Authentication with saml2 (replacement of shibboleth)

.gitignore

@@ -18,3 +18,5 @@ nginx.conf
 # Docker Compose 
 docker-compose.yml
 .env.local
+
+saml2

README.md

@@ -12,7 +12,7 @@ Clone the repository and access the directory:
 ```bash
 git clone https://github.com/linea-it/pzserver_app.git  
 cd pzserver_app
-mkdir -p archive/data archive/log/archive/log/backend
+mkdir -p archive/data archive/log/backend
 ```
 
 Copy the file `docker-compose-development.yml` and rename to `docker-compose.yml`
@@ -134,7 +134,7 @@ Turn on background environment (if you have the application already running on t
 docker-compose up -d
 ```
 
-    Access in the browser:
+Access in the browser:
     - Frontend: <http://localhost/>
     - Django Admin: <http://localhost/admin/>
     - Django REST: <http://localhost/api>
@@ -233,6 +233,64 @@ run single test method
 docker-compose exec backend pytest core/test/test_product_file.py::ProductFileListCreateAPIViewTestCase::test_list_product_file
 ```
 
+## Enable authentication via LIneA Satosa (Github)
+
+### Keys and certificates
+
+Edit the `.env` to include the path to the certificates for signing and encrypting SAML assertions:
+(It is possible to use the same certificate for both signing and encryption.)
+
+```bash
+# Keys and certificates
+SIG_KEY_PEM=<your-key-path>
+SIG_CERT_PEM=<your-certificate-path>
+ENCRYP_KEY_PEM=<your-key-path>
+ENCRYP_CERT_PEM=<your-certificate-path>
+```
+
+If you do not have valid certificates (not recommended in production), generate a self-signed certificate using the command below:
+
+Create the `certificates` directory with the following command:
+
+```bash
+mkdir -p saml2/certificates 
+
+openssl genrsa -out pz.key 2048
+openssl req -new -key pz.key -out pz.csr
+openssl x509 -req -days 365 -in pz.csr -signkey pz.key -out pz.crt
+
+cp pz.key pzkey.pem
+cp pz.crt pzcert.pem
+```
+
+Next we must uncomment the volume that represents the saml2 directory in docker-compose.yml:
+
+```yml
+- ./archive/log/backend:/archive/log
+- ./archive/data:/archive/data
+- ./saml2:/saml2  # uncomment if authentication with github is required
+```
+
+### IDP Metadata (Github)
+
+Edit the `.env` and tell where the metadata can be found:
+(Contact the infrastructure team to find out more details about the metadata.)
+
+```bash
+# IDP metadata
+IDP_METADATA=<Github-metadata-path>
+```
+
+And finally, just uncomment the `AUTH_SHIB_URL` variable in the `.env`:
+
+```bash
+# Saml2 / Satosa Auth
+# URL to login using satosa
+AUTH_SHIB_URL=${URI}/saml2/login/
+```
+
+With everything configured and the services started, we must access the URL `${URI}/saml2/metadata/` and send the content (xml) to the infrastructure team to create a trust relationship between the application and satosa.
+
 ## Setup Production Enviroment
 
 In the production environment **NO** it is necessary to clone the repository.
@@ -320,3 +378,4 @@ Procedure to update the production environment or any other that uses built imag
 - Edit the `.env` file to add new variables or change them if necessary.
 - Pull the new images with the `docker-compose pull` command.
 - Restart services `docker-compose stop && docker-compose up -d`.
+

backend/.gitignore

@@ -163,4 +163,6 @@ cython_debug/
 # Django
 django_static/
 
-archive/
+archive/
+
+saml2/

backend/Dockerfile

@@ -15,6 +15,9 @@ RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
     build-essential \
     libpcre3 \
     libpcre3-dev \
+    xmlsec1 \
+    libssl-dev \
+    libsasl2-dev \
     && apt-get clean \
     && apt-get autoclean \
     && apt-get autoremove --purge  -y \
@@ -48,4 +51,4 @@ COPY --chmod=0775 ./start.sh /start.sh
 # Switch to non-priviliged user and run app
 USER $USERNAME
 
