Coverage for cas_server/views.py: 94%

1# -*- coding: utf-8 -*- 

2# This program is distributed in the hope that it will be useful, but WITHOUT 

3# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS 

4# FOR A PARTICULAR PURPOSE. See the GNU General Public License version 3 for 

5# more details. 

6# 

7# You should have received a copy of the GNU General Public License version 3 

8# along with this program; if not, write to the Free Software Foundation, Inc., 51 

9# Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 

10# 

11# (c) 2015-2025 Valentin Samir 

12"""views for the app""" 

13from .default_settings import settings, SessionStore 

14 

15from django.shortcuts import render, redirect 

16from django.http import HttpResponse, HttpResponseRedirect 

17from django.contrib import messages 

18from django.utils.decorators import method_decorator 

19from django.utils import timezone 

20from django.views.decorators.csrf import csrf_exempt 

21from django.middleware.csrf import CsrfViewMiddleware 

22from django.views.generic import View 

23try: 

24 from django.utils.encoding import python_2_unicode_compatible 

25 from django.utils.translation import ugettext as _ 

26except ImportError: 

27 def python_2_unicode_compatible(func): 

28 """ 

29 We use Django >= 3.0 with Python >= 3.4, we don't need Python 2 compatibility. 

30 """ 

31 return func 

32 from django.utils.translation import gettext as _ 

33from django.utils.safestring import mark_safe 

34try: 

35 from django.urls import reverse 

36except ImportError: 

37 from django.core.urlresolvers import reverse 

38 

39import re 

40import base64 

41import logging 

42import pprint 

43import requests 

44from lxml import etree 

45from datetime import timedelta 

46 

47if settings.CAS_AUTH_GSSAPI_ENABLE: 47 ↛ 48line 47 didn't jump to line 48 because the condition on line 47 was never true

48 try: 

49 import gssapi 

50 except ImportError: 

51 raise RuntimeError("Please install gssapi before using the Kerberos auth") 

52 

53import cas_server.utils as utils 

54import cas_server.models as models 

55 

56from .utils import json_response, import_attr 

57from .models import Ticket, ServiceTicket, ProxyTicket, ProxyGrantingTicket 

58from .models import ServicePattern, FederatedIendityProvider, FederatedUser 

59from .federate import CASFederateValidateUser 

60 

61logger = logging.getLogger(__name__) 

62 

63 

64class LogoutMixin(object): 

65 """destroy CAS session utils""" 

66 

67 def logout(self, all_session=False): 

68 """ 

69 effectively destroy a CAS session 

70 

71 :param boolean all_session: If ``True`` destroy all the user sessions, otherwise 

72 destroy the current user session. 

73 :return: The number of destroyed sessions 

74 :rtype: int 

75 """ 

76 # initialize the counter of the number of destroyed sesisons 

77 session_nb = 0 

78 # save the current user username before flushing the session 

79 username = self.request.session.get("username") 

80 if username: 

81 if all_session: 

82 logger.info("Logging out user %s from all sessions." % username) 

83 else: 

84 logger.info("Logging out user %s." % username) 

85 users = [] 

86 # try to get the user from the current session 

87 try: 

88 users.append( 

89 models.User.objects.get( 

90 username=username, 

91 session_key=self.request.session.session_key 

92 ) 

93 ) 

94 except models.User.DoesNotExist: 

95 # if user not found in database, flush the session anyway 

96 self.request.session.flush() 

97 

98 # If all_session is set, search all of the user sessions 

99 if all_session: 

100 users.extend( 

101 models.User.objects.filter( 

102 username=username 

103 ).exclude( 

104 session_key=self.request.session.session_key 

105 ) 

106 ) 

107 

108 # Iterate over all user sessions that have to be logged out 

109 for user in users: 

110 # get the user session 

111 session = SessionStore(session_key=user.session_key) 

112 # flush the session 

113 session.flush() 

114 # send SLO requests 

115 user.logout(self.request) 

116 # delete the user 

117 user.delete() 

118 # increment the destroyed session counter 

119 session_nb += 1 

120 if username: 

121 logger.info("User %s logged out" % username) 

122 return session_nb 

123 

124 

125class CsrfExemptView(View): 

126 """base class for csrf exempt class views""" 

