saml_idp: Rewrite to CBV

passbook/core/forms/authentication.py

@@ -47,10 +47,6 @@ class SignUpForm(forms.Form):
                                       widget=forms.PasswordInput(attrs={
                                           'placeholder': _('Repeat Password')
                                           }))
-    # captcha = ReCaptchaField(
-    #     required=(not settings.DEBUG and not settings.TEST),
-    #     private_key=Setting.get('recaptcha:private'),
-    #     public_key=Setting.get('recaptcha:public'))
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
@@ -58,9 +54,6 @@ class SignUpForm(forms.Form):
         if 'initial' in kwargs:
             for field in kwargs.get('initial').keys():
                 self.fields[field].widget.attrs['readonly'] = 'readonly'
-        # TODO: Dynamically add captcha here
-        # if not Setting.get_bool('recaptcha:enabled'):
-        #     self.fields.pop('captcha')
 
     def clean_username(self):
         """Check if username is used already"""

passbook/lib/mixins.py

@@ -0,0 +1,12 @@
+"""passbook util mixins"""
+from django.utils.decorators import method_decorator
+from django.views.decorators.csrf import csrf_exempt
+
+
+class CSRFExemptMixin:
+    """wrapper to apply @csrf_exempt to CBV"""
+
+    @method_decorator(csrf_exempt)
+    def dispatch(self, *args, **kwargs):
+        """wrapper to apply @csrf_exempt to CBV"""
+        return super().dispatch(*args, **kwargs)

passbook/saml_idp/urls.py

@@ -4,9 +4,8 @@ from django.conf.urls import url
 from passbook.saml_idp import views
 
 urlpatterns = [
-    url(r'^login/$', views.login_begin, name="saml_login_begin"),
+    url(r'^login/$', views.LoginBeginView.as_view(), name="saml_login_begin"),
-    url(r'^login/process/$', views.login_process, name='saml_login_process'),
+    url(r'^login/process/$', views.LoginProcessView.as_view(), name='saml_login_process'),
-    url(r'^logout/$', views.logout, name="saml_logout"),
+    url(r'^logout/$', views.LogoutView.as_view(), name="saml_logout"),
-    url(r'^metadata/xml/$', views.descriptor, name='metadata_xml'),
+    url(r'^metadata/xml/$', views.DescriptorView.as_view(), name='metadata_xml'),
-    # url(r'^settings/$', views.IDPSettingsView.as_view(), name='admin_settings'),
 ]

passbook/saml_idp/views.py

@@ -1,25 +1,25 @@
 """passbook SAML IDP Views"""
 from logging import getLogger
 
-from django.contrib import auth
+from django.contrib.auth import logout
-from django.contrib.auth.decorators import login_required
+from django.contrib.auth.mixins import LoginRequiredMixin
 from django.core.exceptions import ValidationError
 from django.core.validators import URLValidator
-from django.http import (HttpResponse, HttpResponseBadRequest,
+from django.http import HttpResponse, HttpResponseBadRequest
-                         HttpResponseRedirect)
+from django.shortcuts import get_object_or_404, redirect, render, reverse
-from django.shortcuts import redirect, render
-from django.urls import reverse
 from django.utils.datastructures import MultiValueDictKeyError
-# from django.utils.html import escape
+from django.views import View
-# from django.utils.translation import ugettext as _
-from django.views.decorators.csrf import csrf_exempt
 
 from passbook.lib.config import CONFIG
+# from django.utils.html import escape
+# from django.utils.translation import ugettext as _
+from passbook.lib.mixins import CSRFExemptMixin
 # from passbook.core.models import Event, Setting, UserAcquirableRelationship
 from passbook.lib.utils.template import render_to_string
 # from passbook.core.views.common import ErrorResponseView
 # from passbook.core.views.settings import GenericSettingView
 from passbook.saml_idp import exceptions, registry
+from passbook.saml_idp.models import SAMLProvider
 
 # from OpenSSL.crypto import FILETYPE_PEM
 # from OpenSSL.crypto import Error as CryptoError
@@ -47,10 +47,11 @@ def render_xml(request, template, ctx):
     return render(request, template, context=ctx, content_type="application/xml")
 
 
-@csrf_exempt
+class LoginBeginView(CSRFExemptMixin, View):
-def login_begin(request):
     """Receives a SAML 2.0 AuthnRequest from a Service Provider and
     stores it in the session prior to enforcing login."""
+
+    def dispatch(self, request):
         if request.method == 'POST':
             source = request.POST
         else:
@@ -66,7 +67,10 @@ def login_begin(request):
         return redirect(reverse('passbook_saml_idp:saml_login_process'))
 
 
-def redirect_to_sp(request, acs_url, saml_response, relay_state):
+class RedirectToSPView(View):
+    """Return autosubmit form"""
+
+    def get(self, request, acs_url, saml_response, relay_state):
         """Return autosubmit form"""
         return render(request, 'core/autosubmit_form.html', {
             'url': acs_url,
@@ -77,34 +81,36 @@ def redirect_to_sp(request, acs_url, saml_response, relay_state):
         })
 
