Coverage for cas_server/views.py: 99%

Hot-keys on this page

r m x p toggle line displays

j k next/prev highlighted chunk

0 (zero) top of page

1 (one) first highlighted chunk

# -*- coding: utf-8 -*-

# This program is distributed in the hope that it will be useful, but WITHOUT

# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS

# FOR A PARTICULAR PURPOSE. See the GNU General Public License version 3 for

# more details.

# You should have received a copy of the GNU General Public License version 3

# along with this program; if not, write to the Free Software Foundation, Inc., 51

# Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

"""views for the app"""

from .default_settings import settings, SessionStore

from django.shortcuts import render, redirect

from django.http import HttpResponse, HttpResponseRedirect

from django.contrib import messages

from django.utils.decorators import method_decorator

from django.utils.translation import ugettext as _

from django.utils import timezone

from django.views.decorators.csrf import csrf_exempt

from django.middleware.csrf import CsrfViewMiddleware

from django.views.generic import View

from django.utils.encoding import python_2_unicode_compatible

from django.utils.safestring import mark_safe

try:

from django.urls import reverse

except ImportError:

from django.core.urlresolvers import reverse

import re

import logging

import pprint

import requests

from lxml import etree

from datetime import timedelta

import cas_server.utils as utils

import cas_server.forms as forms

import cas_server.models as models

from .utils import json_response

from .models import Ticket, ServiceTicket, ProxyTicket, ProxyGrantingTicket

from .models import ServicePattern, FederatedIendityProvider, FederatedUser

from .federate import CASFederateValidateUser

logger = logging.getLogger(__name__)

class LogoutMixin(object):

"""destroy CAS session utils"""

def logout(self, all_session=False):

"""

effectively destroy a CAS session

:param boolean all_session: If ``True`` destroy all the user sessions, otherwise

destroy the current user session.

:return: The number of destroyed sessions

:rtype: int

"""

# initialize the counter of the number of destroyed sesisons

session_nb = 0

# save the current user username before flushing the session

username = self.request.session.get("username")

if username:

if all_session:

logger.info("Logging out user %s from all sessions." % username)

else:

logger.info("Logging out user %s." % username)

users = []

# try to get the user from the current session

try:

users.append(

models.User.objects.get(

username=username,

session_key=self.request.session.session_key

)

except models.User.DoesNotExist:

# if user not found in database, flush the session anyway

self.request.session.flush()

# If all_session is set, search all of the user sessions

if all_session:

users.extend(

models.User.objects.filter(

username=username

).exclude(

session_key=self.request.session.session_key

)

# Iterate over all user sessions that have to be logged out

for user in users:

# get the user session

session = SessionStore(session_key=user.session_key)

# flush the session

session.flush()

# send SLO requests

user.logout(self.request)

# delete the user

user.delete()

# increment the destroyed session counter

session_nb += 1

if username:

logger.info("User %s logged out" % username)

return session_nb

class CsrfExemptView(View):

"""base class for csrf exempt class views"""

@method_decorator(csrf_exempt) # csrf is disabled for allowing SLO requests reception

def dispatch(self, request, *args, **kwargs):

"""

dispatch different http request to the methods of the same name

:param django.http.HttpRequest request: The current request object

"""

return super(CsrfExemptView, self).dispatch(request, *args, **kwargs)

class LogoutView(View, LogoutMixin):

"""destroy CAS session (logout) view"""

#: current :class:`django.http.HttpRequest` object

request = None

#: service GET parameter

service = None

#: url GET paramet

url = None

#: ``True`` if the HTTP_X_AJAX http header is sent and ``settings.CAS_ENABLE_AJAX_AUTH``

#: is ``True``, ``False`` otherwise.

ajax = None

def init_get(self, request):

"""

Initialize the :class:`LogoutView` attributes on GET request

:param django.http.HttpRequest request: The current request object

"""

self.request = request

self.service = request.GET.get('service')

self.url = request.GET.get('url')

self.ajax = settings.CAS_ENABLE_AJAX_AUTH and 'HTTP_X_AJAX' in request.META

def get(self, request, *args, **kwargs):

"""

method called on GET request on this view

:param django.http.HttpRequest request: The current request object

"""

logger.info("logout requested")

# initialize the class attributes

self.init_get(request)

# if CAS federation mode is enable, bakup the provider before flushing the sessions

if settings.CAS_FEDERATE:

try:

user = FederatedUser.get_from_federated_username(

self.request.session.get("username")

)

auth = CASFederateValidateUser(user.provider, service_url="")

except FederatedUser.DoesNotExist:

auth = None

session_nb = self.logout(self.request.GET.get("all"))

# if CAS federation mode is enable, redirect to user CAS logout page, appending the

# current querystring

if settings.CAS_FEDERATE:

if auth is not None:

params = utils.copy_params(request.GET, ignore={"forget_provider"})

url = auth.get_logout_url()

response = HttpResponseRedirect(utils.update_url(url, params))

if request.GET.get("forget_provider"):

response.delete_cookie("remember_provider")

return response

# if service is set, redirect to service after logout

if self.service:

list(messages.get_messages(request)) # clean messages before leaving the django app

return HttpResponseRedirect(self.service)

# if service is not set but url is set, redirect to url after logout

elif self.url:

list(messages.get_messages(request)) # clean messages before leaving the django app

return HttpResponseRedirect(self.url)

else:

# build logout message depending of the number of sessions the user logs out

if session_nb == 1:

logout_msg = mark_safe(_(

"<h3>Logout successful</h3>"

"You have successfully logged out from the Central Authentication Service. "

"For security reasons, close your web browser."