-ENTRYPOINT [ "/entrypoint.sh" ]
+ENTRYPOINT [ "/entrypoint.sh" ]

backend/attribute-maps/__init__.py

@@ -0,0 +1,2 @@
+__author__ = 'rohe0002'
+__all__ = ["adfs_v1x", "adfs_v20", "basic", "saml_uri", "shibboleth_uri"]

backend/attribute-maps/adfs_v1x.py

@@ -0,0 +1,18 @@
+CLAIMS = 'http://schemas.xmlsoap.org/claims/'
+
+
+MAP = {
+    "identifier": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
+    'fro': {
+        CLAIMS+'commonname': 'commonName',
+        CLAIMS+'emailaddress': 'emailAddress',
+        CLAIMS+'group': 'group',
+        CLAIMS+'upn': 'upn',
+    },
+    'to': {
+        'commonName': CLAIMS+'commonname',
+        'emailAddress': CLAIMS+'emailaddress',
+        'group': CLAIMS+'group',
+        'upn': CLAIMS+'upn',
+    }
+}

backend/attribute-maps/adfs_v20.py

@@ -0,0 +1,49 @@
+CLAIMS = 'http://schemas.xmlsoap.org/claims/'
+COM_WS_CLAIMS = 'http://schemas.xmlsoap.com/ws/2005/05/identity/claims/'
+MS_CLAIMS = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/'
+ORG_WS_CLAIMS = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/'
+
+
+MAP = {
+    "identifier": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
+    'fro': {
+        CLAIMS+'commonname': 'commonName',
+        CLAIMS+'group': 'group',
+        COM_WS_CLAIMS+'denyonlysid': 'denyOnlySid',
+        MS_CLAIMS+'authenticationmethod': 'authenticationMethod',
+        MS_CLAIMS+'denyonlyprimarygroupsid': 'denyOnlyPrimaryGroupSid',
+        MS_CLAIMS+'denyonlyprimarysid': 'denyOnlyPrimarySid',
+        MS_CLAIMS+'groupsid': 'groupSid',
+        MS_CLAIMS+'primarygroupsid': 'primaryGroupSid',
+        MS_CLAIMS+'primarysid': 'primarySid',
+        MS_CLAIMS+'role': 'role',
+        MS_CLAIMS+'windowsaccountname': 'windowsAccountName',
+        ORG_WS_CLAIMS+'emailaddress': 'emailAddress',
+        ORG_WS_CLAIMS+'givenname': 'givenName',
+        ORG_WS_CLAIMS+'name': 'name',
+        ORG_WS_CLAIMS+'nameidentifier': 'nameId',
+        ORG_WS_CLAIMS+'privatepersonalidentifier': 'privatePersonalId',
+        ORG_WS_CLAIMS+'surname': 'surname',
+        ORG_WS_CLAIMS+'upn': 'upn',
+    },
+    'to': {
+        'authenticationMethod': MS_CLAIMS+'authenticationmethod',
+        'commonName': CLAIMS+'commonname',
+        'denyOnlyPrimaryGroupSid': MS_CLAIMS+'denyonlyprimarygroupsid',
+        'denyOnlyPrimarySid': MS_CLAIMS+'denyonlyprimarysid',
+        'denyOnlySid': COM_WS_CLAIMS+'denyonlysid',
+        'emailAddress': ORG_WS_CLAIMS+'emailaddress',
+        'givenName': ORG_WS_CLAIMS+'givenname',
+        'group': CLAIMS+'group',
+        'groupSid': MS_CLAIMS+'groupsid',
+        'name': ORG_WS_CLAIMS+'name',
+        'nameId': ORG_WS_CLAIMS+'nameidentifier',
+        'primaryGroupSid': MS_CLAIMS+'primarygroupsid',
+        'primarySid': MS_CLAIMS+'primarysid',
+        'privatePersonalId': ORG_WS_CLAIMS+'privatepersonalidentifier',
+        'role': MS_CLAIMS+'role',
+        'surname': ORG_WS_CLAIMS+'surname',
+        'upn': ORG_WS_CLAIMS+'upn',
+        'windowsAccountName': MS_CLAIMS+'windowsaccountname',
+    }
+}