PyPI - flask-appbuilder - Versions diffs - 5.0.2rc1__py3-none-any.whl → 5.1.0rc1__py3-none-any.whl - Mend

flask-appbuilder 5.0.2rc1py3-none-any.whl → 5.1.0rc1py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

flask_appbuilder/__init__.py CHANGED Viewed

@@ -1,5 +1,5 @@
 __author__ = "Daniel Vaz Gaspar"
-__version__ = "5.0.2rc1"
+__version__ = "5.1.0rc1"
 from .actions import action  # noqa: F401
 from .api import ModelRestApi  # noqa: F401

flask_appbuilder/const.py CHANGED Viewed

@@ -130,6 +130,7 @@ AUTH_DB = 1
 AUTH_LDAP = 2
 AUTH_REMOTE_USER = 3
 AUTH_OAUTH = 4
+AUTH_SAML = 5
 """ Constants for supported authentication types """
 # -----------------------------------

flask_appbuilder/security/manager.py CHANGED Viewed

@@ -4,9 +4,9 @@ import datetime
 import importlib
 import logging
 import re
-from typing import Any, Callable, Dict, List, Optional, Set, Tuple, Union
+from typing import Any, Callable, Dict, List, Optional, Set, Tuple, TYPE_CHECKING, Union
-from flask import current_app, Flask, g, session, url_for
+from flask import current_app, Flask, g, request, session, url_for
 from flask_appbuilder.exceptions import InvalidLoginAttempt, OAuthProviderUnknown
 from flask_babel import lazy_gettext as _
 from flask_jwt_extended import current_user as current_user_jwt
@@ -28,6 +28,7 @@ from .views import (
     AuthLDAPView,
     AuthOAuthView,
     AuthRemoteUserView,
+    AuthSAMLView,
     PermissionModelView,
     PermissionViewModelView,
     RegisterUserModelView,
@@ -40,6 +41,7 @@ from .views import (
     UserLDAPModelView,
     UserOAuthModelView,
     UserRemoteUserModelView,
+    UserSAMLModelView,
     UserStatsChartView,
     ViewMenuModelView,
 )
@@ -49,6 +51,7 @@ from ..const import (
     AUTH_LDAP,
     AUTH_OAUTH,
     AUTH_REMOTE_USER,
+    AUTH_SAML,
     LOGMSG_ERR_SEC_ADD_REGISTER_USER,
     LOGMSG_ERR_SEC_AUTH_LDAP,
     LOGMSG_ERR_SEC_AUTH_LDAP_TLS,
@@ -59,6 +62,9 @@ from ..const import (
     PERMISSION_PREFIX,
 )
+if TYPE_CHECKING:
+    from flask_appbuilder.security.saml.types import SAMLConfig, SAMLProvider
 log = logging.getLogger(__name__)
@@ -186,6 +192,11 @@ class BaseSecurityManager(AbstractSecurityManager):
     """ Override if you want your own Authentication OAuth view """
     authremoteuserview = AuthRemoteUserView
     """ Override if you want your own Authentication REMOTE_USER view """
+    authsamlview = AuthSAMLView
+    """ Override if you want your own Authentication SAML view """
+    usersamlmodelview = UserSAMLModelView
+    """ Override if you want your own user SAML view """
     registeruserdbview = RegisterUserDBView
     """ Override if you want your own register user db view """
@@ -519,6 +530,41 @@ class BaseSecurityManager(AbstractSecurityManager):
     def oauth_providers(self):
         return current_app.config["OAUTH_PROVIDERS"]
+    @property
+    def saml_providers(self) -> List["SAMLProvider"]:
+        return current_app.config.get("SAML_PROVIDERS", [])
+    @property
+    def saml_config(self) -> "SAMLConfig":
+        return current_app.config.get("SAML_CONFIG", {})
+    def get_saml_provider(self, name: str) -> Optional["SAMLProvider"]:
+        """Return a specific SAML provider by name."""
+        for provider in self.saml_providers:
+            if provider["name"] == name:
+                return provider
+        return None
+    def get_saml_settings(self, provider_name: str) -> "SAMLConfig":
+        """Build the python3-saml settings dict for a given provider.
+        Merges the global SAML_CONFIG with the provider-specific IdP config.
+        """
+        import copy
+        provider = self.get_saml_provider(provider_name)
+        if not provider:
+            raise ValueError(
+                f"SAML provider '{provider_name}' not found in configuration"
+            )
+        base_config = copy.deepcopy(self.saml_config)
+        if "idp" in provider:
+            base_config["idp"] = provider["idp"]
+        return base_config
     @property
     def is_auth_limited(self) -> bool:
         return current_app.config["AUTH_RATE_LIMITED"]
@@ -807,6 +853,9 @@ class BaseSecurityManager(AbstractSecurityManager):
         elif self.auth_type == AUTH_REMOTE_USER:
             self.user_view = self.userremoteusermodelview
             self.auth_view = self.authremoteuserview()
+        elif self.auth_type == AUTH_SAML:
+            self.user_view = self.usersamlmodelview
+            self.auth_view = self.authsamlview()
         self.appbuilder.add_view_no_menu(self.auth_view)
         # this needs to be done after the view is added, otherwise the blueprint
@@ -1448,6 +1497,238 @@ class BaseSecurityManager(AbstractSecurityManager):
         else:
             return None
+    @staticmethod
+    def _prepare_saml_request() -> Dict[str, Any]:
+        """Prepare Flask request data in the format expected by python3-saml."""
+        return {
+            "https": "on" if request.scheme == "https" else "off",
+            "http_host": request.host,
+            "server_port": request.environ.get("SERVER_PORT", "443"),
+            "script_name": request.path,
+            "get_data": request.args.copy(),
+            "post_data": request.form.copy(),
+            "query_string": request.query_string.decode("utf-8"),
+        }
+    def _get_saml_auth(self, idp: str):
+        """Create a OneLogin_Saml2_Auth instance for the given IdP."""
+        from onelogin.saml2.auth import OneLogin_Saml2_Auth
+        return OneLogin_Saml2_Auth(
+            self._prepare_saml_request(), self.get_saml_settings(idp)
+        )
+    def get_saml_login_redirect_url(self, idp: str) -> str:
+        """Create a SAML authentication request and return the redirect URL.
+        :param idp: The SAML identity provider name.
+        :returns: The IdP redirect URL for SSO.
+        """
+        return self._get_saml_auth(idp).login()
+    def get_saml_userinfo(self, idp: str) -> Optional[Dict[str, Any]]:
+        """Process a SAML ACS response and return mapped user info.
+        :param idp: The SAML identity provider name.
+        :returns: A dict with mapped user info, session_index, and name_id,
+                  or None if authentication failed.
+        """
+        from flask_appbuilder.security.saml.utils import map_saml_attributes
+        auth = self._get_saml_auth(idp)
+        auth.process_response()
+        errors = auth.get_errors()
+        if errors:
+            error_reason = auth.get_last_error_reason() or ""
+            # Check for issuer mismatch (multi-tab / wrong IdP scenario)
+            if "issuer" in error_reason.lower():
+                log.error(
+                    "SAML Issuer mismatch for IdP '%s'. This may happen if you "