))

elif session_nb > 1:

logout_msg = mark_safe(_(

"<h3>Logout successful</h3>"

"You have successfully logged out from %d sessions of the Central "

"Authentication Service. "

"For security reasons, close your web browser."

) % session_nb)

else:

logout_msg = mark_safe(_(

"<h3>Logout successful</h3>"

"You were already logged out from the Central Authentication Service. "

"For security reasons, close your web browser."

))

# depending of settings, redirect to the login page with a logout message or display

# the logout page. The default is to display tge logout page.

if settings.CAS_REDIRECT_TO_LOGIN_AFTER_LOGOUT:

messages.add_message(request, messages.SUCCESS, logout_msg)

if self.ajax:

url = reverse("cas_server:login")

data = {

'status': 'success',

'detail': 'logout',

'url': url,

'session_nb': session_nb

}

return json_response(request, data)

else:

return redirect("cas_server:login")

else:

if self.ajax:

data = {'status': 'success', 'detail': 'logout', 'session_nb': session_nb}

return json_response(request, data)

else:

return render(

request,

settings.CAS_LOGOUT_TEMPLATE,

utils.context({'logout_msg': logout_msg})

)

class FederateAuth(CsrfExemptView):

"""

view to authenticated user against a backend CAS then CAS_FEDERATE is True

csrf is disabled for allowing SLO requests reception.

"""

#: current URL used as service URL by the CAS client

service_url = None

def get_cas_client(self, request, provider, renew=False):

"""

return a CAS client object matching provider

:param django.http.HttpRequest request: The current request object

:param cas_server.models.FederatedIendityProvider provider: the user identity provider

:return: The user CAS client object

:rtype: :class:`federate.CASFederateValidateUser

<cas_server.federate.CASFederateValidateUser>`

"""

# compute the current url, ignoring ticket dans provider GET parameters

service_url = utils.get_current_url(request, {"ticket", "provider"})

self.service_url = service_url

return CASFederateValidateUser(provider, service_url, renew=renew)

def post(self, request, provider=None):

"""

method called on POST request

:param django.http.HttpRequest request: The current request object

:param unicode provider: Optional parameter. The user provider suffix.

"""

# if settings.CAS_FEDERATE is not True redirect to the login page

if not settings.CAS_FEDERATE:

logger.warning("CAS_FEDERATE is False, set it to True to use federation")

return redirect("cas_server:login")

# POST with a provider suffix, this is probably an SLO request. csrf is disabled for

# allowing SLO requests reception

try:

provider = FederatedIendityProvider.objects.get(suffix=provider)

auth = self.get_cas_client(request, provider)

try:

auth.clean_sessions(request.POST['logoutRequest'])

except (KeyError, AttributeError):

pass

return HttpResponse("ok")

# else, a User is trying to log in using an identity provider

except FederatedIendityProvider.DoesNotExist:

# Manually checking for csrf to protect the code below

reason = CsrfViewMiddleware().process_view(request, None, (), {})

if reason is not None: # pragma: no cover (csrf checks are disabled during tests)

return reason # Failed the test, stop here.

form = forms.FederateSelect(request.POST)

if form.is_valid():

params = utils.copy_params(

request.POST,

ignore={"provider", "csrfmiddlewaretoken", "ticket", "lt"}

)

if params.get("renew") == "False":

del params["renew"]

url = utils.reverse_params(

"cas_server:federateAuth",

kwargs=dict(provider=form.cleaned_data["provider"].suffix),

params=params

)

return HttpResponseRedirect(url)

else:

return redirect("cas_server:login")

def get(self, request, provider=None):

"""

method called on GET request

:param django.http.HttpRequestself. request: The current request object

:param unicode provider: Optional parameter. The user provider suffix.

"""

# if settings.CAS_FEDERATE is not True redirect to the login page

if not settings.CAS_FEDERATE:

logger.warning("CAS_FEDERATE is False, set it to True to use federation")

return redirect("cas_server:login")

renew = bool(request.GET.get('renew') and request.GET['renew'] != "False")

# Is the user is already authenticated, no need to request authentication to the user

# identity provider.

if self.request.session.get("authenticated") and not renew:

logger.warning("User already authenticated, dropping federated authentication request")

return redirect("cas_server:login")

try:

# get the identity provider from its suffix

provider = FederatedIendityProvider.objects.get(suffix=provider)

# get a CAS client for the user identity provider

auth = self.get_cas_client(request, provider, renew)

# if no ticket submited, redirect to the identity provider CAS login page

if 'ticket' not in request.GET:

logger.info("Trying to authenticate %s again" % auth.provider.server_url)

return HttpResponseRedirect(auth.get_login_url())

else:

ticket = request.GET['ticket']

try:

# if the ticket validation succeed

if auth.verify_ticket(ticket):

logger.info(

"Got a valid ticket for %s from %s" % (

auth.username,

auth.provider.server_url

)

params = utils.copy_params(request.GET, ignore={"ticket", "remember"})

request.session["federate_username"] = auth.federated_username

request.session["federate_ticket"] = ticket

auth.register_slo(

auth.federated_username,

request.session.session_key,

ticket

)

# redirect to the the login page for the user to become authenticated

# thanks to the `federate_username` and `federate_ticket` session parameters

url = utils.reverse_params("cas_server:login", params)

response = HttpResponseRedirect(url)

