msidp : Update Docs, user settings and warn msgs (#2289)

Open-MSS · Mar 27, 2024 · 2fc32cb · 2fc32cb
1 parent 70ce65f
commit 2fc32cb
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 98 deletions.
diff --git a/docs/conf_sso_test_msscolab.rst b/docs/conf_sso_test_msscolab.rst
@@ -7,6 +7,11 @@ Testing IDP (`mslib/msidp`) is specifically designed for testing the Single Sign
 
 Here is documentation that explains the configuration of the MSS Colab Server with the testing IdP.
 
+.. warning::
+   When running publicly rather than in development, you should not use the built-in development server ( msidp / idp.py ).
+
+   The development server is provided by MSS for convenience, but is not designed to be particularly efficient, stable, or secure.
+
 Getting started
 ---------------
 
@@ -117,4 +122,4 @@ When migrations finished, you can start mscolab server  using the following comm
     $ msui
 
 * Login with identity provider through Qt Client application.
-* To log in to the mscolab server through the identity provider, you can use the credentials specified in the ``PASSWD`` section of the ``MSS/mslib/msidp/idp.py`` file. Look for the relevant section in the file to find the necessary login credentials.
+* To log in to the mscolab server through the identity provider, you can use the credentials specified in the ``USERS`` and ``PASSWD`` section of the ``MSS/mslib/msidp/idp_user.py`` file. Look for the relevant section in the file to find the necessary login credentials.
diff --git a/docs/sso_via_saml_mscolab.rst b/docs/sso_via_saml_mscolab.rst
@@ -38,7 +38,7 @@ In this documentation, you will go through the following topics.
 ***************
 This documentation will explain how to configure MSColab with an existing IdP or multiple IdPs, along with examples of implementation.
 
-If you are not aware of how the SAML process works in the MSColab server, it is highly recommended to set up msidp and test it with MSColab as an initial step before configuring existing 3rd party IdPs.
+If you are not aware of how the SAML process works in the MSColab server, it is highly recommended to set up msidp and test it with MSColab as an initial step before configuring existing 3rd party IdPs (msidp is solely for development and testing purposes, do not use in production environments).
 
 .. note::
     You can find instructions to set up msidp by `conf_sso_test_msscolab.rst`.

diff --git a/mslib/msidp/idp.py b/mslib/msidp/idp.py
@@ -39,6 +39,7 @@
 import re
 import time
 import sys
+import warnings
 
 from mslib import msidp
 from http.cookies import SimpleCookie
@@ -80,7 +81,7 @@
 from werkzeug.serving import run_simple as WSGIServer
 
 from mslib.msidp.idp_user import EXTRA
-from mslib.msidp.idp_user import USERS
+from mslib.msidp.idp_user import USERS, PASSWD
 from mako.lookup import TemplateLookup
 from mslib.mscolab.conf import mscolab_settings
 
@@ -555,17 +556,6 @@ def do_authentication(environ, start_response, authn_context, key, redirect_uri,
 
 # -----------------------------------------------------------------------------
 
-
-PASSWD = {
-    "testuser": "qwerty",
-    "roland": "dianakra",
-    "babs": "howes",
-    "upper": "crust",
-    "testuser2": "abcd1234",
-    "testuser3": "ABCD1234",
-}
-
-
 def username_password_authn(environ, start_response, reference, key, redirect_uri, headers=None):
     """
     Display the login form
@@ -786,7 +776,6 @@ def do(self, request, binding, relay_state="", encrypt_cert=None):
         msg = IdpServerSettings_.IDP.create_artifact_response(_req, _req.artifact.text)
 
         hinfo = IdpServerSettings_.IDP.apply_binding(BINDING_SOAP, f"{msg}", "", "", response=True)
-
         resp = Response(hinfo["data"], headers=hinfo["headers"])
         return resp(self.environ, self.start_response)
 
