initial commit
This commit is contained in:
commit
667483fc49
6
.gitignore
vendored
Normal file
6
.gitignore
vendored
Normal file
@ -0,0 +1,6 @@
|
||||
*.pyc
|
||||
|
||||
bootstrap3
|
||||
cas/
|
||||
db.sqlite3
|
||||
manage.py
|
1
cas_server/__init__.py
Normal file
1
cas_server/__init__.py
Normal file
@ -0,0 +1 @@
|
||||
import default_settings
|
28
cas_server/admin.py
Normal file
28
cas_server/admin.py
Normal file
@ -0,0 +1,28 @@
|
||||
from django.contrib import admin
|
||||
from models import *
|
||||
from forms import *
|
||||
# Register your models here.
|
||||
|
||||
class ServiceTicketInline(admin.TabularInline):
|
||||
model = ServiceTicket
|
||||
extra = 0
|
||||
form = TicketForm
|
||||
class ProxyTicketInline(admin.TabularInline):
|
||||
model = ProxyTicket
|
||||
extra = 0
|
||||
form = TicketForm
|
||||
class ProxyGrantingInline(admin.TabularInline):
|
||||
model = ProxyGrantingTicket
|
||||
extra = 0
|
||||
form = TicketForm
|
||||
|
||||
class UserAdmin(admin.ModelAdmin):
|
||||
inlines = (ServiceTicketInline, ProxyTicketInline, ProxyGrantingInline)
|
||||
|
||||
class ServicePatternAdmin(admin.ModelAdmin):
|
||||
list_display = ('pos', 'pattern', 'proxy')
|
||||
|
||||
|
||||
admin.site.register(User, UserAdmin)
|
||||
admin.site.register(ServicePattern, ServicePatternAdmin)
|
||||
#admin.site.register(ProxyGrantingTicketIOU, admin.ModelAdmin)
|
24
cas_server/default_settings.py
Normal file
24
cas_server/default_settings.py
Normal file
@ -0,0 +1,24 @@
|
||||
from django.conf import settings
|
||||
|
||||
def setting_default(name, default_value):
|
||||
value = getattr(settings, name, default_value)
|
||||
setattr(settings, name, value)
|
||||
|
||||
class AuthUser(object):
|
||||
def __init__(self, username):
|
||||
self.username = username
|
||||
|
||||
def test_password(self, password):
|
||||
return self.username == "test" and password == "test"
|
||||
|
||||
def attributs(self):
|
||||
return {'nom':'Nymous', 'prenom':'Ano', 'email':'anonymous@example.net'}
|
||||
|
||||
|
||||
setting_default('CAS_LOGIN_TEMPLATE', 'cas_server/login.html')
|
||||
setting_default('CAS_WARN_TEMPLATE', 'cas_server/warn.html')
|
||||
setting_default('CAS_LOGGED_TEMPLATE', 'cas_server/logged.html')
|
||||
setting_default('CAS_AUTH_CLASS', AuthUser)
|
||||
setting_default('CAS_ST_LEN', 30)
|
||||
setting_default('CAS_TICKET_VALIDITY', 300)
|
||||
setting_default('CAS_PROXY_CA_CERTIFICATE_PATH', True)
|
36
cas_server/forms.py
Normal file
36
cas_server/forms.py
Normal file
@ -0,0 +1,36 @@
|
||||
from django import forms
|
||||
from django.conf import settings
|
||||
|
||||
import models
|
||||
|
||||
class UserCredential(forms.Form):
|
||||
username = forms.CharField(label='login')
|
||||
service = forms.CharField(widget=forms.HiddenInput(), required=False)
|
||||
password = forms.CharField(label='password', widget=forms.PasswordInput)
|
||||
method = forms.CharField(widget=forms.HiddenInput(), required=False)
|
||||
warn = forms.BooleanField(label='warn', required=False)
|
||||
|
||||
def __init__(self, *args, **kwargs):
|
||||
super(UserCredential, self).__init__(*args, **kwargs)
|
||||
|
||||
def clean(self):
|
||||
cleaned_data = super(UserCredential, self).clean()
|
||||
auth = settings.CAS_AUTH_CLASS(cleaned_data.get("username"))
|
||||
if auth.test_password(cleaned_data.get("password")):
|
||||
try:
|
||||
user = models.User.objects.get(username=auth.username)
|
||||
user.attributs=auth.attributs()
|
||||
user.save()
|
||||
except models.User.DoesNotExist:
|
||||
user = models.User.objects.create(username=auth.username, attributs=auth.attributs())
|
||||
user.save()
|
||||
self.user = user
|
||||
else:
|
||||
raise forms.ValidationError("Bad user")
|
||||
|
||||
|
||||
class TicketForm(forms.ModelForm):
|
||||
class Meta:
|
||||
model = models.Ticket
|
||||
exclude = []
|
||||
service = forms.CharField(widget=forms.TextInput)
|
127
cas_server/migrations/0001_initial.py
Normal file
127
