Some login backends

This commit is contained in:
Valentin Samir 2015-05-17 23:24:41 +02:00
parent db65c3c50f
commit 9112e6e475
7 changed files with 197 additions and 52 deletions

View File

@ -1 +0,0 @@
import default_settings

94
cas_server/auth.py Normal file
View File

@ -0,0 +1,94 @@
# ⁻*- coding: utf-8 -*-
from django.conf import settings
from django.contrib.auth.models import User
try:
import MySQLdb
import MySQLdb.cursors
import crypt
except ImportError:
MySQLdb = None
class DummyAuthUser(object):
def __init__(self, username):
self.username = username
def test_password(self, password):
return False
def attributs(self):
return {}
class TestAuthUser(DummyAuthUser):
def __init__(self, username):
self.username = username
def test_password(self, password):
return self.username == "test" and password == "test"
def attributs(self):
return {'nom':'Nymous', 'prenom':'Ano', 'email':'anonymous@example.net'}
class MysqlAuthUser(DummyAuthUser):
user = None
def __init__(self, username):
mysql_config = {
"user": settings.CAS_SQL_USERNAME,
"passwd": settings.CAS_SQL_PASSWORD,
"db": settings.CAS_SQL_DBNAME,
"host": settings.CAS_SQL_HOST,
"charset":settings.CAS_SQL_DBCHARSET,
"cursorclass":MySQLdb.cursors.DictCursor
}
if not MySQLdb:
raise RuntimeError("Please install MySQLdb before using the MysqlAuthUser backend")
conn = MySQLdb.connect(**mysql_config)
curs = conn.cursor()
if curs.execute(settings.CAS_SQL_USER_QUERY, (username,)) == 1:
self.user = curs.fetchone()
super(MysqlAuthUser, self).__init__(username)
def test_password(self, password):
if not self.user:
return False
else:
if settings.CAS_SQL_PASSWORD_CHECK == "plain":
return password == self.user["password"]
elif settings.CAS_SQL_PASSWORD_CHECK == "crypt":
if self.user["password"].startswith('$'):
salt = '$'.join(self.user["password"].split('$', 3)[:-1])
return crypt.crypt(password, salt) == self.user["password"]
else:
return crypt.crypt(password, self.user["password"][:2]) == self.user["password"]
def attributs(self):
if not self.user:
return {}
else:
return self.user
class DjangoAuthUser(DummyAuthUser):
user = None
def __init__(self, username):
try:
self.user = User.objects.get(username=username)
except User.DoesNotExist:
pass
super(DjangoAuthUser, self).__init__(username)
def test_password(self, password):
if not self.user:
return False
else:
return self.user.check_password(password)
def attributs(self):
if not self.user:
return {}
else:
attr = {}
for field in self.user._meta.fields:
attr[field.attname]=getattr(self.user, field.attname)
return attr

View File

@ -1,24 +1,23 @@
from django.conf import settings from django.conf import settings
import auth
def setting_default(name, default_value): def setting_default(name, default_value):
value = getattr(settings, name, default_value) value = getattr(settings, name, default_value)
setattr(settings, name, value) setattr(settings, name, value)
class AuthUser(object):
def __init__(self, username):
self.username = username
def test_password(self, password):
return self.username == "test" and password == "test"
def attributs(self):
return {'nom':'Nymous', 'prenom':'Ano', 'email':'anonymous@example.net'}
setting_default('CAS_LOGIN_TEMPLATE', 'cas_server/login.html') setting_default('CAS_LOGIN_TEMPLATE', 'cas_server/login.html')
setting_default('CAS_WARN_TEMPLATE', 'cas_server/warn.html') setting_default('CAS_WARN_TEMPLATE', 'cas_server/warn.html')
setting_default('CAS_LOGGED_TEMPLATE', 'cas_server/logged.html') setting_default('CAS_LOGGED_TEMPLATE', 'cas_server/logged.html')
setting_default('CAS_AUTH_CLASS', AuthUser) setting_default('CAS_AUTH_CLASS', auth.DjangoAuthUser)
setting_default('CAS_ST_LEN', 30) setting_default('CAS_ST_LEN', 30)
setting_default('CAS_TICKET_VALIDITY', 300) setting_default('CAS_TICKET_VALIDITY', 300)
setting_default('CAS_PROXY_CA_CERTIFICATE_PATH', True) setting_default('CAS_PROXY_CA_CERTIFICATE_PATH', True)
setting_default('CAS_SQL_HOST', 'localhost')
setting_default('CAS_SQL_USERNAME', '')
setting_default('CAS_SQL_PASSWORD', '')
setting_default('CAS_SQL_DBNAME', '')
setting_default('CAS_SQL_DBCHARSET', 'utf8')
setting_default('CAS_SQL_USER_QUERY', 'SELECT user AS usersame, pass AS password, users.* FROM users WHERE user = %s')
setting_default('CAS_SQL_PASSWORD_CHECK', 'crypt') # crypt or plain

