From 330917df4c72bf9b065c7fb859f887cd77dc6bd9 Mon Sep 17 00:00:00 2001
From: ibuler
Date: Mon, 13 Dec 2021 17:47:56 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=20saml2=20=E7=99=BB?= =?UTF-8?q?=E9=99=86=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 apps/authentication/backends/saml2/backends.py | 6 +++---
 apps/authentication/backends/saml2/views.py | 17 ++++++++++++++---
 apps/jumpserver/conf.py | 13 ++++++++++++-
 apps/orgs/caches.py | 2 +-
 4 files changed, 30 insertions(+), 8 deletions(-)
diff --git a/apps/authentication/backends/saml2/backends.py b/apps/authentication/backends/saml2/backends.py
index 0cacdf920..8b7cfe3d0 100644
--- a/apps/authentication/backends/saml2/backends.py
+++ b/apps/authentication/backends/saml2/backends.py
@@ -17,8 +17,7 @@ logger = get_logger(__file__)
 class SAML2Backend(ModelBackend):
- @staticmethod
- def user_can_authenticate(user):
+ def user_can_authenticate(self, user):
 is_valid = getattr(user, 'is_valid', None)
 return is_valid or is_valid is None
@@ -42,9 +41,10 @@ class SAML2Backend(ModelBackend):
 log_prompt = "Process authenticate [SAML2AuthCodeBackend]: {}"
 logger.debug(log_prompt.format('Start'))
 if saml_user_data is None:
- logger.debug(log_prompt.format('saml_user_data is missing'))
+ logger.error(log_prompt.format('saml_user_data is missing'))
 return None
+ logger.debug(log_prompt.format('saml data, {}'.format(saml_user_data)))
 username = saml_user_data.get('username')
 if not username:
 logger.debug(log_prompt.format('username is missing'))
diff --git a/apps/authentication/backends/saml2/views.py b/apps/authentication/backends/saml2/views.py
index 129257608..9841fcd1d 100644
--- a/apps/authentication/backends/saml2/views.py
+++ b/apps/authentication/backends/saml2/views.py
@@ -1,5 +1,4 @@
-import json
-import os
+import copy
 from django.views import View
 from django.contrib import auth as auth
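Review bot: `user_can_authenticate` still fails open when the user object has no `is_valid` attribute — `getattr(user, 'is_valid', None)` followed by `return is_valid or is_valid is None` yields True for the missing case, and the override no longer consults `ModelBackend.user_can_authenticate`, so the parent's `is_active` check is bypassed unless `is_valid` already folds it in (not visible here). Now that this is an instance method, the missing-attribute case can defer to the parent instead of allowing: `if is_valid is None: return super().user_can_authenticate(user)` followed by `return bool(is_valid)`. The `SAML2Backend` class continues outside the hunk.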
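Review bot: The new `logger.debug(log_prompt.format('saml data, {}'.format(saml_user_data)))` writes the whole IdP attribute dict into the log, and judging by the attribute names used in views.py (username, name, email, phone, comment) that is personal data; debug-level logs are routinely shipped to central collectors and retained. Log the keys rather than the values, `logger.debug(log_prompt.format('saml data keys, {}'.format(list(saml_user_data))))`, or log only the username once it has been read two lines further down. Raising the missing-data case from debug to `logger.error` is fine. The authenticate method starts and ends outside the hunk.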
@@ -96,10 +95,18 @@ class PrepareRequestMixin:
 def get_advanced_settings():
 try:
 other_settings = dict(settings.SAML2_SP_ADVANCED_SETTINGS)
+ other_settings = copy.deepcopy(other_settings)
 except Exception as error:
 logger.error('Get other settings error: %s', error)
 other_settings = {}
+ security_default = {
+ 'wantAttributeStatement': False,
+ 'allowRepeatAttributeName': True
+ }
+ security = other_settings.get('security', {})
+ security_default.update(security)
+
 default = {
 "organization": {
 "en": {
@@ -107,9 +114,10 @@ class PrepareRequestMixin:
 "displayname": "JumpServer",
 "url": "https://jumpserver.org/"
 }
- }
+ },
 }
 default.update(other_settings)
+ default['security'] = security_default
 return default
 def get_sp_settings(self):
@@ -156,9 +164,12 @@ class PrepareRequestMixin:
 user_attrs = {}
 real_key_index = len(settings.SITE_URL) + 1
 attrs = saml_instance.get_attributes()
+ valid_attrs = ['username', 'name', 'email', 'comment', 'phone']
 for attr, value in attrs.items():
 attr = attr[real_key_index:]
+ if attr not in valid_attrs:
+ continue
 user_attrs[attr] = self.value_to_str(value)
 return user_attrs
diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py
index da4c5646f..654164fe9 100644
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -234,7 +234,18 @@ class Config(dict):
 'SAML2_LOGOUT_COMPLETELY': True,
 'AUTH_SAML2_ALWAYS_UPDATE_USER': True,
 'SAML2_RENAME_ATTRIBUTES': {'uid': 'username', 'email': 'email'},
- 'SAML2_SP_ADVANCED_SETTINGS': {"organization": {"en": {"name": "JumpServer", "displayname": "JumpServer", "url": "https://jumpserver.org/"}}},
+ 'SAML2_SP_ADVANCED_SETTINGS': {
+ "organization": {
+ "en": {
+ "name": "JumpServer",
+ "displayname": "JumpServer",
+ "url": "https://jumpserver.org/"
+ }
+ },
+ "strict": True,
+ "security": {
+ }
+ },
 'SAML2_IDP_METADATA_URL': '',
 'SAML2_IDP_METADATA_XML': '',
 'SAML2_SP_KEY_CONTENT': '',
diff --git a/apps/orgs/caches.py b/apps/orgs/caches.py
index 3d4236b1c..ae1a610ce 100644
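Review bot: The `except Exception` fallback to `other_settings = {}` silently discards everything the operator configured in `SAML2_SP_ADVANCED_SETTINGS`, including the `"strict": True` that the conf.py default in this same commit now carries, so a malformed setting weakens SP validation with nothing more than one error log line to show for it. Since `default.update(other_settings)` lets configured values win anyway, the hardening knob should live in code too, `default = {"strict": True, "organization": {...}}`, so the error path keeps it — the security merge already follows that pattern with `security_default`. A comment on `security_default` recording why `wantAttributeStatement` is turned off and `allowRepeatAttributeName` turned on would also help, since by their names both relax what the SP accepts from the IdP. `get_advanced_settings` continues into the next hunk.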
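Review bot: `valid_attrs` is an allow-list deciding which IdP-supplied attributes are copied into `user_attrs` (where that dict ends up is outside the hunk), which is a security boundary and deserves a comment and a module-level constant rather than an inline list, e.g. `# Only these IdP attributes may be copied onto the user; anything else in the assertion is dropped.` with `SAML2_USER_ATTRS = ('username', 'name', 'email', 'comment', 'phone')`. Note also that `attr = attr[real_key_index:]` slices by `len(settings.SITE_URL) + 1` without checking that the attribute name actually starts with `settings.SITE_URL`; the allow-list now masks a wrong prefix, but a `startswith` guard before the slice would make the intent explicit. The enclosing method starts outside the hunk.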
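Review bot: The new `"security": {}` entry in the `SAML2_SP_ADVANCED_SETTINGS` default is merged over the code-side `security_default` in saml2/views.py, but nothing on this line tells an operator that this is where validation requirements for the IdP response are configured, so the empty dict reads as "nothing to set here". A comment on that line, `# merged over the SP security defaults in saml2/views.py; signing/encryption requirements for the IdP response go here`, would document the contract, and a matching note on `"strict": True` saying it is the SP-side validation switch would explain why it is part of the shipped default. The `Config` class continues outside the hunk.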
--- a/apps/orgs/caches.py
+++ b/apps/orgs/caches.py
@@ -72,7 +72,7 @@ class OrgResourceStatisticsCache(OrgRelatedCache):
 self.org = org
 def get_key_suffix(self):
- return f''
+ return f'org_{self.org.id}'
 def get_current_org(self):
 return self.org
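Review bot: `get_key_suffix` returning `f'org_{self.org.id}'` now raises `AttributeError` whenever `self.org` is None, whereas the old `f''` did not; whether a None org can reach this cache is not visible here, so it is worth confirming against the callers of `OrgResourceStatisticsCache`. The change itself is the right fix — with an empty suffix every org resolved to the same cache key, so one org's statistics could be served for another — and that reasoning should be recorded above the return, `# per-org suffix: an empty suffix made every org share one statistics cache key`. The class continues outside the hunk.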