# If the user has checked "remember my identity provider" store it in a

# cookie

if request.GET.get("remember"):

max_age = settings.CAS_FEDERATE_REMEMBER_TIMEOUT

utils.set_cookie(

response,

"remember_provider",

provider.suffix,

max_age

)

return response

# else redirect to the identity provider CAS login page

else:

logger.info(

(

"Got an invalid ticket %s from %s for service %s. "

"Retrying authentication"

) % (

ticket,

auth.provider.server_url,

self.service_url

)

return HttpResponseRedirect(auth.get_login_url())

# both xml.etree.ElementTree and lxml.etree exceptions inherit from SyntaxError

except SyntaxError as error:

messages.add_message(

request,

messages.ERROR,

u"Invalid response from your identity provider CAS upon "

u"ticket %(ticket)s validation: %(error)r"

) % {'ticket': ticket, 'error': error}

)

response = redirect("cas_server:login")

response.delete_cookie("remember_provider")

return response

except FederatedIendityProvider.DoesNotExist:

logger.warning("Identity provider suffix %s not found" % provider)

# if the identity provider is not found, redirect to the login page

return redirect("cas_server:login")

class LoginView(View, LogoutMixin):

"""credential requestor / acceptor"""

# pylint: disable=too-many-instance-attributes

# Nine is reasonable in this case.

#: The current :class:`models.User<cas_server.models.User>` object

user = None

#: The form to display to the user

form = None

#: current :class:`django.http.HttpRequest` object

request = None

#: service GET/POST parameter

service = None

#: ``True`` if renew GET/POST parameter is present and not "False"

renew = None

#: the warn GET/POST parameter

warn = None

#: the gateway GET/POST parameter

gateway = None

#: the method GET/POST parameter

method = None

#: ``True`` if the HTTP_X_AJAX http header is sent and ``settings.CAS_ENABLE_AJAX_AUTH``

#: is ``True``, ``False`` otherwise.

ajax = None

#: ``True`` if the user has just authenticated

renewed = False

#: ``True`` if renew GET/POST parameter is present and not "False"

warned = False

#: The :class:`FederateAuth` transmited username (only used if ``settings.CAS_FEDERATE``

#: is ``True``)

username = None

#: The :class:`FederateAuth` transmited ticket (only used if ``settings.CAS_FEDERATE`` is

#: ``True``)

ticket = None

INVALID_LOGIN_TICKET = 1

USER_LOGIN_OK = 2

USER_LOGIN_FAILURE = 3

USER_ALREADY_LOGGED = 4

USER_AUTHENTICATED = 5

USER_NOT_AUTHENTICATED = 6

def init_post(self, request):

"""

Initialize POST received parameters

:param django.http.HttpRequest request: The current request object

"""

self.request = request

self.service = request.POST.get('service')

self.renew = bool(request.POST.get('renew') and request.POST['renew'] != "False")

self.gateway = request.POST.get('gateway')

self.method = request.POST.get('method')

self.ajax = settings.CAS_ENABLE_AJAX_AUTH and 'HTTP_X_AJAX' in request.META

if request.POST.get('warned') and request.POST['warned'] != "False":

self.warned = True

self.warn = request.POST.get('warn')

if settings.CAS_FEDERATE:

self.username = request.POST.get('username')

# in federated mode, the valdated indentity provider CAS ticket is used as password

self.ticket = request.POST.get('password')

def gen_lt(self):

"""Generate a new LoginTicket and add it to the list of valid LT for the user"""

self.request.session['lt'] = self.request.session.get('lt', []) + [utils.gen_lt()]

if len(self.request.session['lt']) > 100:

self.request.session['lt'] = self.request.session['lt'][-100:]

def check_lt(self):

"""

Check is the POSTed LoginTicket is valid, if yes invalide it

:return: ``True`` if the LoginTicket is valid, ``False`` otherwise

:rtype: bool

"""

# save LT for later check

lt_valid = self.request.session.get('lt', [])

lt_send = self.request.POST.get('lt')

# generate a new LT (by posting the LT has been consumed)

self.gen_lt()

# check if send LT is valid

if lt_send not in lt_valid:

return False

else:

self.request.session['lt'].remove(lt_send)

# we need to redo the affectation for django to detect that the list has changed

# and for its new value to be store in the session

self.request.session['lt'] = self.request.session['lt']

return True

def post(self, request, *args, **kwargs):

"""

method called on POST request on this view

:param django.http.HttpRequest request: The current request object

"""

# initialize class parameters

self.init_post(request)

# process the POST request

ret = self.process_post()

if ret == self.INVALID_LOGIN_TICKET:

messages.add_message(

self.request,

messages.ERROR,

_(u"Invalid login ticket, please try to log in again")

)

elif ret == self.USER_LOGIN_OK:

# On successful login, update the :class:`models.User<cas_server.models.User>` ``date``

# attribute by saving it. (``auto_now=True``)

self.user = models.User.objects.get_or_create(

username=self.request.session['username'],

session_key=self.request.session.session_key

)[0]

self.user.last_login = timezone.now()

self.user.save()

elif ret == self.USER_LOGIN_FAILURE: # bad user login

if settings.CAS_FEDERATE:

self.ticket = None

self.username = None

self.init_form()

# preserve valid LoginTickets from session flush

lt = self.request.session.get('lt', [])

# On login failure, flush the session

self.logout()

# restore valid LoginTickets

self.request.session['lt'] = lt

elif ret == self.USER_ALREADY_LOGGED:

pass

else: # pragma: no cover (should no happen)

raise EnvironmentError("invalid output for LoginView.process_post")

# call the GET/POST common part

response = self.common()

if self.warn:

utils.set_cookie(

response,

"warn",

"on",

10 * 365 * 24 * 3600

)

else:

response.delete_cookie("warn")

return response

def process_post(self):

"""

Analyse the POST request:

* check that the LoginTicket is valid

* check that the user sumited credentials are valid

:return:

* :attr:`INVALID_LOGIN_TICKET` if the POSTed LoginTicket is not valid

* :attr:`USER_ALREADY_LOGGED` if the user is already logged and do no request

reauthentication.