+                    "initiated login with a different IdP in another tab. "
+                    "Error: %s",
+                    idp,
+                    error_reason,
+                )
+            else:
+                log.error(
+                    "SAML ACS errors for IdP '%s': %s (reason: %s)",
+                    idp,
+                    errors,
+                    error_reason,
+                )
+            return None
+        if not auth.is_authenticated():
+            return None
+        saml_attributes = auth.get_attributes()
+        name_id = auth.get_nameid()
+        log.debug(
+            "SAML attributes from IdP '%s': %s, NameID: %s",
+            idp,
+            saml_attributes,
+            name_id,
+        )
+        provider = self.get_saml_provider(idp)
+        attribute_mapping = provider.get("attribute_mapping", {})
+        userinfo = map_saml_attributes(saml_attributes, attribute_mapping, name_id)
+        # Include session data needed for SLO
+        userinfo["saml_name_id"] = name_id
+        userinfo["saml_session_index"] = auth.get_session_index()
+        log.debug("Mapped SAML userinfo: %s", userinfo)
+        return userinfo
+    def get_saml_logout_redirect_url(
+        self,
+        idp: str,
+        name_id: Optional[str] = None,
+        session_index: Optional[str] = None,
+    ) -> Tuple[Optional[str], bool]:
+        """Process SAML SLO or initiate a logout request.
+        Handles three cases:
+        - Incoming SLO request from IdP (SAMLRequest)
+        - SLO response from IdP (SAMLResponse)
+        - SP-initiated logout (returns redirect URL to IdP)
+        :param idp: The SAML identity provider name.
+        :param name_id: The SAML NameID for the session.
+        :param session_index: The SAML session index.
+        :returns: Tuple of (redirect URL or None, should_logout flag).
+                  The caller should call logout_user() if should_logout is True.
+        """
+        auth = self._get_saml_auth(idp)
+        should_logout = False
+        def mark_logout():
+            nonlocal should_logout
+            should_logout = True
+        # Incoming SLO request from IdP
+        if "SAMLRequest" in request.form or "SAMLRequest" in request.args:
+            url = auth.process_slo(delete_session_cb=mark_logout)
+            return url, should_logout
+        # SLO response from IdP
+        if "SAMLResponse" in request.form or "SAMLResponse" in request.args:
+            auth.process_slo(delete_session_cb=mark_logout)
+            return None, should_logout
+        # SP-initiated logout
+        return auth.logout(name_id=name_id, session_index=session_index), True
+    def _saml_calculate_user_roles(self, userinfo) -> List[str]:
+        user_role_objects = set()
+        # apply AUTH_ROLES_MAPPING
+        if len(self.auth_roles_mapping) > 0:
+            user_role_keys = userinfo.get("role_keys", [])
+            user_role_objects.update(self.get_roles_from_keys(user_role_keys))
+        # apply AUTH_USER_REGISTRATION_ROLE
+        if self.auth_user_registration:
+            registration_role_name = self.auth_user_registration_role
+            if self.auth_user_registration_role_jmespath:
+                import jmespath
+                registration_role_name = jmespath.search(
+                    self.auth_user_registration_role_jmespath, userinfo
+                )
+            fab_role = self.find_role(registration_role_name)
+            if fab_role:
+                user_role_objects.add(fab_role)
+            else:
+                log.warning(
+                    "Can't find AUTH_USER_REGISTRATION role: %s", registration_role_name
+                )
+        return list(user_role_objects)
+    def auth_user_saml(self, userinfo):
+        """
+        Method for authenticating user with SAML.
+        :param userinfo: dict with user information extracted from SAML assertion
+                         (keys are the same as User model columns)
+        """
+        # extract the username from userinfo
+        if "username" in userinfo:
+            username = userinfo["username"]
+        elif "email" in userinfo:
+            username = userinfo["email"]
+        else:
+            log.error("SAML userinfo does not have username or email %s", userinfo)
+            return None
+        if (username is None) or username == "":
+            return None
+        # Search the DB for this user by username or email
+        user = self.find_user(username=username)
+        if not user and userinfo.get("email"):
+            user = self.find_user(email=userinfo["email"])
+        # If user is not active, go away
+        if user and (not user.is_active):
+            return None
+        # If user is not registered, and not self-registration, go away
+        if (not user) and (not self.auth_user_registration):
+            return None
+        # Sync the user's roles and info
+        if user:
+            updated = False
+            if self.auth_roles_sync_at_login:
+                new_roles = self._saml_calculate_user_roles(userinfo)
+                if new_roles:
+                    user.roles = new_roles
+                    updated = True
+                    log.debug(
+                        "Calculated new roles for user='%s' as: %s",
+                        username,
+                        user.roles,
+                    )
+            # Update user info from SAML assertion
+            for field in ("first_name", "last_name", "email"):
+                new_val = userinfo.get(field)
+                if new_val and getattr(user, field) != new_val:
+                    setattr(user, field, new_val)
+                    updated = True
+            if updated:
+                self.update_user(user)
+        # If the user is new, register them
+        if (not user) and self.auth_user_registration:
+            user = self.add_user(
+                username=username,
+                first_name=userinfo.get("first_name", ""),
+                last_name=userinfo.get("last_name", ""),
+                email=userinfo.get("email", "") or f"{username}@email.notfound",
+                role=self._saml_calculate_user_roles(userinfo),
+            )
+            log.debug("New SAML user registered: %s", user)
+            if not user:
+                log.error("Error creating a new SAML user %s", username)
+                return None
+        # LOGIN SUCCESS
+        if user:
+            self.update_user_auth_stat(user)
+            return user
+        else:
+            return None
     """
         ----------------------------------------
             PERMISSION ACCESS CHECK

