SAML to prod

.gitignore

@@ -8,7 +8,9 @@ __pycache__/
 
 ### Project-specific ###
 media/
+certs/
 fetc/ldap_settings.py
+fetc/saml_settings.py
 *.sqlite3
 
 ### Coverage ###

docs/installation/steps.rst

@@ -33,6 +33,7 @@ The following packages needs to be installed:
 	+ libsasl2-dev
 	+ libssl-dev
 	+ gettext
+	+ libpoppler-cpp-dev
 
 2. Prepare Filesystem & Files
 =============================

fetc/saml_settings.example.py

@@ -0,0 +1,90 @@
+"""Copy this file to saml_settings.py if you want to use local SAML
+
+This will 1) enable SAML in settings.py and 2) configure the SAML library to
+use your local Development IdP.
+
+For more information on the DevIdP, please consult its Github page:
+https://github.com/CentreForDigitalHumanities/Development-IdP
+
+You'll also need some certs, this code assumes they are located in a 'certs'
+dir at the project-root. These certs can either be borrowed from the Dev-IdP
+project or generated by hand. For the latter, see the CDH Docs.
+
+These certs are used for signing the SAML data from this app to the IdP.
+
+For detailed documentation on SAML and the CDH Federated Auth library, please
+consult the CDH Federated Authentication docs:
+https://centrefordigitalhumanities.github.io/Federated-Authentication-Docs/
+"""
+import os
+
+# Import all default SAML settings from the library, we override some later
+# Tip: the imported file also contains a lot of docs, which might be nice to
+# read also
+from cdh.federated_auth.saml.settings import *
+
+# Used to get the full path of <project_root>
+_BASE_DIR = os.path.dirname(os.path.dirname(__file__))
+
+# This dict is used to map attributes send by the IdP to the attributes used
+# in this app's user model. They key is the name of the attribute as sent by
+# the IdP, the value is a tuple with the name of the field on the user model
+# See also:
+# https://djangosaml2.readthedocs.io/contents/setup.html#users-attributes-and-account-linking
+SAML_ATTRIBUTE_MAPPING = {
+    'uuShortID':  ('username',),
+    'mail':     ('email',),
+    'givenName': ('first_name',),
+    'uuPrefixedSn':  ('last_name',),
+    # TODO: create an attribute on the user model to store this value
+    # 'uuLegacyDepartment':  (),
+}
+
+# Controls which mechanism is used to exchange SAML data with the IdP
+# Either POST or REDIRECT. POST is generally preferred, as REDIRECT can run
+# into problems as it encodes the SAML data into the URL.
+SAML_DEFAULT_BINDING = saml2.BINDING_HTTP_POST
+
+# Use the helper function to generate the SAML_CONFIG.
+# This is the main setting used to set up SAML
+SAML_CONFIG = create_saml_config(
+    # This should be the URL of the ethics app (with protocol). Currently
+    # localhost, port 8000. Please change if you run the app on a different
+    # hostname/port
+    # Note that localhost and 127.0.0.1 are not interchangeable here
+    base_url='http://localhost:8000/',
+    # The name of the app, does not _really_ matter
+    name='FEtC-H Portal',
+    # The full location of the private key of the cert, currently
+    # <project_root>/certs/private.key
+    key_file=os.path.join(_BASE_DIR, 'certs/private.key'),
+    # The full location of the certificate, currently
+    # <project_root>/certs/private.key
+    cert_file=os.path.join(_BASE_DIR, 'certs/public.cert'),
+    # The location of the IdP's metadata
+    # The current value is valid for the Development IdP, if run at port 7000
+    # If you run it in a different place/port, please update
+    # If you use a different IdP, find its metadata URL and copy/paste it here
+    idp_metadata='http://localhost:7000/saml/idp/metadata/',
+    # If set to True, the app will allow login attempts not requested by the app
+    # This _can_ happen if a user logs in directly from the IdP. Currently set
+    # to true, as the DevIdP can sometimes do funky stuff with the session ID
+    allow_unsolicited=True,
+    # A list of attributes the IdP needs to provide for the app to authenticate
+    # Uses the naming of the IdP, not the internal names in Django
+    required_attributes=['uuShortID', 'mail', 'givenName', 'uuPrefixedSn'],
+    # A list of nice-to-have attributes from the IdP
+    # Uses the naming of the IdP, not the internal names in Django
+    optional_attributes=['uuLegacyDepartment', ],
+    # Contact info for this app; will be added to the app's metadata and is
+    # generally used by the IdP admins to contact all app-admins if they change
+    # something.
+    contact_given_name='Humanities IT Portal Development',
+    contact_email='[email protected]',
+)
+
+# Add the SAML auth backend to the list of enabled backends.
+AUTHENTICATION_BACKENDS = (
+    'django.contrib.auth.backends.ModelBackend',
+    'djangosaml2.backends.Saml2Backend',
+)

