Merge branch 'keitaroinc:main' into feature/include_root_path_in_spconfig

Author: seitenbau-govdata

.github/workflows/ci.yml

@@ -17,7 +17,7 @@ jobs:
       - name: Setup Python
         uses: actions/setup-python@v4
         with:
-          python-version: '3.8'
+          python-version: '3.10'
 
       - name: Install flake8
         run: |
@@ -26,16 +26,16 @@ jobs:
 
       - name: Lint with flake8
         run: |
-          flake8 . --count --max-complexity=10 --max-line-length=127 --statistics --exclude ckan,ckanext-saml2auth
+          flake8 . --count --max-complexity=12 --max-line-length=127 --statistics --exclude ckan,ckanext-saml2auth
 
   test:
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
-        python-version: [ '3.7', '3.8', '3.9']
-        ckan-version: ["2.9", "2.10"]
-    name: Python ${{ matrix.python-version }} extension test
+        python-version: ['3.9', '3.10']  # TODO '3.11'
+        ckan-version: ["2.10", "2.11"]
+    name: Python ${{ matrix.python-version }} CKAN ${{ matrix.ckan-version }} extension test
 
     services:
       postgresql:
@@ -61,9 +61,7 @@ jobs:
           - 6379:6379
 
       ckan-solr:
-        # Workflow level env variables are not addressable on job level, only on steps level
-        # image: ghcr.io/keitaroinc/ckan-solr-dev:{{ env.CKANVERSION }}
-        image: ghcr.io/keitaroinc/ckan-solr-dev:2.9
+        image: ckan/ckan-solr:2.10
         ports:
           - 8983:8983
 
@@ -90,8 +88,9 @@ jobs:
 
       - name: Test with pytest
         run: |
+          echo "Running SAML2AUTH tests"
           pytest --ckan-ini=subdir/test.ini --cov=ckanext.saml2auth --disable-warnings ckanext/saml2auth/tests
-
+      
       - name: Coveralls
         uses: AndreMiras/coveralls-python-action@develop
         with:
@@ -132,4 +131,4 @@ jobs:
     - name: Coveralls Finished
       uses: AndreMiras/coveralls-python-action@develop
       with:
-        parallel-finished: true
+        parallel-finished: true

README.md

@@ -1,12 +1,14 @@
 [![CI][]][1] [![Coverage][]][2] [![Gitter][]][3] [![Pypi][]][4] [![Python][]][5] [![CKAN][]][6]
 
+
 # ckanext-saml2auth
 
 A [CKAN](https://ckan.org) extension to enable Single Sign-On (SSO) for CKAN data portals via SAML2 Authentication.
 
 ## Requirements
 
-This extension works with CKAN 2.9+.
+This extension works with CKAN 2.10+
+Note: For CKAN 2.9 or older use v1.3.0 or older versions.
 
 ## Installation
 
@@ -135,6 +137,8 @@ Optional:
     # Saml logout request preferred binding settings variable
     # Default: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
     ckanext.saml2auth.logout_expected_binding =  urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
+    # If you don't want to logout from external source you can use
+    ckanext.saml2auth.logout_expected_binding = skip-external-logout
 
     # Default fallback endpoint to redirect to if no RelayState provided in the SAML Response
     # Default: user.me (ie /dashboard)
@@ -228,7 +232,7 @@ to PyPI follow these steps:
   [3]: https://gitter.im/keitaroinc/ckan?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge
   [Pypi]: https://img.shields.io/pypi/v/ckanext-saml2auth
   [4]: https://pypi.org/project/ckanext-saml2auth
-  [Python]: https://img.shields.io/badge/python-3.7%20%7C%203.8%20%7C%203.9-blue
+  [Python]: https://img.shields.io/badge/python-3.9%20|%203.10%20|%203.11-blue
   [5]: https://www.python.org
-  [CKAN]: https://img.shields.io/badge/ckan-2.9%20%7C%202.10-yellow
+  [CKAN]: https://img.shields.io/badge/ckan-2.10%20|%202.11-yellow
   [6]: https://www.ckan.org

bin/setup-ckan.bash

@@ -46,9 +46,10 @@ cd ckan
 ckan -c test-core.ini db init
 cd -
 
-echo "Installing ckanext-saml2auth and its requirements..."
-python setup.py develop
+echo "Installing saml2 requirements..."
 pip install -r dev-requirements.txt
+echo "Installing ckanext-saml2auth..."
+pip install -e .
 