flask_appbuilder/security/saml/__init__.py ADDED Viewed

File without changes

flask_appbuilder/security/saml/metadata.py ADDED Viewed

@@ -0,0 +1,26 @@
+"""SP metadata generation for SAML authentication."""
+from __future__ import annotations
+import logging
+from typing import Any, Dict
+log = logging.getLogger(__name__)
+def get_sp_metadata(saml_settings: Dict[str, Any]) -> str:
+    """
+    Generate SP metadata XML from SAML settings.
+    :param saml_settings: The python3-saml settings dict
+    :return: SP metadata XML string
+    """
+    from onelogin.saml2.settings import OneLogin_Saml2_Settings
+    settings = OneLogin_Saml2_Settings(saml_settings, sp_validation_only=True)
+    metadata = settings.get_sp_metadata()
+    errors = settings.validate_metadata(metadata)
+    if errors:
+        log.error("SP Metadata validation errors: %s", errors)
+        raise ValueError(f"SP Metadata validation errors: {errors}")
+    return metadata

flask_appbuilder/security/saml/types.py ADDED Viewed

@@ -0,0 +1,73 @@
+"""SAML TypedDict definitions for Flask-AppBuilder."""
+from __future__ import annotations
+from typing import Any, Dict, List, TypedDict
+class SAMLServiceBinding(TypedDict):
+    url: str
+    binding: str
+class SAMLIdPConfig(TypedDict, total=False):
+    entityId: str
+    singleSignOnService: SAMLServiceBinding
+    singleLogoutService: SAMLServiceBinding
+    x509cert: str
+class SAMLProvider(TypedDict, total=False):
+    name: str
+    icon: str
+    idp: SAMLIdPConfig
+    attribute_mapping: Dict[str, str]
+class SAMLSPConfig(TypedDict, total=False):
+    entityId: str
+    assertionConsumerService: SAMLServiceBinding
+    singleLogoutService: SAMLServiceBinding
+    NameIDFormat: str
+    x509cert: str
+    privateKey: str
+class SAMLSecurityConfig(TypedDict, total=False):
+    nameIdEncrypted: bool
+    authnRequestsSigned: bool
+    logoutRequestSigned: bool
+    logoutResponseSigned: bool
+    signMetadata: bool
+    wantMessagesSigned: bool
+    wantAssertionsSigned: bool
+    wantAssertionsEncrypted: bool
+    wantNameId: bool
+    wantNameIdEncrypted: bool
+    wantAttributeStatement: bool
+class SAMLConfig(TypedDict, total=False):
+    strict: bool
+    debug: bool
+    sp: SAMLSPConfig
+    idp: SAMLIdPConfig
+    security: SAMLSecurityConfig
+class SAMLFlaskRequest(TypedDict):
+    https: str
+    http_host: str
+    server_port: str
+    script_name: str
+    get_data: Dict[str, Any]
+    post_data: Dict[str, Any]
+    query_string: str
+class SAMLUserInfo(TypedDict, total=False):
+    username: str
+    email: str
+    first_name: str
+    last_name: str
+    role_keys: List[str]