cas_server/migrations/0001_initial.py
Normal file
@ -0,0 +1,127 @@
|
||||
# -*- coding: utf-8 -*-
|
||||
from __future__ import unicode_literals
|
||||
|
||||
from django.db import models, migrations
|
||||
import cas_server.models
|
||||
import picklefield.fields
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
dependencies = [
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.CreateModel(
|
||||
name='Proxy',
|
||||
fields=[
|
||||
('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
|
||||
('url', models.CharField(max_length=255)),
|
||||
],
|
||||
options={
|
||||
'ordering': ('-pk',),
|
||||
},
|
||||
bases=(models.Model,),
|
||||
),
|
||||
migrations.CreateModel(
|
||||
name='ProxyGrantingTicket',
|
||||
fields=[
|
||||
('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
|
||||
('attributs', picklefield.fields.PickledObjectField(editable=False)),
|
||||
('validate', models.BooleanField(default=False)),
|
||||
('service', models.TextField()),
|
||||
('creation', models.DateTimeField(auto_now_add=True)),
|
||||
('renew', models.BooleanField(default=False)),
|
||||
('value', models.CharField(default=cas_server.models._gen_pgt, unique=True, max_length=255)),
|
||||
],
|
||||
options={
|
||||
'abstract': False,
|
||||
},
|
||||
bases=(models.Model,),
|
||||
),
|
||||
migrations.CreateModel(
|
||||
name='ProxyTicket',
|
||||
fields=[
|
||||
('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
|
||||
('attributs', picklefield.fields.PickledObjectField(editable=False)),
|
||||
('validate', models.BooleanField(default=False)),
|
||||
('service', models.TextField()),
|
||||
('creation', models.DateTimeField(auto_now_add=True)),
|
||||
('renew', models.BooleanField(default=False)),
|
||||
('value', models.CharField(default=cas_server.models._gen_pt, unique=True, max_length=255)),
|
||||
],
|
||||
options={
|
||||
'abstract': False,
|
||||
},
|
||||
bases=(models.Model,),
|
||||
),
|
||||
migrations.CreateModel(
|
||||
name='ServicePattern',
|
||||
fields=[
|
||||
('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
|
||||
('pos', models.IntegerField(default=100)),
|
||||
('pattern', models.CharField(unique=True, max_length=255)),
|
||||
('user_field', models.CharField(default=b'', help_text=b"Nom de l'attribut transmit comme username, vide = login", max_length=255, blank=True)),
|
||||
('usernames', models.CharField(default=b'', help_text=b"Liste d'utilisateurs accept\xc3\xa9s s\xc3\xa9par\xc3\xa9 par des virgules, vide = tous les utilisateur", max_length=255, blank=True)),
|
||||
('attributs', models.CharField(default=b'', help_text=b"Liste des nom d'attributs \xc3\xa0 transmettre au service, s\xc3\xa9par\xc3\xa9 par une virgule. vide = aucun", max_length=255, blank=True)),
|
||||
('proxy', models.BooleanField(default=False, help_text=b"Un ProxyGrantingTicket peut \xc3\xaatre d\xc3\xa9livr\xc3\xa9 au service pour s'authentifier en temps que l'utilisateur sur d'autres services")),
|
||||
('filter', models.CharField(default=b'', help_text=b'Une lambda fonction pour filtrer sur les utilisateur o\xc3\xb9 leurs attribut, arg1: username, arg2:attrs_dict. vide = pas de filtre', max_length=255, blank=True)),
|
||||
],
|
||||
options={
|
||||
'ordering': ('pos',),
|
||||
},
|
||||
bases=(models.Model,),
|
||||
),
|
||||
migrations.CreateModel(
|
||||
name='ServiceTicket',
|
||||
fields=[
|
||||
('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
|
||||
('attributs', picklefield.fields.PickledObjectField(editable=False)),
|
||||
('validate', models.BooleanField(default=False)),
|
||||
('service', models.TextField()),
|
||||
('creation', models.DateTimeField(auto_now_add=True)),
|
||||
('renew', models.BooleanField(default=False)),
|
||||
('value', models.CharField(default=cas_server.models._gen_st, unique=True, max_length=255)),
|
||||
],
|
||||
options={
|
||||
'abstract': False,
|
||||
},
|
||||
bases=(models.Model,),
|
||||
),
|
||||
migrations.CreateModel(
|
||||
name='User',
|
||||
fields=[
