From b168e0a6423c53de31aae6c444fa1d1c5083afa6 Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Wed, 27 Jul 2016 16:03:11 +0200
Subject: [PATCH 01/31] typo in setup.py classifiers

---
 setup.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup.py b/setup.py
index b27f5b4..eb0af62 100644
--- a/setup.py
+++ b/setup.py
@@ -30,7 +30,7 @@ if __name__ == '__main__':
         author_email='valentin.samir@crans.org',
         classifiers=[
             'Environment :: Web Environment',
-            'evelopment Status :: 5 - Production/Stable',
+            'Development Status :: 5 - Production/Stable',
             'Framework :: Django',
             'Framework :: Django :: 1.7',
             'Framework :: Django :: 1.8',

From 6eea76d984ae920c9c33185d3a945f5e5ac9333e Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Fri, 29 Jul 2016 13:56:23 +0200
Subject: [PATCH 02/31] Add pytest-warning to tests and correct some warnings,
 complete coverage (essentially branch)

---
 Makefile                                      |  2 +-
 cas_server/forms.py                           |  2 +-
 .../cas_server/{login.css => styles.css}      |  0
 cas_server/templates/cas_server/base.html     | 13 +++---
 cas_server/tests/settings.py                  | 16 ++++++++
 cas_server/tests/test_models.py               | 40 +++++++++++++++++++
 cas_server/tests/utils.py                     | 11 +++--
 cas_server/urls.py                            |  4 +-
 requirements-dev.txt                          |  1 +
 setup.py                                      |  2 +-
 tox.ini                                       |  2 +-
 11 files changed, 78 insertions(+), 15 deletions(-)
 rename cas_server/static/cas_server/{login.css => styles.css} (100%)

diff --git a/Makefile b/Makefile
index c719834..d802dc0 100644
--- a/Makefile
+++ b/Makefile
@@ -62,7 +62,7 @@ run_server: test_project
 
 run_tests: test_venv
 	python setup.py check --restructuredtext --stric
-	test_venv/bin/py.test --cov=cas_server --cov-report html
+	test_venv/bin/py.test -rw -x --cov=cas_server --cov-report html
 	rm htmlcov/coverage_html.js  # I am really pissed off by those keybord shortcuts
 
 test_venv/bin/sphinx-build: test_venv
diff --git a/cas_server/forms.py b/cas_server/forms.py
index 03c7515..2f18ed9 100644
--- a/cas_server/forms.py
+++ b/cas_server/forms.py
@@ -32,7 +32,7 @@ class BootsrapForm(forms.Form):
                     self[name].checkbox = True
                 else:
                     attrs['class'] = "form-control"
-                    if field.label:
+                    if field.label:  # pragma: no branch (currently all field are hidden or labeled)
                         attrs["placeholder"] = field.label
                 if field.required:
                     attrs["required"] = "required"
diff --git a/cas_server/static/cas_server/login.css b/cas_server/static/cas_server/styles.css
similarity index 100%
rename from cas_server/static/cas_server/login.css
rename to cas_server/static/cas_server/styles.css
diff --git a/cas_server/templates/cas_server/base.html b/cas_server/templates/cas_server/base.html
index db61e1b..bd8663a 100644
--- a/cas_server/templates/cas_server/base.html
+++ b/cas_server/templates/cas_server/base.html
@@ -15,7 +15,7 @@
         <script src="{{settings.CAS_COMPONENT_URLS.respond}}"></script>
         <![endif]-->
         <link rel="shortcut icon" href="{% static "cas_server/favicon.ico?v=1" %}" />
-        <link href="{% static "cas_server/login.css" %}" rel="stylesheet">
+        <link href="{% static "cas_server/styles.css" %}" rel="stylesheet">
     </head>
     <body>
         <div class="container">
@@ -36,18 +36,17 @@
             {% for message in messages %}
                 <div {% spaceless %}
                     {% if message.level == message_levels.DEBUG %}
-                        class="alert alert-warning alert-dismissable"
+                        class="alert alert-warning"
                     {% elif message.level == message_levels.INFO %}
-                        class="alert alert-info alert-dismissable"
+                        class="alert alert-info"
                     {% elif message.level == message_levels.SUCCESS %}
-                        class="alert alert-success alert-dismissable"
+                        class="alert alert-success"
                     {% elif message.level == message_levels.WARNING %}
-                        class="alert alert-warning alert-dismissable"
+                        class="alert alert-warning"
                     {% else %}
-                        class="alert alert-danger alert-dismissable"
+                        class="alert alert-danger"
                     {% endif %}
                 {% endspaceless %}>
-                    <button type="button" class="close" data-dismiss="alert" aria-hidden="true">&#215;</button>
                     {{ message }}
                 </div>
             {% endfor %}
diff --git a/cas_server/tests/settings.py b/cas_server/tests/settings.py
index 4e17ceb..c873ea2 100644
--- a/cas_server/tests/settings.py
+++ b/cas_server/tests/settings.py
@@ -51,6 +51,22 @@ MIDDLEWARE_CLASSES = [
     'django.middleware.locale.LocaleMiddleware',
 ]
 
+TEMPLATES = [
+    {
+        'APP_DIRS': True,
+        'BACKEND': 'django.template.backends.django.DjangoTemplates',
+        'DIRS': [],
+        'OPTIONS': {
+            'context_processors': [
+                'django.template.context_processors.debug',
+                'django.template.context_processors.request',
+                'django.contrib.auth.context_processors.auth',
+                'django.contrib.messages.context_processors.messages'
+            ]
+        }
+    }
+]
+
 ROOT_URLCONF = 'cas_server.tests.urls'
 
 # Database
diff --git a/cas_server/tests/test_models.py b/cas_server/tests/test_models.py
index 7a4403c..49f9c75 100644
--- a/cas_server/tests/test_models.py
+++ b/cas_server/tests/test_models.py
@@ -60,6 +60,24 @@ class FederatedUserTestCase(TestCase, UserModels, FederatedIendityProviderModel)
         with self.assertRaises(models.FederatedUser.DoesNotExist):
             models.FederatedUser.objects.get(username="test2")
 
+    def test_json_attributes(self):
+        """test the json storage of ``atrributs`` in ``_attributs``"""
+        provider = models.FederatedIendityProvider.objects.get(suffix="example.com")
+        user = models.FederatedUser.objects.create(
+            username=settings.CAS_TEST_USER,
+            provider=provider,
+            attributs=settings.CAS_TEST_ATTRIBUTES,
+            ticket=""
+        )
+        self.assertEqual(utils.json_encode(settings.CAS_TEST_ATTRIBUTES), user._attributs)
+        user.delete()
+        user = models.FederatedUser.objects.create(
+            username=settings.CAS_TEST_USER,
+            provider=provider,
+            ticket=""
+        )
+        self.assertIsNone(user._attributs)
+        self.assertIsNone(user.attributs)
 
 class FederateSLOTestCase(TestCase, UserModels):
     """test for the federated SLO model"""
@@ -231,3 +249,25 @@ class TicketTestCase(TestCase, UserModels, BaseServicePattern):
         self.assertTrue(b'logoutRequest' in params and params[b'logoutRequest'])
         # only 1 ticket remain in the db
         self.assertEqual(len(models.ServiceTicket.objects.all()), 1)
+
+    def test_json_attributes(self):
+        """test the json storage of ``atrributs`` in ``_attributs``"""
+        # ge an authenticated client
+        client = get_auth_client()
+        # get the user associated to the client
+        user = self.get_user(client)
+        ticket = models.ServiceTicket.objects.create(
+            user=user,
+            service=self.service,
+            attributs=settings.CAS_TEST_ATTRIBUTES,
+            service_pattern=self.service_pattern
+        )
+        self.assertEqual(utils.json_encode(settings.CAS_TEST_ATTRIBUTES), ticket._attributs)
+        ticket.delete()
+        ticket = models.ServiceTicket.objects.create(
+            user=user,
+            service=self.service,
+            service_pattern=self.service_pattern
+        )
+        self.assertIsNone(ticket._attributs)
+        self.assertIsNone(ticket.attributs)
diff --git a/cas_server/tests/utils.py b/cas_server/tests/utils.py
index 515b653..d020724 100644
--- a/cas_server/tests/utils.py
+++ b/cas_server/tests/utils.py
@@ -12,16 +12,21 @@
 """Some utils functions for tests"""
 from cas_server.default_settings import settings
 
+import django
 from django.test import Client
-from django.template import loader, Context
+from django.template import loader
 from django.utils import timezone
+if django.VERSION < (1, 8):
+    from django.template import Context
+else:
+    Context = lambda x:x
 
 import cgi
 import six
 from threading import Thread
 from lxml import etree
 from six.moves import BaseHTTPServer
-from six.moves.urllib.parse import urlparse, parse_qsl
+from six.moves.urllib.parse import urlparse, parse_qsl, parse_qs
 from datetime import timedelta
 
 from cas_server import models
@@ -166,7 +171,7 @@ class HttpParamsHandler(BaseHTTPServer.BaseHTTPRequestHandler):
             postvars = cgi.parse_multipart(self.rfile, pdict)
         elif ctype == 'application/x-www-form-urlencoded':
             length = int(self.headers.get('content-length'))
-            postvars = cgi.parse_qs(self.rfile.read(length), keep_blank_values=1)
+            postvars = parse_qs(self.rfile.read(length), keep_blank_values=1)
         else:
             postvars = {}
         self.server.PARAMS = postvars
diff --git a/cas_server/urls.py b/cas_server/urls.py
index aa014f2..d4e691c 100644
--- a/cas_server/urls.py
+++ b/cas_server/urls.py
@@ -16,8 +16,10 @@ from django.views.decorators.debug import sensitive_post_parameters, sensitive_v
 
 from cas_server import views
 
+app_name = "cas_server"
+
 urlpatterns = [
-    url(r'^$', RedirectView.as_view(pattern_name="cas_server:login")),
+    url(r'^$', RedirectView.as_view(pattern_name="cas_server:login", permanent=False)),
     url(
         '^login$',
         sensitive_post_parameters('password')(
diff --git a/requirements-dev.txt b/requirements-dev.txt
index c394fb1..d2d3902 100644
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@@ -3,6 +3,7 @@ tox>=1.8.1
 pytest>=2.6.4
 pytest-django>=2.8.0
 pytest-pythonpath>=0.3
+pytest-warnings
 pytest-cov>=2.2.1
 requests>=2.4
 requests_futures>=0.9.5
diff --git a/setup.py b/setup.py
index eb0af62..a8a5a8d 100644
--- a/setup.py
+++ b/setup.py
@@ -66,5 +66,5 @@ if __name__ == '__main__':
         download_url="https://github.com/nitmir/django-cas-server/releases",
         zip_safe=False,
         setup_requires=['pytest-runner'],
-        tests_require=['pytest', 'pytest-django', 'pytest-pythonpath'],
+        tests_require=['pytest', 'pytest-django', 'pytest-pythonpath', 'pytest-warnings', 'mock>=1'],
     )
diff --git a/tox.ini b/tox.ini
index bdf50f0..401c249 100644
--- a/tox.ini
+++ b/tox.ini
@@ -31,7 +31,7 @@ whitelist_externals=
 
 [testenv]
 commands=
-    py.test {posargs:cas_server/tests/}
+    py.test -rw {posargs:cas_server/tests/}
     {[post_cmd]commands}
 whitelist_externals={[post_cmd]whitelist_externals}
 

From b6cffcf482ed7df0ba4ebb5f946c474debc6d15e Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Fri, 29 Jul 2016 14:33:02 +0200
Subject: [PATCH 03/31] Add new version email and info box then new version is
 available

---
 README.rst                                    | 10 +++
 cas_server/__init__.py                        |  4 ++
 cas_server/default_settings.py                |  9 +++
 .../management/commands/cas_clean_sessions.py |  1 +
 .../migrations/0008_newversionwarning.py      | 22 +++++++
 cas_server/models.py                          | 61 +++++++++++++++++
 cas_server/static/cas_server/alert-version.js | 25 +++++++
 cas_server/templates/cas_server/base.html     | 12 +++-
 cas_server/tests/settings.py                  |  3 +
 cas_server/tests/test_models.py               | 38 +++++++++++
 cas_server/tests/test_utils.py                | 26 ++++++++
 cas_server/tests/test_view.py                 | 23 +++++++
 cas_server/utils.py                           | 66 +++++++++++++++++++
 requirements-dev.txt                          |  1 +
 setup.py                                      |  3 +-
 15 files changed, 301 insertions(+), 3 deletions(-)
 create mode 100644 cas_server/migrations/0008_newversionwarning.py
 create mode 100644 cas_server/static/cas_server/alert-version.js

diff --git a/README.rst b/README.rst
index 59b9ba1..9cb5573 100644
--- a/README.rst
+++ b/README.rst
@@ -219,6 +219,16 @@ Federation settings
   ``_remember_provider``.
 
