Only set "remember my provider" in federated mode upon successful authentication

Valentin Samir 2016-08-01 11:30:41 +02:00
parent 0466d397f3
commit 0237364d8e
2 changed files with 44 additions and 26 deletions


@ -88,19 +88,23 @@ class FederateAuthLoginLogoutTestCase(
response = client.post('/federate', params) response = client.post('/federate', params)
# we are redirected to the provider CAS client url # we are redirected to the provider CAS client url
self.assertEqual(response.status_code, 302) self.assertEqual(response.status_code, 302)
self.assertEqual(response["Location"], '%s/federate/%s' % ( self.assertEqual(response["Location"], '%s/federate/%s%s' % (
'http://testserver' if django.VERSION < (1, 9) else "", 'http://testserver' if django.VERSION < (1, 9) else "",
provider.suffix provider.suffix,
"?remember=on" if remember else ""
)) ))
# let's follow the redirect # let's follow the redirect
response = client.get('/federate/%s' % provider.suffix) response = client.get(
'/federate/%s%s' % (provider.suffix, "?remember=on" if remember else "")
)
# we are redirected to the provider CAS for authentication # we are redirected to the provider CAS for authentication
self.assertEqual(response.status_code, 302) self.assertEqual(response.status_code, 302)
self.assertEqual( self.assertEqual(
response["Location"], response["Location"],
"%s/login?service=http%%3A%%2F%%2Ftestserver%%2Ffederate%%2F%s" % ( "%s/login?service=http%%3A%%2F%%2Ftestserver%%2Ffederate%%2F%s%s" % (
provider.server_url, provider.server_url,
provider.suffix provider.suffix,
"%3Fremember%3Don" if remember else ""
) )
) )
# let's generate a ticket # let's generate a ticket
@ -108,7 +112,10 @@ class FederateAuthLoginLogoutTestCase(
# we lauch a dummy CAS server that only validate once for the service # we lauch a dummy CAS server that only validate once for the service
# http://testserver/federate/example.com with `ticket` # http://testserver/federate/example.com with `ticket`
tests_utils.DummyCAS.run( tests_utils.DummyCAS.run(
("http://testserver/federate/%s" % provider.suffix).encode("ascii"), ("http://testserver/federate/%s%s" % (
provider.suffix,
"?remember=on" if remember else ""
)).encode("ascii"),
ticket.encode("ascii"), ticket.encode("ascii"),
settings.CAS_TEST_USER.encode("utf8"), settings.CAS_TEST_USER.encode("utf8"),
[], [],
@ -116,7 +123,13 @@ class FederateAuthLoginLogoutTestCase(
) )
# we normally provide a good ticket and should be redirected to /login as the ticket # we normally provide a good ticket and should be redirected to /login as the ticket
# get successfully validated again the dummy CAS # get successfully validated again the dummy CAS
response = client.get('/federate/%s' % provider.suffix, {'ticket': ticket}) response = client.get(
'/federate/%s' % provider.suffix,
{'ticket': ticket, 'remember': 'on' if remember else ''}
)
if remember:
self.assertIn("_remember_provider", client.cookies)
self.assertEqual(client.cookies["_remember_provider"].value, provider.suffix)
self.assertEqual(response.status_code, 302) self.assertEqual(response.status_code, 302)
self.assertEqual(response["Location"], "%s/login" % ( self.assertEqual(response["Location"], "%s/login" % (
'http://testserver' if django.VERSION < (1, 9) else "" 'http://testserver' if django.VERSION < (1, 9) else ""
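Review bot: The new assertions only check that `_remember_provider` is present after the ticket validates, so they do not pin the property the commit title claims — that the cookie is no longer set before authentication succeeds. Add `self.assertNotIn("_remember_provider", client.cookies)` right after the `client.get('/federate/%s%s' ...)` redirect is followed (before the dummy CAS validation), and an `else: self.assertNotIn("_remember_provider", client.cookies)` branch after the `if remember:` block so the `remember=False` run verifies nothing was stored. Without those, a regression that re-introduces the cookie on the POST redirect would still pass this test. The enclosing test method starts before the first hunk, so the full flow is not visible here.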


@ -218,8 +218,7 @@ class FederateAuth(View):
""" """
return super(FederateAuth, self).dispatch(request, *args, **kwargs) return super(FederateAuth, self).dispatch(request, *args, **kwargs)
@staticmethod def get_cas_client(self, request, provider):
def get_cas_client(request, provider):
""" """
return a CAS client object matching provider return a CAS client object matching provider
@ -231,6 +230,7 @@ class FederateAuth(View):
""" """
# compute the current url, ignoring ticket dans provider GET parameters # compute the current url, ignoring ticket dans provider GET parameters
service_url = utils.get_current_url(request, {"ticket", "provider"}) service_url = utils.get_current_url(request, {"ticket", "provider"})
self.service_url = service_url
return CASFederateValidateUser(provider, service_url) return CASFederateValidateUser(provider, service_url)
def post(self, request, provider=None): def post(self, request, provider=None):
@ -264,7 +264,7 @@ class FederateAuth(View):
if form.is_valid(): if form.is_valid():
params = utils.copy_params( params = utils.copy_params(
request.POST, request.POST,
ignore={"provider", "csrfmiddlewaretoken", "ticket", "lt", "remember"} ignore={"provider", "csrfmiddlewaretoken", "ticket", "lt"}
) )
if params.get("renew") == "False": if params.get("renew") == "False":
del params["renew"] del params["renew"]
@ -273,17 +273,7 @@ class FederateAuth(View):
kwargs=dict(provider=form.cleaned_data["provider"].suffix), kwargs=dict(provider=form.cleaned_data["provider"].suffix),
params=params params=params
) )
response = HttpResponseRedirect(url) return HttpResponseRedirect(url)
# If the user has checked "remember my identity provider" store it in a cookie
if form.cleaned_data["remember"]:
max_age = settings.CAS_FEDERATE_REMEMBER_TIMEOUT
utils.set_cookie(
response,
"_remember_provider",
form.cleaned_data["provider"].suffix,
max_age
)
return response
else: else:
return redirect("cas_server:login") return redirect("cas_server:login")
@ -323,7 +313,7 @@ class FederateAuth(View):
auth.provider.server_url auth.provider.server_url
) )
) )
params = utils.copy_params(request.GET, ignore={"ticket"}) params = utils.copy_params(request.GET, ignore={"ticket", "remember"})
request.session["federate_username"] = auth.federated_username request.session["federate_username"] = auth.federated_username
request.session["federate_ticket"] = ticket request.session["federate_ticket"] = ticket
auth.register_slo( auth.register_slo(
@ -334,13 +324,28 @@ class FederateAuth(View):
# redirect to the the login page for the user to become authenticated # redirect to the the login page for the user to become authenticated
# thanks to the `federate_username` and `federate_ticket` session parameters # thanks to the `federate_username` and `federate_ticket` session parameters
url = utils.reverse_params("cas_server:login", params) url = utils.reverse_params("cas_server:login", params)
return HttpResponseRedirect(url) response = HttpResponseRedirect(url)
# If the user has checked "remember my identity provider" store it in a
# cookie
if request.GET.get("remember"):
max_age = settings.CAS_FEDERATE_REMEMBER_TIMEOUT
utils.set_cookie(
response,
"_remember_provider",
provider.suffix,
max_age
)
return response
# else redirect to the identity provider CAS login page # else redirect to the identity provider CAS login page
else: else:
logger.info( logger.info(
"Got a invalid ticket for %s from %s. Retrying to authenticate" % ( (
auth.username, "Got a invalid ticket %s from %s for service %s. "
auth.provider.server_url "Retrying to authenticate"
) % (
ticket,
auth.provider.server_url,
self.service_url
) )
) )
return HttpResponseRedirect(auth.get_login_url()) return HttpResponseRedirect(auth.get_login_url())
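Review bot: `if request.GET.get("remember"):` in the validated-ticket branch treats any non-empty value as consent, so `?remember=off` or `?remember=0` would persist the provider cookie, whereas the removed code read `form.cleaned_data["remember"]`, which the form had already coerced to a bool. Compare against the checkbox value the `post` handler forwards (the tests use `on`), e.g. `if request.GET.get("remember") == "on":`, or route the flag through the same form field. Two smaller points: the new log message writes the ticket itself at INFO level — even a rejected ticket is a bearer value and logging it is rarely needed to debug, so consider keeping it out or truncating it; and `self.service_url` is only assigned inside `get_cas_client`, so if this `else` branch is reachable without that call having happened on the same instance the log line raises `AttributeError` (the start of this `get` method lies outside the hunk, so this is inferred, not confirmed).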