|
||||
('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
|
||||
('username', models.CharField(unique=True, max_length=30)),
|
||||
('attributs', picklefield.fields.PickledObjectField(editable=False)),
|
||||
('date', models.DateTimeField(auto_now=True, auto_now_add=True)),
|
||||
],
|
||||
options={
|
||||
},
|
||||
bases=(models.Model,),
|
||||
),
|
||||
migrations.AddField(
|
||||
model_name='serviceticket',
|
||||
name='user',
|
||||
field=models.ForeignKey(related_name='serviceticket', to='cas_server.User'),
|
||||
preserve_default=True,
|
||||
),
|
||||
migrations.AddField(
|
||||
model_name='proxyticket',
|
||||
name='user',
|
||||
field=models.ForeignKey(related_name='proxyticket', to='cas_server.User'),
|
||||
preserve_default=True,
|
||||
),
|
||||
migrations.AddField(
|
||||
model_name='proxygrantingticket',
|
||||
name='user',
|
||||
field=models.ForeignKey(related_name='proxygrantingticket', to='cas_server.User'),
|
||||
preserve_default=True,
|
||||
),
|
||||
migrations.AddField(
|
||||
model_name='proxy',
|
||||
name='proxy_ticket',
|
||||
field=models.ForeignKey(related_name='proxies', to='cas_server.ProxyTicket'),
|
||||
preserve_default=True,
|
||||
),
|
||||
]
|
0
cas_server/migrations/__init__.py
Normal file
0
cas_server/migrations/__init__.py
Normal file
131
cas_server/models.py
Normal file
131
cas_server/models.py
Normal file
@ -0,0 +1,131 @@
|
||||
# ⁻*- coding: utf-8 -*-
|
||||
|
||||
from django.conf import settings
|
||||
from django.db import models
|
||||
from django.contrib import messages
|
||||
from picklefield.fields import PickledObjectField
|
||||
|
||||
import re
|
||||
import os
|
||||
import time
|
||||
import random
|
||||
import string
|
||||
import requests
|
||||
|
||||
import utils
|
||||
def _gen_ticket(prefix):
|
||||
return '%s-%s' % (prefix, ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(settings.CAS_ST_LEN)))
|
||||
|
||||
def _gen_st():
|
||||
return _gen_ticket('ST')
|
||||
|
||||
def _gen_pt():
|
||||
return _gen_ticket('PT')
|
||||
|
||||
def _gen_pgt():
|
||||
return _gen_ticket('PGT')
|
||||
|
||||
|
||||
class User(models.Model):
|
||||
username = models.CharField(max_length=30, unique=True)
|
||||
attributs = PickledObjectField()
|
||||
date = models.DateTimeField(auto_now_add=True, auto_now=True)
|
||||
|
||||
def __unicode__(self):
|
||||
return self.username
|
||||
|
||||
def logout(self, request):
|
||||
for ticket in ServiceTicket.objects.filter(user=self):
|
||||
ticket.logout(request)
|
||||
ticket.delete()
|
||||
for ticket in ProxyTicket.objects.filter(user=self):
|
||||
ticket.logout(request)
|
||||
ticket.delete()
|
||||
for ticket in ProxyGrantingTicket.objects.filter(user=self):
|
||||
ticket.logout(request)
|
||||
ticket.delete()
|
||||
|
||||
def delete(self):
|
||||
super(User, self).delete()
|
||||
|
||||
def get_service_url(self, service, service_pattern, renew):
|
||||
attributs = [s.strip() for s in service_pattern.attributs.split(',')]
|
||||
ticket = ServiceTicket.objects.create(user=self, attributs = dict([(k, v) for (k, v) in self.attributs.items() if k in attributs]), service=service, renew=renew)
|
||||
ticket.save()
|
||||
url = utils.update_url(service, {'ticket':ticket.value})
|
||||
return url
|
||||
|
||||
class Ticket(models.Model):
|
||||
class Meta:
|
||||
abstract = True
|
||||
user = models.ForeignKey(User, related_name="%(class)s")
|
||||
attributs = PickledObjectField()
|
||||
validate = models.BooleanField(default=False)
|
||||
service = models.TextField()
|
||||
creation = models.DateTimeField(auto_now_add=True)
|
||||
renew = models.BooleanField(default=False)
|
||||
|
||||
def __unicode__(self):
|
||||
return u"%s: %s %s" % (self.user, self.value, self.service)
|
||||
|
||||
def logout(self, request):
|
||||
#if self.validate:
|
||||
xml = """<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
|
||||
ID="%(id)s" Version="2.0" IssueInstant="%(datetime)s">
|
||||