flask_appbuilder/security/saml/utils.py ADDED Viewed

@@ -0,0 +1,54 @@
+"""SAML utility helpers for Flask-AppBuilder."""
+from __future__ import annotations
+import logging
+from typing import Any, Dict, List, Optional
+from .types import SAMLUserInfo
+log = logging.getLogger(__name__)
+def map_saml_attributes(
+    saml_attributes: Dict[str, List[str]],
+    attribute_mapping: Dict[str, str],
+    name_id: Optional[str] = None,
+) -> SAMLUserInfo:
+    """Map SAML assertion attributes to FAB user fields.
+    Args:
+        saml_attributes: Raw attributes from the SAML assertion.
+        attribute_mapping: Mapping of SAML attribute names to FAB field names.
+        name_id: The SAML NameID value (used as fallback for username/email).
+    Returns:
+        Dictionary with FAB user field names as keys.
+    """
+    userinfo: Dict[str, Any] = {}
+    for saml_attr, fab_field in attribute_mapping.items():
+        value = saml_attributes.get(saml_attr)
+        if value is None:
+            continue
+        if fab_field == "role_keys":
+            userinfo[fab_field] = list(value)
+        else:
+            userinfo[fab_field] = value[0] if value else ""
+    # Fallback to NameID if no username/email mapped
+    if name_id and "username" not in userinfo:
+        userinfo["username"] = name_id
+        if "@" in name_id and "email" not in userinfo:
+            userinfo["email"] = name_id
+    return userinfo
+def fetch_idp_metadata(url: str) -> str:
+    """Fetch IdP metadata XML from a remote URL."""
+    import requests
+    resp = requests.get(url, timeout=10)
+    resp.raise_for_status()
+    return resp.text

flask_appbuilder/security/sqla/manager.py CHANGED Viewed

@@ -82,6 +82,8 @@ class SecurityManager(BaseSecurityManager):
             self.useroauthmodelview.datamodel = user_datamodel
         elif self.auth_type == c.AUTH_REMOTE_USER:
             self.userremoteusermodelview.datamodel = user_datamodel
+        elif self.auth_type == c.AUTH_SAML:
+            self.usersamlmodelview.datamodel = user_datamodel
         if self.userstatschartview:
             self.userstatschartview.datamodel = user_datamodel
@@ -282,6 +284,15 @@ class SecurityManager(BaseSecurityManager):
     def update_user(self, user):
         try:
+            # Load existing user from DB to detect role/group changes
+            existing_user = self.session.get(self.user_model, user.id)
+            roles_changed = set(existing_user.roles) != set(user.roles)
+            groups_changed = set(existing_user.groups) != set(user.groups)
+            if roles_changed or groups_changed:
+                user.changed_on = datetime.utcnow()  # pragma: no cover
             self.session.merge(user)
             self.session.commit()
             log.info(c.LOGMSG_INF_SEC_UPD_USER, user)