* :attr:`USER_LOGIN_FAILURE` if the user is not logged or request for

reauthentication and his credentials are not valid

* :attr:`USER_LOGIN_OK` if the user is not logged or request for

reauthentication and his credentials are valid

:rtype: int

"""

if not self.check_lt():

self.init_form(self.request.POST)

logger.warning("Received an invalid login ticket")

return self.INVALID_LOGIN_TICKET

elif not self.request.session.get("authenticated") or self.renew:

# authentication request receive, initialize the form to use

self.init_form(self.request.POST)

if self.form.is_valid():

self.request.session.set_expiry(0)

self.request.session["username"] = self.form.cleaned_data['username']

self.request.session["warn"] = True if self.form.cleaned_data.get("warn") else False

self.request.session["authenticated"] = True

self.renewed = True

self.warned = True

logger.info("User %s successfully authenticated" % self.request.session["username"])

return self.USER_LOGIN_OK

else:

logger.warning("A login attempt failed")

return self.USER_LOGIN_FAILURE

else:

logger.warning("Received a login attempt for an already-active user")

return self.USER_ALREADY_LOGGED

def init_get(self, request):

"""

Initialize GET received parameters

:param django.http.HttpRequest request: The current request object

"""

self.request = request

self.service = request.GET.get('service')

self.renew = bool(request.GET.get('renew') and request.GET['renew'] != "False")

self.gateway = request.GET.get('gateway')

self.method = request.GET.get('method')

self.ajax = settings.CAS_ENABLE_AJAX_AUTH and 'HTTP_X_AJAX' in request.META

self.warn = request.GET.get('warn')

if settings.CAS_FEDERATE:

# here username and ticket are fetch from the session after a redirection from

# FederateAuth.get

self.username = request.session.get("federate_username")

self.ticket = request.session.get("federate_ticket")

if self.username:

del request.session["federate_username"]

if self.ticket:

del request.session["federate_ticket"]

def get(self, request, *args, **kwargs):

"""

method called on GET request on this view

:param django.http.HttpRequest request: The current request object

"""

# initialize class parameters

self.init_get(request)

# process the GET request

self.process_get()

# call the GET/POST common part

return self.common()

def process_get(self):

"""

Analyse the GET request

:return:

* :attr:`USER_NOT_AUTHENTICATED` if the user is not authenticated or is requesting

for authentication renewal

* :attr:`USER_AUTHENTICATED` if the user is authenticated and is not requesting

for authentication renewal

:rtype: int

"""

# generate a new LT

self.gen_lt()

if not self.request.session.get("authenticated") or self.renew:

# authentication will be needed, initialize the form to use

self.init_form()

return self.USER_NOT_AUTHENTICATED

return self.USER_AUTHENTICATED

def init_form(self, values=None):

"""

Initialization of the good form depending of POST and GET parameters

:param django.http.QueryDict values: A POST or GET QueryDict

"""

if values:

values = values.copy()

values['lt'] = self.request.session['lt'][-1]

form_initial = {

'service': self.service,

'method': self.method,

'warn': (

self.warn or self.request.session.get("warn") or self.request.COOKIES.get('warn')

'lt': self.request.session['lt'][-1],

'renew': self.renew

}

if settings.CAS_FEDERATE:

if self.username and self.ticket:

form_initial['username'] = self.username

form_initial['password'] = self.ticket

form_initial['ticket'] = self.ticket

self.form = forms.FederateUserCredential(

values,

initial=form_initial

)

else:

self.form = forms.FederateSelect(values, initial=form_initial)

else:

self.form = forms.UserCredential(

values,

initial=form_initial

)

def service_login(self):

"""

Perform login against a service

:return:

* The rendering of the ``settings.CAS_WARN_TEMPLATE`` if the user asked to be

warned before ticket emission and has not yep been warned.

* The redirection to the service URL with a ticket GET parameter

* The redirection to the service URL without a ticket if ticket generation failed

and the :attr:`gateway` attribute is set

* The rendering of the ``settings.CAS_LOGGED_TEMPLATE`` template with some error

messages if the ticket generation failed (e.g: user not allowed).

