs)
         except TypeError as e:
             logger.error('Unable to know which IdP to use')
             return HttpResponse(str(e))
@@ -376,7 +392,13 @@ def logout(request, config_loader_path=None):
             'The session does not contain the subject id for user %s',
             request.user)
 
-    result = client.global_logout(subject_id)
+    try:
+        result = client.global_logout(subject_id)
+    except LogoutError as exp:
+        logger.exception('Error Handled - SLO not supported by IDP: {}'.format(exp))
+        auth.logout(request)
+        state.sync()
+        return HttpResponseRedirect('/')
 
     state.sync()
 

setup.py

@@ -15,7 +15,6 @@
 
 import codecs
 import os
-import sys
 from setuptools import setup, find_packages
 
 
@@ -63,4 +62,8 @@ def read(*rnames):
         'Django>=2.2',
         'pysaml2>=4.6.0',
         ],
+    tests_require=[
+        # Provides assert_called_once.
+        'mock;python_version < "3.6"',
+    ]
     )

tests/testprofiles/models.py

@@ -30,3 +30,13 @@ class StandaloneUserModel(models.Model):
     USERNAME_FIELD.
     """
     username = models.CharField(max_length=30, unique=True)
+
+
+class RequiredFieldUser(models.Model):
+    email = models.EmailField(unique=True)
+    email_verified = models.BooleanField()
+
+    USERNAME_FIELD = 'email'
+
+    def set_unusable_password(self):
+        pass

tests/testprofiles/tests.py

@@ -190,6 +190,26 @@ def test_invalid_model_attribute_log(self):
             logs.output,
         )
 
+    @override_settings(AUTH_USER_MODEL='testprofiles.RequiredFieldUser')
+    def test_create_user_with_required_fields(self):
+        backend = Saml2Backend()
+        attribute_mapping = {
+            'mail': ['email'],
+            'mail_verified': ['email_verified']
+        }
+        attributes = {
+            'mail': ['john@example.org'],
+            'mail_verified': [True],
+        }
+        # User creation does not fail if several fields are required.
+        user = backend._get_or_create_saml2_user(
+            'john@example.org',
+            attributes,
+            attribute_mapping,
+        )
+        self.assertEquals(user.email, 'john@example.org')
+        self.assertIs(user.email_verified, True)
+
     def test_django_user_main_attribute(self):
         old_username_field = User.USERNAME_FIELD
         User.USERNAME_FIELD = 'slug'