From c2a6f7045b0a6a0d77a17f81999b538f8bc883d5 Mon Sep 17 00:00:00 2001 From: Art Lukyanchyk <artiom.lukyanchyk@hs-hannover.de> Date: Tue, 16 Jan 2018 16:56:03 +0100 Subject: [PATCH] Bugfixes, improvements, better README - all the stuff I forgot earlier --- README.md | 18 +++++++----------- ssoauth/management/commands/group_mapping.py | 4 ++-- ssoauth/views.py | 8 +++++++- 3 files changed, 16 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 9b4a2aa..50efd44 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,6 @@ - Python dependencies: see `requirements.txt` or `setup.py` - Add the app into `INSTALLED_APPS` - Include the app's `urls.py` into the project `urls.py` `urlpatterns`, preferably without a prefix -- If you want to use `ssoauth` to log into `django.contrib.admin` or some other app with its own login page, in `urls.py` add into the top of `urlpatterns`: `re_path("^(admin/)?login/?$", AuthenticateRedirectView.as_view())` #### Development Setup 
@@ -46,16 +45,13 @@ SP_FORCE_ENTITY_ID = "dev-id-{0}-{1}".format(socket.gethostname(), os.path.dirna LOGIN_URL = urls.reverse_lazy("sso-dev") # it's "sso-login" for prod ``` -#### Overriding Log In in Other Apps -There are some apps like `django.contrib.admin` or `wagtail` that will simply ignore `LOGIN_URL` and use their own log in page. If this behavior is undesirable and you would prefer using `ssoauth` instead: - - find out the login page of that app (let's assume it's `admin/login`) - - in `urls.py`, before including URLs for that app, include this view: - ```python3 - path("admin/login", ssoauth.views.LogInView(already_authenticated_403=True)), - ``` - Optional argument `already_authenticated_403=True` is used to avoid redirect loops caused by `django.contrib.admin`. - Instead of it you can also use `already_authenticated_redirect="url-name"`. - +#### Overriding Log In Pages of Other Apps +There are some apps like `django.contrib.admin` or `wagtail` that will simply ignore `LOGIN_URL` and use their own log in page. If this behavior is undesirable and you would prefer using `ssoauth` instead, add the following into your `urls.py` (_before_ including URLs of that other app): +```python3 +re_path(r"^(?:\w+/)?login/?$", ssoauth_views.LogInView.as_view(already_authenticated_403=True)), +``` + - Adjust the path if required + - Optional argument `already_authenticated_403=True` is used to avoid redirect loops (e.g. caused by `django.contrib.admin`). You can also use `already_authenticated_redirect="url-name"`. #### Regarding Logging Out diff --git a/ssoauth/management/commands/group_mapping.py b/ssoauth/management/commands/group_mapping.py index 42375fa..9a85dde 100644 --- a/ssoauth/management/commands/group_mapping.py +++ b/ssoauth/management/commands/group_mapping.py 
@@ -54,7 +54,7 @@ class Command(BaseCommand): groups = Group.objects.all() mapped = groups.filter(sso_mapping__isnull=False) unmapped = groups.filter(sso_mapping__isnull=True) - logger.info("There {g} groups, {m} mapped and {u} unmapped:".format(g=len(groups), m=len(mapped), u=len(unmapped))) + logger.info("There are {g} groups ({m} mapped, {u} unmapped):".format(g=len(groups), m=len(mapped), u=len(unmapped))) for group in groups.order_by("-sso_mapping", "name"): name = group.name try: @@ -95,7 +95,7 @@ class Command(BaseCommand): ## seems like the following code can create groups and permissions as we had it - ## in the old hshauth, based on the project settings + ## in the old There hshauth, based on the project settings # # @staticmethod # def ensure_group_exists(group_name, permission_names=list()): diff --git a/ssoauth/views.py b/ssoauth/views.py index 3aed913..48f22f5 100644 --- a/ssoauth/views.py +++ b/ssoauth/views.py @@ -75,7 +75,7 @@ class LogInView(SAMLMixin, View): def get(self, request, *args, **kwargs): if request.user.is_authenticated: if self.already_authenticated_403: - return exceptions.PermissionDenied() + raise exceptions.PermissionDenied() if self.already_authenticated_redirect: return http.HttpResponseRedirect(urls.reverse(self.already_authenticated_redirect)) if request.user.last_login > timezone.now() - timedelta(seconds=20): @@ -94,6 +94,7 @@ class LogInView(SAMLMixin, View): return str(next_url) +@method_decorator(never_cache, "dispatch") class LogOutView(RedirectView): """ Logs the user out locally. @@ -147,6 +148,9 @@ class ACSAuthNView(SAMLMixin, View): It's how OneLogin toolkit works, cannot easily detect/process other statements here, so I don't even try. """ + def get(self, *args, **kwargs): + raise http.Http404() + def post(self, request, *args, **kwargs): auth = self.get_onelogin_auth(request) auth.process_response() 
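Review bot: The replacement comment line `## in the old There hshauth, based on the project settings` in the second group_mapping.py hunk inserts a stray `There`, which looks like a slip from editing the log message in the hunk above; the line should stay `## in the old hshauth, based on the project settings`. The surrounding block is commented-out code, so nothing executes differently, but the edit makes the note unreadable and the hunk changes nothing else.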
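Review bot: The new `get` handler on ACSAuthNView raises `Http404` for a request that Django's base `View` would otherwise answer with 405 through `http_method_not_allowed`, and its signature drops the `request` parameter that the sibling `post` on the next line takes. If the intent is to not reveal the ACS endpoint to GET requests, say so in a one-line comment such as `# GET is deliberately a 404 rather than the default 405: do not advertise the ACS endpoint`; otherwise removing the method gives the standard 405. For consistency with `post`, `def get(self, request, *args, **kwargs):` would be the matching signature. The class body continues outside the hunk.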
@@ -248,6 +252,7 @@ class SLSView(SAMLMixin, View):
 return response
+@method_decorator(never_cache, "dispatch")
 class MetadataView(SAMLMixin, View):
 def get(self, request, *args, **kwargs):
@@ -260,6 +265,7 @@ class MetadataView(SAMLMixin, View):
 return http.HttpResponse(content_type="text/xml", content=meta)
+@method_decorator(never_cache, "dispatch")
 class DevView(FormView):
 class DevForm(forms.Form):
-- GitLab
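Review bot: `never_cache` on DevView stops the dev login form from being cached but does not restrict who can reach it; the class body lies outside the hunk, so whether the view is gated on `settings.DEBUG` (or only routed in development, as the README's `sso-dev` comment suggests) cannot be seen here and is worth confirming. If it is not, a `dispatch` override that raises `Http404` when `not settings.DEBUG` would keep the view out of production deployments, and a short class docstring stating that DevView is development-only would document that expectation next to the decorator.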