127 

128 @method_decorator(csrf_exempt) # csrf is disabled for allowing SLO requests reception 

129 def dispatch(self, request, *args, **kwargs): 

130 """ 

131 dispatch different http request to the methods of the same name 

132 

133 :param django.http.HttpRequest request: The current request object 

134 """ 

135 return super(CsrfExemptView, self).dispatch(request, *args, **kwargs) 

136 

137 

138class LogoutView(View, LogoutMixin): 

139 """destroy CAS session (logout) view""" 

140 

141 #: current :class:`django.http.HttpRequest` object 

142 request = None 

143 #: service GET parameter 

144 service = None 

145 #: url GET paramet 

146 url = None 

147 #: ``True`` if the HTTP_X_AJAX http header is sent and ``settings.CAS_ENABLE_AJAX_AUTH`` 

148 #: is ``True``, ``False`` otherwise. 

149 ajax = None 

150 

151 def init_get(self, request): 

152 """ 

153 Initialize the :class:`LogoutView` attributes on GET request 

154 

155 :param django.http.HttpRequest request: The current request object 

156 """ 

157 self.request = request 

158 self.service = request.GET.get('service') 

159 self.url = request.GET.get('url') 

160 self.ajax = settings.CAS_ENABLE_AJAX_AUTH and 'HTTP_X_AJAX' in request.META 

161 

162 @staticmethod 

163 def delete_cookies(response): 

164 if settings.CAS_REMOVE_DJANGO_SESSION_COOKIE_ON_LOGOUT: 164 ↛ 165line 164 didn't jump to line 165 because the condition on line 164 was never true

165 response.delete_cookie(settings.SESSION_COOKIE_NAME) 

166 if settings.CAS_REMOVE_DJANGO_CSRF_COOKIE_ON_LOGOUT: 166 ↛ 167line 166 didn't jump to line 167 because the condition on line 166 was never true

167 response.delete_cookie(settings.CSRF_COOKIE_NAME) 

168 if settings.CAS_REMOVE_DJANGO_LANGUAGE_COOKIE_ON_LOGOUT: 168 ↛ 169line 168 didn't jump to line 169 because the condition on line 168 was never true

169 response.delete_cookie(settings.LANGUAGE_COOKIE_NAME) 

170 return response 

171 

172 def get(self, request, *args, **kwargs): 

173 """ 

174 method called on GET request on this view 

175 

176 :param django.http.HttpRequest request: The current request object 

177 """ 

178 logger.info("logout requested") 

179 # initialize the class attributes 

180 self.init_get(request) 

181 # if CAS federation mode is enable, bakup the provider before flushing the sessions 

182 if settings.CAS_FEDERATE: 

183 try: 

184 user = FederatedUser.get_from_federated_username( 

185 self.request.session.get("username") 

186 ) 

187 auth = CASFederateValidateUser(user.provider, service_url="") 

188 except FederatedUser.DoesNotExist: 

189 auth = None 

190 session_nb = self.logout(self.request.GET.get("all")) 

191 # if CAS federation mode is enable, redirect to user CAS logout page, appending the 

192 # current querystring 

193 if settings.CAS_FEDERATE: 

194 if auth is not None: 

195 params = utils.copy_params(request.GET, ignore={"forget_provider"}) 

196 url = auth.get_logout_url() 

197 response = HttpResponseRedirect(utils.update_url(url, params)) 

198 if request.GET.get("forget_provider"): 

199 response.delete_cookie("remember_provider") 

200 return self.delete_cookies(response) 

201 # if service is set, redirect to service after logout 

202 if self.service: 

203 list(messages.get_messages(request)) # clean messages before leaving the django app 

204 return self.delete_cookies(HttpResponseRedirect(self.service)) 

205 # if service is not set but url is set, redirect to url after logout 

206 elif self.url: 

207 list(messages.get_messages(request)) # clean messages before leaving the django app 

208 return self.delete_cookies(HttpResponseRedirect(self.url)) 

209 else: 

210 # build logout message depending of the number of sessions the user logs out 

211 if session_nb == 1: 

212 logout_msg = mark_safe(_( 

213 "<h3>Logout successful</h3>" 

214 "You have successfully logged out from the Central Authentication Service. " 

215 "For security reasons, close your web browser." 

