Add a custom saml_config_loader

* Makes the assumption that we only have one set of keys, and only one IDP * If any of the SAML2 variables use relatives paths, these will be replaced with absolute paths under the current requests's hostname, port, and scheme
2018-07-13 14:15:49 +10:00 · 2018-07-13 14:15:49 +10:00 · d690bfb88b
commit d690bfb88b
parent e0e8bdc9a8
2 changed files with 65 additions and 0 deletions
--- a/pinaxcon/saml2/saml_config_loader.py
+++ b/pinaxcon/saml2/saml_config_loader.py
@ -0,0 +1,62 @@
+import copy
+from urllib.parse import urlparse
+
+from django.conf import settings
+from saml2.config import SPConfig
+from saml2 import BINDING_HTTP_POST, BINDING_HTTP_REDIRECT
+
+def is_relative(url):
+    absolute = bool(urlparse(url).netloc)
+    return not absolute
+
+def absolutize(path, default_base):
+    if is_absolute(path):
+        return path
+    else:
+        return default_base + path
+
+SAML_CONFIG = settings.SAML_CONFIG
+
+_idp_configs = {}
+_relative_paths = []
+
+def relative_config_loader(request=None):
+    host = request.get_host()
+    if host in _idp_configs:
+        return _idp_configs[host]
+
+    base = request.scheme + "://" + request.get_host()
+
+    config = copy.deepcopy(settings.SAML_CONFIG)
+    endpoints = config['service']['sp']['endpoints']
+
+    if not _relative_paths:
+        if is_relative(config['entityid']):
+            _relative_paths.append('entityid')
+        if is_relative(endpoints['assertion_consumer_service'][0]):
+            _relative_paths.append('assertion_consumer_service')
+        if is_relative(endpoints['single_logout_service'][0][0]):
+            _relative_paths.append('single_logout_service')
+
+    if 'single_logout_service' in _relative_paths:
+        absolute_rdir = base + endpoints['single_logout_service'][0][0]
+        absolute_post = base + endpoints['single_logout_service'][1][0]
+        sls_endpoint = [
+            (absolute_rdir, BINDING_HTTP_REDIRECT),
+            (absolute_post, BINDING_HTTP_POST)
+        ]
+        config['service']['sp']['endpoints']['single_logout_service'] = sls_endpoint
+    if 'assertion_consumer_service' in _relative_paths:
+        acs = base + endpoints['assertion_consumer_service'][0]
+        config['service']['sp']['endpoints']['assertion_consumer_service'][0] = acs
+        
+    if 'entityid' in _relative_paths:
+        config['entityid'] = base + config['entityid']
+
+    conf = SPConfig()
+    conf.load(config)
+    
+    _idp_configs[host] = conf
+
+    return conf
+    
--- a/pinaxcon/settings.py
+++ b/pinaxcon/settings.py
@ -419,6 +419,9 @@ SAML_CONFIG = {
    'valid_for': 10,
 }

+if 'SAML_CONFIG_LOADER' in os.environ:
+    SAML_CONFIG_LOADER = os.environ.get('SAML_CONFIG_LOADER')
+
 DEFAULT_FILE_STORAGE = 'gapc_storage.storage.GoogleCloudStorage'
 GAPC_STORAGE = {
    'num_retries': 2,