flask_appbuilder/security/views.py CHANGED Viewed

@@ -3,7 +3,17 @@ import logging
 import re
 from typing import Any, Optional
-from flask import abort, current_app, flash, g, redirect, request, session, url_for
+from flask import (
+    abort,
+    current_app,
+    flash,
+    g,
+    make_response,
+    redirect,
+    request,
+    session,
+    url_for,
+)
 from flask_appbuilder._compat import as_unicode
 from flask_appbuilder.actions import action
 from flask_appbuilder.baseviews import BaseView
@@ -21,6 +31,7 @@ from flask_appbuilder.security.forms import (
     roles_or_groups_required,
     UserInfoEdit,
 )
+from flask_appbuilder.security.saml.metadata import get_sp_metadata
 from flask_appbuilder.security.utils import generate_random_string
 from flask_appbuilder.utils.base import get_safe_redirect, lazy_formatter_gettext
 from flask_appbuilder.validators import PasswordComplexityValidator
@@ -732,6 +743,199 @@ class AuthOAuthView(AuthView):
             return redirect(next_url)
+class UserSAMLModelView(UserModelView):
+    """
+    View that adds SAML specifics to User view.
+    Override to implement your own custom view.
+    Then override usersamlmodelview property on SecurityManager.
+    """
+    pass
+class AuthSAMLView(AuthView):
+    """SAML 2.0 Authentication View."""
+    login_template = "appbuilder/general/security/login_saml.html"
+    @expose("/login/")
+    @expose("/login/<idp>")
+    @no_cache
+    def login(self, idp: Optional[str] = None) -> WerkzeugResponse:
+        if g.user is not None and g.user.is_authenticated:
+            return redirect(self.appbuilder.get_url_for_index)
+        sm = self.appbuilder.sm
+        providers = sm.saml_providers
+        if idp is None:
+            if len(providers) == 1:
+                return redirect(url_for(".login", idp=providers[0]["name"]))
+            return self.render_template(
+                self.login_template,
+                providers=providers,
+                title=self.title,
+                appbuilder=self.appbuilder,
+            )
+        from onelogin.saml2.errors import (
+            OneLogin_Saml2_Error,
+            OneLogin_Saml2_ValidationError,
+        )
+        try:
+            session["saml_idp"] = idp
+            next_url = get_safe_redirect(request.args.get("next", ""))
+            if next_url and next_url != self.appbuilder.get_url_for_index:
+                session["saml_next"] = next_url
+            return redirect(sm.get_saml_login_redirect_url(idp))
+        except (OneLogin_Saml2_Error, OneLogin_Saml2_ValidationError) as e:
+            log.error("SAML error initiating login for IdP '%s': %s", idp, e)
+            flash(as_unicode(self.invalid_login_message), "warning")
+            return redirect(self.appbuilder.get_url_for_index)
+        except ValueError as e:
+            log.error("SAML configuration error for IdP '%s': %s", idp, e)
+            flash(as_unicode(self.invalid_login_message), "warning")
+            return redirect(self.appbuilder.get_url_for_index)
+    @expose("/saml/acs/", methods=["POST"])
+    @no_cache
+    def acs(self) -> WerkzeugResponse:
+        """Assertion Consumer Service - receives SAML responses from IdP."""
+        from onelogin.saml2.errors import (
+            OneLogin_Saml2_Error,
+            OneLogin_Saml2_ValidationError,
+        )
+        sm = self.appbuilder.sm
+        try:
+            idp = session.get("saml_idp")
+            if not idp:
+                providers = sm.saml_providers
+                if len(providers) == 1:
+                    idp = providers[0]["name"]
+                else:
+                    flash("Could not determine identity provider.", "warning")
+                    return redirect(self.appbuilder.get_url_for_login)
+            userinfo = sm.get_saml_userinfo(idp)
+            if userinfo is None:
+                flash(as_unicode(self.invalid_login_message), "warning")
+                return redirect(self.appbuilder.get_url_for_login)
+            user = sm.auth_user_saml(userinfo)
+            if user is None:
+                flash(as_unicode(self.invalid_login_message), "warning")
+                return redirect(self.appbuilder.get_url_for_login)
+            # Calculate redirect URL before login (so failures don't leave partial state)
+            next_url = session.pop("saml_next", "") or ""
+            if next_url:
+                next_url = get_safe_redirect(next_url)
+            else:
+                next_url = self.appbuilder.get_url_for_index
+            # Store SAML session info for SLO
+            session["saml_name_id"] = userinfo.get("saml_name_id")
+            session["saml_session_index"] = userinfo.get("saml_session_index")
+            session["saml_idp"] = idp
+            # login_user is the last operation before redirect
+            login_user(user, remember=False)
+            return redirect(next_url)
+        except (OneLogin_Saml2_Error, OneLogin_Saml2_ValidationError) as e:
+            log.error("SAML validation error in ACS: %s", e)
+            flash(as_unicode(self.invalid_login_message), "warning")
+            return redirect(self.appbuilder.get_url_for_login)
+        except ValueError as e:
+            # Provider not found or config error
+            log.error("SAML configuration error in ACS: %s", e)
+            flash(as_unicode(self.invalid_login_message), "warning")
+            return redirect(self.appbuilder.get_url_for_login)
+    @expose("/saml/slo/", methods=["GET", "POST"])
+    def slo(self) -> WerkzeugResponse:
+        """Single Logout endpoint."""
+        from onelogin.saml2.errors import (
+            OneLogin_Saml2_Error,
+            OneLogin_Saml2_ValidationError,
+        )
+        try:
+            idp = session.get("saml_idp")
+            if not idp:
+                logout_user()
+                return redirect(self.appbuilder.get_url_for_index)
+            url, should_logout = self.appbuilder.sm.get_saml_logout_redirect_url(
+                idp,
+                name_id=session.get("saml_name_id"),
+                session_index=session.get("saml_session_index"),
+            )
+            if should_logout:
+                logout_user()
+            return redirect(url or self.appbuilder.get_url_for_index)
+        except (OneLogin_Saml2_Error, OneLogin_Saml2_ValidationError) as e:
+            log.error("SAML SLO validation error: %s", e)
+            logout_user()
+            return redirect(self.appbuilder.get_url_for_index)
+        except ValueError as e:
+            log.error("SAML SLO configuration error: %s", e)
+            logout_user()
+            return redirect(self.appbuilder.get_url_for_index)
+    @expose("/logout/")
+    def logout(self) -> WerkzeugResponse:
+        """Override logout to support SAML SLO."""
+        idp = session.get("saml_idp")
+        if idp:
+            try:
+                return redirect(url_for(".slo"))
+            except Exception:
+                pass
+        logout_user()
+        return redirect(
+            current_app.config.get(
+                "LOGOUT_REDIRECT_URL", self.appbuilder.get_url_for_index
+            )
+        )
+    @expose("/saml/metadata/")
+    @expose("/saml/metadata/<idp>")
+    def metadata(self, idp: Optional[str] = None) -> WerkzeugResponse:
+        """SP Metadata endpoint.
+        Without idp parameter, returns metadata for the first configured provider.
+        With idp parameter, returns metadata for that specific provider.
+        """
+        try:
+            sm = self.appbuilder.sm
+            providers = sm.saml_providers
+            if not providers:
+                abort(404)
+            # Use specified IdP or default to first provider
+            provider_name = idp if idp else providers[0]["name"]
+            if idp and not sm.get_saml_provider(idp):
+                log.warning("Metadata requested for unknown IdP: %s", idp)
+                abort(404)
+            saml_settings = sm.get_saml_settings(provider_name)
+            metadata_xml = get_sp_metadata(saml_settings)
+            resp = make_response(metadata_xml, 200)
+            resp.headers["Content-Type"] = "text/xml"
+            return resp
+        except ValueError as e:
+            log.error("SAML metadata configuration error: %s", e)
+            abort(404)
+        except Exception as e:
+            log.error("Error generating SP metadata: %s", e)
+            abort(500)
 class AuthRemoteUserView(AuthView):
     login_template = ""