216 )) 

217 elif session_nb > 1: 

218 logout_msg = mark_safe(_( 

219 "<h3>Logout successful</h3>" 

220 "You have successfully logged out from %d sessions of the Central " 

221 "Authentication Service. " 

222 "For security reasons, close your web browser." 

223 ) % session_nb) 

224 else: 

225 logout_msg = mark_safe(_( 

226 "<h3>Logout successful</h3>" 

227 "You were already logged out from the Central Authentication Service. " 

228 "For security reasons, close your web browser." 

229 )) 

230 

231 # depending of settings, redirect to the login page with a logout message or display 

232 # the logout page. The default is to display tge logout page. 

233 if settings.CAS_REDIRECT_TO_LOGIN_AFTER_LOGOUT: 

234 messages.add_message(request, messages.SUCCESS, logout_msg) 

235 if self.ajax: 

236 url = reverse("cas_server:login") 

237 data = { 

238 'status': 'success', 

239 'detail': 'logout', 

240 'url': url, 

241 'session_nb': session_nb 

242 } 

243 return self.delete_cookies(json_response(request, data)) 

244 else: 

245 return self.delete_cookies(redirect("cas_server:login")) 

246 else: 

247 if self.ajax: 

248 data = {'status': 'success', 'detail': 'logout', 'session_nb': session_nb} 

249 return self.delete_cookies(json_response(request, data)) 

250 else: 

251 return self.delete_cookies(render( 

252 request, 

253 settings.CAS_LOGOUT_TEMPLATE, 

254 utils.context({'logout_msg': logout_msg}) 

255 )) 

256 

257 

258class FederateAuth(CsrfExemptView): 

259 """ 

260 view to authenticated user against a backend CAS then CAS_FEDERATE is True 

261 

262 csrf is disabled for allowing SLO requests reception. 

263 """ 

264 

265 #: current URL used as service URL by the CAS client 

266 service_url = None 

267 

268 def get_cas_client(self, request, provider, renew=False): 

269 """ 

270 return a CAS client object matching provider 

271 

272 :param django.http.HttpRequest request: The current request object 

273 :param cas_server.models.FederatedIendityProvider provider: the user identity provider 

274 :return: The user CAS client object 

275 :rtype: :class:`federate.CASFederateValidateUser 

276 <cas_server.federate.CASFederateValidateUser>` 

277 """ 

278 # compute the current url, ignoring ticket dans provider GET parameters 

279 service_url = utils.get_current_url(request, {"ticket", "provider"}) 

280 self.service_url = service_url 

281 return CASFederateValidateUser(provider, service_url, renew=renew) 

282 

283 def post(self, request, provider=None, *args, **kwargs): 

284 """ 

285 method called on POST request 

286 

287 :param django.http.HttpRequest request: The current request object 

288 :param unicode provider: Optional parameter. The user provider suffix. 

289 """ 

290 # if settings.CAS_FEDERATE is not True redirect to the login page 

291 if not settings.CAS_FEDERATE: 

292 logger.warning("CAS_FEDERATE is False, set it to True to use federation") 

293 return redirect("cas_server:login") 

294 # POST with a provider suffix, this is probably an SLO request. csrf is disabled for 

295 # allowing SLO requests reception 

296 try: 

297 provider = FederatedIendityProvider.objects.get(suffix=provider) 

298 auth = self.get_cas_client(request, provider) 

299 try: 

300 auth.clean_sessions(request.POST['logoutRequest']) 

301 except (KeyError, AttributeError): 

302 pass 

303 return HttpResponse("ok") 

304 # else, a User is trying to log in using an identity provider 

305 except FederatedIendityProvider.DoesNotExist: 

306 # Manually checking for csrf to protect the code below 

307 reason = CsrfViewMiddleware(lambda request: HttpResponse()) \ 

308 .process_view(request, None, (), {}) 

309 if reason is not None: # pragma: no cover (csrf checks are disabled during tests) 

310 return reason # Failed the test, stop here. 

