diff --git a/docs/conf_sso_test_msscolab.rst b/docs/conf_sso_test_msscolab.rst index e688b2597..1e51cf043 100644 --- a/docs/conf_sso_test_msscolab.rst +++ b/docs/conf_sso_test_msscolab.rst @@ -7,6 +7,11 @@ Testing IDP (`mslib/msidp`) is specifically designed for testing the Single Sign Here is documentation that explains the configuration of the MSS Colab Server with the testing IdP. +.. warning:: + When running publicly rather than in development, you should not use the built-in development server ( msidp / idp.py ). + + The development server is provided by MSS for convenience, but is not designed to be particularly efficient, stable, or secure. + Getting started --------------- @@ -117,4 +122,4 @@ When migrations finished, you can start mscolab server using the following comm $ msui * Login with identity provider through Qt Client application. -* To log in to the mscolab server through the identity provider, you can use the credentials specified in the ``PASSWD`` section of the ``MSS/mslib/msidp/idp.py`` file. Look for the relevant section in the file to find the necessary login credentials. +* To log in to the mscolab server through the identity provider, you can use the credentials specified in the ``USERS`` and ``PASSWD`` section of the ``MSS/mslib/msidp/idp_user.py`` file. Look for the relevant section in the file to find the necessary login credentials. diff --git a/docs/sso_via_saml_mscolab.rst b/docs/sso_via_saml_mscolab.rst index 69277ff14..4290b172c 100644 --- a/docs/sso_via_saml_mscolab.rst +++ b/docs/sso_via_saml_mscolab.rst 
@@ -38,7 +38,7 @@ In this documentation, you will go through the following topics. *************** This documentation will explain how to configure MSColab with an existing IdP or multiple IdPs, along with examples of implementation. -If you are not aware of how the SAML process works in the MSColab server, it is highly recommended to set up msidp and test it with MSColab as an initial step before configuring existing 3rd party IdPs. +If you are not aware of how the SAML process works in the MSColab server, it is highly recommended to set up msidp and test it with MSColab as an initial step before configuring existing 3rd party IdPs (msidp is solely for development and testing purposes, do not use in production environments). .. note:: You can find instructions to set up msidp by `conf_sso_test_msscolab.rst`. diff --git a/mslib/msidp/idp.py b/mslib/msidp/idp.py index 55d04c051..6ffa3316e 100644 --- a/mslib/msidp/idp.py +++ b/mslib/msidp/idp.py @@ -39,6 +39,7 @@ import re import time import sys +import warnings from mslib import msidp from http.cookies import SimpleCookie @@ -80,7 +81,7 @@ from werkzeug.serving import run_simple as WSGIServer from mslib.msidp.idp_user import EXTRA -from mslib.msidp.idp_user import USERS +from mslib.msidp.idp_user import USERS, PASSWD from mako.lookup import TemplateLookup from mslib.mscolab.conf import mscolab_settings @@ -555,17 +556,6 @@ def do_authentication(environ, start_response, authn_context, key, redirect_uri, # ----------------------------------------------------------------------------- - -PASSWD = { - "testuser": "qwerty", - "roland": "dianakra", - "babs": "howes", - "upper": "crust", - "testuser2": "abcd1234", - "testuser3": "ABCD1234", -} - - def username_password_authn(environ, start_response, reference, key, redirect_uri, headers=None): """ Display the login form 
@@ -786,7 +776,6 @@ def do(self, request, binding, relay_state="", encrypt_cert=None): msg = IdpServerSettings_.IDP.create_artifact_response(_req, _req.artifact.text) hinfo = IdpServerSettings_.IDP.apply_binding(BINDING_SOAP, f"{msg}", "", "", response=True) - resp = Response(hinfo["data"], headers=hinfo["headers"]) return resp(self.environ, self.start_response) @@ -1099,6 +1088,10 @@ def __init__(self): def main(): + warnings.warn( + '\033[91mWARNING: msidp is solely for development and ' + 'testing purposes; do not use in production environments.\033[0m' + ) parser = argparse.ArgumentParser() parser.add_argument("-p", dest="path", help="Path to configuration file.", default="./idp_conf.py") diff --git a/mslib/msidp/idp_user.py b/mslib/msidp/idp_user.py index 6d43edd1e..b6d983ba2 100644 --- a/mslib/msidp/idp_user.py +++ b/mslib/msidp/idp_user.py 
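Review bot: The development-only notice added at the top of `main()` goes through `warnings.warn`, so it is governed by the warnings filter: `python -W ignore`, `PYTHONWARNINGS`, or any earlier `warnings.simplefilter("ignore")` in the process silences it completely, and the default filter prints it once with a `UserWarning:` label in front of the message's own `WARNING:` text. Since the purpose is that whoever starts the server sees it, write it to stderr unconditionally instead, e.g. `print("WARNING: msidp is solely for development and testing purposes; do not use in production environments.", file=sys.stderr)` (`sys` is already imported in this file), or send it through the module's logger if one exists. The embedded ANSI colour escapes will also be written verbatim into non-terminal output such as a service log or a pipe, so gate them on `sys.stderr.isatty()` if they are kept. `main()` continues past the end of this hunk, and as far as the visible hunks show, the `idp_uwsgi.py` entry point receives no equivalent notice.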
@@ -48,88 +48,17 @@ "norEduPersonNIN": "SE199012315555", "postaladdress": "postaladdress", "cn": "cn", - }, - "testuser2": { - "sn": "Testsson2", - "givenName": "Test2", - "eduPersonAffiliation": "student", - "eduPersonScopedAffiliation": "student2@example.com", - "eduPersonPrincipalName": "test2@example.com", - "uid": "testuser2", - "eduPersonTargetedID": ["one!for!all"], - "c": "SE", - "o": "Example Co.", - "ou": "IT", - "initials": "P", - "co": "co", - "mail": "mail", - "noreduorgacronym": "noreduorgacronym", - "schacHomeOrganization": "example.com", - "email": "test2@example.com", - "displayName": "Test Testsson", - "labeledURL": "http://www.example.com/test My homepage", - "norEduPersonNIN": "SE199012315555", - "postaladdress": "postaladdress", - "cn": "cn", - }, - "testuser3": { - "sn": "Testsson3", - "givenName": "Test3", - "eduPersonAffiliation": "student", - "eduPersonScopedAffiliation": "student3@example.com", - "eduPersonPrincipalName": "test3@example.com", - "uid": "testuser3", - "eduPersonTargetedID": ["one!for!all"], - "c": "SE", - "o": "Example Co.", - "ou": "IT", - "initials": "P", - "co": "co", - "mail": "mail", - "noreduorgacronym": "noreduorgacronym", - "schacHomeOrganization": "example.com", - "email": "test3@example.com", - "displayName": "Test Testsson", - "labeledURL": "http://www.example.com/test My homepage", - "norEduPersonNIN": "SE199012315555", - "postaladdress": "postaladdress", - "cn": "cn", - }, - "roland": { - "sn": "Hedberg", - "givenName": "Roland", - "email": "roland@example.com", - "eduPersonScopedAffiliation": "staff@example.com", - "eduPersonPrincipalName": "rohe@example.com", - "uid": "rohe", - "eduPersonTargetedID": ["one!for!all"], - "c": "SE", - "o": "Example Co.", - "ou": "IT", - "initials": "P", - "mail": "roland@example.com", - "displayName": "P. 
Roland Hedberg", - "labeledURL": "http://www.example.com/rohe My homepage", - "norEduPersonNIN": "SE197001012222", - }, - "babs": { - "surname": "Babs", - "givenName": "Ozzie", - "email": "babs@example.com", - "eduPersonAffiliation": "affiliate" - }, - "upper": { - "surname": "Jeter", - "givenName": "Derek", - "email": "upper@example.com", - "eduPersonAffiliation": "affiliate" - }, + } } EXTRA = { "roland": { "eduPersonEntitlement": "urn:mace:swamid.se:foo:bar", "schacGender": "male", - "schacUserPresenceID": "skype:pepe.perez", + "schacUserPresenceID": "sky:pepe.perez", } } + +PASSWD = { + "testuser": "qwerty", +} diff --git a/mslib/msidp/idp_uwsgi.py b/mslib/msidp/idp_uwsgi.py index 8e1bb3b43..7d86b6bbf 100644 --- a/mslib/msidp/idp_uwsgi.py +++ b/mslib/msidp/idp_uwsgi.py @@ -70,8 +70,7 @@ from saml2.s_utils import PolicyError, UnknownPrincipal, exception_trace, UnsupportedBinding, rndstr from saml2.sigver import encrypt_cert_from_item, verify_redirect_signature -from mslib.msidp.idp_user import EXTRA -from mslib.msidp.idp_user import USERS +from mslib.msidp.idp_user import EXTRA, USERS, PASSWD from mako.lookup import TemplateLookup @@ -538,10 +537,6 @@ def do_authentication(environ, start_response, authn_context, key, redirect_uri) # ----------------------------------------------------------------------------- -PASSWD = {"daev0001": "qwerty", "haho0032": "qwerty", - "roland": "dianakra", "babs": "howes", "upper": "crust"} - - def username_password_authn(environ, start_response, reference, key, redirect_uri): """ Display the login form
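Review bot: `EXTRA` still carries a `"roland"` entry, but this hunk deletes `"roland"` from `USERS`, so the extra attributes now describe a principal that no longer exists; either drop the `"roland"` key from `EXTRA` or re-key it to `"testuser"`, the only account left. The same hunk rewrites `schacUserPresenceID` from `"skype:pepe.perez"` to `"sky:pepe.perez"`, which looks like an accidental edit rather than part of the credential consolidation — if it is intentional it deserves a mention in the commit message, otherwise it should be reverted. The new `PASSWD` dict is now the single place both `idp.py` and `idp_uwsgi.py` read plaintext test credentials from; a comment above it such as `# Plaintext credentials for the development/test IdP only; never deploy this module with real accounts.` would make that explicit at the point of definition, and the dict should stay limited to the fixture accounts defined in `USERS`.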