flask_appbuilder/templates/appbuilder/general/security/login_saml.html ADDED Viewed

@@ -0,0 +1,45 @@
+<!-- extend base layout -->
+{% extends "appbuilder/base.html" %}
+{% block content %}
+<div class="container">
+    <div id="loginbox" style="margin-top:50px;" class="mainbox col-md-6 col-md-offset-3 col-sm-8 col-sm-offset-2">
+        <div class="panel panel-primary">
+            <div class="panel-heading">
+                <div class="panel-title">{{ title }}</div>
+            </div>
+            <div style="padding-top:30px" class="panel-body">
+                <div>
+                    {% for provider in providers %}
+                    <a
+                        id="btn-signin-{{provider.name}}"
+                        class="btn btn-primary btn-block"
+                        type="submit"
+                    >
+                        {{_('Sign In with ')}}{{ provider.name }}
+                        <i id="{{provider.name}}" class="provider-select fa {{provider.get('icon', 'fa-sign-in')}} fa-1x"></i>
+                    </a>
+                    {% endfor %}
+                </div>
+            </div>
+        </div>
+    </div>
+</div>
+<script nonce="{{ baselib.get_nonce() }}">
+    var baseLoginUrl = {{ appbuilder.get_url_for_login | tojson }};
+    var nextParam = {{ request.args.get('next', '') | urlencode | tojson }};
+    var next = nextParam ? "?next=" + nextParam : "";
+    function signin(provider) {
+        window.location.href = baseLoginUrl + provider + next;
+    }
+    {% for provider in providers %}
+        document.getElementById({{ ("btn-signin-" ~ provider.name) | tojson }})
+            .addEventListener("click", function () { signin({{ provider.name | tojson }}) })
+    {% endfor %}
+</script>
+{% endblock %}

{flask_appbuilder-5.0.2rc1.dist-info → flask_appbuilder-5.1.0rc1.dist-info}/METADATA RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: flask-appbuilder
-Version: 5.0.2rc1
+Version: 5.1.0rc1
 Summary: Simple and rapid application development framework, built on top of Flask. includes detailed security, auto CRUD generation for your models, google charts and much more.
 Home-page: https://github.com/dpgaspar/flask-appbuilder/
 Author: Daniel Vaz Gaspar
@@ -46,6 +46,8 @@ Provides-Extra: jmespath
 Requires-Dist: jmespath >=0.9.5 ; extra == 'jmespath'
 Provides-Extra: oauth
 Requires-Dist: Authlib <2.0.0,>=0.14 ; extra == 'oauth'
+Provides-Extra: saml
+Requires-Dist: python3-saml >=1.15.0 ; extra == 'saml'
 Provides-Extra: talisman
 Requires-Dist: flask-talisman <2.0,>=1.0.0 ; extra == 'talisman'

{flask_appbuilder-5.0.2rc1.dist-info → flask_appbuilder-5.1.0rc1.dist-info}/RECORD RENAMED Viewed