<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"></saml:NameID>
|
||||
<samlp:SessionIndex>%(ticket)s</samlp:SessionIndex>
|
||||
</samlp:LogoutRequest>""" % {'id' : os.urandom(20).encode("hex"), 'datetime' : int(time.time()), 'ticket': self.value}
|
||||
headers = {'Content-Type': 'text/xml'}
|
||||
try:
|
||||
requests.post(self.service.encode('utf-8'), data=xml.encode('utf-8'), headers=headers)
|
||||
except Exception as e:
|
||||
messages.add_message(request, messages.WARNING, u'Erreur lors de la déconnexion du service %s:\n%s' % (self.service, e))
|
||||
|
||||
class ServiceTicket(Ticket):
|
||||
value = models.CharField(max_length=255, default=_gen_st, unique=True)
|
||||
class ProxyTicket(Ticket):
|
||||
value = models.CharField(max_length=255, default=_gen_pt, unique=True)
|
||||
class ProxyGrantingTicket(Ticket):
|
||||
value = models.CharField(max_length=255, default=_gen_pgt, unique=True)
|
||||
#class ProxyGrantingTicketIOU(Ticket):
|
||||
# value = models.CharField(max_length=255, default=lambda:_gen_ticket('PGTIOU'), unique=True)
|
||||
|
||||
class Proxy(models.Model):
|
||||
class Meta:
|
||||
ordering = ("-pk", )
|
||||
url = models.CharField(max_length=255)
|
||||
proxy_ticket = models.ForeignKey(ProxyTicket, related_name="proxies")
|
||||
|
||||
class BadUsername(Exception):
|
||||
pass
|
||||
class BadFilter(Exception):
|
||||
pass
|
||||
class ServicePattern(models.Model):
|
||||
class Meta:
|
||||
ordering = ("pos", )
|
||||
|
||||
pos = models.IntegerField(default=100)
|
||||
pattern = models.CharField(max_length=255, unique=True)
|
||||
user_field = models.CharField(max_length=255, default="", blank=True, help_text="Nom de l'attribut transmit comme username, vide = login")
|
||||
usernames = models.CharField(max_length=255, default="", blank=True, help_text="Liste d'utilisateurs acceptés séparé par des virgules, vide = tous les utilisateur")
|
||||
attributs = models.CharField(max_length=255, default="", blank=True, help_text="Liste des nom d'attributs à transmettre au service, séparé par une virgule. vide = aucun")
|
||||
proxy = models.BooleanField(default=False, help_text="Un ProxyGrantingTicket peut être délivré au service pour s'authentifier en temps que l'utilisateur sur d'autres services")
|
||||
filter = models.CharField(max_length=255, default="", blank=True, help_text="Une lambda fonction pour filtrer sur les utilisateur où leurs attribut, arg1: username, arg2:attrs_dict. vide = pas de filtre")
|
||||
|
||||
def __unicode__(self):
|
||||
return u"%s: %s" % (self.pos, self.pattern)
|
||||
|
||||
def check_user(self, user):
|
||||
if self.usernames and not user.username in self.usernames.split(','):
|
||||
raise BadUsername()
|
||||
if self.filter and self.filter.startswith("lambda") and not eval(str(self.filter))(user.username, user.attributs):
|
||||
raise BadFilter()
|
||||
return True
|
||||
|
||||
|
||||
@classmethod
|
||||
def validate(cls, service):
|
||||
for s in cls.objects.all():
|
||||
if re.match(s.pattern, service):
|
||||
return s
|
||||
raise cls.DoesNotExist()
|
42
cas_server/static/cas_server/login.css
Normal file
42
cas_server/static/cas_server/login.css
Normal file
@ -0,0 +1,42 @@
|
||||
body {
|
||||
padding-top: 40px;
|
||||
padding-bottom: 40px;
|
||||
background-color: #eee;
|
||||
}
|
||||
|
||||
/*.form-signin {
|
||||
max-width: 330px;
|
||||
padding: 15px;
|
||||
margin: 0 auto;
|
||||
}
|
||||
*/
|
||||
.form-signin .form-signin-heading,
|
||||
.form-signin .checkbox {
|
||||
margin-bottom: 10px;
|
||||
}
|
||||
.form-signin .checkbox {
|
||||
font-weight: normal;
|
||||
}
|
||||
.form-signin .form-control {
|
||||
position: relative;
|
||||
height: auto;
|
||||
-webkit-box-sizing: border-box;
|
||||
-moz-box-sizing: border-box;
|
||||
box-sizing: border-box;
|
||||
padding: 10px;
|
||||
font-size: 16px;
|
||||
}
|
||||
.form-signin .form-control:focus {
|
||||
z-index: 2;
|
||||
}
|
||||
.form-signin input[type="text"] {
|
||||
margin-bottom: -1px;
|
||||