 
-@login_required
+class LoginProcessView(View):
-def login_process(request):
     """Processor-based login continuation.
     Presents a SAML 2.0 Assertion for POSTing back to the Service Provider."""
+
+    def dispatch(self, request):
         LOGGER.debug("Request: %s", request)
-    proc, remote = registry.find_processor(request)
+        proc, provider = registry.find_processor(request)
         # Check if user has access
         access = True
-    # if remote.productextensionsaml2_set.exists() and \
+        # if provider.productextensionsaml2_set.exists() and \
-    #         remote.productextensionsaml2_set.first().product_set.exists():
+        #         provider.productextensionsaml2_set.first().product_set.exists():
         #     # Only check if there is a connection from OAuth2 Application to product
-    #     product = remote.productextensionsaml2_set.first().product_set.first()
+        #     product = provider.productextensionsaml2_set.first().product_set.first()
-    #     relationship = UserAcquirableRelationship.objects.filter(user=request.user, model=product)
+        #     relationship = UserAcquirableRelationship.objects.
+        # filter(user=request.user, model=product)
         #     # Product is invitation_only = True and no relation with user exists
         #     if product.invitation_only and not relationship.exists():
         #         access = False
         # Check if we should just autosubmit
-    if remote.skip_authorization and access:
+        if provider.skip_authorization and access:
-        # full_res = _generate_response(request, proc, remote)
+            # full_res = _generate_response(request, proc, provider)
             ctx = proc.generate_response()
             # User accepted request
             # Event.create(
             #     user=request.user,
-        #     message=_('You authenticated %s (via SAML) (skipped Authz)' % remote.name),
+            #     message=_('You authenticated %s (via SAML) (skipped Authz)' % provider.name),
             #     request=request,
             #     current=False,
             #     hidden=True)
-        return redirect_to_sp(
+            return RedirectToSPView.as_view()(
                 request=request,
                 acs_url=ctx['acs_url'],
                 saml_response=ctx['saml_response'],
@@ -113,17 +119,17 @@ def login_process(request):
             # User accepted request
             # Event.create(
             #     user=request.user,
-        #     message=_('You authenticated %s (via SAML)' % remote.name),
+            #     message=_('You authenticated %s (via SAML)' % provider.name),
             #     request=request,
             #     current=False,
             #     hidden=True)
-        return redirect_to_sp(
+            return RedirectToSPView.as_view()(
                 request=request,
                 acs_url=request.POST.get('ACSUrl'),
                 saml_response=request.POST.get('SAMLResponse'),
                 relay_state=request.POST.get('RelayState'))
         try:
-        full_res = _generate_response(request, proc, remote)
+            full_res = _generate_response(request, proc, provider)
             # if not access:
             #     LOGGER.warning("User '%s' has no invitation to '%s'", request.user, product)
             #     messages.error(request, "You have no access to '%s'" % product.name)
@@ -134,12 +140,14 @@ def login_process(request):
             # return ErrorResponseView.as_view()(request, str(exc))
 
 
-@csrf_exempt
+class LogoutView(CSRFExemptMixin, View):
-def logout(request):
     """Allows a non-SAML 2.0 URL to log out the user and
     returns a standard logged-out page. (SalesForce and others use this method,
     though it's technically not SAML 2.0)."""
-    auth.logout(request)
+
+    def get(self, request):
+        """Perform logout"""
+        logout(request)
 
         redirect_url = request.GET.get('redirect_to', '')
 
@@ -148,16 +156,17 @@ def logout(request):
         except ValidationError:
             pass
         else:
-        return HttpResponseRedirect(redirect_url)
+            return redirect(redirect_url)
 
         return render(request, 'saml/idp/logged_out.html')
 
 
-@login_required
+class SLOLogout(CSRFExemptMixin, LoginRequiredMixin, View):
-@csrf_exempt
-def slo_logout(request):
     """Receives a SAML 2.0 LogoutRequest from a Service Provider,
     logs out the user and returns a standard logged-out page."""
+
+    def post(self, request):
+        """Perform logout"""
         request.session['SAMLRequest'] = request.POST['SAMLRequest']
         # TODO: Parse SAML LogoutRequest from POST data, similar to login_process().
         # TODO: Add a URL dispatch for this view.
@@ -165,16 +174,20 @@ def slo_logout(request):
         # TODO: Combine this with login_process(), since they are so very similar?
         # TODO: Format a LogoutResponse and return it to the browser.
         # XXX: For now, simply log out without validating the request.
-    auth.logout(request)
+        logout(request)
         return render(request, 'saml/idp/logged_out.html')
 
 
-def descriptor(request):
+class DescriptorView(View):
     """Replies with the XML Metadata IDSSODescriptor."""
+
+    def get(self, request, application_id):
+        """Replies with the XML Metadata IDSSODescriptor."""
+        application = get_object_or_404(SAMLProvider, pk=application_id)
         entity_id = CONFIG.y('saml_idp.issuer')
         slo_url = request.build_absolute_uri(reverse('passbook_saml_idp:saml_logout'))
         sso_url = request.build_absolute_uri(reverse('passbook_saml_idp:saml_login_begin'))
-    pubkey = '' # TODO: Extract application/provider for pubkey
+        pubkey = application.signing_cert
         ctx = {
             'entity_id': entity_id,
             'cert_public_key': pubkey,