Coverage for cas_server/default_settings.py: 95%
91 statements
# -*- coding: utf-8 -*-
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License version 3 for
# more details.
#
# You should have received a copy of the GNU General Public License version 3
# along with this program; if not, write to the Free Software Foundation, Inc., 51
# Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# (c) 2015-2025 Valentin Samir
"""Default values for the app's settings"""
import sys
from importlib import import_module

from django.conf import settings
from django.templatetags.static import static

# ``_`` is the lazy translation marker applied to the default messages further down.
# Only a Python 2 interpreter takes the ``ugettext_lazy`` spelling; every later
# interpreter imports ``gettext_lazy``.
if sys.version_info >= (3, ):
    from django.utils.translation import gettext_lazy as _
else:
    from django.utils.translation import ugettext_lazy as _
# If settings.DEBUG is False and ``collectstatic`` has not been run yet, the static function
# raises a ValueError because the file is not found. Both URLs then fall back to ``None``.
try:
    #: URL to the logo shown in the upper left corner of the default templates.
    CAS_LOGO_URL = static("cas_server/logo.png")
    #: URL to the favicon (shortcut icon) used by the default templates. Default is a key icon.
    CAS_FAVICON_URL = static("cas_server/favicon.ico")
except ValueError:
    # Neither static file could be resolved: leave both settings unset.
    CAS_LOGO_URL = CAS_FAVICON_URL = None
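#: Show the powered by footer if set to ``True``
CAS_SHOW_POWERED = True
# NOTE(review): every default below is served by a third-party CDN. How the templates reference
# these URLs (for example whether they add Subresource Integrity attributes) is not visible in
# this file. On pages that collect credentials, overriding the entries with locally hosted,
# reviewed copies removes the dependency on those hosts.
# NOTE(review): the ``jquery`` entry is the only URL without a version number, so the release
# it delivers is decided by the CDN and not by this file.
#: URLs to css and javascript external components.
CAS_COMPONENT_URLS = {
    "bootstrap3_css": "https://cdn.jsdelivr.net/npm/bootstrap@3.4.1/dist/css/bootstrap.min.css",
    "bootstrap3_js": "https://cdn.jsdelivr.net/npm/bootstrap@3.4.1/dist/js/bootstrap.min.js",
    "html5shiv": "https://cdn.jsdelivr.net/npm/html5shiv@3.7.3/dist/html5shiv.min.js",
    "respond": "https://cdn.jsdelivr.net/npm/respond.js@1.4.2/dest/respond.min.js",
    "bootstrap4_css": "https://cdn.jsdelivr.net/npm/bootstrap@4.6.2/dist/css/bootstrap.min.css",
    "bootstrap4_js": "https://cdn.jsdelivr.net/npm/bootstrap@4.6.2/dist/js/bootstrap.bundle.min.js",
    "jquery": "https://code.jquery.com/jquery.min.js",
}
#: Path to the template shown on /login when the user is not authenticated.
CAS_LOGIN_TEMPLATE = 'cas_server/bs4/login.html'
#: Path to the template shown on /login?service=... when the user is authenticated and has asked
#: to be warned before being connected to a service.
CAS_WARN_TEMPLATE = 'cas_server/bs4/warn.html'
#: Path to the template shown on /login when the user is authenticated.
CAS_LOGGED_TEMPLATE = 'cas_server/bs4/logged.html'
#: Path to the template shown on /logout when the user is being disconnected.
CAS_LOGOUT_TEMPLATE = 'cas_server/bs4/logout.html'
#: Should we redirect users to /login after they logged out instead of displaying
#: :obj:`CAS_LOGOUT_TEMPLATE`.
CAS_REDIRECT_TO_LOGIN_AFTER_LOGOUT = False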
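#: A dotted path to a class or a class implementing cas_server.auth.AuthUser.
CAS_AUTH_CLASS = 'cas_server.auth.DjangoAuthUser'
#: Activate Kerberos authentication (not compatible with federate mode or auth class
#: requiring access to the user credential to retrieve user attributes).
#: See https://web.mit.edu/kerberos/krb5-1.13/doc/admin/env_variables.html
#: for environment variables allowing to configure the underlying GSSAPI C library.
#: Username retrieved from kerberos auth MUST match username used by the ``CAS_AUTH_CLASS``
CAS_AUTH_GSSAPI_ENABLE = False
#: SPN to use for Kerberos authentication (must be available in the loaded keytab).
#: The default is an example value under ``example.com``.
CAS_AUTH_GSSAPI_SERVICENAME = "host/myhost.example.com@AD.EXAMPLE.COM"
# NOTE(review): presumably handed to ``requests`` as its ``verify`` argument (the call site is
# not in this file). If so, a value of ``False`` would switch certificate verification off --
# confirm that only ``True`` or a CA bundle path is ever configured.
#: Path to certificate authorities file. Usually on linux the local CAs are in
#: /etc/ssl/certs/ca-certificates.crt. ``True`` tells requests to use its internal certificate
#: authorities.
CAS_PROXY_CA_CERTIFICATE_PATH = True
#: Maximum number of parallel single log out requests sent.
#: If more requests need to be sent, they are queued.
CAS_SLO_MAX_PARALLEL_REQUESTS = 10
#: Timeout for a single SLO request in seconds.
CAS_SLO_TIMEOUT = 5
# NOTE(review): the default is the empty string. Confirm that the Auth view rejects requests
# while no secret is configured, and set a long random value before that view is exposed.
#: Shared secret to transmit when using the view :class:`cas_server.views.Auth`
CAS_AUTH_SHARED_SECRET = ''
# NOTE(review): the unit of a non-``None`` value is not stated here -- confirm before relying
# on it. With the default ``None`` this setting enforces no maximum.
#: Max time after which the user MUST reauthenticate. Leave it as `None` for no max time.
#: This can be used to force refreshing cached information only available upon user
#: authentication, like the user attributes in federation mode or with the ldap auth in bind
#: mode.
CAS_TGT_VALIDITY = None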
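#: Number of seconds the service tickets and proxy tickets are valid. This is the maximal time
#: between ticket issuance by the CAS and ticket validation by an application.
CAS_TICKET_VALIDITY = 60
#: Number of seconds the proxy granting tickets are valid.
CAS_PGT_VALIDITY = 3600
#: Number of seconds a ticket is kept in the database before sending Single Log Out request and
#: being cleared.
CAS_TICKET_TIMEOUT = 24 * 3600

# NOTE(review): tickets are presented back to the CAS as proof of authentication, so their
# unpredictability depends on this length and on how the random part is generated (not visible
# in this file) -- check both before lowering the value.
#: All CAS implementations MUST support ST and PT up to 32 chars,
#: PGT and PGTIOU up to 64 chars and it is RECOMMENDED that all
#: tickets up to 256 chars are supported, so we use 64 for the default
#: len.
CAS_TICKET_LEN = 64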
# Each alias reads ``settings.CAS_TICKET_LEN`` when this module is imported and falls back to
# the module default ``CAS_TICKET_LEN`` when the project settings do not define it.
#: alias of :obj:`settings.CAS_TICKET_LEN`
CAS_LT_LEN = getattr(settings, "CAS_TICKET_LEN", CAS_TICKET_LEN)
#: alias of :obj:`settings.CAS_TICKET_LEN`
#: Services MUST be able to accept service tickets of up to 32 characters in length.
CAS_ST_LEN = getattr(settings, "CAS_TICKET_LEN", CAS_TICKET_LEN)
#: alias of :obj:`settings.CAS_TICKET_LEN`
#: Back-end services MUST be able to accept proxy tickets of up to 32 characters.
CAS_PT_LEN = getattr(settings, "CAS_TICKET_LEN", CAS_TICKET_LEN)
#: alias of :obj:`settings.CAS_TICKET_LEN`
#: Services MUST be able to handle proxy-granting tickets of up to 64 characters.
CAS_PGT_LEN = getattr(settings, "CAS_TICKET_LEN", CAS_TICKET_LEN)
#: alias of :obj:`settings.CAS_TICKET_LEN`
#: Services MUST be able to handle PGTIOUs of up to 64 characters in length.
CAS_PGTIOU_LEN = getattr(settings, "CAS_TICKET_LEN", CAS_TICKET_LEN)
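#: Prefix of login tickets.
CAS_LOGIN_TICKET_PREFIX = u'LT'
#: Prefix of service tickets. Service tickets MUST begin with the characters ST so you should not
#: change this.
CAS_SERVICE_TICKET_PREFIX = u'ST'
#: Prefix of proxy tickets. Proxy tickets SHOULD begin with the characters PT.
CAS_PROXY_TICKET_PREFIX = u'PT'
#: Prefix of proxy granting tickets. Proxy-granting tickets SHOULD begin with the characters PGT.
CAS_PROXY_GRANTING_TICKET_PREFIX = u'PGT'
#: Prefix of proxy granting ticket IOUs. Proxy-granting ticket IOUs SHOULD begin with the
#: characters PGTIOU.
CAS_PROXY_GRANTING_TICKET_IOU_PREFIX = u'PGTIOU'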
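#: Host for the SQL server.
CAS_SQL_HOST = 'localhost'
#: Username for connecting to the SQL server.
CAS_SQL_USERNAME = ''
#: Password for connecting to the SQL server.
CAS_SQL_PASSWORD = ''
#: Database name.
CAS_SQL_DBNAME = ''
#: Database charset.
CAS_SQL_DBCHARSET = 'utf8'

# NOTE(review): the ``%s`` looks like a driver-side parameter placeholder (the code that runs
# the query is not in this file). A customised query should keep it and let the driver bind the
# username instead of formatting the username into the SQL text.
#: The query performed upon user authentication.
CAS_SQL_USER_QUERY = 'SELECT user AS username, pass AS password, users.* FROM users WHERE user = %s'
# NOTE(review): ``"plain"`` implies passwords stored in clear text, and the ``"hex_*"`` names
# suggest a single unsalted digest (the checking code is not in this file). Treat both as
# compatibility options for an existing user table, not as a storage format for new deployments.
#: The method used to check the user password. Must be one of ``"crypt"``, ``"ldap"``,
#: ``"hex_md5"``, ``"hex_sha1"``, ``"hex_sha224"``, ``"hex_sha256"``, ``"hex_sha384"``,
#: ``"hex_sha512"``, ``"plain"``.
CAS_SQL_PASSWORD_CHECK = 'crypt'
#: Charset the SQL users' passwords were hashed with.
CAS_SQL_PASSWORD_CHARSET = "utf-8"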
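# NOTE(review): the default names a host only. Whether the connection to it is protected
# (LDAPS or StartTLS) is decided where the connection is opened, which is not in this file --
# confirm before pointing this at a server across an untrusted network.
#: Address of the LDAP server
CAS_LDAP_SERVER = 'localhost'
#: LDAP user bind address, for example ``"cn=admin,dc=crans,dc=org"`` for connecting to the LDAP
#: server.
CAS_LDAP_USER = None
#: LDAP connection password
CAS_LDAP_PASSWORD = None
#: LDAP search base DN, for example ``"ou=data,dc=crans,dc=org"``.
CAS_LDAP_BASE_DN = None
#: LDAP search filter for searching user by username. User-supplied usernames are escaped using
#: :func:`ldap3.utils.conv.escape_bytes`.
CAS_LDAP_USER_QUERY = "(uid=%(username)s)"
#: LDAP attribute used for users' usernames
CAS_LDAP_USERNAME_ATTR = "uid"
#: LDAP attribute used for users' passwords
CAS_LDAP_PASSWORD_ATTR = "userPassword"
# NOTE(review): ``"plain"`` implies clear-text password values, and the ``"hex_*"`` names suggest
# a single unsalted digest (the checking code is not in this file). Treat both as compatibility
# options for an existing directory.
#: The method used to check the user password. Must be one of ``"crypt"``, ``"ldap"``,
#: ``"hex_md5"``, ``"hex_sha1"``, ``"hex_sha224"``, ``"hex_sha256"``, ``"hex_sha384"``,
#: ``"hex_sha512"``, ``"plain"``, ``"bind"``.
CAS_LDAP_PASSWORD_CHECK = "ldap"
#: Charset the LDAP users' passwords were hashed with.
CAS_LDAP_PASSWORD_CHARSET = "utf-8"
#: This parameter is only used when ``CAS_LDAP_PASSWORD_CHECK`` is set to ``"bind"``.
#:
#: * if ``0`` the user attributes are retrieved by connecting to the ldap as ``CAS_LDAP_USER``.
#: * if ``1`` the user attributes are retrieved when the user authenticates, using
#:   the user credentials. These attributes are then cached for the session.
#:
#: The default is ``0``.
CAS_LDAP_ATTRS_VIEW = 0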
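# NOTE(review): these are fixed credentials that ship with the package. They only matter for
# an auth class that reads them (none is shown in this file) -- confirm that ``CAS_AUTH_CLASS``
# never points at such a class outside of test runs.
#: Username of the test user.
CAS_TEST_USER = 'test'
#: Password of the test user.
CAS_TEST_PASSWORD = 'test'
#: Attributes of the test user.
CAS_TEST_ATTRIBUTES = {
    'nom': 'Nymous',
    'prenom': 'Ano',
    'email': 'anonymous@example.net',
    'alias': ['demo1', 'demo2']
}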
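# NOTE(review): which origins may make such javascript requests once this is enabled is decided
# in the views, not here -- review that before switching it on.
#: A :class:`bool` for activating the ability to fetch tickets using javascript.
CAS_ENABLE_AJAX_AUTH = False

#: A :class:`bool` for activating the federated mode
CAS_FEDERATE = False
#: Time after which the cookie used for “remember my identity provider” expires (one week).
CAS_FEDERATE_REMEMBER_TIMEOUT = 604800

#: A :class:`bool` for displaying a warning on html pages when a new version of the application
#: is available. Once closed by a user, it is not displayed to this user until the next new
#: version.
CAS_NEW_VERSION_HTML_WARNING = True
#: A :class:`bool` for sending emails to ``settings.ADMINS`` when a new version is available.
CAS_NEW_VERSION_EMAIL_WARNING = True
#: URL to the pypi json of the application. Used to retrieve the version number of the last
#: version. You should not change it.
CAS_NEW_VERSION_JSON_URL = "https://pypi.org/pypi/django-cas-server/json"

#: If the service message should be displayed on the login page
CAS_SHOW_SERVICE_MESSAGES = True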
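#: Messages displayed in an info-box on the html pages of the default templates.
#: ``CAS_INFO_MESSAGES`` is a :class:`dict` mapping message name to a message :class:`dict`.
#: A message :class:`dict` has 3 keys:
#:
#: * ``message``: A :class:`unicode`, the message to display, potentially wrapped in
#:   ``ugettext_lazy`` / ``gettext_lazy``
#: * ``discardable``: A :class:`bool`, specify if the users can close the message info-box
#: * ``type``: One of info, success, warning, danger. The type of the info-box.
#:
#: ``CAS_INFO_MESSAGES`` contains by default one message, ``cas_explained``, which explains
#: roughly the purpose of a CAS.
CAS_INFO_MESSAGES = {
    "cas_explained": {
        "message": _(
            u"The Central Authentication Service grants you access to most of our websites by "
            u"authenticating only once, so you don't need to type your credentials again unless "
            u"your session expires or you logout."
        ),
        "discardable": True,
        "type": "info",  # one of info, success, warning, danger
    },
}
#: :class:`list` of message names. Order in which info-box messages are displayed.
#: Leave the list empty to disable messages display.
CAS_INFO_MESSAGES_ORDER = []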
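# NOTE(review): with the default ``False`` the Django session cookie is left in the browser after
# a CAS logout. What happens to the server-side session is decided in the logout view, which is
# not in this file -- confirm it is invalidated there.
#: :class:`bool` If `True` Django session cookie will be removed on logout from CAS server
CAS_REMOVE_DJANGO_SESSION_COOKIE_ON_LOGOUT = False
#: :class:`bool` If `True` Django csrf cookie will be removed on logout from CAS server
CAS_REMOVE_DJANGO_CSRF_COOKIE_ON_LOGOUT = False
#: :class:`bool` If `True` Django language cookie will be removed on logout from CAS server
CAS_REMOVE_DJANGO_LANGUAGE_COOKIE_ON_LOGOUT = False

#: A dotted path to a form or a form used on the login page to retrieve user credentials
CAS_USER_CREDENTIAL_FORM = "cas_server.forms.UserCredential"
#: A dotted path to a form or a form used on warn page before emitting a ticket
CAS_WARN_FORM = "cas_server.forms.WarnForm"
#: A dotted path to a form or a form used on the login page to select another CAS in federated
#: mode
CAS_FEDERATE_SELECT_FORM = "cas_server.forms.FederateSelect"
#: A dotted path to a form or a form used on the login page in federated mode
CAS_FEDERATE_USER_CREDENTIAL_FORM = "cas_server.forms.FederateUserCredential"
#: A dotted path to a form or a form for Tickets in the admin interface
CAS_TICKET_FORM = "cas_server.forms.TicketForm"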
# Publish every ``CAS_*`` default of this module on ``django.conf.settings``. A value already
# present in the project settings wins. Only names defined in this module are looked up, so a
# misspelled ``CAS_*`` name in the project settings is not reported and the default stays active.
GLOBALS = globals().copy()
for name, default_value in GLOBALS.items():
    # anything that is not a CAS_ parameter is left alone
    if not name.startswith("CAS_"):
        continue
    # the project's own value when it defines one, otherwise the default from this module
    value = getattr(settings, name, default_value)
    setattr(settings, name, value)
# A user-defined CAS_COMPONENT_URLS may list only the entries it changes: start from the
# defaults of this module and overlay whatever the settings provide.
MERGED_CAS_COMPONENT_URLS = dict(CAS_COMPONENT_URLS)
MERGED_CAS_COMPONENT_URLS.update(settings.CAS_COMPONENT_URLS)
settings.CAS_COMPONENT_URLS = MERGED_CAS_COMPONENT_URLS

# Federated mode must use the :class:`cas_server.auth.CASFederateAuth` auth backend, so a
# configured CAS_AUTH_CLASS is replaced without further notice whenever CAS_FEDERATE is set.
if settings.CAS_FEDERATE:
    settings.CAS_AUTH_CLASS = "cas_server.auth.CASFederateAuth"

#: SessionStore class depending on :django:setting:`SESSION_ENGINE`
SessionStore = getattr(import_module(settings.SESSION_ENGINE), "SessionStore")