 echo "Moving test.ini into a subdir..."
 mkdir subdir

ckanext/saml2auth/cache.py

@@ -18,12 +18,16 @@
 import logging
 
 from saml2.ident import code, decode
+from saml2.saml import NameID
 
 log = logging.getLogger(__name__)
 
 
 def set_subject_id(session, subject_id):
-    session['_saml2_subject_id'] = code(subject_id)
+    if isinstance(subject_id, str):
+        session['_saml2_subject_id'] = subject_id
+    else:
+        session['_saml2_subject_id'] = code(subject_id)
 
 
 def get_subject_id(session):
@@ -34,11 +38,32 @@ def get_subject_id(session):
 
 
 def set_saml_session_info(session, saml_session_info):
+    """Adds information about pysaml2 AuthnResponse to CKAN's session.
+
+    `pysaml2` returns a NameID object in the session_info() call. Since we want
+    to serialize the object to write it into the cookie we need to convert it.
+    `name_id` is the same as `_saml2_subject_id` so we apply `code` as we do in
+    `set_subject_id`.
+
+    We are not sure if it always return an object, so we checking to be sure.
+    """
+    if isinstance(saml_session_info['name_id'], NameID):
+        saml_session_info['name_id'] = code(saml_session_info['name_id'])
     session['_saml_session_info'] = saml_session_info
 
 
 def get_saml_session_info(session):
+    """Returns the saml session info from the session object.
+
+    The session object is serializable but pysaml expect a NameID object as
+    name_id, so we are decoding it again as we do in get_subject_id.
+    """
     try:
-        return session['_saml_session_info']
+        session_info = session['_saml_session_info']
     except KeyError:
         return None
+
+    if isinstance(session_info['name_id'], str):
+        session_info['name_id'] = decode(session_info['name_id'])
+
+    return session_info

ckanext/saml2auth/config_declaration.yaml

@@ -0,0 +1,171 @@
+version: 1
+groups:
+  - annotation: ckanext-saml2auth settings
+    options:
+      - key: ckanext.saml2auth.idp_metadata.location
+        example: local
+        default: remote
+        description: |
+            Specifies the metadata location type.
+            Options: local or remote
+        required: true
+      - key: ckanext.saml2auth.idp_metadata.local_path 
+        example: /opt/metadata/idp.xml
+        default:
+        description: |
+            Path to a local file accessible on the server the service runs on.
+            Ignore this config if the idp metadata location is set to: remote
+        required: false
+      - key: ckanext.saml2auth.idp_metadata.remote_url
+        example: https://kalmar2.org/simplesaml/module.php/aggregator/?id=kalmarcentral2&set=saml2
+        default:
+        description: |
+            A remote URL serving aggregate metadata
+            Ignore this config if the idp metadata location is set to: local
+        required: false
+      - key: ckanext.saml2auth.idp_metadata.remote_cert
+        example: /opt/metadata/kalmar2.cert
+        default:
+        description: |
+            Path to a local file accessible on the server the service runs on
+            Ignore this config if the idp metadata location is set to: local and metadata is public
+        required: false
+      - key: ckanext.saml2auth.user_firstname
+        example: name
+        default: firstname
+        description: |
+            Corresponding SAML user field for firstname
+        required: false
+      - key: ckanext.saml2auth.user_lastname
+        example: surname
+        default: lastname
+        description: |
+            Corresponding SAML user field for lastname
+        required: false
+      - key: ckanext.saml2auth.user_email
+        example: emailadress
+        default: email
+        description: |
+            Corresponding SAML user field for email
+        required: true
+      - key: ckanext.saml2auth.user_fullname
+        example: fullname
+        default: fullname
+        description: |
+            Corresponding SAML user field for fullname
+            (Optional: Can be used as an alternative to firstname + lastname)
+        required: false
+      - key: ckanext.saml2auth.enable_ckan_internal_login
+        example: True
+        default: False
+        description: |
+            Configuration setting that enables CKAN's internal register/login functionality as well
+        required: false
+        type: bool
+      - key: ckanext.saml2auth.sysadmins_list
+        example: mail@domain.com mail2@domain.com mail3@domain.com
+        default:
+        description: |
+            List of email addresses from users that should be created as sysadmins (system administrators)
+            Note that this means that CKAN sysadmins will _only_ be managed based on this config option and will override existing user permissions in the CKAN database
+            If not set then it is ignored and CKAN sysadmins are managed through normal means
+        required: false
+      - key: ckanext.saml2auth.allow_unknown_attributes
+        example: False
+        default: True
+        description: |
+            Indicates that attributes that are not recognized (they are not configured in attribute-mapping),
+            will not be discarded.
+        required: false
+        type: bool
+      - key: ckanext.saml2auth.sp.name_id_format
+        example: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
+        default: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
+        description: |
+            A list of string values that will be used to set the <NameIDFormat> element of the metadata of an entity.
+        required: false
+      - key: ckanext.saml2auth.sp.name_id_policy_format
+        example: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
+        default:
+        description: |
+            A string value that will be used to set the Format attribute of the <NameIDPolicy> element of the metadata of an entity.
+        required: false
+      - key: ckanext.saml2auth.entity_id
+        example: urn:gov:gsa:SAML:2.0.profiles:sp:sso:gsa:catalog-dev
+        default: urn:mace:umu.se:saml:ckan:sp
+        description: |
+              Entity ID (also know as Issuer)
+              Define the entity ID.
+        required: false
+      - key: ckanext.saml2auth.want_response_signed
+        example: False
+        default: True
+        description: |
+            Indicates if SAML responses must be signed.
+        required: false
+        type: bool
+      - key: ckanext.saml2auth.want_assertions_signed
+        example: True
+        default: False
+        description: |
+            Indicates if SAML assertions must be signed.
+        required: false
+        type: bool
+      - key: ckanext.saml2auth.want_assertions_or_response_signed
+        example: True
+        default: False
+        description: |
+            If set to true, either the SAML response or the assertion must be signed.
+        required: false
+        type: bool
+      - key: ckanext.saml2auth.key_file_path
+        example: /path/to/mykey.pem
+        default:
+        description: |
+            Path to the private key file used to sign SAML requests or decrypt assertions.
+        required: false
+      - key: ckanext.saml2auth.cert_file_path
+        example: /path/to/mycert.pem
+        default:
+        description: |
+            Path to the public certificate file used to verify signatures or encrypt assertions.
+        required: false
+      - key: ckanext.saml2auth.attribute_map_dir
+        example: /path/to/dir/attributemaps
+        default:
+        description: |
+            Directory path containing SAML attribute mapping configuration files.
+        required: false
+      - key: ckanext.saml2auth.requested_authn_context
+        example: http://idmanagement.gov/ns/assurance/aal/3?hspd12=true
+        default:
+        description: |
+            Specifies authentication context class references requested during login.
+            You can provide multiple values separated by spaces.
+        required: false
+      - key: ckanext.saml2auth.requested_authn_context_comparison
+        example: exact
+        default: exact
+        description: |
+            Comparison method for RequestedAuthnContext.
+            Options: exact, minimum, maximum, better
+        required: false
+      - key: ckanext.saml2auth.logout_requests_signed
+        example: True
+        default: False
+        description: |
+            Indicates whether this service provider will sign logout requests.
+        required: false
+        type: bool
+      - key: ckanext.saml2auth.logout_expected_binding
+        example: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
+        default: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
+        description: |
+            The expected SAML binding method for logout requests.
+        required: false
+      - key: ckanext.saml2auth.default_fallback_endpoint
+        example: home.index
+        default: user.me
+        description: |
+            The default endpoint to redirect to if no RelayState is provided in the SAML response.
+        required: false