border-bottom-right-radius: 0;
|
||||
border-bottom-left-radius: 0;
|
||||
}
|
||||
.form-signin input[type="password"] {
|
||||
margin-bottom: 10px;
|
||||
border-top-left-radius: 0;
|
||||
border-top-right-radius: 0;
|
||||
}
|
||||
|
6
cas_server/templates/cas_server/base.html
Normal file
6
cas_server/templates/cas_server/base.html
Normal file
@ -0,0 +1,6 @@
|
||||
{% extends 'bootstrap3/bootstrap3.html' %}
|
||||
{% block bootstrap3_title %}{% block title %}{% endblock %}{% endblock %}
|
||||
|
||||
{% load url from future %}
|
||||
|
||||
{% load bootstrap3 %}
|
20
cas_server/templates/cas_server/logged.html
Normal file
20
cas_server/templates/cas_server/logged.html
Normal file
@ -0,0 +1,20 @@
|
||||
{% extends "cas_server/base.html" %}
|
||||
{% load bootstrap3 %}
|
||||
{% load staticfiles %}
|
||||
{% block bootstrap3_extra_head %}
|
||||
<link href="{% static "cas_server/login.css" %}" rel="stylesheet">
|
||||
{% endblock %}
|
||||
{% block bootstrap3_content %}
|
||||
<div class="container">
|
||||
<div class="row">
|
||||
<div class="col-md-3"></div>
|
||||
<div class="col-md-6">
|
||||
{% bootstrap_messages %}
|
||||
<div class="alert alert-success" role="alert">Logged</div>
|
||||
{% bootstrap_button 'Arrêter' size='lg' button_class="btn-danger btn-block" href="logout" %}
|
||||
</div>
|
||||
<div class="col-md-3"></div>
|
||||
</div>
|
||||
</div> <!-- /container -->
|
||||
{% endblock %}
|
||||
|
24
cas_server/templates/cas_server/login.html
Normal file
24
cas_server/templates/cas_server/login.html
Normal file
@ -0,0 +1,24 @@
|
||||
{% extends "cas_server/base.html" %}
|
||||
{% load bootstrap3 %}
|
||||
{% load staticfiles %}
|
||||
{% block bootstrap3_extra_head %}
|
||||
<link href="{% static "cas_server/login.css" %}" rel="stylesheet">
|
||||
{% endblock %}
|
||||
{% block bootstrap3_content %}
|
||||
<div class="container">
|
||||
<div class="row">
|
||||
<div class="col-md-3"></div>
|
||||
<div class="col-md-6">
|
||||
{% bootstrap_messages %}
|
||||
<form class="form-signin" method="post">
|
||||
<h2 class="form-signin-heading">Merci de se connecter</h2>
|
||||
{% csrf_token %}
|
||||
{% bootstrap_form form %}
|
||||
{% bootstrap_button 'Connection' size='lg' button_type="submit" button_class="btn-block"%}
|
||||
</form>
|
||||
</div>
|
||||
<div class="col-md-3"></div>
|
||||
</div>
|
||||
</div> <!-- /container -->
|
||||
{% endblock %}
|
||||
|
5
cas_server/templates/cas_server/proxy.xml
Normal file
5
cas_server/templates/cas_server/proxy.xml
Normal file
@ -0,0 +1,5 @@
|
||||
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
|
||||
<cas:proxySuccess>
|
||||
<cas:proxyTicket>{{ticket}}</cas:proxyTicket>
|
||||
</cas:proxySuccess>
|
||||
</cas:serviceResponse>
|
19
cas_server/templates/cas_server/serviceValidate.xml
Normal file
19
cas_server/templates/cas_server/serviceValidate.xml
Normal file
@ -0,0 +1,19 @@
|
||||
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
|
||||
<cas:authenticationSuccess>
|
||||
<cas:user>{{username}}</cas:user>
|
||||
<cas:attributes>
|
||||
{% for key, value in attributes %} <cas:{{key}}>{{value}}</cas:{{key}}>
|
||||
{% endfor %}
|
||||
</cas:attributes>
|
||||
{% if proxyGrantingTicket %}
|
||||
<cas:proxyGrantingTicket>{{proxyGrantingTicket}}</cas:proxyGrantingTicket>
|
||||
{% endif %}
|
||||
{% if proxies %}
|
||||
<cas:proxies>
|
||||
{% for proxy in proxies %}
|
||||
<cas:proxy>{{proxy}}</cas:proxy>
|
||||
{% endfor %}
|
||||
</cas:proxies>
|
||||
{% endif %}
|
||||
</cas:authenticationSuccess>
|
||||
</cas:serviceResponse>
|
5
cas_server/templates/cas_server/serviceValidateError.xml
Normal file
5
cas_server/templates/cas_server/serviceValidateError.xml
Normal file
@ -0,0 +1,5 @@
|
||||
<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
|
||||
<cas:authenticationFailure code="{{code}}">
|
||||
{{msg}}
|
||||
</cas:authenticationFailure>
|
||||
</cas:serviceResponse>
|
20
cas_server/templates/cas_server/warn.html
Normal file
20