311 form = import_attr(settings.CAS_FEDERATE_SELECT_FORM)(request.POST) 

312 if form.is_valid(): 

313 params = utils.copy_params( 

314 request.POST, 

315 ignore={"provider", "csrfmiddlewaretoken", "ticket", "lt"} 

316 ) 

317 if params.get("renew") == "False": 

318 del params["renew"] 

319 url = utils.reverse_params( 

320 "cas_server:federateAuth", 

321 kwargs=dict(provider=form.cleaned_data["provider"].suffix), 

322 params=params 

323 ) 

324 return HttpResponseRedirect(url) 

325 else: 

326 return redirect("cas_server:login") 

327 

328 def get(self, request, provider=None): 

329 """ 

330 method called on GET request 

331 

332 :param django.http.HttpRequestself. request: The current request object 

333 :param unicode provider: Optional parameter. The user provider suffix. 

334 """ 

335 # if settings.CAS_FEDERATE is not True redirect to the login page 

336 if not settings.CAS_FEDERATE: 

337 logger.warning("CAS_FEDERATE is False, set it to True to use federation") 

338 return redirect("cas_server:login") 

339 renew = bool(request.GET.get('renew') and request.GET['renew'] != "False") 

340 # Is the user is already authenticated, no need to request authentication to the user 

341 # identity provider. 

342 if self.request.session.get("authenticated") and not renew: 

343 logger.warning("User already authenticated, dropping federated authentication request") 

344 return redirect("cas_server:login") 

345 try: 

346 # get the identity provider from its suffix 

347 provider = FederatedIendityProvider.objects.get(suffix=provider) 

348 # get a CAS client for the user identity provider 

349 auth = self.get_cas_client(request, provider, renew) 

350 # if no ticket submited, redirect to the identity provider CAS login page 

351 if 'ticket' not in request.GET: 

352 logger.info("Trying to authenticate %s again" % auth.provider.server_url) 

353 return HttpResponseRedirect(auth.get_login_url()) 

354 else: 

355 ticket = request.GET['ticket'] 

356 try: 

357 # if the ticket validation succeed 

358 if auth.verify_ticket(ticket): 

359 logger.info( 

360 "Got a valid ticket for %s from %s" % ( 

361 auth.username, 

362 auth.provider.server_url 

363 ) 

364 ) 

365 params = utils.copy_params(request.GET, ignore={"ticket", "remember"}) 

366 request.session["federate_username"] = auth.federated_username 

367 request.session["federate_ticket"] = ticket 

368 auth.register_slo( 

369 auth.federated_username, 

370 request.session.session_key, 

371 ticket 

372 ) 

373 # redirect to the the login page for the user to become authenticated 

374 # thanks to the `federate_username` and `federate_ticket` session parameters 

375 url = utils.reverse_params("cas_server:login", params) 

376 response = HttpResponseRedirect(url) 

377 # If the user has checked "remember my identity provider" store it in a 

378 # cookie 

379 if request.GET.get("remember"): 

380 max_age = settings.CAS_FEDERATE_REMEMBER_TIMEOUT 

381 utils.set_cookie( 

382 response, 

383 "remember_provider", 

384 provider.suffix, 

385 max_age 

386 ) 

387 return response 

388 # else redirect to the identity provider CAS login page 

389 else: 

390 logger.info( 

391 ( 

392 "Got an invalid ticket %s from %s for service %s. " 

393 "Retrying authentication" 

394 ) % ( 

395 ticket, 

396 auth.provider.server_url, 

397 self.service_url 

398 ) 

399 ) 

400 return HttpResponseRedirect(auth.get_login_url()) 

401 # both xml.etree.ElementTree and lxml.etree exceptions inherit from SyntaxError 

402 except SyntaxError as error: 

403 messages.add_message( 

404 request, 

405 messages.ERROR, 

406 _( 

407 u"Invalid response from your identity provider CAS upon " 

408 u"ticket %(ticket)s validation: %(error)r" 

409 ) % {'ticket': ticket, 'error': error} 

410 ) 

411 response = redirect("cas_server:login") 

412 response.delete_cookie("remember_provider") 

413 return response 

414 except FederatedIendityProvider.DoesNotExist: 

415 logger.warning("Identity provider suffix %s not found" % provider) 

416 # if the identity provider is not found, redirect to the login page 

417 return redirect("cas_server:login") 

418 

419 

420class LoginView(View, LogoutMixin): 

421 """credential requestor / acceptor""" 

422 

423 # pylint: disable=too-many-instance-attributes 

424 # Nine is reasonable in this case. 