:rtype: django.http.HttpResponse

"""

try:

# is the service allowed

service_pattern = ServicePattern.validate(self.service)

# is the current user allowed on this service

service_pattern.check_user(self.user)

# if the user has asked to be warned before any login to a service

if self.request.session.get("warn", True) and not self.warned:

messages.add_message(

self.request,

messages.WARNING,

_(u"Authentication has been required by service %(name)s (%(url)s)") %

{'name': service_pattern.name, 'url': self.service}

)

if self.ajax:

data = {"status": "error", "detail": "confirmation needed"}

return json_response(self.request, data)

else:

warn_form = forms.WarnForm(initial={

'service': self.service,

'renew': self.renew,

'gateway': self.gateway,

'method': self.method,

'warned': True,

'lt': self.request.session['lt'][-1]

})

return render(

self.request,

settings.CAS_WARN_TEMPLATE,

utils.context({'form': warn_form})

)

else:

# redirect, using method ?

list(messages.get_messages(self.request)) # clean messages before leaving django

redirect_url = self.user.get_service_url(

self.service,

service_pattern,

renew=self.renewed

)

if not self.ajax:

return HttpResponseRedirect(redirect_url)

else:

data = {"status": "success", "detail": "auth", "url": redirect_url}

return json_response(self.request, data)

except ServicePattern.DoesNotExist:

error = 1

messages.add_message(

self.request,

messages.ERROR,

_(u'Service %(url)s not allowed.') % {'url': self.service}

)

except models.BadUsername:

error = 2

messages.add_message(

self.request,

messages.ERROR,

_(u"Username not allowed")

)

except models.BadFilter:

error = 3

messages.add_message(

self.request,

messages.ERROR,

_(u"User characteristics not allowed")

)

except models.UserFieldNotDefined:

error = 4

messages.add_message(

self.request,

messages.ERROR,

_(u"The attribute %(field)s is needed to use"

u" that service") % {'field': service_pattern.user_field}

)

# if gateway is set and auth failed redirect to the service without authentication

if self.gateway and not self.ajax:

list(messages.get_messages(self.request)) # clean messages before leaving django

return HttpResponseRedirect(self.service)

if not self.ajax:

return render(

self.request,

settings.CAS_LOGGED_TEMPLATE,

utils.context({'session': self.request.session})

)

else:

data = {"status": "error", "detail": "auth", "code": error}

return json_response(self.request, data)

def authenticated(self):

"""

Processing authenticated users

:return:

* The returned value of :meth:`service_login` if :attr:`service` is defined

* The rendering of ``settings.CAS_LOGGED_TEMPLATE`` otherwise

:rtype: django.http.HttpResponse

"""

# Try to get the current :class:`models.User<cas_server.models.User>` object for the current

# session

try:

self.user = models.User.objects.get(

username=self.request.session.get("username"),

session_key=self.request.session.session_key

)

# if not found, flush the session and redirect to the login page

except models.User.DoesNotExist:

logger.warning(

"User %s seems authenticated but is not found in the database." % (

self.request.session.get("username"),

)

self.logout()

if self.ajax:

data = {

"status": "error",

"detail": "login required",

"url": utils.reverse_params("cas_server:login", params=self.request.GET)

}

return json_response(self.request, data)

else:

return utils.redirect_params("cas_server:login", params=self.request.GET)

# if login against a service

if self.service:

return self.service_login()

# else display the logged template

else:

if self.ajax:

data = {"status": "success", "detail": "logged"}

return json_response(self.request, data)

else:

return render(

self.request,

settings.CAS_LOGGED_TEMPLATE,

utils.context({'session': self.request.session})

)

def not_authenticated(self):

"""

Processing non authenticated users

:return:

* The rendering of ``settings.CAS_LOGIN_TEMPLATE`` with various messages

depending of GET/POST parameters

* The redirection to :class:`FederateAuth` if ``settings.CAS_FEDERATE`` is ``True``

and the "remember my identity provider" cookie is found

:rtype: django.http.HttpResponse

"""

if self.service:

try:

service_pattern = ServicePattern.validate(self.service)

if self.gateway and not self.ajax:

# clean messages before leaving django

list(messages.get_messages(self.request))

return HttpResponseRedirect(self.service)

if settings.CAS_SHOW_SERVICE_MESSAGES:

if self.request.session.get("authenticated") and self.renew:

messages.add_message(

self.request,

messages.WARNING,

_(u"Authentication renewal required by service %(name)s (%(url)s).") %

{'name': service_pattern.name, 'url': self.service}

)

else:

messages.add_message(

self.request,

messages.WARNING,

_(u"Authentication required by service %(name)s (%(url)s).") %

{'name': service_pattern.name, 'url': self.service}

)

except ServicePattern.DoesNotExist:

if settings.CAS_SHOW_SERVICE_MESSAGES:

messages.add_message(

self.request,

messages.ERROR,

_(u'Service %s not allowed') % self.service

)

if self.ajax:

data = {

"status": "error",

"detail": "login required",

"url": utils.reverse_params("cas_server:login", params=self.request.GET)

}

return json_response(self.request, data)

else:

if settings.CAS_FEDERATE:

if self.username and self.ticket:

return render(

self.request,

settings.CAS_LOGIN_TEMPLATE,

utils.context({

'form': self.form,

'auto_submit': True,

'post_url': reverse("cas_server:login")

})

)

else:

if (

self.request.COOKIES.get('remember_provider') and

FederatedIendityProvider.objects.filter(

suffix=self.request.COOKIES['remember_provider']

)

params = utils.copy_params(self.request.GET)

url = utils.reverse_params(

"cas_server:federateAuth",

params=params,

kwargs=dict(provider=self.request.COOKIES['remember_provider'])

)

return HttpResponseRedirect(url)

else:

# if user is authenticated and auth renewal is requested, redirect directly

# to the user identity provider

if self.renew and self.request.session.get("authenticated"):

try:

user = FederatedUser.get_from_federated_username(

self.request.session.get("username")

)

params = utils.copy_params(self.request.GET)

url = utils.reverse_params(

"cas_server:federateAuth",

params=params,

kwargs=dict(provider=user.provider.suffix)

)

return HttpResponseRedirect(url)