@@ -1099,6 +1088,10 @@ def __init__(self):
 
 
 def main():
+    warnings.warn(
+        '\033[91mWARNING: msidp is solely for development and '
+        'testing purposes; do not use in production environments.\033[0m'
+    )
     parser = argparse.ArgumentParser()
     parser.add_argument("-p", dest="path", help="Path to configuration file.",
                         default="./idp_conf.py")

diff --git a/mslib/msidp/idp_user.py b/mslib/msidp/idp_user.py
@@ -48,88 +48,17 @@
         "norEduPersonNIN": "SE199012315555",
         "postaladdress": "postaladdress",
         "cn": "cn",
-    },
-    "testuser2": {
-        "sn": "Testsson2",
-        "givenName": "Test2",
-        "eduPersonAffiliation": "student",
-        "eduPersonScopedAffiliation": "[email protected]",
-        "eduPersonPrincipalName": "[email protected]",
-        "uid": "testuser2",
-        "eduPersonTargetedID": ["one!for!all"],
-        "c": "SE",
-        "o": "Example Co.",
-        "ou": "IT",
-        "initials": "P",
-        "co": "co",
-        "mail": "mail",
-        "noreduorgacronym": "noreduorgacronym",
-        "schacHomeOrganization": "example.com",
-        "email": "[email protected]",
-        "displayName": "Test Testsson",
-        "labeledURL": "http://www.example.com/test My homepage",
-        "norEduPersonNIN": "SE199012315555",
-        "postaladdress": "postaladdress",
-        "cn": "cn",
-    },
-    "testuser3": {
-        "sn": "Testsson3",
-        "givenName": "Test3",
-        "eduPersonAffiliation": "student",
-        "eduPersonScopedAffiliation": "[email protected]",
-        "eduPersonPrincipalName": "[email protected]",
-        "uid": "testuser3",
-        "eduPersonTargetedID": ["one!for!all"],
-        "c": "SE",
-        "o": "Example Co.",
-        "ou": "IT",
-        "initials": "P",
-        "co": "co",
-        "mail": "mail",
-        "noreduorgacronym": "noreduorgacronym",
-        "schacHomeOrganization": "example.com",
-        "email": "[email protected]",
-        "displayName": "Test Testsson",
-        "labeledURL": "http://www.example.com/test My homepage",
-        "norEduPersonNIN": "SE199012315555",
-        "postaladdress": "postaladdress",
-        "cn": "cn",
-    },
-    "roland": {
-        "sn": "Hedberg",
-        "givenName": "Roland",
-        "email": "[email protected]",
-        "eduPersonScopedAffiliation": "[email protected]",
-        "eduPersonPrincipalName": "[email protected]",
-        "uid": "rohe",
-        "eduPersonTargetedID": ["one!for!all"],
-        "c": "SE",
-        "o": "Example Co.",
-        "ou": "IT",
-        "initials": "P",
-        "mail": "[email protected]",
-        "displayName": "P. Roland Hedberg",
-        "labeledURL": "http://www.example.com/rohe My homepage",
-        "norEduPersonNIN": "SE197001012222",
-    },
-    "babs": {
-        "surname": "Babs",
-        "givenName": "Ozzie",
-        "email": "[email protected]",
-        "eduPersonAffiliation": "affiliate"
-    },
-    "upper": {
-        "surname": "Jeter",
-        "givenName": "Derek",
-        "email": "[email protected]",
-        "eduPersonAffiliation": "affiliate"
-    },
+    }
 }
 
 EXTRA = {
     "roland": {
         "eduPersonEntitlement": "urn:mace:swamid.se:foo:bar",
         "schacGender": "male",
-        "schacUserPresenceID": "skype:pepe.perez",
+        "schacUserPresenceID": "sky:pepe.perez",
     }
 }
+
+PASSWD = {
+    "testuser": "qwerty",
+}
diff --git a/mslib/msidp/idp_uwsgi.py b/mslib/msidp/idp_uwsgi.py
@@ -70,8 +70,7 @@
 from saml2.s_utils import PolicyError, UnknownPrincipal, exception_trace, UnsupportedBinding, rndstr
 from saml2.sigver import encrypt_cert_from_item, verify_redirect_signature
 
-from mslib.msidp.idp_user import EXTRA
-from mslib.msidp.idp_user import USERS
+from mslib.msidp.idp_user import EXTRA, USERS, PASSWD
 from mako.lookup import TemplateLookup
 
 
@@ -538,10 +537,6 @@ def do_authentication(environ, start_response, authn_context, key, redirect_uri)
 
 # -----------------------------------------------------------------------------
 
-PASSWD = {"daev0001": "qwerty", "haho0032": "qwerty",
-          "roland": "dianakra", "babs": "howes", "upper": "crust"}
-
-
 def username_password_authn(environ, start_response, reference, key, redirect_uri):
     """
     Display the login form