cas_server/templates/cas_server/warn.html
Normal file
@ -0,0 +1,20 @@
|
||||
{% extends "cas_server/base.html" %}
|
||||
{% load bootstrap3 %}
|
||||
{% load staticfiles %}
|
||||
{% block bootstrap3_extra_head %}
|
||||
<link href="{% static "cas_server/login.css" %}" rel="stylesheet">
|
||||
{% endblock %}
|
||||
{% block bootstrap3_content %}
|
||||
<div class="container">
|
||||
<div class="row">
|
||||
<div class="col-md-3"></div>
|
||||
<div class="col-md-6">
|
||||
{% bootstrap_messages %}
|
||||
<div class="alert alert-warning" role="alert">Une demande d'authentification a été émise pour le service {{service}}</div>
|
||||
{% bootstrap_button 'Se connecter au service' size='lg' button_class="btn-primary btn-block" href=service_ticket_url %}
|
||||
</div>
|
||||
<div class="col-md-3"></div>
|
||||
</div>
|
||||
</div> <!-- /container -->
|
||||
{% endblock %}
|
||||
|
3
cas_server/tests.py
Normal file
3
cas_server/tests.py
Normal file
@ -0,0 +1,3 @@
|
||||
from django.test import TestCase
|
||||
|
||||
# Create your tests here.
|
18
cas_server/urls.py
Normal file
18
cas_server/urls.py
Normal file
@ -0,0 +1,18 @@
|
||||
# ⁻*- coding: utf-8 -*-
|
||||
from django.conf.urls import patterns, url
|
||||
from django.views.generic import RedirectView
|
||||
|
||||
import views
|
||||
|
||||
urlpatterns = patterns('',
|
||||
url(r'^$', RedirectView.as_view(pattern_name="login")),
|
||||
url('^login$', views.login, name='login'),
|
||||
url('^logout$', views.logout, name='logout'),
|
||||
url('^validate$', views.validate, name='validate'),
|
||||
url('^serviceValidate$', views.serviceValidate, name='serviceValidate'),
|
||||
url('^proxyValidate$', views.proxyValidate, name='proxyValidate'),
|
||||
url('^proxy$', views.proxy, name='proxy'),
|
||||
url('^p3/serviceValidate$', views.p3_serviceValidate, name='p3_serviceValidate'),
|
||||
url('^p3/proxyValidate$', views.p3_proxyValidate, name='p3_proxyValidate'),
|
||||
)
|
||||
|
10
cas_server/utils.py
Normal file
10
cas_server/utils.py
Normal file
@ -0,0 +1,10 @@
|
||||
import urlparse
|
||||
import urllib
|
||||
|
||||
def update_url(url, params):
|
||||
url = urlparse.urlparse(url)
|
||||
url_parts = list(urlparse.urlparse(service))
|
||||
query = dict(urlparse.parse_qsl(url_parts[4]))
|
||||
query.update(params)
|
||||
url_parts[4] = urllib.urlencode(query)
|
||||
return urlparse.urlunparse(url_parts)
|
199
cas_server/views.py
Normal file
199
cas_server/views.py
Normal file
@ -0,0 +1,199 @@
|
||||
# ⁻*- coding: utf-8 -*-
|
||||
from django.shortcuts import render, redirect
|
||||
from django.http import HttpResponse, StreamingHttpResponse
|
||||
from django.conf import settings
|
||||
from django.contrib import messages
|
||||
|
||||
import requests
|
||||
from datetime import datetime, timedelta
|
||||
|
||||
import utils
|
||||
import forms
|
||||
import models
|
||||
|
||||
def _logout(request):
|
||||
try: del request.session["authenticated"]
|
||||
except KeyError: pass
|
||||
try: del request.session["username"]
|
||||
except KeyError: pass
|
||||
try: del request.session["warn"]
|
||||
except KeyError: pass
|
||||
|
||||
def login(request):
|
||||
user = None
|
||||
form = None
|
||||
service_pattern = None
|
||||
renewed = False
|
||||
if request.method == 'POST':
|
||||
service = request.POST.get('service')
|
||||
renew = True if request.POST.get('renew') else False
|
||||
gateway = request.POST.get('gateway')
|
||||
method = request.POST.get('method')
|
||||
|
||||
if not request.session.get("authenticated") or renew:
|
||||
form = forms.UserCredential(request.POST, initial={'service':service,'method':method,'warn':request.session.get("warn")})
|
||||
if form.is_valid():
|
||||
user = models.User.objects.get(username=form.cleaned_data['username'])
|
||||
request.session["username"] = form.cleaned_data['username']
|
||||
request.session["warn"] = True if form.cleaned_data.get("warn") else False
|
||||
request.session["authenticated"] = True
|
||||