# Should normally not happen: if the user is logged, it exists in the

# database.

except FederatedUser.DoesNotExist: # pragma: no cover

pass

return render(

self.request,

settings.CAS_LOGIN_TEMPLATE,

utils.context({

'form': self.form,

'post_url': reverse("cas_server:federateAuth")

})

)

else:

return render(

self.request,

settings.CAS_LOGIN_TEMPLATE,

utils.context({'form': self.form})

)

def common(self):

"""

Common part execute uppon GET and POST request

:return:

* The returned value of :meth:`authenticated` if the user is authenticated and

not requesting for authentication or if the authentication has just been renewed

* The returned value of :meth:`not_authenticated` otherwise

:rtype: django.http.HttpResponse

"""

# if authenticated and successfully renewed authentication if needed

if self.request.session.get("authenticated") and (not self.renew or self.renewed):

return self.authenticated()

else:

return self.not_authenticated()

class Auth(CsrfExemptView):

"""

A simple view to validate username/password/service tuple

csrf is disable as it is intended to be used by programs. Security is assured by a shared

secret between the programs dans django-cas-server.

"""

@staticmethod

def post(request):

"""

method called on POST request on this view

:param django.http.HttpRequest request: The current request object

:return: ``HttpResponse(u"yes\\n")`` if the POSTed tuple (username, password, service)

if valid (i.e. (username, password) is valid dans username is allowed on service).

``HttpResponse(u"no\\n…")`` otherwise, with possibly an error message on the second

line.

:rtype: django.http.HttpResponse

"""

username = request.POST.get('username')

password = request.POST.get('password')

service = request.POST.get('service')

secret = request.POST.get('secret')

if not settings.CAS_AUTH_SHARED_SECRET:

return HttpResponse(

"no\nplease set CAS_AUTH_SHARED_SECRET",

content_type="text/plain; charset=utf-8"

)

if secret != settings.CAS_AUTH_SHARED_SECRET:

return HttpResponse(u"no\n", content_type="text/plain; charset=utf-8")

if not username or not password or not service:

return HttpResponse(u"no\n", content_type="text/plain; charset=utf-8")

form = forms.UserCredential(

request.POST,

initial={

'service': service,

'method': 'POST',

'warn': False

}

)

if form.is_valid():

try:

user = models.User.objects.get_or_create(

username=form.cleaned_data['username'],

session_key=request.session.session_key

)[0]

user.save()

# is the service allowed

service_pattern = ServicePattern.validate(service)

# is the current user allowed on this service

service_pattern.check_user(user)

if not request.session.get("authenticated"):

user.delete()

return HttpResponse(u"yes\n", content_type="text/plain; charset=utf-8")

except (ServicePattern.DoesNotExist, models.ServicePatternException):

return HttpResponse(u"no\n", content_type="text/plain; charset=utf-8")

else:

return HttpResponse(u"no\n", content_type="text/plain; charset=utf-8")

class Validate(View):

"""service ticket validation"""

@staticmethod

def get(request):

"""

method called on GET request on this view

:param django.http.HttpRequest request: The current request object

:return:

* ``HttpResponse("yes\\nusername")`` if submited (service, ticket) is valid

* else ``HttpResponse("no\\n")``

:rtype: django.http.HttpResponse

"""

# store wanted GET parameters

service = request.GET.get('service')

ticket = request.GET.get('ticket')

renew = True if request.GET.get('renew') else False

# service and ticket parameters are mandatory

if service and ticket:

try:

# search for the ticket, associated at service that is not yet validated but is

# still valid

ticket = ServiceTicket.get(ticket, renew, service)

logger.info(

"Validate: Service ticket %s validated, user %s authenticated on service %s" % (

ticket.value,

ticket.user.username,

ticket.service

)

return HttpResponse(

u"yes\n%s\n" % ticket.username(),

content_type="text/plain; charset=utf-8"

)

except ServiceTicket.DoesNotExist:

logger.warning(

(

"Validate: Service ticket %s not found or "

"already validated, auth to %s failed"

) % (

ticket,

service

)

return HttpResponse(u"no\n", content_type="text/plain; charset=utf-8")

else:

logger.warning("Validate: service or ticket missing")

return HttpResponse(u"no\n", content_type="text/plain; charset=utf-8")

@python_2_unicode_compatible

class ValidationBaseError(Exception):

"""Base class for both saml and cas validation error"""

#: The error code

code = None

#: The error message

msg = None

def __init__(self, code, msg=""):

self.code = code

self.msg = msg

super(ValidationBaseError, self).__init__(code)

def __str__(self):

return u"%s" % self.msg

def render(self, request):

"""

render the error template for the exception

:param django.http.HttpRequest request: The current request object:

:return: the rendered ``cas_server/serviceValidateError.xml`` template

:rtype: django.http.HttpResponse

"""

return render(

request,

self.template,

self.context(), content_type="text/xml; charset=utf-8"

)

class ValidateError(ValidationBaseError):

"""handle service validation error"""

#: template to be render for the error

template = "cas_server/serviceValidateError.xml"

def context(self):

"""

content to use to render :attr:`template`

:return: A dictionary to contextualize :attr:`template`

:rtype: dict

"""

return {'code': self.code, 'msg': self.msg}

class ValidateService(View):

"""service ticket validation [CAS 2.0] and [CAS 3.0]"""

#: Current :class:`django.http.HttpRequest` object

request = None

#: The service GET parameter

service = None

#: the ticket GET parameter

ticket = None

#: the pgtUrl GET parameter

pgt_url = None

#: the renew GET parameter

renew = None

#: specify if ProxyTicket are allowed by the view. Hence we user the same view for

#: ``/serviceValidate`` and ``/proxyValidate`` juste changing the parameter.

allow_proxy_ticket = False

def get(self, request):

"""

method called on GET request on this view

:param django.http.HttpRequest request: The current request object:

:return: The rendering of ``cas_server/serviceValidate.xml`` if no errors is raised,

the rendering or ``cas_server/serviceValidateError.xml`` otherwise.

