From ec61272a0c366ec5f7af787eab27bbecc168c6ef Mon Sep 17 00:00:00 2001
From: Andreas Kloeckner
Date: Wed, 17 Feb 2016 02:23:46 -0600
Subject: [PATCH] Get SAML2 working
---
local_settings.py.example | 26 +++++++++++++++++++++++---
relate/settings.py | 11 ++---------
relate/templates/sign-in-choice.html | 1 -
relate/utils.py | 25 +++++++++++++++++++++++++
requirements.txt | 2 +-
5 files changed, 51 insertions(+), 14 deletions(-)
diff --git a/local_settings.py.example b/local_settings.py.example
index 5dd89b76..ccb43643 100644
--- a/local_settings.py.example
+++ b/local_settings.py.example
@@ -220,6 +220,18 @@ if RELATE_SIGN_IN_BY_SAML2_ENABLED:
 _BASE_URL = 'https://relate.cs.illinois.edu'
+ # see saml2-keygen.sh in this directory
+ _SAML_KEY_FILE = path.join(_BASEDIR, 'saml-config', 'sp-key.pem')
+ _SAML_CERT_FILE = path.join(_BASEDIR, 'saml-config', 'sp-cert.pem')
+
+ SAML_ATTRIBUTE_MAPPING = {
+ 'eduPersonPrincipalName': ('username',),
+ 'iTrustUIN': ('institutional_id',),
+ 'mail': ('email',),
+ 'givenName': ('first_name', ),
+ 'sn': ('last_name', ),
+ }
+
 SAML_CONFIG = {
 # full path to the xmlsec1 binary programm
 'xmlsec_binary': '/usr/bin/xmlsec1',
@@ -233,6 +245,8 @@ if RELATE_SIGN_IN_BY_SAML2_ENABLED:
 # change)
 'attribute_map_dir': path.join(_BASEDIR, 'saml-config', 'attribute-maps'),
+ 'allow_unknown_attributes': True,
+
 # this block states what services we provide
 'service': {
 'sp': {
@@ -297,9 +311,15 @@ if RELATE_SIGN_IN_BY_SAML2_ENABLED:
 'debug': 1,
 # certificate and key
- # see saml2-keygen.sh in this directory
- 'key_file': path.join(_BASEDIR, 'saml-config', 'sp-key.pem'), # private
- 'cert_file': path.join(_BASEDIR, 'saml-config', 'sp-cert.pem'), # public
+ 'key_file': _SAML_KEY_FILE,
+ 'cert_file': _SAML_CERT_FILE,
+
+ 'encryption_keypairs': [
+ {
+ 'key_file': _SAML_KEY_FILE,
+ 'cert_file': _SAML_CERT_FILE,
+ }
+ ],
 # own metadata settings
 'contact_person': [
diff --git a/relate/settings.py b/relate/settings.py
index 33111ee8..2f68aff7 100644
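Review bot: `'eduPersonPrincipalName': ('username',)` is the entry that now identifies the account, because relate/settings.py in this same patch makes `username` the SAML_DJANGO_USER_MAIN_ATTRIBUTE, but nothing in the example says so, and a deployer whose IdP releases a different identifier (or none) will only find out when logins create duplicate accounts or miss existing ones. I'd put a comment above the mapping: `# eduPersonPrincipalName is the account key (SAML_DJANGO_USER_MAIN_ATTRIBUTE = 'username' in relate/settings.py); it must be released by the IdP and be stable per person. The other entries only fill in profile fields.` Since the generic uid/cn mapping is removed from settings.py, sites that copied an older local_settings.py.example end up with no mapping of their own and presumably fall back to djangosaml2's built-in default; that is worth calling out in the commit message.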
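Review bot: `'allow_unknown_attributes': True` widens what pysaml2 accepts from the IdP without saying why, so the next reader cannot tell whether it is load-bearing or left over from getting the login to work. The likely reason is that `iTrustUIN` is not in the stock attribute maps under `attribute_map_dir`; if so, say it: `# iTrustUIN is not in the stock attribute maps; accept unmapped attributes rather than rejecting the whole assertion`. As far as I can tell this only affects assertion parsing, since SAML_ATTRIBUTE_MAPPING remains an explicit allow-list of what reaches the user model, but please confirm that is the intent.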
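Review bot: The new `encryption_keypairs` entry reuses `_SAML_KEY_FILE` / `_SAML_CERT_FILE`, so the one private key now both signs requests and decrypts assertions; pysaml2 takes a separate list precisely so the decryption key can differ from the signing key, and rotating or revoking either role now forces the other. Unless saml2-keygen.sh (not in this patch) already produces a second pair, I'd generate one and point the entry at it, e.g. `'key_file': path.join(_BASEDIR, 'saml-config', 'sp-enc-key.pem')` with the matching cert. Since the example now references sp-key.pem from two places, the moved `# see saml2-keygen.sh` comment is a good spot to add `# sp-key.pem is the SP's private key: mode 0600, owned by the app user, never committed`. The `'debug': 1` on the context line is pre-existing, but it will be copied into production as-is; consider a comment or a `0` in the example.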
--- a/relate/settings.py
+++ b/relate/settings.py
@@ -85,7 +85,7 @@ AUTHENTICATION_BACKENDS = (
 if local_settings["RELATE_SIGN_IN_BY_SAML2_ENABLED"]:
 AUTHENTICATION_BACKENDS = AUTHENTICATION_BACKENDS + (
- 'djangosaml2.backends.Saml2Backend',
+ 'relate.utils.Saml2Backend',
 )
 AUTH_USER_MODEL = 'accounts.User'
@@ -267,17 +267,10 @@ LOCALE_PATHS = (
 # This makes SAML2 logins compatible with (and usable at the same time as)
 # email-based logins.
-SAML_DJANGO_USER_MAIN_ATTRIBUTE = 'email'
+SAML_DJANGO_USER_MAIN_ATTRIBUTE = 'username'
 SAML_CREATE_UNKNOWN_USER = True
-SAML_ATTRIBUTE_MAPPING = {
- 'uid': ('username', ),
- 'mail': ('email', ),
- 'cn': ('first_name', ),
- 'sn': ('last_name', ),
-}
-
 # }}}
 # This makes sure the RELATE_BASE_URL is configured.
diff --git a/relate/templates/sign-in-choice.html b/relate/templates/sign-in-choice.html
index 9d9c3bda..b53cd480 100644
--- a/relate/templates/sign-in-choice.html
+++ b/relate/templates/sign-in-choice.html
@@ -12,7 +12,6 @@ href="{% url "djangosaml2.views.login" %}" role="button">
 {% trans "Sign in using your institution's login" %} »
- (not yet working, but getting there)
 {% endif %}
 {% if relate_sign_in_by_email_enabled %}
diff --git a/relate/utils.py b/relate/utils.py
index 28d10d11..0aa083a4 100644
--- a/relate/utils.py
+++ b/relate/utils.py
@@ -27,6 +27,7 @@ THE SOFTWARE.
 import six
 import django.forms as forms
+from djangosaml2.backends import Saml2Backend as Saml2BackendBase
 class StyledForm(forms.Form):
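Review bot: Keying accounts on `username` (with SAML_CREATE_UNKNOWN_USER = True kept) means a SAML login attaches to whichever local account already has username equal to the asserted eduPersonPrincipalName; if the email-based sign-in lets people pick their own username, someone could register a victim's EPPN in advance and the victim's first IdP login would land in that pre-registered account, whose password the registrant still holds. The registration path is not in this patch, so please confirm usernames are either assigned by the site or validated against that collision. The comment left above the line, `# This makes SAML2 logins compatible with (and usable at the same time as) email-based logins.`, was written when the key was `'email'` and now misdescribes the setting; I'd replace it with `# Accounts are keyed by username, which SAML fills from eduPersonPrincipalName (see SAML_ATTRIBUTE_MAPPING in local_settings); email remains a profile field so the two sign-in paths can coexist.`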
@@ -274,4 +275,28 @@ def to_js_lang_name(dj_lang_name):
 # }}}
+
+# {{{ SAML auth backend
+
+# This ticks the 'verified' boxes once we've receive attribute assertions
+# through SAML2.
+
+class Saml2Backend(Saml2BackendBase):
+ def _set_attribute(self, obj, attr, value):
+ mod = super(Saml2Backend, self)._set_attribute(obj, attr, value)
+
+ if attr == "institutional_id":
+ if not obj.institutional_id_verified:
+ obj.institutional_id_verified = True
+ mod = True
+
+ if attr in ["first_name", "last_name"]:
+ if not obj.name_verified:
+ obj.name_verified = True
+ mod = True
+
+ return mod
+
+# }}}
+
 # vim: foldmethod=marker
diff --git a/requirements.txt b/requirements.txt
index 3d6c33b6..2e5e0012 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -69,7 +69,7 @@ ipaddress
 # For interoperation with SAML2/Shibboleth
 pysaml2
-djangosaml2
+hg+https://inducer@bitbucket.org/inducer/djangosaml2
 # A task queue, used to execute long-running tasks
 celery
-- GitLab
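Review bot: `_set_attribute` sets `institutional_id_verified` and `name_verified` whenever the attribute is present in the assertion, without looking at `value`, so an IdP that releases an empty `iTrustUIN` or `givenName` would stamp an empty field as verified; gating the branches on the value, `if attr == "institutional_id" and value:` and likewise for the name branch, keeps the flag tied to an actually asserted value (confirm whether the fork can pass an empty value here). The class has no docstring and the header comment has a typo ("we've receive"); a docstring stating that this backend flips the `*_verified` flags on the user when the matching attribute is populated from a SAML assertion, and returns True when the user was modified like the base method does, would replace the comment. `_set_attribute` is an underscore-private hook of djangosaml2's backend, which is presumably why requirements.txt now pins a fork; a note here naming the library version that hook comes from would help whoever upgrades it.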
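Review bot: The djangosaml2 line now points at an unpinned VCS URL, `hg+https://inducer@bitbucket.org/inducer/djangosaml2`, so every install fetches whatever the fork's tip is at that moment: no changeset, tag or hash, so builds are not reproducible and anyone who can push to that Bitbucket repository can ship code into the authentication backend of every deployment. Pin it, e.g. `hg+https://bitbucket.org/inducer/djangosaml2@<changeset>#egg=djangosaml2`, and note which upstream version the fork tracks. The `inducer@` in the URL also bakes a personal username into a shared requirements file; other deployers will presumably hit a credential prompt or an auth failure, so use the anonymous URL. (`pysaml2` on the context line is unpinned too, but that predates this change.)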