425 

426 #: The current :class:`models.User<cas_server.models.User>` object 

427 user = None 

428 #: The form to display to the user 

429 form = None 

430 

431 #: current :class:`django.http.HttpRequest` object 

432 request = None 

433 #: service GET/POST parameter 

434 service = None 

435 #: ``True`` if renew GET/POST parameter is present and not "False" 

436 renew = None 

437 #: the warn GET/POST parameter 

438 warn = None 

439 #: the gateway GET/POST parameter 

440 gateway = None 

441 #: the method GET/POST parameter 

442 method = None 

443 

444 #: ``True`` if the HTTP_X_AJAX http header is sent and ``settings.CAS_ENABLE_AJAX_AUTH`` 

445 #: is ``True``, ``False`` otherwise. 

446 ajax = None 

447 

448 #: ``True`` if the user has just authenticated 

449 renewed = False 

450 #: ``True`` if renew GET/POST parameter is present and not "False" 

451 warned = False 

452 

453 #: The :class:`FederateAuth` transmited username (only used if ``settings.CAS_FEDERATE`` 

454 #: is ``True``) 

455 username = None 

456 #: The :class:`FederateAuth` transmited ticket (only used if ``settings.CAS_FEDERATE`` is 

457 #: ``True``) 

458 ticket = None 

459 

460 INVALID_LOGIN_TICKET = 1 

461 USER_LOGIN_OK = 2 

462 USER_LOGIN_FAILURE = 3 

463 USER_ALREADY_LOGGED = 4 

464 USER_AUTHENTICATED = 5 

465 USER_NOT_AUTHENTICATED = 6 

466 

467 def init_post(self, request): 

468 """ 

469 Initialize POST received parameters 

470 

471 :param django.http.HttpRequest request: The current request object 

472 """ 

473 self.request = request 

474 self.service = request.POST.get('service') 

475 self.renew = bool(request.POST.get('renew') and request.POST['renew'] != "False") 

476 self.gateway = request.POST.get('gateway') 

477 self.method = request.POST.get('method') 

478 self.ajax = settings.CAS_ENABLE_AJAX_AUTH and 'HTTP_X_AJAX' in request.META 

479 if request.POST.get('warned') and request.POST['warned'] != "False": 

480 self.warned = True 

481 self.warn = request.POST.get('warn') 

482 if settings.CAS_FEDERATE: 

483 self.username = request.POST.get('username') 

484 # in federated mode, the valdated indentity provider CAS ticket is used as password 

485 self.ticket = request.POST.get('password') 

486 

487 def gen_lt(self): 

488 """Generate a new LoginTicket and add it to the list of valid LT for the user""" 

489 self.request.session['lt'] = self.request.session.get('lt', []) + [utils.gen_lt()] 

490 if len(self.request.session['lt']) > 100: 

491 self.request.session['lt'] = self.request.session['lt'][-100:] 

492 

493 def check_lt(self): 

494 """ 

495 Check is the POSTed LoginTicket is valid, if yes invalide it 

496 

497 :return: ``True`` if the LoginTicket is valid, ``False`` otherwise 

498 :rtype: bool 

499 """ 

500 # save LT for later check 

501 lt_valid = self.request.session.get('lt', []) 

502 lt_send = self.request.POST.get('lt') 

503 # generate a new LT (by posting the LT has been consumed) 

504 self.gen_lt() 

505 # check if send LT is valid 

506 if lt_send not in lt_valid: 

507 return False 

508 else: 

509 self.request.session['lt'].remove(lt_send) 

510 # we need to redo the affectation for django to detect that the list has changed 

511 # and for its new value to be store in the session 

512 self.request.session['lt'] = self.request.session['lt'] 

513 return True 

514 

515 def post(self, request, *args, **kwargs): 

516 """ 

517 method called on POST request on this view 

518 

519 :param django.http.HttpRequest request: The current request object 

520 """ 

521 # initialize class parameters 

522 self.init_post(request) 

523 # process the POST request 

524 ret = self.process_post() 

525 if ret == self.INVALID_LOGIN_TICKET: 