:rtype: django.http.HttpResponse

"""

# define the class parameters

self.request = request

self.service = request.GET.get('service')

self.ticket = request.GET.get('ticket')

self.pgt_url = request.GET.get('pgtUrl')

self.renew = True if request.GET.get('renew') else False

# service and ticket parameter are mandatory

if not self.service or not self.ticket:

logger.warning("ValidateService: missing ticket or service")

return ValidateError(

u'INVALID_REQUEST',

u"you must specify a service and a ticket"

).render(request)

else:

try:

# search the ticket in the database

self.ticket, proxies = self.process_ticket()

# prepare template rendering context

params = {

'username': self.ticket.username(),

'attributes': self.ticket.attributs_flat(),

'proxies': proxies,

'auth_date': self.ticket.user.last_login.replace(microsecond=0).isoformat(),

'is_new_login': 'true' if self.ticket.renew else 'false'

}

# if pgtUrl is set, require https or localhost

if self.pgt_url and (

self.pgt_url.startswith("https://") or

re.match(r"^http://(127\.0\.0\.1|localhost)(:[0-9]+)?(/.*)?$", self.pgt_url)

return self.process_pgturl(params)

else:

logger.info(

"ValidateService: ticket %s validated for user %s on service %s." % (

self.ticket.value,

self.ticket.user.username,

self.ticket.service

)

logger.debug(

"ValidateService: User attributs are:\n%s" % (

pprint.pformat(self.ticket.attributs),

)

return render(

request,

"cas_server/serviceValidate.xml",

params,

content_type="text/xml; charset=utf-8"

)

except ValidateError as error:

logger.warning(

"ValidateService: validation error: %s %s" % (error.code, error.msg)

)

return error.render(request)

def process_ticket(self):

"""

fetch the ticket against the database and check its validity

:raises ValidateError: if the ticket is not found or not valid, potentially for that

service

:returns: A couple (ticket, proxies list)

:rtype: :obj:`tuple`

"""

try:

proxies = []

if self.allow_proxy_ticket:

ticket = models.Ticket.get(self.ticket, self.renew)

else:

ticket = models.ServiceTicket.get(self.ticket, self.renew)

try:

for prox in ticket.proxies.all():

proxies.append(prox.url)

except AttributeError:

pass

if ticket.service != self.service:

raise ValidateError(u'INVALID_SERVICE', self.service)

return ticket, proxies

except Ticket.DoesNotExist:

raise ValidateError(u'INVALID_TICKET', self.ticket)

except (ServiceTicket.DoesNotExist, ProxyTicket.DoesNotExist):

raise ValidateError(u'INVALID_TICKET', 'ticket not found')

def process_pgturl(self, params):

"""

Handle PGT request

:param dict params: A template context dict

:raises ValidateError: if pgtUrl is invalid or if TLS validation of the pgtUrl fails

:return: The rendering of ``cas_server/serviceValidate.xml``, using ``params``

:rtype: django.http.HttpResponse

"""

try:

pattern = ServicePattern.validate(self.pgt_url)

if pattern.proxy_callback:

proxyid = utils.gen_pgtiou()

pticket = ProxyGrantingTicket.objects.create(

user=self.ticket.user,

service=self.pgt_url,

service_pattern=pattern,

single_log_out=pattern.single_log_out

)

url = utils.update_url(self.pgt_url, {'pgtIou': proxyid, 'pgtId': pticket.value})

try:

ret = requests.get(url, verify=settings.CAS_PROXY_CA_CERTIFICATE_PATH)

if ret.status_code == 200:

params['proxyGrantingTicket'] = proxyid

else:

pticket.delete()

logger.info(

(

"ValidateService: ticket %s validated for user %s on service %s. "

"Proxy Granting Ticket transmited to %s."

) % (

self.ticket.value,

self.ticket.user.username,

self.ticket.service,

self.pgt_url

)

logger.debug(

"ValidateService: User attributs are:\n%s" % (

pprint.pformat(self.ticket.attributs),

)

return render(

self.request,

"cas_server/serviceValidate.xml",

params,

content_type="text/xml; charset=utf-8"

)

except requests.exceptions.RequestException as error:

error = utils.unpack_nested_exception(error)

raise ValidateError(

u'INVALID_PROXY_CALLBACK',

u"%s: %s" % (type(error), str(error))

)

else:

raise ValidateError(

u'INVALID_PROXY_CALLBACK',

u"callback url not allowed by configuration"

)

except ServicePattern.DoesNotExist:

raise ValidateError(

u'INVALID_PROXY_CALLBACK',

u'callback url not allowed by configuration'

)

class Proxy(View):

"""proxy ticket service"""

#: Current :class:`django.http.HttpRequest` object

request = None

#: A ProxyGrantingTicket from the pgt GET parameter

pgt = None

#: the targetService GET parameter

target_service = None

def get(self, request):

"""

method called on GET request on this view

:param django.http.HttpRequest request: The current request object:

:return: The returned value of :meth:`process_proxy` if no error is raised,

else the rendering of ``cas_server/serviceValidateError.xml``.