 
+New version warnings settings
+-----------------------------
+
+* ``CAS_NEW_VERSION_HTML_WARNING``: A boolean for diplaying a warning on html pages then a new
+  version of the application is avaible. Once closed by a user, it is not displayed to this user
+  until the next new version. The default is ``True``.
+* ``CAS_NEW_VERSION_EMAIL_WARNING``: A bolean sot sending a email to ``settings.ADMINS`` when a new
+  version is available. The default is ``True``.
+
+
 Tickets validity settings
 -------------------------
 
diff --git a/cas_server/__init__.py b/cas_server/__init__.py
index 085927b..c138255 100644
--- a/cas_server/__init__.py
+++ b/cas_server/__init__.py
@@ -9,5 +9,9 @@
 #
 # (c) 2015-2016 Valentin Samir
 """A django CAS server application"""
+
+#: version of the application
+VERSION = '0.6.1'
+
 #: path the the application configuration class
 default_app_config = 'cas_server.apps.CasAppConfig'
diff --git a/cas_server/default_settings.py b/cas_server/default_settings.py
index c7b2b12..69a2fdf 100644
--- a/cas_server/default_settings.py
+++ b/cas_server/default_settings.py
@@ -140,6 +140,15 @@ CAS_FEDERATE = False
 #: Time after witch the cookie use for “remember my identity provider” expire (one week).
 CAS_FEDERATE_REMEMBER_TIMEOUT = 604800
 
+#: A :class:`bool` for diplaying a warning on html pages then a new version of the application
+#: is avaible. Once closed by a user, it is not displayed to this user until the next new version.
+CAS_NEW_VERSION_HTML_WARNING = True
+#: A :class:`bool` for sending emails to ``settings.ADMINS`` when a new version is available.
+CAS_NEW_VERSION_EMAIL_WARNING = True
+#: URL to the pypi json of the application. Used to retreive the version number of the last version.
+#: You should not change it.
+CAS_NEW_VERSION_JSON_URL = "https://pypi.python.org/pypi/django-cas-server/json"
+
 GLOBALS = globals().copy()
 for name, default_value in GLOBALS.items():
     # get the current setting value, falling back to default_value
diff --git a/cas_server/management/commands/cas_clean_sessions.py b/cas_server/management/commands/cas_clean_sessions.py
index 437bcb5..5de4ebf 100644
--- a/cas_server/management/commands/cas_clean_sessions.py
+++ b/cas_server/management/commands/cas_clean_sessions.py
@@ -23,3 +23,4 @@ class Command(BaseCommand):
 
     def handle(self, *args, **options):
         models.User.clean_deleted_sessions()
+        models.NewVersionWarning.send_mails()
diff --git a/cas_server/migrations/0008_newversionwarning.py b/cas_server/migrations/0008_newversionwarning.py
new file mode 100644
index 0000000..f5e4b19
--- /dev/null
+++ b/cas_server/migrations/0008_newversionwarning.py
@@ -0,0 +1,22 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.9.7 on 2016-07-27 21:59
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('cas_server', '0007_auto_20160723_2252'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='NewVersionWarning',
+            fields=[
+                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('version', models.CharField(max_length=255)),
+            ],
+        ),
+    ]
diff --git a/cas_server/models.py b/cas_server/models.py
index 6e87d40..0c44f6f 100644
--- a/cas_server/models.py
+++ b/cas_server/models.py
@@ -18,15 +18,19 @@ from django.contrib import messages
 from django.utils.translation import ugettext_lazy as _
 from django.utils import timezone
 from django.utils.encoding import python_2_unicode_compatible
+from django.core.exceptions import ValidationError
+from django.core.mail import send_mail
 
 import re
 import sys
+import smtplib
 import logging
 from datetime import timedelta
 from concurrent.futures import ThreadPoolExecutor
 from requests_futures.sessions import FuturesSession
 
 import cas_server.utils as utils
+from . import VERSION
 
 #: logger facility
 logger = logging.getLogger(__name__)
@@ -1003,3 +1007,60 @@ class Proxy(models.Model):
 
     def __str__(self):
         return self.url
+
+
+class NewVersionWarning(models.Model):
+    """
+        Bases: :class:`django.db.models.Model`
+
+        The last new version available version sent
+    """
+    version = models.CharField(max_length=255)
+
+    @classmethod
+    def send_mails(cls):
+        """
+            For each new django-cas-server version, if the current instance is not up to date
+            send one mail to ``settings.ADMINS``.
+        """
+        if settings.CAS_NEW_VERSION_EMAIL_WARNING and settings.ADMINS:
+            try:
+                obj = cls.objects.get()
+            except cls.DoesNotExist:
+                obj = NewVersionWarning.objects.create(version=VERSION)
+            LAST_VERSION = utils.last_version()
+            if LAST_VERSION is not None and LAST_VERSION != obj.version:
+                if utils.decode_version(VERSION) < utils.decode_version(LAST_VERSION):
+                    try:
+                        send_mail(
+                            (
+                                '%sA new version of django-cas-server is available'
+                            ) % settings.EMAIL_SUBJECT_PREFIX,
+                            u'''
+A new version of the django-cas-server is available.
+
+Your version: %s
+New version: %s
+
+Upgrade using:
+    * pip install -U django-cas-server
+    * fetching the last release on
+      https://github.com/nitmir/django-cas-server/ or on
+      https://pypi.python.org/pypi/django-cas-server
+
+After upgrade, do not forget to run:
+    * ./manage.py migrate
+    * ./manage.py collectstatic
+and to reload your wsgi server (apache2, uwsgi, gunicord, etc…)
+
+--\u0020
+django-cas-server
+'''.strip() % (VERSION, LAST_VERSION),
+                            settings.SERVER_EMAIL,
+                            ["%s <%s>" % admin for admin in settings.ADMINS],
+                            fail_silently=False,
+                        )
+                        obj.version = LAST_VERSION
+                        obj.save()
+                    except smtplib.SMTPException as error:  # pragma: no cover (should not happen)
+                        logger.error("Unable to send new version mail: %s" % error)
diff --git a/cas_server/static/cas_server/alert-version.js b/cas_server/static/cas_server/alert-version.js
new file mode 100644
index 0000000..fb277a1
--- /dev/null
+++ b/cas_server/static/cas_server/alert-version.js
@@ -0,0 +1,25 @@
+function alert_version(last_version){
+    jQuery(function( $ ){
+        $('#alert-version').click(function( e ){
+            e.preventDefault();
+            var date = new Date();
+            date.setTime(date.getTime()+(10*365*24*60*60*1000));
+            var expires = "; expires="+date.toGMTString();
+            document.cookie = "cas-alert-version=" + last_version + expires + "; path=/";
+        });
+
+        var nameEQ="cas-alert-version="
+        var ca = document.cookie.split(';');
+        var value;
+        for(var i=0;i < ca.length;i++) {
+            var c = ca[i];
+            while (c.charAt(0)==' ')
+                c = c.substring(1,c.length);
+            if (c.indexOf(nameEQ) == 0)
+                value = c.substring(nameEQ.length,c.length);
+        }
+        if(value === last_version){
+            $('#alert-version').parent().hide();
+        }
+    });
+}
diff --git a/cas_server/templates/cas_server/base.html b/cas_server/templates/cas_server/base.html
index bd8663a..5abc8bd 100644
--- a/cas_server/templates/cas_server/base.html
+++ b/cas_server/templates/cas_server/base.html
@@ -31,8 +31,14 @@
             <div class="row">
             <div class="col-lg-3 col-md-3 col-sm-2 col-xs-12"></div>
             <div class="col-lg-6 col-md-6 col-sm-8 col-xs-12">
-            {% block ante_messages %}{% endblock %}
             {% if auto_submit %}<noscript>{% endif %}
+            {% if settings.CAS_NEW_VERSION_HTML_WARNING and upgrade_available %}
+              <div class="alert alert-info alert-dismissable">
+                <button type="button" class="close" data-dismiss="alert" aria-hidden="true" id="alert-version">&#215;</button>
+                {% blocktrans %}A new version of the application is available. This instance runs {{VERSION}} and the last version is {{LAST_VERSION}}. Please consider upgrading.{% endblocktrans %}
+              </div>
+            {% endif %}
+            {% block ante_messages %}{% endblock %}
             {% for message in messages %}
                 <div {% spaceless %}
                     {% if message.level == message_levels.DEBUG %}
@@ -58,5 +64,9 @@
         </div> <!-- /container -->
         <script src="{{settings.CAS_COMPONENT_URLS.jquery}}"></script>
         <script src="{{settings.CAS_COMPONENT_URLS.bootstrap3_js}}"></script>
+        {% if settings.CAS_NEW_VERSION_HTML_WARNING and upgrade_available %}
+        <script src="{% static "cas_server/alert-version.js" %}"></script>
+        <script>alert_version("{{LAST_VERSION}}")</script>
+        {% endif %}
     </body>
 </html>
diff --git a/cas_server/tests/settings.py b/cas_server/tests/settings.py
index c873ea2..76594da 100644
--- a/cas_server/tests/settings.py
+++ b/cas_server/tests/settings.py
@@ -97,3 +97,6 @@ USE_TZ = True
 # https://docs.djangoproject.com/en/1.9/howto/static-files/
 
 STATIC_URL = '/static/'
+
+CAS_NEW_VERSION_HTML_WARNING = False
+CAS_NEW_VERSION_EMAIL_WARNING = False
diff --git a/cas_server/tests/test_models.py b/cas_server/tests/test_models.py
index 49f9c75..29a9dd4 100644
--- a/cas_server/tests/test_models.py
+++ b/cas_server/tests/test_models.py
@@ -16,7 +16,9 @@ import django
 from django.test import TestCase, Client
 from django.test.utils import override_settings
 from django.utils import timezone
+from django.core import mail
 
+import mock
 from datetime import timedelta
 from importlib import import_module
 
@@ -271,3 +273,39 @@ class TicketTestCase(TestCase, UserModels, BaseServicePattern):
         )
         self.assertIsNone(ticket._attributs)
         self.assertIsNone(ticket.attributs)
+
+
+@mock.patch("cas_server.utils.last_version", lambda:"1.2.3")
+@override_settings(ADMINS=[("Ano Nymous", "ano.nymous@example.net")])
+@override_settings(CAS_NEW_VERSION_EMAIL_WARNING=True)
+class NewVersionWarningTestCase(TestCase):
+    """tests for the new version warning model"""
+
+    @mock.patch("cas_server.models.VERSION", "0.1.2")
+    def test_send_mails(self):
+        models.NewVersionWarning.send_mails()
+
+        self.assertEqual(len(mail.outbox), 1)
+        self.assertEqual(
+            mail.outbox[0].subject,
+            '%sA new version of django-cas-server is available' % settings.EMAIL_SUBJECT_PREFIX
+        )
+
+        models.NewVersionWarning.send_mails()
+        self.assertEqual(len(mail.outbox), 1)
+
+    @mock.patch("cas_server.models.VERSION", "1.2.3")
+    def test_send_mails_same_version(self):
+        models.NewVersionWarning.objects.create(version="0.1.2")
+        models.NewVersionWarning.send_mails()
+        self.assertEqual(len(mail.outbox), 0)
+
+    @override_settings(ADMINS=[])
+    def test_send_mails_no_admins(self):
+        models.NewVersionWarning.send_mails()
+        self.assertEqual(len(mail.outbox), 0)
+
+    @override_settings(CAS_NEW_VERSION_EMAIL_WARNING=False)
+    def test_send_mails_disabled(self):
+        models.NewVersionWarning.send_mails()
+        self.assertEqual(len(mail.outbox), 0)
diff --git a/cas_server/tests/test_utils.py b/cas_server/tests/test_utils.py
index f2fcbfc..d33d78c 100644
--- a/cas_server/tests/test_utils.py
+++ b/cas_server/tests/test_utils.py
@@ -13,6 +13,7 @@
 from django.test import TestCase, RequestFactory
 
 import six
+import warnings
 
 from cas_server import utils
 
@@ -208,3 +209,28 @@ class UtilsTestCase(TestCase):
         self.assertEqual(utils.get_tuple(test_tuple, 3), None)
         self.assertEqual(utils.get_tuple(test_tuple, 3, 'toto'), 'toto')
         self.assertEqual(utils.get_tuple(None, 3), None)
+
+    def test_last_version(self):
+        """
+            test the function last_version. An internet connection is needed, if you do not have
+            one, this test will fail and you should ignore it.
+        """
+        try:
+            # first check if pypi is available
+            utils.requests.get("https://pypi.python.org/simple/django-cas-server/")
+        except utils.requests.exceptions.RequestException:
+            warnings.warn(
+                (
+                    "Pypi seems not available, perhaps you do not have internet access. "
+                    "Consequently, the test cas_server.tests.test_utils.UtilsTestCase.test_last_"
+                    "version is ignored"
+                ),
+                RuntimeWarning
+            )
+        else:
+            version = utils.last_version()
+            self.assertIsInstance(version, six.text_type)
+            self.assertEqual(len(version.split('.')), 3)
+
+            # version is cached 24h so calling it a second time should return the save value
+            self.assertEqual(version, utils.last_version())
diff --git a/cas_server/tests/test_view.py b/cas_server/tests/test_view.py
index 7ae0888..3d561a6 100644
--- a/cas_server/tests/test_view.py
+++ b/cas_server/tests/test_view.py
@@ -20,6 +20,7 @@ from django.utils import timezone
 
 import random
 import json
+import mock
 from lxml import etree
 from six.moves import range
 
@@ -47,6 +48,28 @@ class LoginTestCase(TestCase, BaseServicePattern, CanLogin):
         # we prepare a bunch a service url and service patterns for tests
         self.setup_service_patterns()
 
+    @override_settings(CAS_NEW_VERSION_HTML_WARNING=True)
+    @mock.patch("cas_server.utils.last_version", lambda:"1.2.3")
+    @mock.patch("cas_server.utils.VERSION", "0.1.2")
+    def test_new_version_available_ok(self):
+        client = Client()
+        response = client.get("/login")
+        self.assertIn(b"A new version of the application is available", response.content)
+
+    @override_settings(CAS_NEW_VERSION_HTML_WARNING=True)
+    @mock.patch("cas_server.utils.last_version", lambda:None)
+    @mock.patch("cas_server.utils.VERSION", "0.1.2")
+    def test_new_version_available_badpypi(self):
+        client = Client()
+        response = client.get("/login")
+        self.assertNotIn(b"A new version of the application is available", response.content)
+
+    @override_settings(CAS_NEW_VERSION_HTML_WARNING=False)
+    def test_new_version_available_disabled(self):
+        client = Client()
+        response = client.get("/login")
+        self.assertNotIn(b"A new version of the application is available", response.content)
+
     def test_login_view_post_goodpass_goodlt(self):
         """Test a successul login"""
         # we get a client who fetch a frist time the login page and the login form default
diff --git a/cas_server/utils.py b/cas_server/utils.py
index 6b7f842..d842e4a 100644
--- a/cas_server/utils.py
+++ b/cas_server/utils.py
@@ -25,11 +25,19 @@ import hashlib
 import crypt
 import base64
 import six
+import requests
+import time
+import logging
 
 from importlib import import_module
 from datetime import datetime, timedelta
 from six.moves.urllib.parse import urlparse, urlunparse, parse_qsl, urlencode
 
+from . import VERSION
+
+#: logger facility
+logger = logging.getLogger(__name__)
+
 
 def json_encode(obj):
     """Encode a python object to json"""
@@ -51,6 +59,16 @@ def context(params):
     """
     params["settings"] = settings
     params["message_levels"] = DEFAULT_MESSAGE_LEVELS
+    if settings.CAS_NEW_VERSION_HTML_WARNING:
+        LAST_VERSION = last_version()
+        params["VERSION"] = VERSION
+        params["LAST_VERSION"] = LAST_VERSION
+        if LAST_VERSION is not None:
+            t_version = decode_version(VERSION)
+            t_last_version = decode_version(LAST_VERSION)
+            params["upgrade_available"] = t_version < t_last_version
+        else:
+            params["upgrade_available"] = False
     return params
 