renewed = True
|
||||
else:
|
||||
_logout(request)
|
||||
else:
|
||||
service = request.GET.get('service')
|
||||
renew = True if request.GET.get('renew') else False
|
||||
gateway = request.GET.get('gateway')
|
||||
method = request.GET.get('method')
|
||||
|
||||
if not request.session.get("authenticated") or renew:
|
||||
form = forms.UserCredential(initial={'service':service,'method':method,'warn':request.session.get("warn")})
|
||||
|
||||
# if authenticated and successfully renewed authentication if needed
|
||||
if request.session.get("authenticated") and (not renew or renewed):
|
||||
try:
|
||||
user = models.User.objects.get(username=request.session["username"])
|
||||
except models.User.DoesNotExist:
|
||||
_logout(request)
|
||||
|
||||
# if login agains a service is requestest
|
||||
if service:
|
||||
try:
|
||||
# is the service allowed
|
||||
service_pattern = models.ServicePattern.validate(service)
|
||||
# is the current user allowed on this service
|
||||
service_pattern.check_user(user)
|
||||
# if the user has asked to be warned before any login to a service (no transparent SSO)
|
||||
if request.session["warn"]:
|
||||
return render(request, settings.CAS_WARN_TEMPLATE, {'service_ticket_url':user.get_service_url(service, service_pattern, renew=renew),'service':service})
|
||||
else:
|
||||
return redirect(user.get_service_url(service, service_pattern, renew=renew)) # redirect, using method ?
|
||||
except models.ServicePattern.DoesNotExist:
|
||||
messages.add_message(request, messages.ERROR, u'Service %s non autorisé.' % service)
|
||||
except models.BadUsername:
|
||||
messages.add_message(request, messages.ERROR, u"Nom d'utilisateur non autorisé")
|
||||
except models.BadFilter:
|
||||
messages.add_message(request, messages.ERROR, u"Caractéristique utilisateur non autorisé")
|
||||
|
||||
# if gateway is set and auth failed redirect to the service without authentication
|
||||
if gateway:
|
||||
list(messages.get_messages(request)) # clean messages before leaving the django app
|
||||
return redirect(service)
|
||||
|
||||
return render(request, settings.CAS_LOGGED_TEMPLATE, {})
|
||||
else:
|
||||
if service:
|
||||
if gateway:
|
||||
list(messages.get_messages(request)) # clean messages before leaving the django app
|
||||
return redirect(service)
|
||||
return render(request, settings.CAS_LOGIN_TEMPLATE, {'form':form})
|
||||
|
||||
def logout(request):
|
||||
service = request.GET.get('service')
|
||||
if request.session.get("authenticated"):
|
||||
user = models.User.objects.get(username=request.session["username"])
|
||||
user.logout(request)
|
||||
user.delete()
|
||||
_logout(request)
|
||||
# if service is set, redirect to service after logout
|
||||
if service:
|
||||
list(messages.get_messages(request)) # clean messages before leaving the django app
|
||||
return redirect(service)
|
||||
# else redirect to login page
|
||||
else:
|
||||
messages.add_message(request, messages.SUCCESS, u'Déconnecté avec succès')
|
||||
return redirect("login")
|
||||
|
||||
def validate(request):
|
||||
service = request.GET.get('service')
|
||||
ticket = request.GET.get('ticket')
|
||||
renew = True if request.GET.get('renew') else False
|
||||
if service and ticket:
|
||||
try:
|
||||
ticket = models.ServiceTicket.objects.get(value=ticket, service=service, validate=False, renew=renew, creation__gt=(datetime.now() - timedelta(seconds=settings.CAS_TICKET_VALIDITY)))
|
||||
ticket.validate = True
|
||||
ticket.save()
|
||||
return HttpResponse("yes\n", content_type="text/plain")
|
||||
except models.ServiceTicket.DoesNotExist:
|
||||
return HttpResponse("no\n", content_type="text/plain")
|
||||
else:
|
||||
return HttpResponse("no\n", content_type="text/plain")
|
||||
|
||||
|
||||
def psValidate(request, typ=['ST']):
|
||||
service = request.GET.get('service')
|
||||
ticket = request.GET.get('ticket')
|
||||
pgtUrl = request.GET.get('pgtUrl')
|
||||
renew = True if request.GET.get('renew') else False