ckanext/saml2auth/helpers.py

@@ -121,3 +121,12 @@ def get_site_domain_for_cookie():
     parsed_url = urlparse(site_url)
     host = parsed_url.netloc.split(':')[0]
     return host if '.' in host else None
+
+
+def get_saml2auth_login_button_text():
+    """
+    Returns the configured text for the SAML2 login button.
+    Defaults to 'SSO' if not configured.
+    """
+    text = toolkit.config.get('ckanext.saml2auth.login_button_text', 'SSO')
+    return text

ckanext/saml2auth/plugin.py

@@ -37,6 +37,7 @@
 log = logging.getLogger(__name__)
 
 
+@toolkit.blanket.config_declarations
 class Saml2AuthPlugin(plugins.SingletonPlugin):
     plugins.implements(plugins.IConfigurer)
     plugins.implements(plugins.IBlueprint)
@@ -48,8 +49,8 @@ class Saml2AuthPlugin(plugins.SingletonPlugin):
 
     def get_helpers(self):
         return {
-            'is_default_login_enabled':
-                h.is_default_login_enabled
+            'is_default_login_enabled': h.is_default_login_enabled,
+            'get_saml2auth_login_button_text': h.get_saml2auth_login_button_text,
         }
 
     # IConfigurable
@@ -120,9 +121,12 @@ def _perform_slo():
 
     response = None
 
-    client = h.saml_client(
-        sp_config()
-    )
+    config = sp_config()
+    if config.get('logout_expected_binding') == 'skip-external-logout':
+        log.debug('Skipping external logout')
+        return
+
+    client = h.saml_client(config)
     saml_session_info = get_saml_session_info(session)
     subject_id = get_subject_id(session)
 

ckanext/saml2auth/templates/user/snippets/login_form.html

@@ -18,5 +18,5 @@
 {% ckan_extends %}
 {% block login_button %}
   <button class="btn btn-primary" type="submit">{{ _('Login') }}</button>
-  <a class="btn btn-default" href="{{ h.url_for('saml2auth.saml2login') }}">{{ _('SSO') }}</a>
+  <a class="btn btn-default" href="{{ h.url_for('saml2auth.saml2login') }}">{{ h.get_saml2auth_login_button_text() }}</a>
 {% endblock %}

ckanext/saml2auth/tests/responses/unsigned0.xml

@@ -17,7 +17,7 @@
       <saml:NameID SPNameQualifier="{{ entity_id }}" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_ce3d2948b4cf20146dee0a0b3dd6f69b6cf86f62d7</saml:NameID>
       <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
         <saml:SubjectConfirmationData 
-          NotOnOrAfter="2024-01-18T06:21:48Z" 
+          NotOnOrAfter="2026-01-18T06:21:48Z" 
           Recipient="{{ recipient }}" 
           InResponseTo="ONELOGIN_4fee3b046395c4e751011e97f8900b5273d56685"/>
       </saml:SubjectConfirmation>