fetc/settings.py

@@ -11,6 +11,7 @@
 """
 import os
 
+from django.urls import reverse_lazy
 from django.utils.translation import ugettext_lazy as _
 
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
@@ -28,7 +29,7 @@
 
 # Application definition
 
-INSTALLED_APPS = (
+INSTALLED_APPS = [
     'django.contrib.auth',
     'django.contrib.contenttypes',
     'django.contrib.sessions',
@@ -56,9 +57,9 @@
 
     'django.contrib.admin',
     'django_user_agents',
-)
+]
 
-MIDDLEWARE = (
+MIDDLEWARE = [
     'debug_toolbar.middleware.DebugToolbarMiddleware',
     'django.contrib.sessions.middleware.SessionMiddleware',
     'django.middleware.locale.LocaleMiddleware',
@@ -70,7 +71,7 @@
     'django.middleware.security.SecurityMiddleware',
     'django_user_agents.middleware.UserAgentMiddleware',
     'impersonate.middleware.ImpersonateMiddleware',
-)
+]
 
 TEMPLATES = [
     {
@@ -92,6 +93,16 @@
 
 LOGIN_REDIRECT_URL = '/'
 
+# Determines what login options are displayed on the landing page. NOTE: this
+# does not determine which login screen is actually used as default when using
+# a LoginRequiredMixin or similar.
+# Django login is also used by LDAP auth
+# SHOW_SAML_LOGIN is set to true if saml_settings.py is present and loaded
+SHOW_DJANGO_LOGIN = True
+SHOW_SAML_LOGIN = False
+# Debug option, adds a label to the buttons. Otherwise, the buttons are
+# identical
+SHOW_LOGIN_DESCRIPTORS = DEBUG
 
 # Database
 # https://docs.djangoproject.com/en/1.8/ref/settings/#databases
@@ -171,3 +182,16 @@
     from .ldap_settings import *
 except ImportError:
     print('Proceeding without LDAP settings')
+
+try:
+    from .saml_settings import *
+
+    # Only add stuff to settings if we actually have SAML settings
+    INSTALLED_APPS += SAML_APPS
+    MIDDLEWARE += SAML_MIDDLEWARE
+
+    LOGIN_URL = reverse_lazy('saml-login')
+    SHOW_SAML_LOGIN = True
+
+except ImportError:
+    print('Proceeding without SAML settings')

fetc/urls.py

@@ -19,8 +19,9 @@
 
 
 urlpatterns = [
+    # Always keep the default login view available, just to be sure
+    # We set the correct login view (this or SAML) in settings
     path('accounts/login/', auth_views.LoginView.as_view(), name='login'),
-    path('accounts/logout/', auth_views.LogoutView.as_view(), name='logout'),
 
     # Access user uploads
     path('media/<str:filename>',
@@ -52,6 +53,28 @@
         path('__debug__/', include(debug_toolbar.urls)),
     )
 
+# If SAML is enabled, add the required URL patterns for SAML
+if 'cdh.federated_auth' in settings.INSTALLED_APPS:
+    from djangosaml2.views import LoginView
+    from cdh.federated_auth.saml.views import LogoutInitView
+
+    urlpatterns.extend([
+        path('saml/login/', LoginView.as_view(), name='saml-login'),
+        # We can only have one logout view. Luckily, the SAML logout view can
+        # handle local accounts as well.
+        path('saml/logout/', LogoutInitView.as_view(), name='logout'),
+        path('saml/', include('djangosaml2.urls')),
+    ])
+else:
+    # If not, append the default logout-view
+    urlpatterns.append(
+        path(
+            'accounts/logout/',
+            auth_views.LogoutView.as_view(),
+            name='logout'
+        ),
+    )
+
 admin.site.site_header = 'FETC-GW'
 admin.site.site_title = 'FETC-GW administratie'
 admin.site.index_title = 'FETC-GW administratie'