526 messages.add_message( 

527 self.request, 

528 messages.ERROR, 

529 _(u"Invalid login ticket, please try to log in again") 

530 ) 

531 elif ret == self.USER_LOGIN_OK: 

532 pass 

533 elif ret == self.USER_LOGIN_FAILURE: # bad user login 

534 if settings.CAS_FEDERATE: 

535 self.ticket = None 

536 self.username = None 

537 self.init_form() 

538 # preserve valid LoginTickets from session flush 

539 lt = self.request.session.get('lt', []) 

540 # On login failure, flush the session 

541 self.logout() 

542 # restore valid LoginTickets 

543 self.request.session['lt'] = lt 

544 elif ret == self.USER_ALREADY_LOGGED: 

545 pass 

546 else: # pragma: no cover (should no happen) 

547 raise EnvironmentError("invalid output for LoginView.process_post") 

548 # call the GET/POST common part 

549 response = self.common() 

550 if self.warn: 

551 utils.set_cookie( 

552 response, 

553 "warn", 

554 "on", 

555 10 * 365 * 24 * 3600 

556 ) 

557 else: 

558 response.delete_cookie("warn") 

559 return response 

560 

561 def user_login(self, username, warn, warned=True): 

562 self.request.session.set_expiry(0) 

563 self.request.session["username"] = username 

564 self.request.session["warn"] = warn 

565 self.request.session["authenticated"] = True 

566 self.renewed = True 

567 self.warned = warned 

568 

569 # On successful login, update the :class:`models.User<cas_server.models.User>` ``date`` 

570 # attribute by saving it. (``auto_now=True``) 

571 self.user = models.User.objects.get_or_create( 

572 username=self.request.session['username'], 

573 session_key=self.request.session.session_key 

574 )[0] 

575 self.user.last_login = timezone.now() 

576 self.user.save() 

577 

578 logger.info("User %s successfully authenticated" % username) 

579 

580 def process_post(self): 

581 """ 

582 Analyse the POST request: 

583 

584 * check that the LoginTicket is valid 

585 * check that the user sumited credentials are valid 

586 

587 :return: 

588 * :attr:`INVALID_LOGIN_TICKET` if the POSTed LoginTicket is not valid 

589 * :attr:`USER_ALREADY_LOGGED` if the user is already logged and do no request 

590 reauthentication. 

591 * :attr:`USER_LOGIN_FAILURE` if the user is not logged or request for 

592 reauthentication and his credentials are not valid 

593 * :attr:`USER_LOGIN_OK` if the user is not logged or request for 

594 reauthentication and his credentials are valid 

595 :rtype: int 

596 """ 

597 if not self.check_lt(): 

598 self.init_form(self.request.POST) 

599 logger.warning("Received an invalid login ticket") 

600 return self.INVALID_LOGIN_TICKET 

601 elif not self.request.session.get("authenticated") or self.renew: 

602 # authentication request receive, initialize the form to use 

603 self.init_form(self.request.POST) 

604 if self.form.is_valid(): 

605 self.user_login( 

606 self.form.cleaned_data['username'], 

607 True if self.form.cleaned_data.get("warn") else False, 

608 warned=True 

609 ) 

610 return self.USER_LOGIN_OK 

611 else: 

612 logger.warning("A login attempt failed") 

613 return self.USER_LOGIN_FAILURE 

614 else: 

615 logger.warning("Received a login attempt for an already-active user") 

616 return self.USER_ALREADY_LOGGED 

617 

618 def init_get(self, request): 

619 """ 

620 Initialize GET received parameters 

621 

622 :param django.http.HttpRequest request: The current request object 

623 """ 

624 self.request = request 

625 self.service = request.GET.get('service') 

626 self.renew = bool(request.GET.get('renew') and request.GET['renew'] != "False") 

627 self.gateway = request.GET.get('gateway') 

628 self.method = request.GET.get('method') 

629 self.ajax = settings.CAS_ENABLE_AJAX_AUTH and 'HTTP_X_AJAX' in request.META 

630 self.warn = request.GET.get('warn') 

631 if settings.CAS_FEDERATE: 

632 # here username and ticket are fetch from the session after a redirection from 

