From dbc788a3658747d0745f9e6b28f15f6f0f27ee31 Mon Sep 17 00:00:00 2001
From: peppelinux
Date: Fri, 18 Jun 2021 09:35:08 +0200
Subject: [PATCH] fix: Documentation typos
---
 docs/contents/attribute_release.rst | 2 +-
 docs/contents/management_commands.rst | 2 +-
 docs/contents/migrate_from_shibidp.rst | 7 ++--
 uniauth_saml2_idp/views.py | 46 +++++++++++++++-----------
 4 files changed, 32 insertions(+), 25 deletions(-)
diff --git a/docs/contents/attribute_release.rst b/docs/contents/attribute_release.rst
index ff0ba52..5f07e70 100644
--- a/docs/contents/attribute_release.rst
+++ b/docs/contents/attribute_release.rst
@@ -1,7 +1,7 @@
 Attribute releases
 ^^^^^^^^^^^^^^^^^^
-By default IdP will only release required Attributes defined in each SP metadata (isRequired=True), if they are available. Otherwise IdP will release a default attribute map, defined in settings parameters.
+By default IdP will only release required Attributes defined in each SP metadata (isRequired=True or EntityCategories), if they are available. Otherwise the IdP will release a default attribute set, defined in settings parameters.
 It can also force some attribute release by checking ``force_attribute_release`` into each SP configuration. Every SP can use a specific Attribute Processor, you can even customize a brand new one in an application that can be easily installed into ``django_idp.settingslocal.INSTALLED_APPS``.
diff --git a/docs/contents/management_commands.rst b/docs/contents/management_commands.rst
index 2eb8c7b..fa343e3 100644
--- a/docs/contents/management_commands.rst
+++ b/docs/contents/management_commands.rst
@@ -19,7 +19,7 @@ This feature will let us check wich attributes will be released to a specified S
 ::
- ./manage.py aacli -u joe -e https://sptest.auth.unical.it/saml2
+ ./manage.py aacli -u mario -e https://sptest.auth.unical.it/saml2
 example output::
diff --git a/docs/contents/migrate_from_shibidp.rst b/docs/contents/migrate_from_shibidp.rst
index bc2f62e..b1c2398 100644
--- a/docs/contents/migrate_from_shibidp.rst
+++ b/docs/contents/migrate_from_shibidp.rst
@@ -4,7 +4,7 @@ Migrate from Shibboleth IdP
 Here a brief description of the general steps to do for migrating an existing Shibboleth IdP to uniAuth, carrying the same configuration.
 We have migrate from Shibboleth IdP 3.4.6 to uniAuth v2.0.0, here the steps we made to achieve this goal:
-1. copy SAML2 certificates shibboleth idp SAML, in `credentials/` in your pysaml2 configuration.
+1. copy SAML2 certificates shibboleth idp SAML, from `credentials/` to your pysaml2 configuration.
 2. Standing on Shibboleth metadata, in `metadata/idp-metadata.xml`, place the same Service Endpoints urls to your project's urls file::
 if 'uniauth_saml2_idp' in settings.INSTALLED_APPS:
@@ -15,13 +15,14 @@ We have migrate from Shibboleth IdP 3.4.6 to uniAuth v2.0.0, here the steps we m
 name="saml_login_binding"),
 urlpatterns += path('idp/profile/SAML2//SLO', LogoutProcessView.as_view(), name="saml_logout_binding"),
+ urlpatterns += path('idp/shibboleth/', metadata, name='saml2_idp_metadata'),
 urlpatterns += path( 'idp/', include((uniauth_saml2_idp.urls, 'uniauth_saml2_idp',)) ),
-3. Configure the same entityID.
+3. Configure the same entityID in your pysaml2 configuration.
 4. Migrate the existing Shibboleth IdP `conf/attribute-filters.xml` (and any other available in `conf/services.xml`) to uniauth SP definitions (ModelAdmin or settings.py).
-5. If you use LDAP: Configure PyMultiLDAP rewrite rules and pattern matching standing on the Attributes defined in `conf/attribute-resolver.xml` (and any other available in `conf/services.xml).
+5. If you use LDAP: Configure PyMultiLDAP rewrite rules and pattern matching, standing on the Attributes defined in `conf/attribute-resolver.xml` (and any other available in `conf/services.xml).
 6. Configure your metadata store (ModelAdmin or settings.py). It's suggested to use a MDQ Server for loading large federation xml files, as to be with eduGain.
 7. Use uniauth `aacli` and `mdquery` commands to check the availability of Entities and the attribute to be released to them.
diff --git a/uniauth_saml2_idp/views.py b/uniauth_saml2_idp/views.py
index 41cfac4..f9f5439 100644
--- a/uniauth_saml2_idp/views.py
+++ b/uniauth_saml2_idp/views.py
@@ -165,8 +165,10 @@ def dispatch(self, request, *args, **kwargs):
 # Force Authn check
 if self.saml_request.message.force_authn:
 logout(request)
- msg = "SSO AuthnRequest [force_authn=True]: {} [{}]".format(self.saml_request.message.issuer.text,
- self.saml_request.message.id)
+ msg = "SSO AuthnRequest [force_authn=True]: {} [{}]".format(
+ self.saml_request.message.issuer.text,
+ self.saml_request.message.id
+ )
 logger.info(msg)
 request.saml_session['message_id'] = self.saml_request.message.id
@@ -476,14 +478,14 @@ def build_authn_response(self, user, authn, resp_args):
 # talking logs
 msg = (
 'SSO AuthnResponse [{}] to {} [{}]: {} attrs ({}) on {} filtered by policy')
- self.request.saml_session['authn_log'] = msg.format(name_id.format,
- self.sp['id'],
- self.request.saml_session.get(
- 'message_id'),
- len(ava),
- ','.join(
- ava.keys()),
- len(identity))
+ self.request.saml_session['authn_log'] = msg.format(
+ name_id.format,
+ self.sp['id'],
+ self.request.saml_session.get('message_id'),
+ len(ava),
+ ','.join(ava.keys()),
+ len(identity)
+ )
 logger.info(self.request.saml_session['authn_log'])
 self.request.saml_session['identity'] = ava
@@ -510,7 +512,7 @@ def build_authn_response(self, user, authn, resp_args):
 resp_args['encrypt_cert_assertion'] = sp_enc_cert[0]
 resp_args['encrypt_cert_advice'] = sp_enc_cert[0]
- # PREFIM won't work with shibboleth
+ # PREFIM here won't work with shibboleth
 # WARN Shibboleth.AttributeResolver.Query [4] [default]: no SAML 2 AttributeAuthority role found in metadata
 # resp_args['pefim'] = 1
 # END ENCRYPTED ASSERTION
@@ -589,9 +591,10 @@ def render_response(self, request, html_response):
 request.saml_session['sp_entity_id'] = self.sp['id']
 # Conditions for showing user agreement screen
- user_agreement_enabled_for_sp = self.sp['config'].get('show_user_agreement_screen',
- getattr(settings,
- "SAML_IDP_SHOW_USER_AGREEMENT_SCREEN"))
+ user_agreement_enabled_for_sp = self.sp['config'].get(
+ 'show_user_agreement_screen',
+ getattr(settings, "SAML_IDP_SHOW_USER_AGREEMENT_SCREEN")
+ )
 agreement_for_sp = AgreementRecord.objects.filter(user=request.user,
 sp_entity_id=self.sp['id']).first()
@@ -648,18 +651,21 @@ def form_valid(self, form):
 authn_issue_instant = self.request.saml_session['issue_instant']
 for tformat in settings.SAML2_DATETIME_FORMATS:
 try:
- issue_instant = timezone.datetime.strptime(authn_issue_instant,
- tformat)
+ issue_instant = timezone.datetime.strptime(
+ authn_issue_instant, tformat
+ )
 break
 except Exception as e:
- logger.debug('{} not parseable with {}: {}'.format(authn_issue_instant,
- tformat, e))
+ logger.debug('{} not parseable with {}: {}'.format(
+ authn_issue_instant, tformat, e)
+ )
 # end check
 mins = getattr(settings, 'SESSION_COOKIE_AGE', 600)
 dt_check = None
 try:
- dt_check = issue_instant < timezone.make_naive((now - datetime.timedelta(minutes=mins)),
- timezone.get_current_timezone())
+ dt_check = issue_instant < timezone.make_naive(
+ (now - datetime.timedelta(minutes=mins)),
+ timezone.get_current_timezone())
 except Exception as e:
 logger.error('Issue instant time comparison failed: {}'.format(e))
 if dt_check:
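Review bot: In the form_valid hunk the issue-instant age check fails open: when none of settings.SAML2_DATETIME_FORMATS parses authn_issue_instant, `issue_instant` is never bound, the comparison in the second try raises, the broad `except Exception` only logs it and `dt_check` stays None, so whatever the `if dt_check:` branch enforces is skipped for an unparseable instant. Initialise `issue_instant = None` before the loop and, before the comparison, treat an unparsed value as a failed check, e.g. `if issue_instant is None: dt_check = True` (presumably a truthy dt_check is the reject path — confirm against the branch below, which lies outside the hunk); narrowing both except clauses to `(TypeError, ValueError)` would also keep unrelated errors from taking the same silent path. Separately, `mins = getattr(settings, 'SESSION_COOKIE_AGE', 600)` is passed as `minutes=` to timedelta, while Django's SESSION_COOKIE_AGE is expressed in seconds, so unless this project redefines that setting the accepted window is far wider than the variable name suggests; a dedicated setting with the unit in its name would be clearer. The removed lines show the same structure, so this is pre-existing rather than introduced here, and form_valid begins and ends outside the hunk.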