@@ -1,11 +1,11 @@
-flask_appbuilder/__init__.py,sha256=DZ5Z_ZuBYFwQDQTJvaXQ3UwiC74ue591z3P1gm7QtC0,707
+flask_appbuilder/__init__.py,sha256=lmXrKS-u2dqo1cXjtxLSCtntWDGWif_1FBuVg6-WeiE,707
 flask_appbuilder/_compat.py,sha256=Ac71GIwVHe9Pq7i2qDsrGUgL63Vz5oeC4rjhWw0kd6g,1969
 flask_appbuilder/actions.py,sha256=-TqIH159BKCB-ezHJifbubApk2nxjospNYfH_7IgBJ8,1177
 flask_appbuilder/base.py,sha256=m9TTuOoBiU99qHfCPv27RwhVeXu4IjpS2_RzkQJvnFY,25543
 flask_appbuilder/basemanager.py,sha256=MdgZ52RhUBxKWRBxp4a2u41cUy9u7FBYWVHo6FW_RG0,342
 flask_appbuilder/baseviews.py,sha256=z97PnyNnK30MyDU6vnaBdPdZFiXJMK6gMg9oDQJpKfQ,50171
 flask_appbuilder/cli.py,sha256=2QtMfOOVzdtSRBhZKYe1W3T6oFMchoSRv3ptS3U304w,14347
-flask_appbuilder/const.py,sha256=D4ZZN1afeg0OYSiBVqfoFeq0n5ij62e8oYh9kiNmaP0,8378
+flask_appbuilder/const.py,sha256=scpuwc53EgiT7FBbb4eiCFAc1EJn2l6UQBRK0D2xF_w,8392
 flask_appbuilder/exceptions.py,sha256=nA-l9TNFCuKt6KhS0YAF4Tn9Mf2KgNe2lBXykyChf2M,1798
 flask_appbuilder/fields.py,sha256=GyM_EjpP0HL1cpqhVjWludv3uj1VdKImM-kj5fazDk8,9328
 flask_appbuilder/fieldwidgets.py,sha256=XPQPzBsNsTOi848nK2lsQG0knkZzx9kLvujspqL83Qs,6058
@@ -49,13 +49,17 @@ flask_appbuilder/security/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJW
 flask_appbuilder/security/api.py,sha256=HcVBiiSk9gwsMGJXhvYFSVYdowNOFoDMGyN6DqZOH4s,5229
 flask_appbuilder/security/decorators.py,sha256=0qiJEN5MiSwsxE_LI2vtGkdEoqMH8fqXarlGRk9SAYo,11011
 flask_appbuilder/security/forms.py,sha256=PTJlF4-5HOOSBmfZYq_YWC5QSyEPYsvirLt4oeBgvXQ,3452
-flask_appbuilder/security/manager.py,sha256=hkf59yDN_yrj6hRk9PNrqqBTdlZdu4bk_WAE8A6eSFk,79414
+flask_appbuilder/security/manager.py,sha256=Hd5msEYmU1_ZiQ0McZnA_vw3Kma84QMDgBnRxiqoVSM,89522
 flask_appbuilder/security/registerviews.py,sha256=cj1KDR6DiZ4WlDfIdrpvBp1Nd_VJ4gyHn6qc_A4HUTM,7512
 flask_appbuilder/security/schemas.py,sha256=keManyd6dh-FXBXGkuvVHLWh-BSYoJytv8pTZ2wTHhY,1359
 flask_appbuilder/security/utils.py,sha256=0PwDO-mB76RLPYlV9tCksChIMRq3zQgwLwiVMJ8jeiU,247
-flask_appbuilder/security/views.py,sha256=yABRVGT8A1Xn_c0-Cs-qlcp3VWUV3zN9Aqde8F4DczM,25570
+flask_appbuilder/security/views.py,sha256=crZitKI_DOzMOTwy7Zsjh-7xDFsEQhJTijGQ0u-dpYg,33042
+flask_appbuilder/security/saml/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+flask_appbuilder/security/saml/metadata.py,sha256=Vvd_OrxdBC8wcX-SJpYoqfZ-zxzgOC7S3fRWjz2g1Tc,793
+flask_appbuilder/security/saml/types.py,sha256=v8EwQSMittRvXCyAWlUSo_77pWeA1XcG-CAjDGxHqOM,1591
+flask_appbuilder/security/saml/utils.py,sha256=PKgFyPi8pxzfmM0h3C42qp6ro-qIdzrtihA3T9aGwEA,1550
 flask_appbuilder/security/sqla/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-flask_appbuilder/security/sqla/manager.py,sha256=Pj_HsTC0dxm8P3pDGvs1YkSAgB1HjUuc_3T18uUwoV4,28515
+flask_appbuilder/security/sqla/manager.py,sha256=3SZjwcKS4zVuOKipx4QcDUu57ggpbrE31sfermPs6vM,29032
 flask_appbuilder/security/sqla/models.py,sha256=Za5Ec7qRCGA9WAmwGdTzI1OZLTx_ovoH0hUYf1Q1im0,9497
 flask_appbuilder/security/sqla/apis/__init__.py,sha256=BEPT-0mp9n48tq72bZQiES80P0L8vdWYqki3kbhTr-s,512
 flask_appbuilder/security/sqla/apis/group/__init__.py,sha256=6HMo0L15Bw5dZX_1k2eh1zh-3Jg2KuDIlIy8V8R9jCU,40