633 # FederateAuth.get 

634 self.username = request.session.get("federate_username") 

635 self.ticket = request.session.get("federate_ticket") 

636 if self.username: 

637 del request.session["federate_username"] 

638 if self.ticket: 

639 del request.session["federate_ticket"] 

640 

641 def gssapi_auth(self): 

642 self.request.session['GSSAPI'] = False 

643 # read http header Authorization 

644 auth_header = self.request.META.get('HTTP_AUTHORIZATION', None) 

645 # if header is missing or do not match SPNEGO, start GSSAPI auth 

646 if auth_header is None or not auth_header.startswith('Negotiate '): 

647 # call the GET/POST common part 

648 response = self.common() 

649 response.status_code = 401 

650 # demande la négo GSSAPI 

651 response['WWW-Authenticate'] = 'Negotiate ' 

652 return response 

653 else: 

654 try: 

655 try: 

656 server_creds = gssapi.Credentials( 

657 usage='accept', 

658 name=gssapi.Name(settings.CAS_AUTH_GSSAPI_SERVICENAME) 

659 ) 

660 except gssapi.exceptions.GSSError as error: 

661 logger.error("Fail to create GSSAPI credentials objects: %s" % (error,)) 

662 server_creds = None 

663 # decode and check auth header 

664 tok = base64.b64decode(auth_header[len('Negotiate '):]) 

665 ctx = gssapi.SecurityContext(creds=server_creds, usage='accept') 

666 server_tok = ctx.step(tok) 

667 b64tok = base64.b64encode(server_tok) 

668 # If GSSAPI auth is successful 

669 if ctx.complete: 

670 # retreive the user username (remove the realm part) 

671 username = str(ctx.initiator_name).split('@', 1)[0] 

672 self.user_login( 

673 username, 

674 warn=False, 

675 warned=False 

676 ) 

677 self.request.session['GSSAPI'] = True 

678 # call the GET/POST common part 

679 return self.common() 

680 # sinon, ou la négo continue, ou l'utilisateur peut utiliser le form login/pass 

681 else: 

682 # call the GET/POST common part 

683 response = self.common() 

684 response.status_code = 401 

685 response['WWW-Authenticate'] = 'Negotiate ' + b64tok.decode('ascii') 

686 return response 

687 except gssapi.exceptions.GSSError as error: 

688 logger.error("Error during GSSAPI handshake: %s" % (error,)) 

689 # call the GET/POST common part 

690 return self.common() 

691 

692 def get(self, request, *args, **kwargs): 

693 """ 

694 method called on GET request on this view 

695 

696 :param django.http.HttpRequest request: The current request object 

697 """ 

698 # initialize class parameters 

699 self.init_get(request) 

700 # process the GET request 

701 self.process_get() 

702 if ( 702 ↛ 707line 702 didn't jump to line 707 because the condition on line 702 was never true

703 not settings.CAS_FEDERATE and 

704 settings.CAS_AUTH_GSSAPI_ENABLE and 

705 not request.session.get("authenticated") 

706 ): 

707 return self.gssapi_auth() 

708 else: 

709 # call the GET/POST common part 

710 return self.common() 

711 

712 def process_get(self): 

713 """ 

714 Analyse the GET request 

715 

716 :return: 

717 * :attr:`USER_NOT_AUTHENTICATED` if the user is not authenticated or is requesting 

718 for authentication renewal 

719 * :attr:`USER_AUTHENTICATED` if the user is authenticated and is not requesting 

720 for authentication renewal 

721 :rtype: int 

722 """ 

723 # generate a new LT 

724 self.gen_lt() 

725 if not self.request.session.get("authenticated") or self.renew: 

726 # authentication will be needed, initialize the form to use 

727 self.init_form() 

728 return self.USER_NOT_AUTHENTICATED 

729 return self.USER_AUTHENTICATED 

730 

731 def init_form(self, values=None): 

732 """ 

733 Initialization of the good form depending of POST and GET parameters 

734 

735 :param django.http.QueryDict values: A POST or GET QueryDict 

736 """ 

737 if values: 

738 values = values.copy() 

739 values['lt'] = self.request.session['lt'][-1] 

