Merge dev for create release 0.8.0

.github/workflows/python-app.yml

@@ -40,12 +40,11 @@ jobs:
       run: |
         python -m pip install --upgrade pip
         if [ -f requirements-dev.txt ]; then pip install -r requirements-dev.txt; fi
-        if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
         #
         # force pplnx's pysaml2 due to spid-sp-test requirements
         #
         pip uninstall -y pysaml2
-        pip install --no-cache --upgrade git+https://github.com/peppelinux/pysaml2.git@pplnx-v6.5.1#pysaml2
+        pip install --no-cache --upgrade git+https://github.com/peppelinux/pysaml2.git@pplnx-7.0.1#pysaml2
     - name: Lint with flake8
       run: |
         # stop the build if there are Python syntax errors or undefined names
@@ -65,10 +64,9 @@ jobs:
     - name: Test SPID QA with spid-sp-test
       working-directory: ./example
       run: |
-        ./manage.py migrate > /dev/null 2>&1
-        ./manage.py runserver > /dev/null 2>&1 &
+        bash run.sh > /dev/null 2>&1 &
         sleep 5
-        spid_sp_test --metadata-url http://localhost:8000/spid/metadata/ --authn-url http://localhost:8000/spid/login/?idp=http://localhost:8080 --extra --exit-zero --debug ERROR -tr
+        spid_sp_test --metadata-url https://localhost:8000/spid/metadata/ --authn-url https://localhost:8000/spid/login/?idp=http://localhost:8080 --extra --debug ERROR -tr
     - name: Test Django reusable app
       working-directory: .
       run: |

.gitignore

@@ -135,3 +135,4 @@ example/spid_config/metadata/*
 tests/metadata/*
 !tests/metadata/spid-saml-check.xml
 
+example/static/*

README.md

@@ -53,15 +53,16 @@ Prepare environment:
 cd example/
 virtualenv -ppython3 env
 source env/bin/activate
-pip install -r ../requirements.txt
+pip install -r ../requirements-dev.txt
 ````
 
 Your example saml2 configuration is in `spid_config/spid_settings.py`.
 See djangosaml2 and pysaml2 official docs for clarifications.
 
 To run the demo project:
- - create the database `./manage.py migrate`
- - run `./manage.py runserver 0.0.0.0:8000`
+ - python -B ./manage.py migrate
+ - python -B ./manage.py collectstatic --noinput
+ - uwsgi --https 0.0.0.0:8000,./certificates/public.cert,./certificates/private.key --module example.wsgi:application --env example.settings --chdir .
 
 or execute the run.sh script with these environment settings to enable tests idps:
 
@@ -74,11 +75,11 @@ current demo metadata in *spid-testenv2* configuration, this way:
 
 ````
 # cd into spid-testenv2/ base dir ...
-wget http://localhost:8000/spid/metadata -O conf/sp_metadata.xml
+wget https://localhost:8000/spid/metadata -O conf/sp_metadata.xml
 ````
 
 Finally, start spid-testenv2 and spid-saml-check (docker is suggested) and
-then open 'http://localhost:8000' in your browser.
+then open 'https://localhost:8000' in your browser.
 
 
 Demo project with Docker
@@ -100,7 +101,6 @@ Setup for an existing project
 
 djangosaml2_spid uses a pySAML2 fork.
 
-* `pip install git+https://github.com/peppelinux/[email protected]`
 * `pip install git+https://github.com/italia/spid-django`
 * Copy the `example/spid_config/` to your project base dir and remember to edit with your custom paramenters
 * Import SAML2 entity configuration in your project settings file: `from spid_config.spid_settings import *`
@@ -202,6 +202,7 @@ only by developers.
 To test the application:
 ````
 pip install -r requirements-dev.txt
+pip install -e .
 python runtests.py
 ````
 
@@ -217,10 +218,11 @@ coverage report -m
 Warnings
 --------
 
-- Unsolicited response error: [SameSite cookie restrictions](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) will block cookies in Cross Domain POST if not in https. Use Firefox during tests on localhost with spid-saml-check.
-- Read djangosaml2 documentation, set COOKIE SECURE when in production and in https.
+- debug server uses the same SAML2 certificates, please create your SAML2 certificates for production and also a real TLS one for httpd!
+- Read djangosaml2 documentation, set SESSION_COOKIE_SECURE in your project settings.py
 - The SPID Button template is only for test purpose, please don't use it in production, do your customization instead!
 - In a production environment please don't use "remote" as metadata storage, use "local" or "mdq" instead!
+- When using spid-saml-check via docker image, mind that the metadata download url would match to `https://172.17.0.1:8000/spid/metadata` and not to localhost!
 
 Authors
 ------------

example/example/settings.py

@@ -29,6 +29,13 @@
 
 ALLOWED_HOSTS = ['*']
 
+# COOKIES
+SESSION_COOKIE_SECURE = True
+# SESSION_COOKIE_SAMESITE = "None"
+SESSION_EXPIRE_AT_BROWSER_CLOSE = True
+# CSRF_COOKIE_HTTPONLY = True
+# CSRF_COOKIE_SAMESITE = "None"
+CSRF_COOKIE_SECURE = True
 
 # Application definition
 
@@ -139,3 +146,4 @@
 # https://docs.djangoproject.com/en/3.1/howto/static-files/
 
 STATIC_URL = '/static/'
+STATIC_ROOT = 'static'

example/example/urls.py

@@ -1,4 +1,5 @@
 from django.conf import settings
+from django.conf.urls.static import static
 from django.contrib import admin
 from django.urls import path, include
 from django.views.generic.base import RedirectView
@@ -7,5 +8,7 @@
 urlpatterns = [
     path('admin/', admin.site.urls),
     path('', include((djangosaml2_spid.urls, 'djangosaml2_spid',))),
-    path('', RedirectView.as_view(url=settings.SPID_URLS_PREFIX), name='example-index')
+    path('', RedirectView.as_view(url=settings.SPID_URLS_PREFIX), name='example-index'),
 ]
+
+urlpatterns += static(settings.STATIC_URL, document_root=settings.STATIC_ROOT)

example/run.sh

@@ -1,2 +1,5 @@
 python -B ./manage.py migrate
-python -B ./manage.py runserver 0.0.0.0:8000
+python -B ./manage.py collectstatic --noinput
+
+# python -B ./manage.py runserver 0.0.0.0:8000
+uwsgi --http-keepalive  --https 0.0.0.0:8000,./certificates/public.cert,./certificates/private.key --module example.wsgi:application --env example.settings --chdir .

example/spid_config/spid_settings.py

@@ -6,7 +6,7 @@
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 
-SPID_BASE_URL = "http://localhost:8000"
+SPID_BASE_URL = "https://localhost:8000"
 SPID_URLS_PREFIX = 'spid'
 
 SPID_ACS_URL_PATH = f'{SPID_URLS_PREFIX}/acs/'

requirements-dev.txt

@@ -1,3 +1,4 @@
+-r requirements.txt
 autoflake
 autopep8
 coverage
@@ -7,3 +8,4 @@ isort
 bandit
 tox
 spid-sp-test>=0.4.6
+uwsgi

requirements.txt

@@ -1,7 +1,7 @@
-django>=2.2.17,<4.0
+django>=2.2.24,<4.0
 
 # hint before: pip install -U setuptools
-pysaml2 @ git+https://github.com/peppelinux/pysaml2.git@pplnx-v6.5.1#pysaml2
+pysaml2 @ git+https://github.com/peppelinux/pysaml2.git@pplnx-7.0.1#pysaml2
 cffi
 
 # django saml2 SP

setup.py

@@ -11,7 +11,7 @@
 
 setup(
     name="djangosaml2-spid",
-    version='0.7.5',
+    version='0.8.0',
     description="Djangosaml2 SPID Service Provider",
     long_description=README,
     long_description_content_type='text/markdown',

src/djangosaml2_spid/conf.py

@@ -264,7 +264,7 @@ def config_settings_loader(request: Optional[HttpRequest] = None) -> SPConfig:
                 # Responses, i.e. SAML Responses for which it has not sent
                 # a respective SAML Authentication Request. Set to True to
                 # let ACS endpoint work.
-                'allow_unsolicited': True,
+                'allow_unsolicited': False,
 
                 # Permits to have attributes not configured in attribute-mappings
                 # otherwise...without OID will be rejected

src/djangosaml2_spid/spid_validator.py

@@ -35,12 +35,21 @@ def __init__(self, authn_response='', issuer='',
 
     # handled adding authn req arguments in the session state (cookie)
     def validate_in_response_to(self):
-        """ spid test 18
+        """ spid test 16, 17 e 18
         """
-        if self.in_response_to:
-            if self.in_response_to != self.response.in_response_to:
-                raise SpidError(f'In response To not valid: '
-                                f'{self.in_response_to} != {self.response.in_response_to}')
+        if not self.response.in_response_to:
+            if self.response.in_response_to is None:
+                raise SpidError('InResponseTo not provided')  # Error nr.17
+            raise SpidError('InResponseTo unspecified')  # Error nr.16
+
+        # Check for error nr.18
+        if isinstance(self.in_response_to, str):
+            if self.response.in_response_to != self.in_response_to:
+                raise SpidError(f'InResponseTo not valid: '
+                                f'{self.response.in_response_to} != {self.in_response_to}')
+        elif self.response.in_response_to not in self.in_response_to:
+            raise SpidError(f'InResponseTo not valid: '
+                            f'{self.response.in_response_to} not in {self.in_response_to}')
 
     def validate_destination(self):
         """ spid test 19 e 20
@@ -55,14 +64,21 @@ def validate_issuer(self):
         <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://localhost:8080</saml:Issuer>
         """
 
-        # 30
         # check that this issuer is in the metadata...
         if self.requester:
             if self.requester != self.response.issuer.text:
                 raise SpidError(
                     f'Issuer different {self.response.issuer.text}'
                 )
 
+        # 30, 31
+        # check that this issuer is in the metadata...
+        if self.response.issuer.format:
+            if self.response.issuer.format != "urn:oasis:names:tc:SAML:2.0:nameid-format:entity":
+                raise SpidError(
+                    f'Issuer NameFormat is invalid: {self.response.issuer.format} != "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"'
+            )
+
         msg = 'Issuer format is not valid: {}'
         # 70, 71
         # if not hasattr(self.response.issuer, 'format') or \

src/djangosaml2_spid/static/spid/fonts/Lora/OFL.txt

@@ -0,0 +1,93 @@
+Copyright 2011 The Lora Project Authors (https://github.com/cyrealtype/Lora-Cyrillic), with Reserved Font Name "Lora".
+
+This Font Software is licensed under the SIL Open Font License, Version 1.1.
+This license is copied below, and is also available with a FAQ at:
+http://scripts.sil.org/OFL
+
+
+-----------------------------------------------------------
+SIL OPEN FONT LICENSE Version 1.1 - 26 February 2007
+-----------------------------------------------------------
+
+PREAMBLE
+The goals of the Open Font License (OFL) are to stimulate worldwide
+development of collaborative font projects, to support the font creation
+efforts of academic and linguistic communities, and to provide a free and
+open framework in which fonts may be shared and improved in partnership
+with others.
+
+The OFL allows the licensed fonts to be used, studied, modified and
+redistributed freely as long as they are not sold by themselves. The
+fonts, including any derivative works, can be bundled, embedded, 
+redistributed and/or sold with any software provided that any reserved
+names are not used by derivative works. The fonts and derivatives,
+however, cannot be released under any other type of license. The
+requirement for fonts to remain under this license does not apply
+to any document created using the fonts or their derivatives.
+
+DEFINITIONS
+"Font Software" refers to the set of files released by the Copyright
+Holder(s) under this license and clearly marked as such. This may
+include source files, build scripts and documentation.
+
+"Reserved Font Name" refers to any names specified as such after the
+copyright statement(s).
+
+"Original Version" refers to the collection of Font Software components as
+distributed by the Copyright Holder(s).
+
+"Modified Version" refers to any derivative made by adding to, deleting,
+or substituting -- in part or in whole -- any of the components of the
+Original Version, by changing formats or by porting the Font Software to a
+new environment.
+
+"Author" refers to any designer, engineer, programmer, technical
+writer or other person who contributed to the Font Software.
+
+PERMISSION & CONDITIONS
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of the Font Software, to use, study, copy, merge, embed, modify,
+redistribute, and sell modified and unmodified copies of the Font
+Software, subject to the following conditions:
+
+1) Neither the Font Software nor any of its individual components,
+in Original or Modified Versions, may be sold by itself.
+
+2) Original or Modified Versions of the Font Software may be bundled,
+redistributed and/or sold with any software, provided that each copy
+contains the above copyright notice and this license. These can be
+included either as stand-alone text files, human-readable headers or
+in the appropriate machine-readable metadata fields within text or
+binary files as long as those fields can be easily viewed by the user.
+
+3) No Modified Version of the Font Software may use the Reserved Font
+Name(s) unless explicit written permission is granted by the corresponding
+Copyright Holder. This restriction only applies to the primary font name as
+presented to the users.
+
+4) The name(s) of the Copyright Holder(s) or the Author(s) of the Font
+Software shall not be used to promote, endorse or advertise any
+Modified Version, except to acknowledge the contribution(s) of the
+Copyright Holder(s) and the Author(s) or with their explicit written
+permission.
+
+5) The Font Software, modified or unmodified, in part or in whole,
+must be distributed entirely under this license, and must not be
+distributed under any other license. The requirement for fonts to
+remain under this license does not apply to any document created
+using the Font Software.
+
+TERMINATION
+This license becomes null and void if any of the above conditions are
+not met.
+
+DISCLAIMER
+THE FONT SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT
+OF COPYRIGHT, PATENT, TRADEMARK, OR OTHER RIGHT. IN NO EVENT SHALL THE
+COPYRIGHT HOLDER BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+INCLUDING ANY GENERAL, SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL
+DAMAGES, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+FROM, OUT OF THE USE OR INABILITY TO USE THE FONT SOFTWARE OR FROM
+OTHER DEALINGS IN THE FONT SOFTWARE.