@@ -167,6 +171,7 @@ flask_appbuilder/templates/appbuilder/general/security/activation.html,sha256=xE
 flask_appbuilder/templates/appbuilder/general/security/login_db.html,sha256=gJVY9kxEa_-bpxHTAJsVBCVJ2MZmlg0oVnNC18vB4bE,2955
 flask_appbuilder/templates/appbuilder/general/security/login_ldap.html,sha256=W3pPTRUwFkCKTJEDItipq0E1SvBZ92dP6wekR_qxYrc,2002
 flask_appbuilder/templates/appbuilder/general/security/login_oauth.html,sha256=-XwSh9NBm3rpd_kryjRThF_mqQTFPgiJu_zOnYGAGtM,1595
+flask_appbuilder/templates/appbuilder/general/security/login_saml.html,sha256=CbIslIhPSXp4mfO32cg4ztxP9Uvufkfkeezp2H66v3w,1644
 flask_appbuilder/templates/appbuilder/general/security/register_mail.html,sha256=o40VoLzyETkSM7lW5el2Hff-gIAh3i5jMlW0d2Ay-4M,230
 flask_appbuilder/templates/appbuilder/general/security/register_oauth.html,sha256=Zl-ORB_dCbphWaXYigEGSVIBU6ZrcNwAGDPrUUXSVo4,1057
 flask_appbuilder/templates/appbuilder/general/widgets/base_list.html,sha256=Fv7FyPoLPanYh_zmFosQnibJb0jTJ4QwToqKAkBCHqU,1153
@@ -232,9 +237,9 @@ flask_appbuilder/utils/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3
 flask_appbuilder/utils/base.py,sha256=MtrE-rqiigb45HzcJmvz3J_-22mtKXjXYNB9tQ6CcbY,2490
 flask_appbuilder/utils/legacy.py,sha256=Bz2_imi02_aOE_w7dN_0Igl_fWjD1PTLlu6gx8IMAW4,1001
 flask_appbuilder/utils/limit.py,sha256=hEwMH2k_bPiqMaaP--alPW5YaiJS21YBgRthKiv0uPo,725
-flask_appbuilder-5.0.2rc1.dist-info/LICENSE,sha256=pZ-ajm1I_0h91a1peoZFSemkiFE8kK1H_xmV_cxlQlY,1493
-flask_appbuilder-5.0.2rc1.dist-info/METADATA,sha256=2eGPWWBK8DzVIC0FO_tuetWczp4cMZAD9-TI7Uv8oRs,8786
-flask_appbuilder-5.0.2rc1.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
-flask_appbuilder-5.0.2rc1.dist-info/entry_points.txt,sha256=h5lBK4jb4RFWW8gH7C-0tE5QvQGUA5wx5hlYOhNWy4Q,48
-flask_appbuilder-5.0.2rc1.dist-info/top_level.txt,sha256=Dy4t809z2TNdpjQhDUMEXU8Hc61x1e6WRNaC7hG6r8M,17
-flask_appbuilder-5.0.2rc1.dist-info/RECORD,,
+flask_appbuilder-5.1.0rc1.dist-info/LICENSE,sha256=pZ-ajm1I_0h91a1peoZFSemkiFE8kK1H_xmV_cxlQlY,1493
+flask_appbuilder-5.1.0rc1.dist-info/METADATA,sha256=MBUIZeUJjLK-p7NTSJ2HyHjWMXvYyta2HAi3RiCYgGs,8862
+flask_appbuilder-5.1.0rc1.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
+flask_appbuilder-5.1.0rc1.dist-info/entry_points.txt,sha256=h5lBK4jb4RFWW8gH7C-0tE5QvQGUA5wx5hlYOhNWy4Q,48
+flask_appbuilder-5.1.0rc1.dist-info/top_level.txt,sha256=Dy4t809z2TNdpjQhDUMEXU8Hc61x1e6WRNaC7hG6r8M,17
+flask_appbuilder-5.1.0rc1.dist-info/RECORD,,

{flask_appbuilder-5.0.2rc1.dist-info → flask_appbuilder-5.1.0rc1.dist-info}/LICENSE RENAMED Viewed

File without changes

{flask_appbuilder-5.0.2rc1.dist-info → flask_appbuilder-5.1.0rc1.dist-info}/WHEEL RENAMED Viewed

File without changes

{flask_appbuilder-5.0.2rc1.dist-info → flask_appbuilder-5.1.0rc1.dist-info}/entry_points.txt RENAMED Viewed

File without changes

{flask_appbuilder-5.0.2rc1.dist-info → flask_appbuilder-5.1.0rc1.dist-info}/top_level.txt RENAMED Viewed

File without changes

flask-appbuilder 5.0.2rc1__py3-none-any.whl → 5.1.0rc1__py3-none-any.whl

flask-appbuilder 5.0.2rc1py3-none-any.whl → 5.1.0rc1py3-none-any.whl