 
@@ -603,3 +621,51 @@ def check_password(method, password, hashed_password, charset):
         )(password).hexdigest().encode("ascii") == hashed_password.lower()
     else:
         raise ValueError("Unknown password method check %r" % method)
+
+
+def decode_version(version):
+    """
+        decode a version string following version semantic http://semver.org/ input a tuple of int
+
+        :param unicode version: A dotted version
+        :return: A tuple a int
+        :rtype: tuple
+    """
+    return tuple(int(sub_version) for sub_version in version.split('.'))
+
+
+def last_version():
+    """
+        Fetch the last version from pypi and return it. On successful fetch from pypi, the response
+        is cached 24h, on error, it is cached 10 min.
+
+        :return: the last django-cas-server version
+        :rtype: unicode
+    """
+    try:
+        last_update, version, success = last_version._cache
+    except AttributeError:
+        last_update = 0
+        version = None
+        success = False
+    cache_delta = 24 * 3600 if success else 600
+    if (time.time() - last_update) < cache_delta:
+        return version
+    else:
+        try:
+            req = requests.get(settings.CAS_NEW_VERSION_JSON_URL)
+            data = json.loads(req.content)
+            versions = data["releases"].keys()
+            versions.sort()
+            version = versions[-1]
+            last_version._cache = (time.time(), version, True)
+            return version
+        except (
+            KeyError,
+            ValueError,
+            requests.exceptions.RequestException
+        ) as error: # pragma: no cover (should not happen unless pypi is not available)
+            logger.error(
+                "Unable to fetch %s: %s" % (settings.CAS_NEW_VERSION_JSON_URL, error)
+            )
+            last_version._cache = (time.time(), version, False)
diff --git a/requirements-dev.txt b/requirements-dev.txt
index d2d3902..241e789 100644
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@@ -9,3 +9,4 @@ requests>=2.4
 requests_futures>=0.9.5
 lxml>=3.4
 six>=1
+mock>=1
diff --git a/setup.py b/setup.py
index a8a5a8d..e33f30e 100644
--- a/setup.py
+++ b/setup.py
@@ -1,8 +1,7 @@
 import os
 import pkg_resources
 from setuptools import setup
-
-VERSION = '0.6.1'
+from cas_server import VERSION
 
 with open(os.path.join(os.path.dirname(__file__), 'README.rst')) as readme:
     README = readme.read()

From 3063cf116b17c47bc43323f08455745bee226420 Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Fri, 29 Jul 2016 14:55:52 +0200
Subject: [PATCH 04/31] few flake8 and python3 problems corrected

---
 cas_server/models.py            |  1 -
 cas_server/tests/test_models.py |  3 ++-
 cas_server/tests/test_view.py   |  4 ++--
 cas_server/tests/utils.py       | 11 +++++++----
 cas_server/utils.py             |  6 +++---
 5 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/cas_server/models.py b/cas_server/models.py
index 0c44f6f..4626cce 100644
--- a/cas_server/models.py
+++ b/cas_server/models.py
@@ -18,7 +18,6 @@ from django.contrib import messages
 from django.utils.translation import ugettext_lazy as _
 from django.utils import timezone
 from django.utils.encoding import python_2_unicode_compatible
-from django.core.exceptions import ValidationError
 from django.core.mail import send_mail
 
 import re
diff --git a/cas_server/tests/test_models.py b/cas_server/tests/test_models.py
index 29a9dd4..bb338dd 100644
--- a/cas_server/tests/test_models.py
+++ b/cas_server/tests/test_models.py
@@ -81,6 +81,7 @@ class FederatedUserTestCase(TestCase, UserModels, FederatedIendityProviderModel)
         self.assertIsNone(user._attributs)
         self.assertIsNone(user.attributs)
 
+
 class FederateSLOTestCase(TestCase, UserModels):
     """test for the federated SLO model"""
     def test_clean_deleted_sessions(self):
@@ -275,7 +276,7 @@ class TicketTestCase(TestCase, UserModels, BaseServicePattern):
         self.assertIsNone(ticket.attributs)
 
 
-@mock.patch("cas_server.utils.last_version", lambda:"1.2.3")
+@mock.patch("cas_server.utils.last_version", lambda: "1.2.3")
 @override_settings(ADMINS=[("Ano Nymous", "ano.nymous@example.net")])
 @override_settings(CAS_NEW_VERSION_EMAIL_WARNING=True)
 class NewVersionWarningTestCase(TestCase):
diff --git a/cas_server/tests/test_view.py b/cas_server/tests/test_view.py
index 3d561a6..3ae6d17 100644
--- a/cas_server/tests/test_view.py
+++ b/cas_server/tests/test_view.py
@@ -49,7 +49,7 @@ class LoginTestCase(TestCase, BaseServicePattern, CanLogin):
         self.setup_service_patterns()
 
     @override_settings(CAS_NEW_VERSION_HTML_WARNING=True)
-    @mock.patch("cas_server.utils.last_version", lambda:"1.2.3")
+    @mock.patch("cas_server.utils.last_version", lambda: "1.2.3")
     @mock.patch("cas_server.utils.VERSION", "0.1.2")
     def test_new_version_available_ok(self):
         client = Client()
@@ -57,7 +57,7 @@ class LoginTestCase(TestCase, BaseServicePattern, CanLogin):
         self.assertIn(b"A new version of the application is available", response.content)
 
     @override_settings(CAS_NEW_VERSION_HTML_WARNING=True)
-    @mock.patch("cas_server.utils.last_version", lambda:None)
+    @mock.patch("cas_server.utils.last_version", lambda: None)
     @mock.patch("cas_server.utils.VERSION", "0.1.2")
     def test_new_version_available_badpypi(self):
         client = Client()
diff --git a/cas_server/tests/utils.py b/cas_server/tests/utils.py
index d020724..d8c781b 100644
--- a/cas_server/tests/utils.py
+++ b/cas_server/tests/utils.py
@@ -16,10 +16,6 @@ import django
 from django.test import Client
 from django.template import loader
 from django.utils import timezone
-if django.VERSION < (1, 8):
-    from django.template import Context
-else:
-    Context = lambda x:x
 
 import cgi
 import six
@@ -33,6 +29,13 @@ from cas_server import models
 from cas_server import utils
 
 
+if django.VERSION < (1, 8):
+    from django.template import Context
+else:
+    def Context(arg):
+        return arg
+
+
 def return_unicode(string, charset):
     """make `string` a unicode if `string` is a unicode or bytes encoded with `charset`"""
     if not isinstance(string, six.text_type):
diff --git a/cas_server/utils.py b/cas_server/utils.py
index d842e4a..4d1a554 100644
--- a/cas_server/utils.py
+++ b/cas_server/utils.py
@@ -654,8 +654,8 @@ def last_version():
     else:
         try:
             req = requests.get(settings.CAS_NEW_VERSION_JSON_URL)
-            data = json.loads(req.content)
-            versions = data["releases"].keys()
+            data = json.loads(req.text)
+            versions = list(data["releases"].keys())
             versions.sort()
             version = versions[-1]
             last_version._cache = (time.time(), version, True)
@@ -664,7 +664,7 @@ def last_version():
             KeyError,
             ValueError,
             requests.exceptions.RequestException
-        ) as error: # pragma: no cover (should not happen unless pypi is not available)
+        ) as error:  # pragma: no cover (should not happen unless pypi is not available)
             logger.error(
                 "Unable to fetch %s: %s" % (settings.CAS_NEW_VERSION_JSON_URL, error)
             )

From 570676f5b01b2db7caaef3cf5446e32614ff0dbf Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Fri, 29 Jul 2016 15:11:43 +0200
Subject: [PATCH 05/31] fix some codacy errors

---
 cas_server/static/cas_server/alert-version.js | 14 ++++++++------
 cas_server/tests/test_models.py               |  4 ++++
 cas_server/tests/test_utils.py                |  7 +++++--
 cas_server/tests/test_view.py                 |  5 +++++
 cas_server/tests/utils.py                     |  5 +++++
 cas_server/utils.py                           |  4 +---
 6 files changed, 28 insertions(+), 11 deletions(-)

diff --git a/cas_server/static/cas_server/alert-version.js b/cas_server/static/cas_server/alert-version.js
index fb277a1..7b4fef5 100644
--- a/cas_server/static/cas_server/alert-version.js
+++ b/cas_server/static/cas_server/alert-version.js
@@ -1,6 +1,6 @@
 function alert_version(last_version){
     jQuery(function( $ ){
-        $('#alert-version').click(function( e ){
+        $("#alert-version").click(function( e ){
             e.preventDefault();
             var date = new Date();
             date.setTime(date.getTime()+(10*365*24*60*60*1000));
@@ -8,18 +8,20 @@ function alert_version(last_version){
             document.cookie = "cas-alert-version=" + last_version + expires + "; path=/";
         });
 
-        var nameEQ="cas-alert-version="
-        var ca = document.cookie.split(';');
+        var nameEQ="cas-alert-version=";
+        var ca = document.cookie.split(";");
         var value;
         for(var i=0;i < ca.length;i++) {
             var c = ca[i];
-            while (c.charAt(0)==' ')
+            while(c.charAt(0) === " "){
                 c = c.substring(1,c.length);
-            if (c.indexOf(nameEQ) == 0)
+            }
+            if(c.indexOf(nameEQ) === 0){
                 value = c.substring(nameEQ.length,c.length);
+            }
         }
         if(value === last_version){
-            $('#alert-version').parent().hide();
+            $("#alert-version").parent().hide();
         }
     });
 }
diff --git a/cas_server/tests/test_models.py b/cas_server/tests/test_models.py
index bb338dd..e0d417e 100644
--- a/cas_server/tests/test_models.py
+++ b/cas_server/tests/test_models.py
@@ -284,6 +284,7 @@ class NewVersionWarningTestCase(TestCase):
 
     @mock.patch("cas_server.models.VERSION", "0.1.2")
     def test_send_mails(self):
+        """test the send_mails method with ADMINS and a new version available"""
         models.NewVersionWarning.send_mails()
 
         self.assertEqual(len(mail.outbox), 1)
@@ -297,16 +298,19 @@ class NewVersionWarningTestCase(TestCase):
 
     @mock.patch("cas_server.models.VERSION", "1.2.3")
     def test_send_mails_same_version(self):
+        """test the send_mails method with with current version being the last"""
         models.NewVersionWarning.objects.create(version="0.1.2")
         models.NewVersionWarning.send_mails()
         self.assertEqual(len(mail.outbox), 0)
 
     @override_settings(ADMINS=[])
     def test_send_mails_no_admins(self):
+        """test the send_mails method without ADMINS"""
         models.NewVersionWarning.send_mails()
         self.assertEqual(len(mail.outbox), 0)
 
     @override_settings(CAS_NEW_VERSION_EMAIL_WARNING=False)
     def test_send_mails_disabled(self):
+        """test the send_mails method if disabled"""
         models.NewVersionWarning.send_mails()
         self.assertEqual(len(mail.outbox), 0)
diff --git a/cas_server/tests/test_utils.py b/cas_server/tests/test_utils.py
index d33d78c..e46459f 100644
--- a/cas_server/tests/test_utils.py
+++ b/cas_server/tests/test_utils.py
@@ -136,9 +136,12 @@ class CheckPasswordCase(TestCase):
         """test all the hex_HASH method: the hashed password is a simple hash of the password"""
         hashes = ["md5", "sha1", "sha224", "sha256", "sha384", "sha512"]
         hashed_password1 = []
-        for hash in hashes:
+        for hash_scheme in hashes:
             hashed_password1.append(
-                ("hex_%s" % hash, getattr(utils.hashlib, hash)(self.password1).hexdigest())
+                (
+                    "hex_%s" % hash_scheme,
+                    getattr(utils.hashlib, hash_scheme)(self.password1).hexdigest()
+                )
             )
         for (method, hp1) in hashed_password1:
             self.assertTrue(utils.check_password(method, self.password1, hp1, "utf8"))
diff --git a/cas_server/tests/test_view.py b/cas_server/tests/test_view.py
index 3ae6d17..80aa29c 100644
--- a/cas_server/tests/test_view.py
+++ b/cas_server/tests/test_view.py
@@ -52,6 +52,7 @@ class LoginTestCase(TestCase, BaseServicePattern, CanLogin):
     @mock.patch("cas_server.utils.last_version", lambda: "1.2.3")
     @mock.patch("cas_server.utils.VERSION", "0.1.2")
     def test_new_version_available_ok(self):
+        """test the new version info box"""
         client = Client()
         response = client.get("/login")
         self.assertIn(b"A new version of the application is available", response.content)
@@ -60,12 +61,16 @@ class LoginTestCase(TestCase, BaseServicePattern, CanLogin):
     @mock.patch("cas_server.utils.last_version", lambda: None)
     @mock.patch("cas_server.utils.VERSION", "0.1.2")
     def test_new_version_available_badpypi(self):
+        """
+            test the new version info box if pypi is not available (unable to retreive last version)
+        """
         client = Client()
         response = client.get("/login")
         self.assertNotIn(b"A new version of the application is available", response.content)
 
     @override_settings(CAS_NEW_VERSION_HTML_WARNING=False)
     def test_new_version_available_disabled(self):
+        """test the new version info box is disabled"""
         client = Client()
         response = client.get("/login")
         self.assertNotIn(b"A new version of the application is available", response.content)
diff --git a/cas_server/tests/utils.py b/cas_server/tests/utils.py
index d8c781b..b13874c 100644
--- a/cas_server/tests/utils.py
+++ b/cas_server/tests/utils.py
@@ -33,6 +33,11 @@ if django.VERSION < (1, 8):
     from django.template import Context
 else:
     def Context(arg):
+        """
+            Starting from django 1.8 render take a dict and deprecated the use of a Context.
+            So this is the identity function, only use for compatibility with django 1.7 where
+            render MUST take a Context as argument.
+        """
         return arg
 
 
diff --git a/cas_server/utils.py b/cas_server/utils.py
index 4d1a554..c6a56ef 100644
--- a/cas_server/utils.py
+++ b/cas_server/utils.py
@@ -64,9 +64,7 @@ def context(params):
         params["VERSION"] = VERSION
         params["LAST_VERSION"] = LAST_VERSION
         if LAST_VERSION is not None:
-            t_version = decode_version(VERSION)
-            t_last_version = decode_version(LAST_VERSION)
-            params["upgrade_available"] = t_version < t_last_version
+            params["upgrade_available"] = decode_version(VERSION) < decode_version(LAST_VERSION)
         else:
             params["upgrade_available"] = False
     return params