|
||||
if service and ticket:
|
||||
for t in typ:
|
||||
if ticket.startswith(t):
|
||||
break
|
||||
else:
|
||||
return render(request, "cas_server/serviceValidateError.xml", {'code':'INVALID_TICKET'}, content_type="text/xml; charset=utf-8")
|
||||
try:
|
||||
proxies = []
|
||||
if ticket.startswith("ST"):
|
||||
ticket = models.ServiceTicket.objects.get(value=ticket, service=service, validate=False, renew=renew, creation__gt=(datetime.now() - timedelta(seconds=settings.CAS_TICKET_VALIDITY)))
|
||||
elif ticket.startswith("PT"):
|
||||
ticket = models.ProxyTicket.objects.get(value=ticket, service=service, validate=False, renew=renew, creation__gt=(datetime.now() - timedelta(seconds=settings.CAS_TICKET_VALIDITY)))
|
||||
for p in ticket.proxies.all():
|
||||
proxies.add(p.url)
|
||||
ticket.validate = True
|
||||
ticket.save()
|
||||
attributes = []
|
||||
for key, value in ticket.attributs.items():
|
||||
if isinstance(value, list):
|
||||
for v in value:
|
||||
attributes.append((key, v))
|
||||
else:
|
||||
attributes.append((key, value))
|
||||
params = {'username':ticket.user.username, 'attributes':attributes, 'proxies':proxies}
|
||||
if pgtUrl and pgtUrl.startswith("https://"):
|
||||
pattern = modele.ServicePattern(pgtUrl)
|
||||
if pattern.proxy:
|
||||
proxyid = models._gen_ticket('PGTIOU')
|
||||
pticket = models.ProxyGrantingTicket.objects.create(user=ticket.user, service=pgtUrl)
|
||||
url = utils.update_url(pgtUrl, {'pgtIou':proxyid, 'pgtId':pticket.value})
|
||||
try:
|
||||
r = requests.get(url, verify=settings.CAS_PROXY_CA_CERTIFICATE_PATH)
|
||||
if r.status_code == 200:
|
||||
params['proxyGrantingTicket'] = proxyid
|
||||
else:
|
||||
pticket.delete()
|
||||
return render(request, "cas_server/serviceValidate.xml", params, content_type="text/xml; charset=utf-8")
|
||||
except requests.exceptions.SSLError:
|
||||
return render(request, "cas_server/serviceValidateError.xml", {'code':'INVALID_PROXY_CALLBACK'}, content_type="text/xml; charset=utf-8")
|
||||
else:
|
||||
return render(request, "cas_server/serviceValidateError.xml", {'code':'INVALID_PROXY_CALLBACK'}, content_type="text/xml; charset=utf-8")
|
||||
else:
|
||||
return render(request, "cas_server/serviceValidate.xml", params, content_type="text/xml; charset=utf-8")
|
||||
except (models.ServiceTicket.DoesNotExist, models.ProxyTicket.DoesNotExist):
|
||||
return render(request, "cas_server/serviceValidateError.xml", {'code':'INVALID_TICKET'}, content_type="text/xml; charset=utf-8")
|
||||
else:
|
||||
return render(request, "cas_server/serviceValidateError.xml", {'code':'INVALID_REQUEST'}, content_type="text/xml; charset=utf-8")
|
||||
|
||||
def serviceValidate(request):
|
||||
return psValidate(request)
|
||||
def proxyValidate(request):
|
||||
return psValidate(request, ["ST", "PT"])
|
||||
|
||||
def proxy(request):
|
||||
pgt = request.GET.get('pgt')
|
||||
targetService = request.GET.get('targetService')
|
||||
if pgt and targetService:
|
||||
try:
|
||||
ticket = models.ProxyGrantingTicket.objects.get(value=pgt, creation__gt=(datetime.now() - timedelta(seconds=settings.CAS_TICKET_VALIDITY)))
|
||||
pticket = models.ProxyTicket.objects.create(user=ticket.user, service=targetService)
|
||||
pticket.proxies.create(url=ticket.service)
|
||||
return render(request, "cas_server/proxy.xml", {'ticket':pticket.value}, content_type="text/xml; charset=utf-8")
|
||||
except models.ProxyGrantingTicket.DoesNotExist:
|
||||
return render(request, "cas_server/serviceValidateError.xml", {'code':'INVALID_TICKET'}, content_type="text/xml; charset=utf-8")
|
||||
else:
|
||||
return render(request, "cas_server/serviceValidateError.xml", {'code':'INVALID_REQUEST'}, content_type="text/xml; charset=utf-8")
|
||||
|
||||
def p3_serviceValidate(request):
|
||||
return serviceValidate(request)
|
||||
|
||||
def p3_proxyValidate(request):
|
||||
return proxyValidate(request)
|
Loading…
Reference in New Issue
Block a user