:rtype: django.http.HttpResponse

"""

self.request = request

self.pgt = request.GET.get('pgt')

self.target_service = request.GET.get('targetService')

try:

# pgt and targetService parameters are mandatory

if self.pgt and self.target_service:

return self.process_proxy()

else:

raise ValidateError(

u'INVALID_REQUEST',

u"you must specify and pgt and targetService"

)

except ValidateError as error:

logger.warning("Proxy: validation error: %s %s" % (error.code, error.msg))

return error.render(request)

def process_proxy(self):

"""

handle PT request

:raises ValidateError: if the PGT is not found, or the target service not allowed or

the user not allowed on the tardet service.

:return: The rendering of ``cas_server/proxy.xml``

:rtype: django.http.HttpResponse

"""

try:

# is the target service allowed

pattern = ServicePattern.validate(self.target_service)

# to get a proxy ticket require that the service allow it

if not pattern.proxy:

raise ValidateError(

u'UNAUTHORIZED_SERVICE',

u'the service %s does not allow proxy tickets' % self.target_service

)

# is the proxy granting ticket valid

ticket = ProxyGrantingTicket.get(self.pgt)

# is the pgt user allowed on the target service

pattern.check_user(ticket.user)

pticket = ticket.user.get_ticket(

ProxyTicket,

self.target_service,

pattern,

renew=False

)

models.Proxy.objects.create(proxy_ticket=pticket, url=ticket.service)

logger.info(

"Proxy ticket created for user %s on service %s." % (

ticket.user.username,

self.target_service

)

return render(

self.request,

"cas_server/proxy.xml",

{'ticket': pticket.value},

content_type="text/xml; charset=utf-8"

)

except (Ticket.DoesNotExist, ProxyGrantingTicket.DoesNotExist):

raise ValidateError(u'INVALID_TICKET', u'PGT %s not found' % self.pgt)

except ServicePattern.DoesNotExist:

raise ValidateError(u'UNAUTHORIZED_SERVICE', self.target_service)

except (models.BadUsername, models.BadFilter, models.UserFieldNotDefined):

raise ValidateError(

u'UNAUTHORIZED_USER',

u'User %s not allowed on %s' % (ticket.user.username, self.target_service)

)

class SamlValidateError(ValidationBaseError):

"""handle saml validation error"""

#: template to be render for the error

template = "cas_server/samlValidateError.xml"

def context(self):

"""

:return: A dictionary to contextualize :attr:`template`

:rtype: dict

"""

return {

'code': self.code,

'msg': self.msg,

'IssueInstant': timezone.now().isoformat(),

'ResponseID': utils.gen_saml_id()

}

class SamlValidate(CsrfExemptView):

"""SAML ticket validation"""

request = None

target = None

ticket = None

root = None

def post(self, request):

"""

method called on POST request on this view

:param django.http.HttpRequest request: The current request object

:return: the rendering of ``cas_server/samlValidate.xml`` if no error is raised,

else the rendering of ``cas_server/samlValidateError.xml``.

:rtype: django.http.HttpResponse

"""

self.request = request

self.target = request.GET.get('TARGET')

self.root = etree.fromstring(request.body)

try:

self.ticket = self.process_ticket()

expire_instant = (self.ticket.creation +

timedelta(seconds=self.ticket.VALIDITY)).isoformat()

params = {

'IssueInstant': timezone.now().isoformat(),

'expireInstant': expire_instant,

'Recipient': self.target,

'ResponseID': utils.gen_saml_id(),

'username': self.ticket.username(),

'attributes': self.ticket.attributs_flat(),

'auth_date': self.ticket.user.last_login.replace(microsecond=0).isoformat(),

'is_new_login': 'true' if self.ticket.renew else 'false'

}

logger.info(

"SamlValidate: ticket %s validated for user %s on service %s." % (

self.ticket.value,

self.ticket.user.username,

self.ticket.service

)

logger.debug(

"SamlValidate: User attributes are:\n%s" % pprint.pformat(self.ticket.attributs)

)

return render(

request,

"cas_server/samlValidate.xml",

params,

content_type="text/xml; charset=utf-8"

)

except SamlValidateError as error:

logger.warning("SamlValidate: validation error: %s %s" % (error.code, error.msg))

return error.render(request)

def process_ticket(self):

"""

validate ticket from SAML XML body

:raises: SamlValidateError: if the ticket is not found or not valid, or if we fail

to parse the posted XML.

:return: a ticket object

:rtype: :class:`models.Ticket<cas_server.models.Ticket>`

"""

try:

auth_req = self.root.getchildren()[1].getchildren()[0]

ticket = auth_req.getchildren()[0].text

ticket = models.Ticket.get(ticket)

if ticket.service != self.target:

raise SamlValidateError(

u'AuthnFailed',

u'TARGET %s does not match ticket service' % self.target

)

return ticket

except (IndexError, KeyError):

raise SamlValidateError(u'VersionMismatch')

except Ticket.DoesNotExist:

raise SamlValidateError(

u'AuthnFailed',

u'ticket %s should begin with PT- or ST-' % ticket

)

except (ServiceTicket.DoesNotExist, ProxyTicket.DoesNotExist):

raise SamlValidateError(u'AuthnFailed', u'ticket %s not found' % ticket)

Coverage for cas_server/views.py : 99%

579 statements 577 run 2 missing 8 excluded 0 partial