View File

@ -1,3 +1,5 @@
import default_settings
from django import forms from django import forms
from django.conf import settings from django.conf import settings

View File

@ -0,0 +1,32 @@
# -*- coding: utf-8 -*-
from __future__ import unicode_literals
from django.db import models, migrations
class Migration(migrations.Migration):
dependencies = [
('cas_server', '0001_initial'),
]
operations = [
migrations.AddField(
model_name='proxygrantingticket',
name='service_pattern',
field=models.ForeignKey(related_name='proxygrantingticket', default=1, to='cas_server.ServicePattern'),
preserve_default=False,
),
migrations.AddField(
model_name='proxyticket',
name='service_pattern',
field=models.ForeignKey(related_name='proxyticket', default=1, to='cas_server.ServicePattern'),
preserve_default=False,
),
migrations.AddField(
model_name='serviceticket',
name='service_pattern',
field=models.ForeignKey(related_name='serviceticket', default=1, to='cas_server.ServicePattern'),
preserve_default=False,
),
]

View File

@ -1,4 +1,5 @@
# ⁻*- coding: utf-8 -*- # ⁻*- coding: utf-8 -*-
import default_settings
from django.conf import settings from django.conf import settings
from django.db import models from django.db import models
@ -50,11 +51,53 @@ class User(models.Model):
def get_service_url(self, service, service_pattern, renew): def get_service_url(self, service, service_pattern, renew):
attributs = [s.strip() for s in service_pattern.attributs.split(',')] attributs = [s.strip() for s in service_pattern.attributs.split(',')]
ticket = ServiceTicket.objects.create(user=self, attributs = dict([(k, v) for (k, v) in self.attributs.items() if k in attributs]), service=service, renew=renew) ticket = ServiceTicket.objects.create(user=self, attributs = dict([(k, v) for (k, v) in self.attributs.items() if k in attributs]), service=service, renew=renew, service_pattern=service_pattern)
ticket.save() ticket.save()
url = utils.update_url(service, {'ticket':ticket.value}) url = utils.update_url(service, {'ticket':ticket.value})
return url return url
class BadUsername(Exception):
pass
class BadFilter(Exception):
pass
class UserFieldNotDefined(Exception):
pass
class ServicePattern(models.Model):
class Meta:
ordering = ("pos", )
pos = models.IntegerField(default=100)
pattern = models.CharField(max_length=255, unique=True)
user_field = models.CharField(max_length=255, default="", blank=True, help_text="Nom de l'attribut transmit comme username, vide = login")
usernames = models.CharField(max_length=255, default="", blank=True, help_text="Liste d'utilisateurs acceptés séparé par des virgules, vide = tous les utilisateur")
attributs = models.CharField(max_length=255, default="", blank=True, help_text="Liste des nom d'attributs à transmettre au service, séparé par une virgule. vide = aucun")
proxy = models.BooleanField(default=False, help_text="Un ProxyGrantingTicket peut être délivré au service pour s'authentifier en temps que l'utilisateur sur d'autres services")
filter = models.CharField(max_length=255, default="", blank=True, help_text="Une lambda fonction pour filtrer sur les utilisateur où leurs attribut, arg1: username, arg2:attrs_dict. vide = pas de filtre")
def __unicode__(self):
return u"%s: %s" % (self.pos, self.pattern)
def check_user(self, user):
if self.usernames and not user.username in self.usernames.split(','):
raise BadUsername()
if self.filter and self.filter.startswith("lambda") and not eval(str(self.filter))(user.username, user.attributs):
raise BadFilter()
print self.user_field
print user.attributs.get(self.user_field)
if self.user_field and not user.attributs.get(self.user_field):
raise UserFieldNotDefined()
return True
@classmethod
def validate(cls, service):
for s in cls.objects.all().order_by('pos'):
if re.match(s.pattern, service):
return s
raise cls.DoesNotExist()
class Ticket(models.Model): class Ticket(models.Model):
class Meta: class Meta:
abstract = True abstract = True
@ -62,6 +105,7 @@ class Ticket(models.Model):
attributs = PickledObjectField() attributs = PickledObjectField()
validate = models.BooleanField(default=False) validate = models.BooleanField(default=False)
service = models.TextField() service = models.TextField()
service_pattern = models.ForeignKey(ServicePattern, related_name="%(class)s")
creation = models.DateTimeField(auto_now_add=True) creation = models.DateTimeField(auto_now_add=True)
renew = models.BooleanField(default=False) renew = models.BooleanField(default=False)
@ -96,36 +140,3 @@ class Proxy(models.Model):
url = models.CharField(max_length=255) url = models.CharField(max_length=255)
proxy_ticket = models.ForeignKey(ProxyTicket, related_name="proxies") proxy_ticket = models.ForeignKey(ProxyTicket, related_name="proxies")
class BadUsername(Exception):
pass
class BadFilter(Exception):
pass
class ServicePattern(models.Model):
class Meta:
ordering = ("pos", )
pos = models.IntegerField(default=100)
pattern = models.CharField(max_length=255, unique=True)
user_field = models.CharField(max_length=255, default="", blank=True, help_text="Nom de l'attribut transmit comme username, vide = login")
usernames = models.CharField(max_length=255, default="", blank=True, help_text="Liste d'utilisateurs acceptés séparé par des virgules, vide = tous les utilisateur")
attributs = models.CharField(max_length=255, default="", blank=True, help_text="Liste des nom d'attributs à transmettre au service, séparé par une virgule. vide = aucun")
proxy = models.BooleanField(default=False, help_text="Un ProxyGrantingTicket peut être délivré au service pour s'authentifier en temps que l'utilisateur sur d'autres services")
filter = models.CharField(max_length=255, default="", blank=True, help_text="Une lambda fonction pour filtrer sur les utilisateur où leurs attribut, arg1: username, arg2:attrs_dict. vide = pas de filtre")
def __unicode__(self):
return u"%s: %s" % (self.pos, self.pattern)
def check_user(self, user):
if self.usernames and not user.username in self.usernames.split(','):
raise BadUsername()
if self.filter and self.filter.startswith("lambda") and not eval(str(self.filter))(user.username, user.attributs):
raise BadFilter()
return True
@classmethod
def validate(cls, service):
for s in cls.objects.all():
if re.match(s.pattern, service):
return s
raise cls.DoesNotExist()

View File

@ -1,4 +1,6 @@
# ⁻*- coding: utf-8 -*- # ⁻*- coding: utf-8 -*-
import default_settings
from django.shortcuts import render, redirect from django.shortcuts import render, redirect
from django.http import HttpResponse, StreamingHttpResponse from django.http import HttpResponse, StreamingHttpResponse
from django.conf import settings from django.conf import settings
@ -76,6 +78,8 @@ def login(request):
messages.add_message(request, messages.ERROR, u"Nom d'utilisateur non autorisé") messages.add_message(request, messages.ERROR, u"Nom d'utilisateur non autorisé")
except models.BadFilter: except models.BadFilter:
messages.add_message(request, messages.ERROR, u"Caractéristique utilisateur non autorisé") messages.add_message(request, messages.ERROR, u"Caractéristique utilisateur non autorisé")
except models.UserFieldNotDefined:
messages.add_message(request, messages.ERROR, u"L'attribut %s est nécessaire pour utiliser ce service" % service_pattern.user_field)
# if gateway is set and auth failed redirect to the service without authentication # if gateway is set and auth failed redirect to the service without authentication
if gateway: if gateway:
@ -155,11 +159,13 @@ def psValidate(request, typ=['ST']):
else: else:
attributes.append((key, value)) attributes.append((key, value))
params = {'username':ticket.user.username, 'attributes':attributes, 'proxies':proxies} params = {'username':ticket.user.username, 'attributes':attributes, 'proxies':proxies}
if ticket.service_pattern.user_field and ticket.user.attributs.get(ticket.service_pattern.user_field):
params['username'] = ticket.user.attributs.get(ticket.service_pattern.user_field)
if pgtUrl and pgtUrl.startswith("https://"): if pgtUrl and pgtUrl.startswith("https://"):
pattern = modele.ServicePattern(pgtUrl) pattern = models.ServicePattern.validate(pgtUrl)
if pattern.proxy: if pattern.proxy:
proxyid = models._gen_ticket('PGTIOU') proxyid = models._gen_ticket('PGTIOU')
pticket = models.ProxyGrantingTicket.objects.create(user=ticket.user, service=pgtUrl) pticket = models.ProxyGrantingTicket.objects.create(user=ticket.user, service=pgtUrl, service_pattern=pattern)
url = utils.update_url(pgtUrl, {'pgtIou':proxyid, 'pgtId':pticket.value}) url = utils.update_url(pgtUrl, {'pgtIou':proxyid, 'pgtId':pticket.value})
try: try:
r = requests.get(url, verify=settings.CAS_PROXY_CA_CERTIFICATE_PATH) r = requests.get(url, verify=settings.CAS_PROXY_CA_CERTIFICATE_PATH)
@ -174,7 +180,7 @@ def psValidate(request, typ=['ST']):
return render(request, "cas_server/serviceValidateError.xml", {'code':'INVALID_PROXY_CALLBACK'}, content_type="text/xml; charset=utf-8") return render(request, "cas_server/serviceValidateError.xml", {'code':'INVALID_PROXY_CALLBACK'}, content_type="text/xml; charset=utf-8")
else: else:
return render(request, "cas_server/serviceValidate.xml", params, content_type="text/xml; charset=utf-8") return render(request, "cas_server/serviceValidate.xml", params, content_type="text/xml; charset=utf-8")
except (models.ServiceTicket.DoesNotExist, models.ProxyTicket.DoesNotExist): except (models.ServiceTicket.DoesNotExist, models.ProxyTicket.DoesNotExist, models.ServicePattern.DoesNotExist):
return render(request, "cas_server/serviceValidateError.xml", {'code':'INVALID_TICKET'}, content_type="text/xml; charset=utf-8") return render(request, "cas_server/serviceValidateError.xml", {'code':'INVALID_TICKET'}, content_type="text/xml; charset=utf-8")
else: else:
return render(request, "cas_server/serviceValidateError.xml", {'code':'INVALID_REQUEST'}, content_type="text/xml; charset=utf-8") return render(request, "cas_server/serviceValidateError.xml", {'code':'INVALID_REQUEST'}, content_type="text/xml; charset=utf-8")
@ -189,11 +195,13 @@ def proxy(request):
targetService = request.GET.get('targetService') targetService = request.GET.get('targetService')
if pgt and targetService: if pgt and targetService:
try: try:
pattern = models.ServicePattern.validate(targetService)
ticket = models.ProxyGrantingTicket.objects.get(value=pgt, creation__gt=(datetime.now() - timedelta(seconds=settings.CAS_TICKET_VALIDITY))) ticket = models.ProxyGrantingTicket.objects.get(value=pgt, creation__gt=(datetime.now() - timedelta(seconds=settings.CAS_TICKET_VALIDITY)))
pticket = models.ProxyTicket.objects.create(user=ticket.user, service=targetService) pattern.check_user(ticket.user)
pticket = models.ProxyTicket.objects.create(user=ticket.user, service=targetService, service_pattern=ticket.service_pattern)
pticket.proxies.create(url=ticket.service) pticket.proxies.create(url=ticket.service)
return render(request, "cas_server/proxy.xml", {'ticket':pticket.value}, content_type="text/xml; charset=utf-8") return render(request, "cas_server/proxy.xml", {'ticket':pticket.value}, content_type="text/xml; charset=utf-8")
except models.ProxyGrantingTicket.DoesNotExist: except (models.ProxyGrantingTicket.DoesNotExist, models.ServicePattern.DoesNotExist, models.BadUsername, models.BadFilter):
return render(request, "cas_server/serviceValidateError.xml", {'code':'INVALID_TICKET'}, content_type="text/xml; charset=utf-8") return render(request, "cas_server/serviceValidateError.xml", {'code':'INVALID_TICKET'}, content_type="text/xml; charset=utf-8")
else: else:
return render(request, "cas_server/serviceValidateError.xml", {'code':'INVALID_REQUEST'}, content_type="text/xml; charset=utf-8") return render(request, "cas_server/serviceValidateError.xml", {'code':'INVALID_REQUEST'}, content_type="text/xml; charset=utf-8")