sources/saml(major): add saml SP

2019-11-07 17:02:56 +01:00
parent 3bd56ce522
commit dabce36667
22 changed files with 610 additions and 0 deletions
--- a/passbook/sources/saml/templates/saml/sp/login.html
+++ b/passbook/sources/saml/templates/saml/sp/login.html
@ -0,0 +1,27 @@
+{% extends "login/base.html" %}
+
+{% load utils %}
+{% load i18n %}
+
+{% block title %}
+{% title 'Authorize Application' %}
+{% endblock %}
+
+{% block card %}
+<header class="login-pf-header">
+    <h1>{% trans 'Authorize Application' %}</h1>
+</header>
+<form method="POST" action="{{ request_url }}">
+    {% csrf_token %}
+    <input type="hidden" name="SAMLRequest" value="{{ request }}" />
+    <input type="hidden" name="RelayState" value="{{ token }}" />
+    <div class="login-group">
+        <h3>
+            {% blocktrans with remote=source.name %}
+            You're about to sign-in via {{ remote }}
+            {% endblocktrans %}
+        </h3>
+        <input class="btn btn-primary btn-block btn-lg" type="submit" value="{% trans 'Continue' %}" />
+    </div>
+</form>
+{% endblock %}
--- a/passbook/sources/saml/templates/saml/sp/sso_single_logout.html
+++ b/passbook/sources/saml/templates/saml/sp/sso_single_logout.html
@ -0,0 +1,19 @@
+{% extends "saml/sp/base.html" %}
+
+{% block content %}
+You are now logged out of this Service Provider.<br />
+{% if idp_logout_url %}
+You are still logged into your Identity Provider.
+You should logout of your Identity Provider here:<br />
+<a href="{{ idp_logout_url }}">{{ idp_logout_url }}</a>
+{#XXX: Maybe this should happen as a redirect, rather than as javascript. #}
+{% if autosubmit %}
+<script language="javascript">
+<!--
+/* Automatically submit the form. */
+document.location.href = '{{ idp_logout_url }}';
+//-->
+</script>
+{% endif %}
+{% endif %}
+{% endblock content %}
--- a/passbook/sources/saml/templates/saml/sp/xml/authn_request.xml
+++ b/passbook/sources/saml/templates/saml/sp/xml/authn_request.xml
@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+    <samlp:AuthnRequest AssertionConsumerServiceURL="{{ ACS_URL }}"
+            Destination="{{ DESTINATION }}"
+            ID="{{ AUTHN_REQUEST_ID }}"
+            IssueInstant="{{ ISSUE_INSTANT }}"
+            ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+            Version="2.0"
+            xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
+        <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">{{ ISSUER }}</saml:Issuer>
+        {{ AUTHN_REQUEST_SIGNATURE }}
+</samlp:AuthnRequest>
--- a/passbook/sources/saml/templates/saml/sp/xml/signature.xml
+++ b/passbook/sources/saml/templates/saml/sp/xml/signature.xml
@ -0,0 +1,9 @@
+<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    {{ SIGNED_INFO }}
+    <ds:SignatureValue>{{ RSA_SIGNATURE }}</ds:SignatureValue>
+    <ds:KeyInfo>
+        <ds:X509Data>
+            <ds:X509Certificate>{{ CERTIFICATE }}</ds:X509Certificate>
+        </ds:X509Data>
+    </ds:KeyInfo>
+</ds:Signature>
--- a/passbook/sources/saml/templates/saml/sp/xml/signed_info.xml
+++ b/passbook/sources/saml/templates/saml/sp/xml/signed_info.xml
@ -0,0 +1,12 @@
+<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
+    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
+    <ds:Reference URI="#${REFERENCE_URI}">
+        <ds:Transforms>
+            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
+            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
+        </ds:Transforms>
+        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
+        <ds:DigestValue>{{ SUBJECT_DIGEST }}</ds:DigestValue>
+    </ds:Reference>
+</ds:SignedInfo>
--- a/passbook/sources/saml/templates/saml/sp/xml/spssodescriptor.xml
+++ b/passbook/sources/saml/templates/saml/sp/xml/spssodescriptor.xml
@ -0,0 +1,70 @@
+<md:EntityDescriptor
+  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
+  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
+  entityID="{{ entity_id }}">
+  <md:SPSSODescriptor
+    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
+    <md:KeyDescriptor use="signing">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>{{ cert_public_key }}</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+    <md:KeyDescriptor use="encryption">
+      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
+        <ds:X509Data>
+          <ds:X509Certificate>{{ cert_public_key }}</ds:X509Certificate>
+        </ds:X509Data>
+      </ds:KeyInfo>
+    </md:KeyDescriptor>
+    <md:NameIDFormat>
+      urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
+    </md:NameIDFormat>
+    <md:AssertionConsumerService isDefault="true" index="0"
+      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
+      Location="{{ acs_url }}"/>
+{% comment %}
+<!-- Other bits that we might need. -->
+<!-- Ref: saml-metadata-2.0-os.pdf, pg 10, section 2.3... -->
+    <md:NameIDFormat>
+      urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+    </md:NameIDFormat>
+    <md:ArtifactResolutionService isDefault="true" index="0"
+      Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
+      Location="https://sp.example.com/SAML2/ArtifactResolution"/>
+    <md:AssertionConsumerService index="1"
+      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
+      Location="https://sp.example.com/SAML2/Artifact"/>
+    <md:AttributeConsumingService isDefault="true" index="1">
+      <md:ServiceName xml:lang="en">
+        Service Provider Portal
+      </md:ServiceName>
+      <md:RequestedAttribute
+        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
+        Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
+        FriendlyName="eduPersonAffiliation">
+      </md:RequestedAttribute>
+    </md:AttributeConsumingService>
+{% endcomment %}
+  </md:SPSSODescriptor>
+{% comment %}
+<!-- #TODO: Add support for optional Organization section -->
+{# if org #}
+  <md:Organization>
+    <md:OrganizationName xml:lang="en">{{ org.name }}</md:OrganizationName>
+    <md:OrganizationDisplayName xml:lang="en">{{ org.display_name }}</md:OrganizationDisplayName>
+    <md:OrganizationURL xml:lang="en">{{ org.url }}</md:OrganizationURL>
+  </md:Organization>
+{# endif #}
+<!-- #TODO: Add support for optional ContactPerson section(s) -->
+{# for contact in contacts #}
+  <md:ContactPerson contactType="{{ contact.type }}">
+    <md:GivenName>{{ contact.given_name }}</md:GivenName>
+    <md:SurName>{{ contact.sur_name }}</md:SurName>
+    <md:EmailAddress>{{ contact.email }}</md:EmailAddress>
+  </md:ContactPerson>
+{# endfor #}
+{% endcomment %}
+</md:EntityDescriptor>