- chore: upgrade to pysaml 7.1.0

- feat: conf.py takes sp_kwargs to extend the customization of unit tests
- chore: RequestedAuthnContext updated to pysaml2 7.1 (IdentityPython/pysaml2#807)

Author: peppelinux

djangosaml2/tests/__init__.py

@@ -270,6 +270,41 @@ def test_unknown_idp(self):
         response = self.client.get(reverse('saml2_login')+'?idp=https://unknown.org')
         self.assertEqual(response.status_code, 403)
 
+
+    def test_login_authn_context(self):
+        sp_kwargs = {"requested_authn_context": {
+                "authn_context_class_ref": [
+                    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
+                    "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient",
+                ],
+                "comparison": "minimum",
+            }
+        }
+
+        # monkey patch SAML configuration
+        settings.SAML_CONFIG = conf.create_conf(
+            sp_host='sp.example.com',
+            idp_hosts=['idp.example.com'],
+            metadata_file='remote_metadata_one_idp.xml',
+            sp_kwargs=sp_kwargs
+        )
+
+        response = self.client.get(reverse('saml2_login'))
+        self.assertEqual(response.status_code, 302)
+        location = response['Location']
+
+        url = urlparse(location)
+        self.assertEqual(url.hostname, 'idp.example.com')
+        self.assertEqual(url.path, '/simplesaml/saml2/idp/SSOService.php')
+
+        params = parse_qs(url.query)
+        self.assertIn('SAMLRequest', params)
+
+        saml_request = params['SAMLRequest'][0]
+        self.assertIn('urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport', decode_base64_and_inflate(
+            saml_request).decode('utf-8'))
+
+
     def test_login_one_idp(self):
         # monkey patch SAML configuration
         settings.SAML_CONFIG = conf.create_conf(
@@ -294,6 +329,7 @@ def test_login_one_idp(self):
         self.assertIn('AuthnRequest xmlns', decode_base64_and_inflate(
             saml_request).decode('utf-8'))
 
+
         # if we set a next arg in the login view, it is preserverd
         # in the RelayState argument
         nexturl = '/another-view/'

djangosaml2/tests/conf.py

@@ -19,7 +19,8 @@
 
 
 def create_conf(sp_host='sp.example.com', idp_hosts=['idp.example.com'],
-                metadata_file='remote_metadata.xml', authn_requests_signed=None):
+                metadata_file='remote_metadata.xml', authn_requests_signed=None,
+                sp_kwargs:dict={}):
 
     try:
         from saml2.sigver import get_xmlsec_binary
@@ -89,6 +90,7 @@ def create_conf(sp_host='sp.example.com', idp_hosts=['idp.example.com'],
         },
         'valid_for': 24,
     }
+    config['service']['sp'].update(**sp_kwargs)
 
     if authn_requests_signed is not None:
         config['service']['sp']['authn_requests_signed'] = authn_requests_signed

djangosaml2/views.py

@@ -157,27 +157,6 @@ def load_sso_kwargs_scoping(self, sso_kwargs):
             )
             sso_kwargs['scoping'] = idp_scoping
 
-    def load_sso_kwargs_authn_context(self, sso_kwargs):
-        # this would work when https://github.com/IdentityPython/pysaml2/pull/807
-        ac = getattr(self.conf, '_sp_requested_authn_context', {})
-
-        # this works even without https://github.com/IdentityPython/pysaml2/pull/807
-        # hopefully to be removed soon !
-        if not ac:
-            scs = getattr(
-                settings, 'SAML_CONFIG', {}
-            ).get('service', {}).get('sp', {})
-            ac = scs.get('requested_authn_context', {})
-        # end transitional things to be removed soon !
-
-        if ac:
-            sso_kwargs["requested_authn_context"] = RequestedAuthnContext(
-                    authn_context_class_ref=[
-                        AuthnContextClassRef(ref) for ref in ac['authn_context_class_ref']
-                    ],
-                    comparison=ac.get('comparison', "minimum"),
-                )
-
     def load_sso_kwargs(self, sso_kwargs):
         """ Inherit me if you want to put your desidered things in sso_kwargs """
 
@@ -313,8 +292,6 @@ def get(self, request, *args, **kwargs):
         # Enrich sso_kwargs ...
         # idp scoping
         self.load_sso_kwargs_scoping(sso_kwargs)
-        # authn context
-        self.load_sso_kwargs_authn_context(sso_kwargs)
         # other customization to be inherited
         self.load_sso_kwargs(sso_kwargs)
 

docs/source/contents/setup.rst

@@ -218,9 +218,12 @@ Authn Context
 
 We can define the authentication context in settings.SAML_CONFIG['service']['sp'] as follows::
 
-    'requested_authn_context': {
-        'authn_context_class_ref': [saml2.saml.AUTHN_PASSWORD_PROTECTED],
-        'comparison': "exact"
+    "requested_authn_context": {
+        "authn_context_class_ref": [
+            "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
+            "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient",
+        ],
+        "comparison": "minimum",
     }
 
 

setup.py

@@ -24,7 +24,7 @@ def read(*rnames):
 
 setup(
     name='djangosaml2',
-    version='1.3.4',
+    version='1.3.5',
     description='pysaml2 integration for Django',
     long_description=read('README.md'),
     long_description_content_type='text/markdown',
@@ -52,8 +52,8 @@ def read(*rnames):
     keywords="django,pysaml2,sso,saml2,federated authentication,authentication",
     author="Yaco Sistemas and independent contributors",
     author_email="[email protected]",
-    maintainer="Jozef Knaperek",
-    url="https://github.com/knaperek/djangosaml2",
+    maintainer="Giuseppe De Marco",
+    url="https://github.com/IdentityPython/djangosaml2",
     download_url="https://pypi.org/project/djangosaml2/",
     license='Apache 2.0',
     packages=find_packages(exclude=["tests", "tests.*"]),