740 form_initial = { 

741 'service': self.service, 

742 'method': self.method, 

743 'warn': ( 

744 self.warn or self.request.session.get("warn") or self.request.COOKIES.get('warn') 

745 ), 

746 'lt': self.request.session['lt'][-1], 

747 'renew': self.renew 

748 } 

749 if settings.CAS_FEDERATE: 

750 if self.username and self.ticket: 

751 form_initial['username'] = self.username 

752 form_initial['password'] = self.ticket 

753 form_initial['ticket'] = self.ticket 

754 self.form = import_attr(settings.CAS_FEDERATE_USER_CREDENTIAL_FORM)( 

755 values, 

756 initial=form_initial 

757 ) 

758 else: 

759 self.form = import_attr( 

760 settings.CAS_FEDERATE_SELECT_FORM 

761 )(values, initial=form_initial) 

762 else: 

763 self.form = import_attr(settings.CAS_USER_CREDENTIAL_FORM)( 

764 values, 

765 initial=form_initial 

766 ) 

767 

768 def service_login(self): 

769 """ 

770 Perform login against a service 

771 

772 :return: 

773 * The rendering of the ``settings.CAS_WARN_TEMPLATE`` if the user asked to be 

774 warned before ticket emission and has not yep been warned. 

775 * The redirection to the service URL with a ticket GET parameter 

776 * The redirection to the service URL without a ticket if ticket generation failed 

777 and the :attr:`gateway` attribute is set 

778 * The rendering of the ``settings.CAS_LOGGED_TEMPLATE`` template with some error 

779 messages if the ticket generation failed (e.g: user not allowed). 

780 :rtype: django.http.HttpResponse 

781 """ 

782 try: 

783 # is the service allowed 

784 service_pattern = ServicePattern.validate(self.service) 

785 # is the current user allowed on this service 

786 service_pattern.check_user(self.user) 

787 # if the user has asked to be warned before any login to a service 

788 if self.request.session.get("warn", True) and not self.warned: 

789 messages.add_message( 

790 self.request, 

791 messages.WARNING, 

792 _(u"Authentication has been required by service %(name)s (%(url)s)") % 

793 {'name': service_pattern.name, 'url': self.service} 

794 ) 

795 if self.ajax: 

796 data = {"status": "error", "detail": "confirmation needed"} 

797 return json_response(self.request, data) 

798 else: 

799 warn_form = import_attr(settings.CAS_WARN_FORM)(initial={ 

800 'service': self.service, 

801 'renew': self.renew, 

802 'gateway': self.gateway, 

803 'method': self.method, 

804 'warned': True, 

805 'lt': self.request.session['lt'][-1] 

806 }) 

807 return render( 

808 self.request, 

809 settings.CAS_WARN_TEMPLATE, 

810 utils.context({'form': warn_form}) 

811 ) 

812 else: 

813 # redirect, using method ? 

814 list(messages.get_messages(self.request)) # clean messages before leaving django 

815 redirect_url = self.user.get_service_url( 

816 self.service, 

817 service_pattern, 

818 renew=self.renewed 

819 ) 

820 if not self.ajax: 

821 return HttpResponseRedirect(redirect_url) 

822 else: 

823 data = {"status": "success", "detail": "auth", "url": redirect_url} 

824 return json_response(self.request, data) 

825 except ServicePattern.DoesNotExist: 

826 error = 1 

827 messages.add_message( 

828 self.request, 

829 messages.ERROR, 

830 _(u'Service %(url)s not allowed.') % {'url': self.service} 

831 ) 

832 except models.BadUsername: 

833 error = 2 

834 messages.add_message( 

835 self.request, 

836 messages.ERROR, 

837 _(u"Username not allowed") 

838 ) 

839 except models.BadFilter: 

840 error = 3 

841 messages.add_message( 

842 self.request, 

843 messages.ERROR, 

844 _(u"User characteristics not allowed") 

845 ) 

846 except models.UserFieldNotDefined: 

847 error = 4 

848 messages.add_message( 

849 self.request, 

850 messages.ERROR, 

851 _(u"The attribute %(field)s is needed to use" 

852 u" that service") % {'field': service_pattern.user_field} 

853 ) 

854 

855 # if gateway is set and auth failed redirect to the service without authentication 

856 if self.gateway and not self.ajax: