Extended validity for PGT

This commit is contained in:
Valentin Samir 2015-06-08 02:51:22 +02:00
parent 8fe1738183
commit a4ff5c3d64
3 changed files with 47 additions and 38 deletions

View File

@ -33,7 +33,8 @@ setting_default('CAS_PT_LEN', settings.CAS_TICKET_LEN)
setting_default('CAS_PGT_LEN', settings.CAS_TICKET_LEN) setting_default('CAS_PGT_LEN', settings.CAS_TICKET_LEN)
setting_default('CAS_PGTIOU_LEN', settings.CAS_TICKET_LEN) setting_default('CAS_PGTIOU_LEN', settings.CAS_TICKET_LEN)
setting_default('CAS_TICKET_VALIDITY', 300) setting_default('CAS_TICKET_VALIDITY', 60)
setting_default('CAS_PGT_VALIDITY', 3600)
setting_default('CAS_TICKET_TIMEOUT', 24*3600) setting_default('CAS_TICKET_TIMEOUT', 24*3600)
setting_default('CAS_PROXY_CA_CERTIFICATE_PATH', True) setting_default('CAS_PROXY_CA_CERTIFICATE_PATH', True)
setting_default('CAS_REDIRECT_TO_LOGIN_AFTER_LOGOUT', False) setting_default('CAS_REDIRECT_TO_LOGIN_AFTER_LOGOUT', False)

View File

@ -292,6 +292,9 @@ class Ticket(models.Model):
renew = models.BooleanField(default=False) renew = models.BooleanField(default=False)
single_log_out = models.BooleanField(default=False) single_log_out = models.BooleanField(default=False)
VALIDITY = settings.CAS_TICKET_VALIDITY
TIMEOUT = settings.CAS_TICKET_TIMEOUT
def __unicode__(self): def __unicode__(self):
return u"Ticket(%s, %s)" % (self.user, self.service) return u"Ticket(%s, %s)" % (self.user, self.service)
@ -304,19 +307,18 @@ class Ticket(models.Model):
Q(single_log_out=False)&Q(validate=True) Q(single_log_out=False)&Q(validate=True)
)|( )|(
Q(validate=False)&\ Q(validate=False)&\
Q(creation__lt=(timezone.now() - timedelta(seconds=settings.CAS_TICKET_VALIDITY))) Q(creation__lt=(timezone.now() - timedelta(seconds=cls.VALIDITY)))
) )
).delete() ).delete()
# sending SLO to timed-out validated tickets # sending SLO to timed-out validated tickets
if settings.CAS_TICKET_TIMEOUT and \ if cls.TIMEOUT and cls.TIMEOUT > 0:
settings.CAS_TICKET_TIMEOUT >= settings.CAS_TICKET_VALIDITY:
async_list = [] async_list = []
session = FuturesSession(executor=ThreadPoolExecutor(max_workers=10)) session = FuturesSession(executor=ThreadPoolExecutor(max_workers=10))
queryset = cls.objects.filter( queryset = cls.objects.filter(
single_log_out=True, single_log_out=True,
validate=True, validate=True,
creation__lt=(timezone.now() - timedelta(seconds=settings.CAS_TICKET_TIMEOUT)) creation__lt=(timezone.now() - timedelta(seconds=cls.TIMEOUT))
) )
for ticket in queryset: for ticket in queryset:
async_list.append(ticket.logout(None, session)) async_list.append(ticket.logout(None, session))
@ -373,7 +375,10 @@ class ProxyTicket(Ticket):
class ProxyGrantingTicket(Ticket): class ProxyGrantingTicket(Ticket):
"""A Proxy Granting Ticket""" """A Proxy Granting Ticket"""
PREFIX = settings.CAS_PROXY_GRANTING_TICKET_PREFIX PREFIX = settings.CAS_PROXY_GRANTING_TICKET_PREFIX
VALIDITY = settings.CAS_PGT_VALIDITY
value = models.CharField(max_length=255, default=utils.gen_pgt, unique=True) value = models.CharField(max_length=255, default=utils.gen_pgt, unique=True)
def __unicode__(self): def __unicode__(self):
return u"ProxyGrantingTicket(%s, %s, %s)" % (self.user, self.value, self.service) return u"ProxyGrantingTicket(%s, %s, %s)" % (self.user, self.value, self.service)

View File

@ -30,6 +30,9 @@ import utils
import forms import forms
import models import models
from .models import ServiceTicket, ProxyTicket, ProxyGrantingTicket
from .models import ServicePattern
class AttributesMixin(object): class AttributesMixin(object):
"""mixin for the attributs methode""" """mixin for the attributs methode"""
@ -189,7 +192,7 @@ class LoginView(View, LogoutMixin):
"""Perform login agains a service""" """Perform login agains a service"""
try: try:
# is the service allowed # is the service allowed
service_pattern = models.ServicePattern.validate(self.service) service_pattern = ServicePattern.validate(self.service)
# is the current user allowed on this service # is the current user allowed on this service
service_pattern.check_user(self.user) service_pattern.check_user(self.user)
# if the user has asked to be warned before any login to a service # if the user has asked to be warned before any login to a service
@ -215,7 +218,7 @@ class LoginView(View, LogoutMixin):
return HttpResponseRedirect( return HttpResponseRedirect(
self.user.get_service_url(self.service, service_pattern, renew=self.renew) self.user.get_service_url(self.service, service_pattern, renew=self.renew)
) )
except models.ServicePattern.DoesNotExist: except ServicePattern.DoesNotExist:
messages.add_message( messages.add_message(
self.request, self.request,
messages.ERROR, messages.ERROR,
@ -270,7 +273,7 @@ class LoginView(View, LogoutMixin):
"""Processing non authenticated users""" """Processing non authenticated users"""
if self.service: if self.service:
try: try:
service_pattern = models.ServicePattern.validate(self.service) service_pattern = ServicePattern.validate(self.service)
if self.gateway: if self.gateway:
list(messages.get_messages(self.request))# clean messages before leaving django list(messages.get_messages(self.request))# clean messages before leaving django
return HttpResponseRedirect(self.service) return HttpResponseRedirect(self.service)
@ -288,7 +291,7 @@ class LoginView(View, LogoutMixin):
_(u"Authentication required by service %(name)s (%(url)s).") % _(u"Authentication required by service %(name)s (%(url)s).") %
{'name':service_pattern.name, 'url':self.service} {'name':service_pattern.name, 'url':self.service}
) )
except models.ServicePattern.DoesNotExist: except ServicePattern.DoesNotExist:
messages.add_message( messages.add_message(
self.request, self.request,
messages.ERROR, messages.ERROR,
@ -337,12 +340,12 @@ class Auth(View):
try: try:
user = models.User.objects.get(username=form.cleaned_data['username']) user = models.User.objects.get(username=form.cleaned_data['username'])
# is the service allowed # is the service allowed
service_pattern = models.ServicePattern.validate(service) service_pattern = ServicePattern.validate(service)
# is the current user allowed on this service # is the current user allowed on this service
service_pattern.check_user(user) service_pattern.check_user(user)
# if the user has asked to be warned before any login to a service # if the user has asked to be warned before any login to a service
return HttpResponse("yes\n", content_type="text/plain") return HttpResponse("yes\n", content_type="text/plain")
except (models.ServicePattern.DoesNotExist, models.ServicePatternException) as error: except (ServicePattern.DoesNotExist, ServicePatternException) as error:
print "error: %r" % error print "error: %r" % error
return HttpResponse("no\n", content_type="text/plain") return HttpResponse("no\n", content_type="text/plain")
else: else:
@ -359,17 +362,17 @@ class Validate(View):
renew = True if request.GET.get('renew') else False renew = True if request.GET.get('renew') else False
if service and ticket: if service and ticket:
try: try:
ticket = models.ServiceTicket.objects.get( ticket = ServiceTicket.objects.get(
value=ticket, value=ticket,
service=service, service=service,
validate=False, validate=False,
renew=renew, renew=renew,
creation__gt=(timezone.now() - timedelta(seconds=settings.CAS_TICKET_VALIDITY)) creation__gt=(timezone.now() - timedelta(seconds=ServiceTicket.VALIDITY))
) )
ticket.validate = True ticket.validate = True
ticket.save() ticket.save()
return HttpResponse("yes\n", content_type="text/plain") return HttpResponse("yes\n", content_type="text/plain")
except models.ServiceTicket.DoesNotExist: except ServiceTicket.DoesNotExist:
return HttpResponse("no\n", content_type="text/plain") return HttpResponse("no\n", content_type="text/plain")
else: else:
return HttpResponse("no\n", content_type="text/plain") return HttpResponse("no\n", content_type="text/plain")
@ -447,19 +450,19 @@ class ValidateService(View, AttributesMixin):
"""fetch the ticket angains the database and check its validity""" """fetch the ticket angains the database and check its validity"""
try: try:
proxies = [] proxies = []
if self.ticket.startswith(models.ServiceTicket.PREFIX): if self.ticket.startswith(ServiceTicket.PREFIX):
ticket = models.ServiceTicket.objects.get( ticket = ServiceTicket.objects.get(
value=self.ticket, value=self.ticket,
validate=False, validate=False,
renew=self.renew, renew=self.renew,
creation__gt=(timezone.now() - timedelta(seconds=settings.CAS_TICKET_VALIDITY)) creation__gt=(timezone.now() - timedelta(seconds=ServiceTicket.VALIDITY))
) )
elif self.allow_proxy_ticket and self.ticket.startswith(models.ProxyTicket.PREFIX): elif self.allow_proxy_ticket and self.ticket.startswith(ProxyTicket.PREFIX):
ticket = models.ProxyTicket.objects.get( ticket = ProxyTicket.objects.get(
value=self.ticket, value=self.ticket,
validate=False, validate=False,
renew=self.renew, renew=self.renew,
creation__gt=(timezone.now() - timedelta(seconds=settings.CAS_TICKET_VALIDITY)) creation__gt=(timezone.now() - timedelta(seconds=ProxyTicket.VALIDITY))
) )
for prox in ticket.proxies.all(): for prox in ticket.proxies.all():
proxies.append(prox.url) proxies.append(prox.url)
@ -470,17 +473,17 @@ class ValidateService(View, AttributesMixin):
if ticket.service != self.service: if ticket.service != self.service:
raise ValidateError('INVALID_SERVICE') raise ValidateError('INVALID_SERVICE')
return ticket, proxies return ticket, proxies
except (models.ServiceTicket.DoesNotExist, models.ProxyTicket.DoesNotExist): except (ServiceTicket.DoesNotExist, ProxyTicket.DoesNotExist):
raise ValidateError('INVALID_TICKET', 'ticket not found') raise ValidateError('INVALID_TICKET', 'ticket not found')
def process_pgturl(self, params): def process_pgturl(self, params):
"""Handle PGT request""" """Handle PGT request"""
try: try:
pattern = models.ServicePattern.validate(self.pgt_url) pattern = ServicePattern.validate(self.pgt_url)
if pattern.proxy_callback: if pattern.proxy_callback:
proxyid = utils.gen_pgtiou() proxyid = utils.gen_pgtiou()
pticket = models.ProxyGrantingTicket.objects.create( pticket = ProxyGrantingTicket.objects.create(
user=self.ticket.user, user=self.ticket.user,
service=self.pgt_url, service=self.pgt_url,
service_pattern=pattern, service_pattern=pattern,
@ -507,7 +510,7 @@ class ValidateService(View, AttributesMixin):
'INVALID_PROXY_CALLBACK', 'INVALID_PROXY_CALLBACK',
"callback url not allowed by configuration" "callback url not allowed by configuration"
) )
except models.ServicePattern.DoesNotExist: except ServicePattern.DoesNotExist:
raise ValidateError( raise ValidateError(
'INVALID_PROXY_CALLBACK', 'INVALID_PROXY_CALLBACK',
'callback url not allowed by configuration' 'callback url not allowed by configuration'
@ -541,21 +544,21 @@ class Proxy(View):
"""handle PT request""" """handle PT request"""
try: try:
# is the target service allowed # is the target service allowed
pattern = models.ServicePattern.validate(self.target_service) pattern = ServicePattern.validate(self.target_service)
if not pattern.proxy: if not pattern.proxy:
raise ValidateError( raise ValidateError(
'UNAUTHORIZED_SERVICE', 'UNAUTHORIZED_SERVICE',
'the service do not allow proxy ticket' 'the service do not allow proxy ticket'
) )
# is the proxy granting ticket valid # is the proxy granting ticket valid
ticket = models.ProxyGrantingTicket.objects.get( ticket = ProxyGrantingTicket.objects.get(
value=self.pgt, value=self.pgt,
creation__gt=(timezone.now() - timedelta(seconds=settings.CAS_TICKET_VALIDITY)) creation__gt=(timezone.now() - timedelta(seconds=ProxyGrantingTicket.VALIDITY))
) )
# is the pgt user allowed on the target service # is the pgt user allowed on the target service
pattern.check_user(ticket.user) pattern.check_user(ticket.user)
pticket = ticket.user.get_ticket( pticket = ticket.user.get_ticket(
models.ProxyTicket, ProxyTicket,
self.target_service, self.target_service,
pattern, pattern,
renew=False) renew=False)
@ -566,9 +569,9 @@ class Proxy(View):
{'ticket':pticket.value}, {'ticket':pticket.value},
content_type="text/xml; charset=utf-8" content_type="text/xml; charset=utf-8"
) )
except models.ProxyGrantingTicket.DoesNotExist: except ProxyGrantingTicket.DoesNotExist:
raise ValidateError('INVALID_TICKET', 'PGT not found') raise ValidateError('INVALID_TICKET', 'PGT not found')
except models.ServicePattern.DoesNotExist: except ServicePattern.DoesNotExist:
raise ValidateError('UNAUTHORIZED_SERVICE') raise ValidateError('UNAUTHORIZED_SERVICE')
except (models.BadUsername, models.BadFilter, models.UserFieldNotDefined): except (models.BadUsername, models.BadFilter, models.UserFieldNotDefined):
raise ValidateError( raise ValidateError(
@ -636,7 +639,7 @@ class SamlValidate(View, AttributesMixin):
try: try:
self.ticket = self.process_ticket() self.ticket = self.process_ticket()
expire_instant = (self.ticket.creation + \ expire_instant = (self.ticket.creation + \
timedelta(seconds=settings.CAS_TICKET_VALIDITY)).isoformat() timedelta(seconds=self.ticket.VALIDITY)).isoformat()
attributes = self.attributes() attributes = self.attributes()
params = { params = {
'IssueInstant':timezone.now().isoformat(), 'IssueInstant':timezone.now().isoformat(),
@ -665,17 +668,17 @@ class SamlValidate(View, AttributesMixin):
try: try:
auth_req = self.root.getchildren()[1].getchildren()[0] auth_req = self.root.getchildren()[1].getchildren()[0]
ticket = auth_req.getchildren()[0].text ticket = auth_req.getchildren()[0].text
if ticket.startswith(models.ServiceTicket.PREFIX): if ticket.startswith(ServiceTicket.PREFIX):
ticket = models.ServiceTicket.objects.get( ticket = ServiceTicket.objects.get(
value=ticket, value=ticket,
validate=False, validate=False,
creation__gt=(timezone.now() - timedelta(seconds=settings.CAS_TICKET_VALIDITY)) creation__gt=(timezone.now() - timedelta(seconds=ServiceTicket.VALIDITY))
) )
elif ticket.startswith(models.ProxyTicket.PREFIX): elif ticket.startswith(ProxyTicket.PREFIX):
ticket = models.ProxyTicket.objects.get( ticket = ProxyTicket.objects.get(
value=ticket, value=ticket,
validate=False, validate=False,
creation__gt=(timezone.now() - timedelta(seconds=settings.CAS_TICKET_VALIDITY)) creation__gt=(timezone.now() - timedelta(seconds=ProxyTicket.VALIDITY))
) )
else: else:
raise SamlValidateError( raise SamlValidateError(
@ -692,5 +695,5 @@ class SamlValidate(View, AttributesMixin):
return ticket return ticket
except (IndexError, KeyError): except (IndexError, KeyError):
raise SamlValidateError('VersionMismatch') raise SamlValidateError('VersionMismatch')
except (models.ServiceTicket.DoesNotExist, models.ProxyTicket.DoesNotExist): except (ServiceTicket.DoesNotExist, ProxyTicket.DoesNotExist):
raise SamlValidateError('AuthnFailed', 'ticket not found') raise SamlValidateError('AuthnFailed', 'ticket not found')