From 2cc31ce5f5dccb23ef9a816a0201029dbe31222d Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Fri, 29 Jul 2016 16:34:39 +0200
Subject: [PATCH 06/31] [cas.py] factor the charset detection in a function

---
 cas_server/cas.py | 26 +++++++++++---------------
 1 file changed, 11 insertions(+), 15 deletions(-)

diff --git a/cas_server/cas.py b/cas_server/cas.py
index 2c5178e..818cf0f 100644
--- a/cas_server/cas.py
+++ b/cas_server/cas.py
@@ -134,6 +134,14 @@ class CASClientBase(object):
                 raise CASError(errors[0].attrib['code'], errors[0].text)
         raise CASError("Bad http code %s" % response.code)
 
+    @staticmethod
+    def get_page_charset(page, default="utf-8"):
+        content_type = page.info().get('Content-type')
+        if content_type and "charset=" in content_type:
+            return content_type.split("charset=")[-1]
+        else:
+            return default
+
 
 class CASClientV1(CASClientBase, ReturnUnicode):
     """CAS Client Version 1"""
@@ -152,11 +160,7 @@ class CASClientV1(CASClientBase, ReturnUnicode):
         try:
             verified = page.readline().strip()
             if verified == b'yes':
-                content_type = page.info().get('Content-type')
-                if "charset=" in content_type:
-                    charset = content_type.split("charset=")[-1]
-                else:
-                    charset = "ascii"
+                charset = self.get_page_charset(page, default="ascii")
                 user = self.u(page.readline().strip(), charset)
                 return user, None, None
             else:
@@ -189,11 +193,7 @@ class CASClientV2(CASClientBase, ReturnUnicode):
         url = base_url + '?' + urllib_parse.urlencode(params)
         page = urllib_request.urlopen(url)
         try:
-            content_type = page.info().get('Content-type')
-            if "charset=" in content_type:
-                charset = content_type.split("charset=")[-1]
-            else:
-                charset = "ascii"
+            charset = self.get_page_charset(page)
             return (page.read(), charset)
         finally:
             page.close()
@@ -306,11 +306,7 @@ class CASClientWithSAMLV1(CASClientV2, SingleLogoutMixin):
             from elementtree import ElementTree
 
         page = self.fetch_saml_validation(ticket)
-        content_type = page.info().get('Content-type')
-        if "charset=" in content_type:
-            charset = content_type.split("charset=")[-1]
-        else:
-            charset = "ascii"
+        charset = self.get_page_charset(page)
 
         try:
             user = None

From 34118833bfb6fda8e9145bcb59f53deb703a14da Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Fri, 29 Jul 2016 16:35:21 +0200
Subject: [PATCH 07/31] Display an error message on bad response from identity
 provider in federate mode. fix #7.

If the identity provider CAS do not return an XML document as specified on ticket validation,
an XML parsing error is raised. We now catch it and display a message to the user.
---
 cas_server/tests/test_federate.py | 15 +++++++-
 cas_server/views.py               | 62 ++++++++++++++++++++-----------
 2 files changed, 54 insertions(+), 23 deletions(-)

diff --git a/cas_server/tests/test_federate.py b/cas_server/tests/test_federate.py
index 3731dc5..324f0bc 100644
--- a/cas_server/tests/test_federate.py
+++ b/cas_server/tests/test_federate.py
@@ -183,7 +183,8 @@ class FederateAuthLoginLogoutTestCase(
         """
             The federated view should redirect to /login if the provider is unknown or not provided,
             try to fetch a new ticket if the provided ticket validation fail
-            (network error or bad ticket)
+            (network error or bad ticket), redirect to /login with a error message if identity
+            provider CAS return a bad response (invalid XML document)
         """
         good_provider = "example.com"
         bad_provider = "exemple.fr"
@@ -229,6 +230,18 @@ class FederateAuthLoginLogoutTestCase(
             'http://testserver' if django.VERSION < (1, 9) else ""
         ))
 
+        # test CAS avaible but return a bad XML doc, should redirect to /login with a error message
+        # use "example.net" as it is CASv3
+        tests_utils.HttpParamsHandler.run(8082)
+        response = client.get("/federate/%s" % "example.net", {'ticket': utils.gen_st()})
+        self.assertEqual(response.status_code, 302)
+        self.assertEqual(response["Location"], "%s/login" % (
+            'http://testserver' if django.VERSION < (1, 9) else ""
+        ))
+        response = client.get("/login")
+        self.assertEqual(response.status_code, 200)
+        self.assertIn(b"Invalid response from your identity provider CAS", response.content)
+
     def test_auth_federate_slo(self):
         """test that SLO receive from backend CAS log out the users"""
         # get tickets and connected clients
diff --git a/cas_server/views.py b/cas_server/views.py
index 0a3b24f..93c6a47 100644
--- a/cas_server/views.py
+++ b/cas_server/views.py
@@ -312,31 +312,49 @@ class FederateAuth(View):
                 return HttpResponseRedirect(auth.get_login_url())
             else:
                 ticket = request.GET['ticket']
-                # if the ticket validation succeed
-                if auth.verify_ticket(ticket):
-                    logger.info(
-                        "Got a valid ticket for %s from %s" % (
-                            auth.username,
-                            auth.provider.server_url
+                try:
+                    # if the ticket validation succeed
+                    if auth.verify_ticket(ticket):
+                        logger.info(
+                            "Got a valid ticket for %s from %s" % (
+                                auth.username,
+                                auth.provider.server_url
+                            )
                         )
-                    )
-                    params = utils.copy_params(request.GET, ignore={"ticket"})
-                    request.session["federate_username"] = auth.federated_username
-                    request.session["federate_ticket"] = ticket
-                    auth.register_slo(auth.federated_username, request.session.session_key, ticket)
-                    # redirect to the the login page for the user to become authenticated
-                    # thanks to the `federate_username` and `federate_ticket` session parameters
-                    url = utils.reverse_params("cas_server:login", params)
-                    return HttpResponseRedirect(url)
-                # else redirect to the identity provider CAS login page
-                else:
-                    logger.info(
-                        "Got a invalid ticket for %s from %s. Retrying to authenticate" % (
-                            auth.username,
-                            auth.provider.server_url
+                        params = utils.copy_params(request.GET, ignore={"ticket"})
+                        request.session["federate_username"] = auth.federated_username
+                        request.session["federate_ticket"] = ticket
+                        auth.register_slo(
+                            auth.federated_username,
+                            request.session.session_key,
+                            ticket
                         )
+                        # redirect to the the login page for the user to become authenticated
+                        # thanks to the `federate_username` and `federate_ticket` session parameters
+                        url = utils.reverse_params("cas_server:login", params)
+                        return HttpResponseRedirect(url)
+                    # else redirect to the identity provider CAS login page
+                    else:
+                        logger.info(
+                            "Got a invalid ticket for %s from %s. Retrying to authenticate" % (
+                                auth.username,
+                                auth.provider.server_url
+                            )
+                        )
+                        return HttpResponseRedirect(auth.get_login_url())
+                # both xml.etree.ElementTree and lxml.etree exceptions inherit from SyntaxError
+                except SyntaxError as error:
+                    messages.add_message(
+                        request,
+                        messages.ERROR,
+                        _(
+                            u"Invalid response from your identity provider CAS upon "
+                            u"ticket %s validation: %r"
+                        ) % (ticket, error)
                     )
-                    return HttpResponseRedirect(auth.get_login_url())
+                    response = redirect("cas_server:login")
+                    response.delete_cookie("_remember_provider")
+                    return response
         except FederatedIendityProvider.DoesNotExist:
             logger.warning("Identity provider suffix %s not found" % provider)
             # if the identity provider is not found, redirect to the login page

From fe90b7fed0007a0d92b97f80ef765be7caea025b Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Fri, 29 Jul 2016 16:51:46 +0200
Subject: [PATCH 08/31] Since we drop django-boostrap3 dependancies, Django
 default minimal version is 1.7

---
 requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements.txt b/requirements.txt
index 3e1c140..23dbf75 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,4 +1,4 @@
-Django >= 1.8,<1.10
+Django >= 1.7,<1.10
 setuptools>=5.5
 requests>=2.4
 requests_futures>=0.9.5

From 3d0f2496dd930639398207f9283d1ccee3846921 Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Sat, 30 Jul 2016 00:46:57 +0200
Subject: [PATCH 09/31] Put favicon (shortcut icon) URL in settings

---
 README.rst                                | 2 ++
 cas_server/default_settings.py            | 2 ++
 cas_server/templates/cas_server/base.html | 2 +-
 3 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/README.rst b/README.rst
index 9cb5573..85a4427 100644
--- a/README.rst
+++ b/README.rst
@@ -163,6 +163,8 @@ Template settings
 
 * ``CAS_LOGO_URL``: URL to the logo showed in the up left corner on the default
   templates. Set it to ``False`` to disable it.
+* ``CAS_FAVICON_URL``: URL to the favicon (shortcut icon) used by the default templates.
+  Default is a key icon. Set it to ``False`` to disable it.
 * ``CAS_COMPONENT_URLS``: URLs to css and javascript external components. It is a dictionnary
   and it must have the five following keys: ``"bootstrap3_css"``, ``"bootstrap3_js"``,
   ``"html5shiv"``, ``"respond"``, ``"jquery"``. The default is::
diff --git a/cas_server/default_settings.py b/cas_server/default_settings.py
index 69a2fdf..ed9efc2 100644
--- a/cas_server/default_settings.py
+++ b/cas_server/default_settings.py
@@ -18,6 +18,8 @@ from importlib import import_module
 
 #: URL to the logo showed in the up left corner on the default templates.
 CAS_LOGO_URL = static("cas_server/logo.png")
+#: URL to the favicon (shortcut icon) used by the default templates. Default is a key icon.
+CAS_FAVICON_URL = static("cas_server/favicon.ico")
 #: URLs to css and javascript external components.
 CAS_COMPONENT_URLS = {
     "bootstrap3_css": "//maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css",
diff --git a/cas_server/templates/cas_server/base.html b/cas_server/templates/cas_server/base.html
index 5abc8bd..87b9a6d 100644
--- a/cas_server/templates/cas_server/base.html
+++ b/cas_server/templates/cas_server/base.html
@@ -14,7 +14,7 @@
         <script src="{{settings.CAS_COMPONENT_URLS.html5shiv}}"></script>
         <script src="{{settings.CAS_COMPONENT_URLS.respond}}"></script>
         <![endif]-->
-        <link rel="shortcut icon" href="{% static "cas_server/favicon.ico?v=1" %}" />
+        {% if settings.CAS_FAVICON_URL %}<link rel="shortcut icon" href="{{settings.CAS_FAVICON_URL}}" />{% endif %}
         <link href="{% static "cas_server/styles.css" %}" rel="stylesheet">
     </head>
     <body>

From b45f8df09e1dd763576c2b116ef282f96e4bb81c Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Sat, 30 Jul 2016 01:31:43 +0200
Subject: [PATCH 10/31] Remove english "translation" and use full english text
 in the sources. Update french translation.

---
 cas_server/forms.py                         |  16 +-
 cas_server/locale/en/LC_MESSAGES/django.mo  | Bin 6105 -> 0 bytes
 cas_server/locale/en/LC_MESSAGES/django.po  | 371 --------------------
 cas_server/locale/fr/LC_MESSAGES/django.mo  | Bin 8496 -> 9574 bytes
 cas_server/locale/fr/LC_MESSAGES/django.po  | 243 +++++++------
 cas_server/models.py                        |  16 +-
 cas_server/templates/cas_server/logged.html |   2 +-
 cas_server/tests/test_view.py               |   6 +-
 cas_server/views.py                         |  10 +-
 9 files changed, 169 insertions(+), 495 deletions(-)
 delete mode 100644 cas_server/locale/en/LC_MESSAGES/django.mo
 delete mode 100644 cas_server/locale/en/LC_MESSAGES/django.po

diff --git a/cas_server/forms.py b/cas_server/forms.py
index 2f18ed9..2e554bb 100644
--- a/cas_server/forms.py
+++ b/cas_server/forms.py
@@ -82,7 +82,10 @@ class FederateSelect(BootsrapForm):
     #: A checkbox to remember the user choices of :attr:`provider<FederateSelect.provider>`
     remember = forms.BooleanField(label=_('Remember the identity provider'), required=False)
     #: A checkbox to ask to be warn before emiting a ticket for another service
-    warn = forms.BooleanField(label=_('warn'), required=False)
+    warn = forms.BooleanField(
+        label=_('Warn me before logging me into other sites.'),
+        required=False
+    )
     #: Is the service asking the authentication renewal ?
     renew = forms.BooleanField(widget=forms.HiddenInput(), required=False)
 
@@ -94,7 +97,7 @@ class UserCredential(BootsrapForm):
          Form used on the login page to retrive user credentials
      """
     #: The user username
-    username = forms.CharField(label=_('login'))
+    username = forms.CharField(label=_('username'))
     #: The service url for which the user want a ticket
     service = forms.CharField(label=_('service'), widget=forms.HiddenInput(), required=False)
     #: The user password
@@ -103,7 +106,10 @@ class UserCredential(BootsrapForm):
     lt = forms.CharField(widget=forms.HiddenInput(), required=False)
     method = forms.CharField(widget=forms.HiddenInput(), required=False)
     #: A checkbox to ask to be warn before emiting a ticket for another service
-    warn = forms.BooleanField(label=_('warn'), required=False)
+    warn = forms.BooleanField(
+        label=_('Warn me before logging me into other sites.'),
+        required=False
+    )
     #: Is the service asking the authentication renewal ?
     renew = forms.BooleanField(widget=forms.HiddenInput(), required=False)
 
@@ -124,7 +130,9 @@ class UserCredential(BootsrapForm):
         if auth.test_password(cleaned_data.get("password")):
             cleaned_data["username"] = auth.username
         else:
-            raise forms.ValidationError(_(u"Bad user"))
+            raise forms.ValidationError(
+                _(u"The credentials you provided cannot be determined to be authentic.")
+            )
         return cleaned_data
 
 
diff --git a/cas_server/locale/en/LC_MESSAGES/django.mo b/cas_server/locale/en/LC_MESSAGES/django.mo
deleted file mode 100644
index 8a9dda44316919636e9d665a5eb9f42f8da97fcf..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 6105
zcmeI0OKc=Z8GwrrLSi0)gzzR?3+vds@w6YiSsTZ;;@$PGEWE7oItdSJp{Bb$)7hTx
zNmaLJ4FQD%3Q{=00Y&1HTtFNUFF_<E1P3mh5l4j33M2#)0ugcM`@4I_<Fyrn7C0cc
zRP(vJtE&H3{q>iBd*7X3S6s8S_tSp;I;B?OS6<H#*Z1#K>P7ei_*M9^Hz@Tyyb0e4
z)4P=VA^Z}QIp*G|)DrC0{2n~Z{a@hSaFm}1VE|?PW%wQ#!TaDB>gQjB@8$m6Q2PG@
zz8&6#?|`qsMR?CWN*#ljAR?$1L^PGw_c@&7{&VnA_#+s=zrwe`V<Sp6U<1l`J_W@N
zpM@gd3-Dg}U3dom49fTZ4n>ap-&AoNB9dB!GXF&=@)l6^dJc+Q-+-7>y#z17Z^CQv
zPf*6MzF8?ur8c14e-g^L5WW@0_4^x8<arjJf<J~b@9&_+hkt<Lw~sJL{Pt(~JbVUa
zM6bKwR{8B16u<onF2NCm7Oq0^+n3=v_;V=sxdUZn{BbCLn}ed?M*ZAE@!K;{`o91f
zs$PZ<!(T%2+bdA)ICH;JzlR%8^qj@0;>SfOe!Bq0Z=Z)^*PlS~+aIC$?H^FSbK-%@
zZ|9-N_ZcXD>%lYdIVj)zDP)NHP0hbSvGZLFlKJn2BJUDJM70j(eF(+A2^7CQ4X?qM
z>-P`5tMc1}Q2IXvMW0EC>D43k`wLLyS%c!YFTx4<9f;c$VL7;PiF$}esFkvO0G_6e
z(j-Ru*CX{G?}IX@T%yAmO?1A4CbFEMou!?m4PVpTNX%;*VWTE#Gc@so$S&7$8X>CQ
zO%uQOFVR)(KUF^v8_6|G6TQZ15)a}F@jq@>sH*DpqCUjmVh_2*uj11W%1wRYp3*Pk
zGfb`2Li_a6TGq;nT>Bynt@qnSvM|ZhPh^E|n;kp!JlWMr)@s>EOaE<`b@Zs$o<VVz
zdYx_SylwS)o950Wdb!{(&EwGIyw+E(+lfOP=!=<SOjx)$-__0<&)5lVZ^XIY%?hV`
zwyB#g>v`*f+m`QtEKtunt4)Gd(Lr1N$7Na8sp(j~jX`B@3?>#<%UHElB*tOXuB*JG
zJ0=g?aoXzl@_~LbP7+=C!X%|*v+G_b@pY@muC?>L>*psYeb%vCfy`^&RuE>L$*#%U
zlfkJIW5Kf5cr5nX9P+sd?YlONiGr|goC$O5bf@sSZdz@9Xu8BuFV5Qx9@`oV)N*>r
zB*<Ke+-sZM>(nwR&twW`yNL;Hq;83^w(-2SGTGBb?C9Uz?JKND$HiJFy&fMOFI;lc
zpS*Rrv#ISN^J^Q8)cYg+wGKOHBFt``di9l}&L`HSI<kq)(WJl3>c?3U>1`WXXXK?!
z=ZD_pE)K8ToJU!j+AtTp4Ts1|YMP1FSJ$o_h@KVah^L6<xfd+5>}AQ1dbJwKnr7v8
zUA7bReYKkIm?Vy*Pn>GjJ0DhSafj#-vC0r7#Ij!HzHq-pNlaAKbKx#49Tgc#6WD_+
z!*JaZPga>m-jjs{aVo!bR3DY4P^Tc1V}PdQC{*dS<FH+7kDP@a#9<vohYu8cIg@(P
zf}rXvLZ0e$QGT(~_VBUQ2g`70-Nf723W2bMTF0Z_%2<uy>n^*oTN}*l5MLA8xI1Q4
zWvgMAZP<?OG+9UT5X0Z%g{#%#C(6s%)+s5swtAojFIh!<&j*kD;%zeXz;vVI+p$d|
z)(dM~)?OtNmOui-c2Q@W$N8gL<*0}=<8c2+<b4?f!(TouXQ=+CRc#7B6^ZeU#0QoN
z(Why`>k`bhne_UlO?A*12cCF^%`v$MQvOJ!VDSDYWlC?;GQSKNeL@_sPnBULG1%{J
zeKkpuvH*qxtpA?eMsK|7+gWe_(hCL=6xnT4Bzcv?ZwXx0HQx6!7x70GI^E32vX83L
z7S->-BB~$DHHQ-agl@U4=wd~7CK7L6K(gZ2^n~7;(Kny{mO{sWwMzTW?iq<<mpw&J
zX{<(#CrCR8HP6ic)6&Vhkqz6;T;90sTXEDlSG0U%Gn>~V>sK}#=h+xViN*!8*1VpX
znm*f@nr%#-(bKc@r_Vk-H8V9u$Hs=;iDlly`+d0Tw`P3a*px+@m^^dy`U#WBs-V;`
zo!IFGmV0?0c)5Qpl&(SMT1z8qCT$g_WgDB;bmn#R6!)24SX+B6iTC%I*ESuwyn1<M
zPu1yQYJ{|!Gk0Tiw~HRRy^&9{BgN^X<x222UwnM?Vq<QvpL~1Uy2eTxW)YcnUe7h-
zeB|SeOYAx1aFKsKvk~cLI+zRQMsB<EIjYR|m9j^bS+#i{Rc3>YQZ|F(axhS`0fy|o
zk~U1@<vg-io3JaTSy{nG6lAUwr`3)~nm7GIF!(>N=_YiyDqoz<9d%1q*FgW>Qm;Os
z>Q&PEzi~i~(|X%|^%^@^Xu8Rz!%w8Owv?Cp3Z<l>I#@aEkjnngi9<p~w%903iHGte
zJybyZs%ENB2z&8T?uN&Y3fZCK#MQz2JSt=lmbQLStsT{}w^_^TCn;v-nAx-(6U$Q>
VM}+d=S!R!ng8=`jigW7&^-nj7FsT3l

diff --git a/cas_server/locale/en/LC_MESSAGES/django.po b/cas_server/locale/en/LC_MESSAGES/django.po
deleted file mode 100644
index 6d4de34..0000000
--- a/cas_server/locale/en/LC_MESSAGES/django.po
+++ /dev/null
@@ -1,371 +0,0 @@
-# SOME DESCRIPTIVE TITLE.
-# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
-# This file is distributed under the same license as the PACKAGE package.
-# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
-#
-msgid ""
-msgstr ""
-"Project-Id-Version: cas_server\n"
-"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2016-07-04 17:36+0200\n"
-"PO-Revision-Date: 2016-07-04 17:39+0200\n"
-"Last-Translator: Valentin Samir <valentin.samir@crans.org>\n"
-"Language-Team: django <LL@li.org>\n"
-"Language: en\n"
-"MIME-Version: 1.0\n"
-"Content-Type: text/plain; charset=UTF-8\n"
-"Content-Transfer-Encoding: 8bit\n"
-"X-Generator: Poedit 1.8.8\n"
-
-#: apps.py:19 templates/cas_server/base.html:3
-#: templates/cas_server/base.html:20
-msgid "Central Authentication Service"
-msgstr "Central Authentication Service"
-
-#: forms.py:43
-msgid "Identity provider"
-msgstr "Identity provider"
-
-#: forms.py:45 forms.py:55 forms.py:106
-msgid "service"
-msgstr ""
-
-#: forms.py:47
-msgid "Remember the identity provider"
-msgstr "Remember the identity provider"
-
-#: forms.py:48 forms.py:59
-msgid "warn"
-msgstr " Warn me before logging me into other sites."
-
-#: forms.py:54
-msgid "login"
-msgstr "username"
-
-#: forms.py:56
-msgid "password"
-msgstr "password"
-
-#: forms.py:71
-msgid "Bad user"
-msgstr "The credentials you provided cannot be determined to be authentic."
-
-#: forms.py:96
-msgid "User not found in the temporary database, please try to reconnect"
-msgstr ""
-
-#: management/commands/cas_clean_federate.py:20
-msgid "Clean old federated users"
-msgstr "Clean old federated users"
-
-#: management/commands/cas_clean_sessions.py:22
-msgid "Clean deleted sessions"
-msgstr "Clean deleted sessions"
-
-#: management/commands/cas_clean_tickets.py:22
-msgid "Clean old trickets"
-msgstr "Clean old trickets"
-
-#: models.py:42
-msgid "identity provider"
-msgstr "identity provider"
-
-#: models.py:43
-msgid "identity providers"
-msgstr "identity providers"
-
-#: models.py:47
-msgid "suffix"
-msgstr ""
-
-#: models.py:48
-msgid ""
-"Suffix append to backend CAS returner username: `returned_username`@`suffix`"
-msgstr ""
-
-#: models.py:50
-msgid "server url"
-msgstr ""
-
-#: models.py:59
-msgid "CAS protocol version"
-msgstr ""
-
-#: models.py:60
-msgid ""
-"Version of the CAS protocol to use when sending requests the the backend CAS"
-msgstr ""
-
-#: models.py:65
-msgid "verbose name"
-msgstr ""
-
-#: models.py:66
-msgid "Name for this identity provider displayed on the login page"
-msgstr ""
-
-#: models.py:70 models.py:317
-msgid "position"
-msgstr "position"
-
-#: models.py:80
-msgid "display"
-msgstr ""
-
-#: models.py:81
-msgid "Display the provider on the login page"
-msgstr ""
-
-#: models.py:164
-msgid "User"
-msgstr ""
-
-#: models.py:165
-msgid "Users"
-msgstr ""
-
-#: models.py:234
-#, python-format
-msgid "Error during service logout %s"
-msgstr "Error during service logout %s"
-
-#: models.py:312
-msgid "Service pattern"
-msgstr "Service pattern"
-
-#: models.py:313
-msgid "Services patterns"
-msgstr ""
-
-#: models.py:318
-msgid "service patterns are sorted using the position attribute"
-msgstr ""
-
-#: models.py:325 models.py:449
-msgid "name"
-msgstr "name"
-
-#: models.py:326
-msgid "A name for the service"
-msgstr "A name for the service"
-
-#: models.py:331 models.py:478 models.py:497
-msgid "pattern"
-msgstr "pattern"
-
-#: models.py:333
-msgid ""
-"A regular expression matching services. Will usually looks like '^https://"
-"some\\.server\\.com/path/.*$'.As it is a regular expression, special "
-"character must be escaped with a '\\'."
-msgstr ""
-"A regular expression matching services. Will usually looks like '^https://"
-"some\\.server\\.com/path/.*$'.As it is a regular expression, special "
-"character must be escaped with a '\\'."
-
-#: models.py:342
-msgid "user field"
-msgstr ""
-
-#: models.py:343
-msgid "Name of the attribut to transmit as username, empty = login"
-msgstr "Name of the attribut to transmit as username, empty = login"
-
-#: models.py:347
-msgid "restrict username"
-msgstr ""
-
-#: models.py:348
-msgid "Limit username allowed to connect to the list provided bellow"
-msgstr "Limit username allowed to connect to the list provided bellow"
-
-#: models.py:352
-msgid "proxy"
-msgstr "proxy"
-
-#: models.py:353
-msgid "Proxy tickets can be delivered to the service"
-msgstr "Proxy tickets can be delivered to the service"
-
-#: models.py:357
-msgid "proxy callback"
-msgstr "proxy callback"
-
-#: models.py:358
-msgid "can be used as a proxy callback to deliver PGT"
-msgstr "can be used as a proxy callback to deliver PGT"
-
-#: models.py:362
-msgid "single log out"
-msgstr ""
-
-#: models.py:363
-msgid "Enable SLO for the service"
-msgstr "Enable SLO for the service"
-
-#: models.py:370
-msgid "single log out callback"
-msgstr ""
-
-#: models.py:371
-msgid ""
-"URL where the SLO request will be POST. empty = service url\n"
-"This is usefull for non HTTP proxied services."
-msgstr ""
-
-#: models.py:433
-msgid "username"
-msgstr ""
-
-#: models.py:434
-msgid "username allowed to connect to the service"
-msgstr "username allowed to connect to the service"
-
-#: models.py:450
-msgid "name of an attribut to send to the service, use * for all attributes"
-msgstr "name of an attribut to send to the service, use * for all attributes"
-
-#: models.py:455 models.py:503
-msgid "replace"
-msgstr "replace"
-
-#: models.py:456
-msgid ""
-"name under which the attribut will be showto the service. empty = default "
-"name of the attribut"
-msgstr ""
-"name under which the attribut will be showto the service. empty = default "
-"name of the attribut"
-
-#: models.py:473 models.py:492
-msgid "attribut"
-msgstr "attribut"
-
-#: models.py:474
-msgid "Name of the attribut which must verify pattern"
-msgstr "Name of the attribut which must verify pattern"
-
-#: models.py:479
-msgid "a regular expression"
-msgstr "a regular expression"
-
-#: models.py:493
-msgid "Name of the attribut for which the value must be replace"
-msgstr "Name of the attribut for which the value must be replace"
-
-#: models.py:498
-msgid "An regular expression maching whats need to be replaced"
-msgstr "An regular expression maching whats need to be replaced"
-
-#: models.py:504
-msgid "replace expression, groups are capture by \\1, \\2 …"
-msgstr "replace expression, groups are capture by \\1, \\2 …"
-
-#: templates/cas_server/logged.html:6
-msgid "Logged"
-msgstr ""
-"<h3>Log In Successful</h3>You have successfully logged into the Central "
-"Authentication Service.<br/>For security reasons, please Log Out and Exit "
-"your web browser when you are done accessing services that require "
-"authentication!"
-
-#: templates/cas_server/logged.html:10
-msgid "Log me out from all my sessions"
-msgstr "Log me out from all my sessions"
-
-#: templates/cas_server/logged.html:13
-msgid "Logout"
-msgstr "Logout"
-
-#: templates/cas_server/login.html:8
-msgid "Please log in"
-msgstr "Please log in"
-
-#: templates/cas_server/login.html:13
-msgid "Login"
-msgstr "Login"
-
-#: templates/cas_server/warn.html:10
-msgid "Connect to the service"
-msgstr "Connect to the service"
-
-#: views.py:152
-msgid ""
-"<h3>Logout successful</h3>You have successfully logged out from the Central "
-"Authentication Service. For security reasons, exit your web browser."
-msgstr ""
-"<h3>Logout successful</h3>You have successfully logged out from the Central "
-"Authentication Service. For security reasons, exit your web browser."
-
-#: views.py:158
-#, python-format
-msgid ""
-"<h3>Logout successful</h3>You have successfully logged out from %s sessions "
-"of the Central Authentication Service. For security reasons, exit your web "
-"browser."
-msgstr ""
-"<h3>Logout successful</h3>You have successfully logged out from %s sessions "
-"of the Central Authentication Service. For security reasons, exit your web "
-"browser."
-
-#: views.py:165
-msgid ""
-"<h3>Logout successful</h3>You were already logged out from the Central "
-"Authentication Service. For security reasons, exit your web browser."
-msgstr ""
-"<h3>Logout successful</h3>You were already logged out from the Central "
-"Authentication Service. For security reasons, exit your web browser."
-
-#: views.py:349
-msgid "Invalid login ticket"
-msgstr "Invalid login ticket, please retry to login"
-
-#: views.py:470
-#, python-format
-msgid "Authentication has been required by service %(name)s (%(url)s)"
-msgstr "Authentication has been required by service %(name)s (%(url)s)"
-
-#: views.py:508
-#, python-format
-msgid "Service %(url)s non allowed."
-msgstr "Service %(url)s non allowed."
-
-#: views.py:515
-msgid "Username non allowed"
-msgstr "Username non allowed"
-
-#: views.py:522
-msgid "User charateristics non allowed"
-msgstr "User charateristics non allowed"
-
-#: views.py:529
-#, python-format
-msgid "The attribut %(field)s is needed to use that service"
-msgstr "The attribut %(field)s is needed to use that service"
-
-#: views.py:599
-#, python-format
-msgid "Authentication renewal required by service %(name)s (%(url)s)."
-msgstr "Authentication renewal required by service %(name)s (%(url)s)."
-
-#: views.py:606
-#, python-format
-msgid "Authentication required by service %(name)s (%(url)s)."
-msgstr "Authentication required by service %(name)s (%(url)s)."
-
-#: views.py:613
-#, python-format
-msgid "Service %s non allowed"
-msgstr "Service %s non allowed"
-
-#~ msgid ""
-#~ "Error during service logout %(service)s:\n"
-#~ "%(error)s"
-#~ msgstr ""
-#~ "Error during service logout %(service)s:\n"
-#~ "%(error)s"
-
-#~ msgid "Successfully logout"
-#~ msgstr ""
-#~ "<h3>Logout successful</h3>You have successfully logged out of the Central "
-#~ "Authentication Service.</br>For security reasons, exit your web browser."
diff --git a/cas_server/locale/fr/LC_MESSAGES/django.mo b/cas_server/locale/fr/LC_MESSAGES/django.mo
index cd54e7aeb82557f437c101613f1562769afc3463..6d5f83a00e705097d3b638b3b6e59b2e00407cd4 100644
GIT binary patch
delta 2846
zcmZXUTWl3Y7{}*eZ&FHumRqSXm1_YHmqNL<NGYf#g#sli8bi0|%xSlr?v~v>r3CfF
z#3+V%i5p*xmuQFqA$U2#7&Q^ChQuh*7ZV@!!5GvRB;FEG6Mx^HZ6P{2v%i_ynb~jt
z-+#`VTQBX%e>bh<IYrq)t*2%uC}rRWB|Ip*%ar;7?tw4E=5nQ;fnUSpu&+X?8Sppw
zESz|=Qg6c-;X1f`qEegTv6vTNGySqkrD~PRt5zCw8Q2SDqeF1EEP&JCtMT|bxS0Ou
zunztXWnJ|orKZ9pTn4wm2VfSq!p|VFtBNY6N?|pW{&d*F_f<WO4Gip$29yfn3i@9{
zeo9SN>NWwC54J#2>V7BzkHBj9G?YMIhTZTjxE7Z3ax2^f2jIg{#Qhm+zOOFRXoJ;L
zB1zO9D3NC1PMC#qviIWmmmun@zhDxU@>Q~-)<6lMg@-7&3(AKqxE*HT0eA+IEj5Wr
zd09A}h78;S<-?1hj4y|4;2OvpWkb@Zj>hjFgX`%(1x3;e@%xKV_WK4dh2KN6psH$6
zDM9++uk>H9MgMa&UYxGfYp@$VPr++Yq&+cHsk88Xco`1NQfeFAk3sgpm!L>{1#W^(
z7=tOwg}1_EumPTiqTm;hpSsF}EmiFt^cRyXpTp_l0BnKBpiKA_w!?3s4I4=Oz3@0p
zaFQROq~a2b$)dUf?|@<y+2>A}f{#K8;3vpgRqec@H<spUEMlMsin||&67d_5^s28Q
z>Z$MHA@~Or1^RUH<Y(ZM^nZbs@F5n<hn|4<z;lpSstP$I1xeTsH$h2l{saw?<QphC
z`yFnC|HS?E^NUKfK~z@z;Z4woJK*7%AHyie3yL19gR-BF`;AcEuYkA17RXuh>OmTl
z8F&GT=}tolpb+;jLowf<F)J1pO;-m+nQoYX64XknloDz?RX!+kZ>LHTrKPYWD)Z$2
zj}^&x6IIesO6{PEq*YY$hMY!9V-eARgajaEEmeZX4$<kBLs7MrDn1a8Y^5ftH<oSk
zeNE*?M1L+I`m<Rj4T^X`42A!qA|{iYA*pDKMlcy{j@y#^Ez~7(e*+Zt$Yyjy*1<CB
zT~sM{5yfjGcUw{*cUFqzSMK)&s-%bvM1@pGrGe+_xV;&Qp~edT?Hs+oX>+IBr#l?o
z9k!M&E3uux4X2bZC~fKWR%{MGDxWbhlr@%bv`p*D1=@1bdi#hS=p$~<(}zv3?)BWm
zzM<W392wP?XLQ<ijJ8rK<NLPLr+GhY)6qe{6==^K%Gpe^asg`sJ7op7>okN``Mg3`
z*}I9nV-D+K<N1tgH^U<44h?1FiQ4wHHEh{gt2b+sdS5?%+wlX-Ng3_s9A7V7a`*PV
z-5p)K8ktGJvO(7JgYivSv2aOeTlc;L;}es5ck!etcdFytX-<?I>hr8L@h1x<6|W@1
zvp1hhB*WB1E5BUFvUn!&j_APES+~!2REINcW$iR4^oLvr*)pCxSd@w#Icji34|(oz
zw0(P9H=p2$C~(jOL{w}LbhJyP%0`Bb=eb^^r#kIHgwOdVyf|@vxTvyoW>W342F<ue
zLEzcFxxj>vS8hm{@O)(p&%Z0Lw5Da1=P-Ap?&%@uoadPIfw94!9=(NeKbOhaBRxGy
zwNDfu->splajT4^JQE$l%KA~F<CCOy%5oex(7oi{1jZY**<3_nU_8gku%qf|A{Bm8
z^<igH-D7!<Ch}gBad86bAzz=2hy}Gv#ysuYf$@{dLe9Qi*7CF&8A4gHg}NTyE0Z6X
zEhkg*5GgF@hS=+?yAq~wuzGhQJU?YmMbk>Xa@EGwYs1-7b=+xMS!kQOD-r%uli7*Q
zywQ_lFW2^T#&&F-UW|=LPl+Eaj^|(Za@q`HF3TY$V)od~nK73(6uPF(pOAOl+_1@J
z&A9i{9Cz`Jb~YF@ZHr;-$k6R32t<e2(Ye6R+E^)Tjc;+IzcCJP2+y%cPa@^my^&q<
z__F_)e5dhJ9Ey2v&PQ*OOze7q+ng*6)|O2O-<fe0m%lOd-I~3lr;0ANi?$}cVcT52
zmUMZ(>>(kE-y^5$bngF7zHZ;p%(}l+{&3pE$u)}#(`Gj(YLd#~dK3kT-4@<gcRVpt
j__6Mh1X1+Y-x2yV+6!mv3(~!&o5S9@&lf7@{g(I_DRwYE

delta 2031
zcmYk+Yitx%6u|K_^i5k!TS_S{Wo&uKV_^%l3uTM7MQjN|MH5H}+HH4Q*0i%^cB@E&
z8w25kjlp>12SbFUQ6fnx4I3Jw31X0_#7CNFqQ>|EMKO&?gb!AY@qf0HhMPV6n>#ym
z@11kc>@PdU+fqN4Wxpx3PNIg0&Jl^=Xf|K8V6Mm+Y{1uX5{I!TPh<h!!HbxaFA~Db
zxE1gEt}75}qVFQ7<XxPPV^}Mal4~63KsT`pr?Cvn=gyp8j?3w{;3AA7H%bai@igjy
z<Jf}NaS3J>im+Cx#~fVc_k*~Feh4=)za;z<qqvqIZeuZ47KsFK8R~>jqh`oMUGPaP
z!Lz6fnZTX+DQ?6H26-NLpeFMY>cZZ~$MAcc&-_yJ(98-OPzMO1KGAX1l)Z&(aRkY>
zOrlQs9cregP@nKW)QPfL)ix}^XK@$mIOkFCpYZ!vFr_zs;{Wgk>dL=ConY=f0&7rj
zT!EW#9cpS1`oG6fCpdzu@EDQ=8ADyr2YAvFxr&$Qcd_cTm|IT%&v9_Rd?uxPdF(s%
zUDPKyP$BXZj$j+!$IRZ5f9)r5Ax>Z&euWR?pST+5SI*Q-EAo;3e1$QAi*dY?{OgG?
z{R;{it(|^7?!$i6;=76#Pw*>JpYj`(N|NLrK8{&brjFBzQ9OaVfGK3nQduq1hym2`
zdT|B5n&LoLd=bfxe2u!Nx9|}Dg_?;NmG>HsA@wO?mah|Z;9g9kjh~~Y{&(!hzmYXa
z4;8FibQGKMgx^nn!~qX4H&9={o2V1~i&>aY$?m`+-@T|4jG)%e1=N8r`TZ;Y?;qo%
zoS#HKQfiA(pVEL@ORdO4Qqtj{IEGqu!@h6hCi)jpGjbcXIR8O*Vz%id+Jb~$w}x0t
ztS7XQfK09Ey}Gs9w5YX}==-nx_h5U(@94g1Yaz7Sb>G>IOgi<6I|=GE^Db-V<`7!#
z+BAdu)YM^SpY=g>yR@w%mJ+Q*i1{;ZJKrk_eSNkNy64)oHaZAR^=4uN!ON2QLxS11
zj3Y`T^H-}U>j~Y~dD@|A$~FDk8i*%|twdN~n+Kcjd6>{D4G{cEWhz(q+$MMdGTWp@
zWcu=#n0RhgdNA*dl|EB&+RAT>MD3x3<C$>bgt=E3F`pH+)!2iM9Un^CeO`RfjtmUg
zgD=?$Cy|K7-Gs?2?lNx_R~WZ=vw5#LY;G0bZS*o@xRF7p+3xn7<dEk&(dTqrJ=fjZ
zofzutiyiKkXAU}cB$@PLJwr)TR<hE(Tyn%rmwZ?&5!-Y6hXx{^?HoSj%}ge<mu8n9
z$Qg+D$6V80T4j!u?oQt*?Xt38jCii8D&G?fZnPUh%^R9l2iFIKbGvp2_Bb!ZbiILX
zktB;+A8cp}1VaJ;x={L5`7SH{L&Z;)v8ooNk1w3E%&6UN;)|wDtopLG(;Qt|YXZxv
z&GnikYo2uM=(Tgbao2Tvla6Oc9Xm;WoCJwV%w|Ty2RCeOH~SYXPnRrivdY9Idt5rO
z!ha0M?5iD~)0<5HT>FY;`t0rLKkT$+zO6e|*co-)WUMb1ag%AU{=Q}2scZZnvJM@r

diff --git a/cas_server/locale/fr/LC_MESSAGES/django.po b/cas_server/locale/fr/LC_MESSAGES/django.po
index 8a7e606..b57dcce 100644
--- a/cas_server/locale/fr/LC_MESSAGES/django.po
+++ b/cas_server/locale/fr/LC_MESSAGES/django.po
@@ -7,8 +7,8 @@ msgid ""
 msgstr ""
 "Project-Id-Version: cas_server\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2016-07-04 17:36+0200\n"
-"PO-Revision-Date: 2016-07-04 17:37+0200\n"
+"POT-Creation-Date: 2016-07-30 01:25+0200\n"
+"PO-Revision-Date: 2016-07-30 01:30+0200\n"
 "Last-Translator: Valentin Samir <valentin.samir@crans.org>\n"
 "Language-Team: django <LL@li.org>\n"
 "Language: fr\n"
@@ -18,40 +18,40 @@ msgstr ""
 "Plural-Forms: nplurals=2; plural=(n > 1);\n"
 "X-Generator: Poedit 1.8.8\n"
 
-#: apps.py:19 templates/cas_server/base.html:3
-#: templates/cas_server/base.html:20
+#: apps.py:25 templates/cas_server/base.html:9
+#: templates/cas_server/base.html:27
 msgid "Central Authentication Service"
 msgstr "Service Central d'Authentification"
 
-#: forms.py:43
+#: forms.py:77
 msgid "Identity provider"
 msgstr "fournisseur d'identité"
 
-#: forms.py:45 forms.py:55 forms.py:106
+#: forms.py:80 forms.py:102 forms.py:205
 msgid "service"
 msgstr "service"
 
-#: forms.py:47
+#: forms.py:83
 msgid "Remember the identity provider"
 msgstr "Se souvenir du fournisseur d'identité"
 
-#: forms.py:48 forms.py:59
-msgid "warn"
+#: forms.py:86 forms.py:109
+msgid "Warn me before logging me into other sites."
 msgstr "Prévenez-moi avant d'accéder à d'autres services."
 
-#: forms.py:54
-msgid "login"
-msgstr "Identifiant"
+#: forms.py:100 models.py:600
+msgid "username"
+msgstr "nom d'utilisateur"
 
-#: forms.py:56
+#: forms.py:104
 msgid "password"
 msgstr "mot de passe"
 
-#: forms.py:71
-msgid "Bad user"
+#: forms.py:131
+msgid "The credentials you provided cannot be determined to be authentic."
 msgstr "Les informations transmises n'ont pas permis de vous authentifier."
 
-#: forms.py:96
+#: forms.py:191
 msgid "User not found in the temporary database, please try to reconnect"
 msgstr ""
 "Utilisateur non trouvé dans la base de donnée temporaire, essayez de vous "
@@ -69,98 +69,99 @@ msgstr "Nettoyer les sessions supprimées"
 msgid "Clean old trickets"
 msgstr "Nettoyer les vieux tickets"
 
-#: models.py:42
+#: models.py:46
 msgid "identity provider"
 msgstr "fournisseur d'identité"
 
-#: models.py:43
+#: models.py:47
 msgid "identity providers"
 msgstr "fournisseurs d'identités"
 
-#: models.py:47
+#: models.py:53
 msgid "suffix"
 msgstr "suffixe"
 
-#: models.py:48
+#: models.py:55
 msgid ""
-"Suffix append to backend CAS returner username: `returned_username`@`suffix`"
+"Suffix append to backend CAS returned username: ``returned_username`` @ "
+"``suffix``."
 msgstr ""
 "Suffixe ajouté au nom d'utilisateur retourné par le CAS du fournisseur "
-"d'identité : `nom retourné`@`suffixe`"
+"d'identité : `nom retourné`@`suffixe`."
 
-#: models.py:50
+#: models.py:62
 msgid "server url"
 msgstr "url du serveur"
 
-#: models.py:59
+#: models.py:72
 msgid "CAS protocol version"
 msgstr "Version du protocole CAS"
 
-#: models.py:60
+#: models.py:74
 msgid ""
-"Version of the CAS protocol to use when sending requests the the backend CAS"
+"Version of the CAS protocol to use when sending requests the the backend CAS."
 msgstr ""
 "Version du protocole CAS à utiliser lorsque l'on envoie des requête au CAS "
-"du fournisseur d'identité"
+"du fournisseur d'identité."
 
-#: models.py:65
+#: models.py:81
 msgid "verbose name"
 msgstr "Nom du fournisseur"
 
-#: models.py:66
-msgid "Name for this identity provider displayed on the login page"
-msgstr "Nom affiché pour ce fournisseur d'identité sur la page de connexion"
+#: models.py:82
+msgid "Name for this identity provider displayed on the login page."
+msgstr "Nom affiché pour ce fournisseur d'identité sur la page de connexion."
 
-#: models.py:70 models.py:317
+#: models.py:88 models.py:446
 msgid "position"
 msgstr "position"
 
-#: models.py:80
+#: models.py:102
 msgid "display"
 msgstr "afficher"
 
-#: models.py:81
-msgid "Display the provider on the login page"
-msgstr "Afficher le fournisseur d'identité sur la page de connexion"
+#: models.py:103
+msgid "Display the provider on the login page."
+msgstr "Afficher le fournisseur d'identité sur la page de connexion."
 
-#: models.py:164
+#: models.py:233
 msgid "User"
 msgstr "Utilisateur"
 
-#: models.py:165
+#: models.py:234
 msgid "Users"
 msgstr "Utilisateurs"
 
-#: models.py:234
+#: models.py:320
 #, python-format
 msgid "Error during service logout %s"
 msgstr "Une erreur est survenue durant la déconnexion du service %s"
 
-#: models.py:312
+#: models.py:440
 msgid "Service pattern"
 msgstr "Motif de service"
 
-#: models.py:313
+#: models.py:441
 msgid "Services patterns"
 msgstr "Motifs de services"
 
-#: models.py:318
+#: models.py:447
 msgid "service patterns are sorted using the position attribute"
 msgstr "Les motifs de service sont trié selon l'attribut position"
 
-#: models.py:325 models.py:449
+#: models.py:455 models.py:626
 msgid "name"
 msgstr "nom"
 
-#: models.py:326
+#: models.py:456
 msgid "A name for the service"
 msgstr "Un nom pour le service"
 
-#: models.py:331 models.py:478 models.py:497
+#: models.py:464 models.py:669 models.py:698
 msgid "pattern"
 msgstr "motif"
 
-#: models.py:333
+#: models.py:466
 msgid ""
 "A regular expression matching services. Will usually looks like '^https://"
 "some\\.server\\.com/path/.*$'.As it is a regular expression, special "
@@ -171,55 +172,55 @@ msgstr ""
 "expression rationnelle, les caractères spéciaux doivent être échappés avec "
 "un '\\'."
 
-#: models.py:342
+#: models.py:476
 msgid "user field"
 msgstr "champ utilisateur"
 
-#: models.py:343
-msgid "Name of the attribut to transmit as username, empty = login"
+#: models.py:477
+msgid "Name of the attribute to transmit as username, empty = login"
 msgstr ""
 "Nom de l'attribut devant être transmis comme nom d'utilisateur au service. "
-"vide = nom de connection"
+"vide = nom de connexion"
 
-#: models.py:347
+#: models.py:482
 msgid "restrict username"
 msgstr "limiter les noms d'utilisateurs"
 
-#: models.py:348
+#: models.py:483
 msgid "Limit username allowed to connect to the list provided bellow"
 msgstr ""
 "Limiter les noms d'utilisateurs autorisé à se connecter à la liste fournie "
 "ci-dessous"
 
-#: models.py:352
+#: models.py:488
 msgid "proxy"
 msgstr "proxy"
 
-#: models.py:353
+#: models.py:489
 msgid "Proxy tickets can be delivered to the service"
 msgstr "des proxy tickets peuvent être délivrés au service"
 
-#: models.py:357
+#: models.py:495
 msgid "proxy callback"
 msgstr ""
 
-#: models.py:358
+#: models.py:496
 msgid "can be used as a proxy callback to deliver PGT"
 msgstr "peut être utilisé comme un callback pour recevoir un PGT"
 
-#: models.py:362
+#: models.py:503
 msgid "single log out"
 msgstr ""
 
-#: models.py:363
+#: models.py:504
 msgid "Enable SLO for the service"
 msgstr "Active le SLO pour le service"
 
-#: models.py:370
+#: models.py:512
 msgid "single log out callback"
 msgstr ""
 
-#: models.py:371
+#: models.py:513
 msgid ""
 "URL where the SLO request will be POST. empty = service url\n"
 "This is usefull for non HTTP proxied services."
@@ -228,55 +229,62 @@ msgstr ""
 "service\n"
 "Ceci n'est utilise que pour des services non HTTP proxifiés"
 
-#: models.py:433
-msgid "username"
-msgstr "nom d'utilisateur"
-
-#: models.py:434
+#: models.py:601
 msgid "username allowed to connect to the service"
 msgstr "noms d'utilisateurs autorisé à se connecter au service"
 
-#: models.py:450
-msgid "name of an attribut to send to the service, use * for all attributes"
+#: models.py:627
+msgid "name of an attribute to send to the service, use * for all attributes"
 msgstr ""
 "nom d'un attribut a envoyer au service, utiliser * pour tous les attributs"
 
-#: models.py:455 models.py:503
+#: models.py:634 models.py:705
 msgid "replace"
 msgstr "remplacement"
 
-#: models.py:456
+#: models.py:635
 msgid ""
-"name under which the attribut will be showto the service. empty = default "
+"name under which the attribute will be showto the service. empty = default "
 "name of the attribut"
 msgstr ""
 "nom sous lequel l'attribut sera rendu visible au service. vide = inchangé"
 
-#: models.py:473 models.py:492
-msgid "attribut"
+#: models.py:662 models.py:692
+msgid "attribute"
 msgstr "attribut"
 
-#: models.py:474
-msgid "Name of the attribut which must verify pattern"
+#: models.py:663
+msgid "Name of the attribute which must verify pattern"
 msgstr "Nom de l'attribut devant vérifier un motif"
 
-#: models.py:479
+#: models.py:670
 msgid "a regular expression"
 msgstr "une expression régulière"
 
-#: models.py:493
-msgid "Name of the attribut for which the value must be replace"
-msgstr "nom de l'attribue pour lequel la valeur doit être remplacé"
+#: models.py:693
+msgid "Name of the attribute for which the value must be replace"
+msgstr "nom de l'attribut pour lequel la valeur doit être remplacé"
 
-#: models.py:498
+#: models.py:699
 msgid "An regular expression maching whats need to be replaced"
 msgstr "une expression régulière reconnaissant ce qui doit être remplacé"
 
-#: models.py:504
+#: models.py:706
 msgid "replace expression, groups are capture by \\1, \\2 …"
 msgstr "expression de remplacement, les groupe sont capturé par \\1, \\2"
 
-#: templates/cas_server/logged.html:6
+#: templates/cas_server/base.html:38
+#, python-format
+msgid ""
+"A new version of the application is available. This instance runs "
+"%(VERSION)s and the last version is %(LAST_VERSION)s. Please consider "
+"upgrading."
+msgstr ""
+"Une nouvelle version de l'application est disponible. Cette instance utilise "
+"la version %(VERSION)s et la dernière version est %(LAST_VERSION)s. Merci de "
+"vous mettre a jour."
+
+#: templates/cas_server/logged.html:4
 msgid "Logged"
 msgstr ""
 "<h3>Connexion réussie</h3>Vous vous êtes authentifié(e) auprès du Service "
@@ -284,27 +292,35 @@ msgstr ""
 "déconnecter et fermer votre navigateur lorsque vous avez fini d'accéder aux "
 "services authentifiés."
 
-#: templates/cas_server/logged.html:10
-msgid "Log me out from all my sessions"
-msgstr "Me déconnecter de toutes mes sessions"
+#: templates/cas_server/logged.html:8
+msgid ""
+"<h3>Log In Successful</h3>You have successfully logged into the Central "
+"Authentication Service.<br/>For security reasons, please Log Out and Exit "
+"your web browser when you are done accessing services that require "
+"authentication!"
+msgstr ""
+"<h3>Déconnexion réussie</h3>Vous vous êtes déconnecté(e) du Service Central "
+"d'Authentification. Pour des raisons de sécurité, veuillez fermer votre "
+"navigateur après avoir fini d'accéder a des services demandant une "
+"authentification !"
 
-#: templates/cas_server/logged.html:13
+#: templates/cas_server/logged.html:11
 msgid "Logout"
 msgstr "Se déconnecter"
 
-#: templates/cas_server/login.html:8
+#: templates/cas_server/login.html:6
 msgid "Please log in"
 msgstr "Merci de se connecter"
 
-#: templates/cas_server/login.html:13
+#: templates/cas_server/login.html:14
 msgid "Login"
 msgstr "Connexion"
 
-#: templates/cas_server/warn.html:10
+#: templates/cas_server/warn.html:9
 msgid "Connect to the service"
 msgstr "Se connecter au service"
 
-#: views.py:152
+#: views.py:165
 msgid ""
 "<h3>Logout successful</h3>You have successfully logged out from the Central "
 "Authentication Service. For security reasons, exit your web browser."
@@ -313,7 +329,7 @@ msgstr ""
 "d'Authentification. Pour des raisons de sécurité, veuillez fermer votre "
 "navigateur."
 
-#: views.py:158
+#: views.py:171
 #, python-format
 msgid ""
 "<h3>Logout successful</h3>You have successfully logged out from %s sessions "
@@ -324,7 +340,7 @@ msgstr ""
 "Service Central d'Authentification. Pour des raisons de sécurité, veuillez "
 "fermer votre navigateur."
 
-#: views.py:165
+#: views.py:178
 msgid ""
 "<h3>Logout successful</h3>You were already logged out from the Central "
 "Authentication Service. For security reasons, exit your web browser."
@@ -333,50 +349,71 @@ msgstr ""
 "d'Authentification. Pour des raisons de sécurité, veuillez fermer votre "
 "navigateur."
 
-#: views.py:349
-msgid "Invalid login ticket"
+#: views.py:351
+#, python-format
+msgid ""
+"Invalid response from your identity provider CAS upon ticket %(ticket)s "
+"validation: %(error)r"
+msgstr ""
+"Réponse invalide du CAS du fournisseur d'identité lors de la validation du "
+"ticket %(ticket)s: %(error)r"
+
+#: views.py:472
+msgid "Invalid login ticket, please retry to login"
 msgstr "Ticket de connexion invalide, merci de réessayé de vous connecter"
 
-#: views.py:470
+#: views.py:652
 #, python-format
 msgid "Authentication has been required by service %(name)s (%(url)s)"
 msgstr ""
 "Une demande d'authentification a été émise pour le service %(name)s "
 "(%(url)s)."
 
-#: views.py:508
+#: views.py:690
 #, python-format
 msgid "Service %(url)s non allowed."
 msgstr "le service %(url)s n'est pas autorisé."
 
-#: views.py:515
+#: views.py:697
 msgid "Username non allowed"
 msgstr "Nom d'utilisateur non authorisé"
 
-#: views.py:522
-msgid "User charateristics non allowed"
+#: views.py:704
+msgid "User characteristics non allowed"
 msgstr "Caractéristique utilisateur non autorisée"
 
-#: views.py:529
+#: views.py:711
 #, python-format
-msgid "The attribut %(field)s is needed to use that service"
+msgid "The attribute %(field)s is needed to use that service"
 msgstr "L'attribut %(field)s est nécessaire pour se connecter à ce service"
 
-#: views.py:599
+#: views.py:801
 #, python-format
 msgid "Authentication renewal required by service %(name)s (%(url)s)."
 msgstr "Demande de réauthentification pour le service %(name)s (%(url)s)."
 
-#: views.py:606
+#: views.py:808
 #, python-format
 msgid "Authentication required by service %(name)s (%(url)s)."
 msgstr "Authentification requise par le service %(name)s (%(url)s)."
 
-#: views.py:613
+#: views.py:815
 #, python-format
 msgid "Service %s non allowed"
 msgstr "Le service %s n'est pas autorisé"
 
+#~ msgid "warn"
+#~ msgstr "Prévenez-moi avant d'accéder à d'autres services."
+
+#~ msgid "login"
+#~ msgstr "Identifiant"
+
+#~ msgid "Bad user"
+#~ msgstr "Les informations transmises n'ont pas permis de vous authentifier."
+
+#~ msgid "Log me out from all my sessions"
+#~ msgstr "Me déconnecter de toutes mes sessions"
+
 #~ msgid ""
 #~ "Error during service logout %(service)s:\n"
 #~ "%(error)s"
diff --git a/cas_server/models.py b/cas_server/models.py
index 4626cce..dfedb1e 100644
--- a/cas_server/models.py
+++ b/cas_server/models.py
@@ -468,13 +468,13 @@ class ServicePattern(models.Model):
             "As it is a regular expression, special character must be escaped with a '\\'."
         )
     )
-    #: Name of the attribut to transmit as username, if empty the user login is used
+    #: Name of the attribute to transmit as username, if empty the user login is used
     user_field = models.CharField(
         max_length=255,
         default="",
         blank=True,
         verbose_name=_(u"user field"),
-        help_text=_("Name of the attribut to transmit as username, empty = login")
+        help_text=_("Name of the attribute to transmit as username, empty = login")
     )
     #: A boolean allowing to limit username allowed to connect to :attr:`usernames`.
     restrict_users = models.BooleanField(
@@ -624,7 +624,7 @@ class ReplaceAttributName(models.Model):
     name = models.CharField(
         max_length=255,
         verbose_name=_(u"name"),
-        help_text=_(u"name of an attribut to send to the service, use * for all attributes")
+        help_text=_(u"name of an attribute to send to the service, use * for all attributes")
     )
     #: The name of the attribute to transmit to the service. If empty, the value of :attr:`name`
     #: is used.
@@ -632,7 +632,7 @@ class ReplaceAttributName(models.Model):
         max_length=255,
         blank=True,
         verbose_name=_(u"replace"),
-        help_text=_(u"name under which the attribut will be show"
+        help_text=_(u"name under which the attribute will be show"
                     u"to the service. empty = default name of the attribut")
     )
     #: ForeignKey to a :class:`ServicePattern`. :class:`ReplaceAttributName` instances for a
@@ -659,8 +659,8 @@ class FilterAttributValue(models.Model):
     #: The name of a user attribute
     attribut = models.CharField(
         max_length=255,
-        verbose_name=_(u"attribut"),
-        help_text=_(u"Name of the attribut which must verify pattern")
+        verbose_name=_(u"attribute"),
+        help_text=_(u"Name of the attribute which must verify pattern")
     )
     #: A regular expression the attribute :attr:`attribut` value must verify. If :attr:`attribut`
     #: if a list, only one of the list values needs to match.
@@ -689,8 +689,8 @@ class ReplaceAttributValue(models.Model):
     #: Name the attribute: a key of :attr:`User.attributs`
     attribut = models.CharField(
         max_length=255,
-        verbose_name=_(u"attribut"),
-        help_text=_(u"Name of the attribut for which the value must be replace")
+        verbose_name=_(u"attribute"),
+        help_text=_(u"Name of the attribute for which the value must be replace")
     )
     #: A regular expression matching the part of the attribute value that need to be changed
     pattern = models.CharField(
diff --git a/cas_server/templates/cas_server/logged.html b/cas_server/templates/cas_server/logged.html
index f29445b..6e117aa 100644
--- a/cas_server/templates/cas_server/logged.html
+++ b/cas_server/templates/cas_server/logged.html
@@ -5,7 +5,7 @@
 <form class="form-signin" method="get" action="logout">
   <div class="checkbox">
     <label>
-      <input type="checkbox" name="all" value="1"> {% trans "Log me out from all my sessions" %}
+      <input type="checkbox" name="all" value="1">{% blocktrans %}<h3>Log In Successful</h3>You have successfully logged into the Central Authentication Service.<br/>For security reasons, please Log Out and Exit your web browser when you are done accessing services that require authentication!{% endblocktrans %}
     </label>
   </div>
   <button class="btn btn-danger btn-block btn-lg" type="submit">{% trans "Logout" %}</button>
diff --git a/cas_server/tests/test_view.py b/cas_server/tests/test_view.py
index 80aa29c..1297e4a 100644
--- a/cas_server/tests/test_view.py
+++ b/cas_server/tests/test_view.py
@@ -337,7 +337,7 @@ class LoginTestCase(TestCase, BaseServicePattern, CanLogin):
             response = client.get("/login", {'service': service})
             # the ticket is not created and a warning is displayed to the user
             self.assertEqual(response.status_code, 200)
-            self.assertTrue(b"User charateristics non allowed" in response.content)
+            self.assertTrue(b"User characteristics non allowed" in response.content)
 
         # same but with rectriction that a valid upon the test user attributes
         response = client.get("/login", {'service': self.service_filter_success})
@@ -355,7 +355,7 @@ class LoginTestCase(TestCase, BaseServicePattern, CanLogin):
         response = client.get("/login", {'service': self.service_field_needed_fail})
         # the ticket is not created and a warning is displayed to the user
         self.assertEqual(response.status_code, 200)
-        self.assertTrue(b"The attribut uid is needed to use that service" in response.content)
+        self.assertTrue(b"The attribute uid is needed to use that service" in response.content)
 
         # same but with a attribute that the test user has
         response = client.get("/login", {'service': self.service_field_needed_success})
@@ -379,7 +379,7 @@ class LoginTestCase(TestCase, BaseServicePattern, CanLogin):
         response = client.get("/login", {"service": self.service_field_needed_success})
         # the ticket is not created and a warning is displayed to the user
         self.assertEqual(response.status_code, 200)
-        self.assertTrue(b"The attribut alias is needed to use that service" in response.content)
+        self.assertTrue(b"The attribute alias is needed to use that service" in response.content)
 
     def test_gateway(self):
         """test gateway parameter"""
diff --git a/cas_server/views.py b/cas_server/views.py
index 93c6a47..f1c2f75 100644
--- a/cas_server/views.py
+++ b/cas_server/views.py
@@ -349,8 +349,8 @@ class FederateAuth(View):
                         messages.ERROR,
                         _(
                             u"Invalid response from your identity provider CAS upon "
-                            u"ticket %s validation: %r"
-                        ) % (ticket, error)
+                            u"ticket %(ticket)s validation: %(error)r"
+                        ) % {'ticket': ticket, 'error': error}
                     )
                     response = redirect("cas_server:login")
                     response.delete_cookie("_remember_provider")
@@ -469,7 +469,7 @@ class LoginView(View, LogoutMixin):
             messages.add_message(
                 self.request,
                 messages.ERROR,
-                _(u"Invalid login ticket")
+                _(u"Invalid login ticket, please retry to login")
             )
         elif ret == self.USER_LOGIN_OK:
             # On successful login, update the :class:`models.User<cas_server.models.User>` ``date``
@@ -701,14 +701,14 @@ class LoginView(View, LogoutMixin):
             messages.add_message(
                 self.request,
                 messages.ERROR,
-                _(u"User charateristics non allowed")
+                _(u"User characteristics non allowed")
             )
         except models.UserFieldNotDefined:
             error = 4
             messages.add_message(
                 self.request,
                 messages.ERROR,
-                _(u"The attribut %(field)s is needed to use"
+                _(u"The attribute %(field)s is needed to use"
                   u" that service") % {'field': service_pattern.user_field}
             )
 

From fbc977c6bdb464765504065d6dce05b7bc3313c5 Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Sat, 30 Jul 2016 19:20:52 +0200
Subject: [PATCH 11/31] Fix inversion between two gettext string

---
 cas_server/locale/fr/LC_MESSAGES/django.mo  | Bin 9574 -> 9380 bytes
 cas_server/locale/fr/LC_MESSAGES/django.po  |  34 ++++++++++----------
 cas_server/templates/cas_server/logged.html |   4 +--
 3 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/cas_server/locale/fr/LC_MESSAGES/django.mo b/cas_server/locale/fr/LC_MESSAGES/django.mo
index 6d5f83a00e705097d3b638b3b6e59b2e00407cd4..a86d7a3c503179aba649596e3200fdf281ede2dd 100644
GIT binary patch
delta 1135
zcmYMzOGs2<6u|LgIgV4Q=~$+zeWi_3&4jPYv63DNX|u4B-1I_kKA3T6?iA?eQX;g8
zl8J;C#ehA82tuqd+GG;6tyPPND8ry2gEkTMKX{?xa(~~skMn)^d}rp{CJtTu<ZKX;
z>>LpfR$~^1a5pw!BPQJV0d6N=Kn^L+6$xS$mSZQDViMQl80O)9%*UsA6klTlmgk8h
z`xzYLsR10vOkB2F#Gn`VVKo-w0O~>=jNmA4#W(K#zvv?_WVR5NqZcEn3+UujfW4^m
z4Cgx{EesqkoWeQG#?3sXFNRR#9jFsGyVqN=o;ZTMBA0LlUU%=`#$CksP%HYuz5fL@
z-y&|o-wuOS3<7?Us~IA7xJW$9=T76}H6nL0N<AmhU$j)(=lGELEq=$5bs`5bQ7qDd
zPf#oCD-mhJ!^k6Y88=}XH=^^BftGL{Iiz5{2stH)d$0w|a0Im{((e8Dc!2m9_G6fh
z@4^WT;2+ejsN`ksfe^OhUer9J*v<U%f`Kj|KnL-$as;(G`cM<y!YZ6YUGX<$n<bCV
zrFdfS9M+*$;124Sf5j^pG$JeU8R|T*@HqZN!~D`tR^5Uq_Tdof-hM=_ND=kYJ*&kq
zHo5Ty)Ji!>wPhTa<0EXtX;-OO%HNLKLtUu(PHKFDL9hEj44a9Ek;Tgl@=uX>sLi;5
zx_}>UysdJn`RZL;QJby{wK8LsshP|h8NpPCXQwVuYV^cU%cpz6)=9}!+B4uSH8IP?
z&nL~<L_B8BM587)WNgc}`{RT5RBq1cEKf~ixTY~>`ztaT)lS{?xA_7Q%k<1ncE<+?
Yt?s0iFg=z@lEtz~Xa9fybJ<1jKlIj$sQ>@~

delta 1205
zcmYMzOGs2<6u|K#IzGxr=8WZ}b<NZ?(@Z7P(J*_EP$Vu&B61q9I)lvQJWP5GL6p%G
z23qwXkjRuG1~&#Rl4w=r(nT8)sf|fgP!aS$&V`1V`}@wl-~Arvd^2`vvE%MSG*v{>
zvqWr|gBm-~g@w2qyRA5eHN+p0uSmAYb_F-03k&fC=Hm$F;2q4xN7#igu>oy45|zC)
zn(5`kOPGRR(7+{Z!<;oDcI-r5XdfQNLEMJZ*7HToApV2ZXk*qitVdmdi_2O(f;x{o
zH!8B9Mjtm$;UuPGCcX4U2Wnh|I&qnGzY6P#>ycN)i>vUw_53O}65mG6=sWBA2h{QA
zuoCB^G%{&q<&mZ&5hs2le#UmE@PR|*33idsar}*%+Oc&a&+!#5p>Ms&KI|?aOZX5q
zv&-0wbxskwNB}qEC>CRMf`+E>J@S=bTo_aA8$?>L3X9N(dL~9upTEU+{DfXCrtrt{
z1}3qQ1=Lb3@-kJFWjug-P;{Jw=wW`jLPHnu8QHAZHzf{7C6*EQU^!kxUGWQ~yfTX<
zPv&t5f1qZd-$?9y5^oWI#npI`mvx@&cnqh|V1CIWA6kNH9KdGO+K!=SWDd1v-?0h*
zT5)4ZA`@*$mZck$F@zm>*76Omlz2<x3^`H9Gc-O)qk@KZsKGtxLN+58FdOfq9>xjO
z1;nj*3H9*(v`jBe96BdzX1Ypa(<%3ooUu;Zt^)m^*7DPjrcY}@=@{*?&6k$kZ}!H^
zvwBi(J8GMDHpFh`m88(Bi^uaiGHkAay4LpCYe!kWI}#o+{b6sPcV>L6Sz)*%XM!_N
zV@dg2ZLZV7n%3BCeuaHF5D6K*Gvl6s-*0-tX3#Lhv7?THmcc+UG!!w7l@9J<^PJJ=
l^?Qxpa<|7bGu}%_cVxr}nZaSN#|#ntpDa`zFDbg5_77Ftq?Z5y

diff --git a/cas_server/locale/fr/LC_MESSAGES/django.po b/cas_server/locale/fr/LC_MESSAGES/django.po
index b57dcce..c3ac888 100644
--- a/cas_server/locale/fr/LC_MESSAGES/django.po
+++ b/cas_server/locale/fr/LC_MESSAGES/django.po
@@ -7,8 +7,8 @@ msgid ""
 msgstr ""
 "Project-Id-Version: cas_server\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2016-07-30 01:25+0200\n"
-"PO-Revision-Date: 2016-07-30 01:30+0200\n"
+"POT-Creation-Date: 2016-07-30 19:19+0200\n"
+"PO-Revision-Date: 2016-07-30 19:20+0200\n"
 "Last-Translator: Valentin Samir <valentin.samir@crans.org>\n"
 "Language-Team: django <LL@li.org>\n"
 "Language: fr\n"
@@ -27,7 +27,7 @@ msgstr "Service Central d'Authentification"
 msgid "Identity provider"
 msgstr "fournisseur d'identité"
 
-#: forms.py:80 forms.py:102 forms.py:205
+#: forms.py:80 forms.py:102 forms.py:208
 msgid "service"
 msgstr "service"
 
@@ -35,7 +35,7 @@ msgstr "service"
 msgid "Remember the identity provider"
 msgstr "Se souvenir du fournisseur d'identité"
 
-#: forms.py:86 forms.py:109
+#: forms.py:86 forms.py:110
 msgid "Warn me before logging me into other sites."
 msgstr "Prévenez-moi avant d'accéder à d'autres services."
 
@@ -47,11 +47,11 @@ msgstr "nom d'utilisateur"
 msgid "password"
 msgstr "mot de passe"
 
-#: forms.py:131
+#: forms.py:134
 msgid "The credentials you provided cannot be determined to be authentic."
 msgstr "Les informations transmises n'ont pas permis de vous authentifier."
 
-#: forms.py:191
+#: forms.py:194
 msgid "User not found in the temporary database, please try to reconnect"
 msgstr ""
 "Utilisateur non trouvé dans la base de donnée temporaire, essayez de vous "
@@ -285,14 +285,6 @@ msgstr ""
 "vous mettre a jour."
 
 #: templates/cas_server/logged.html:4
-msgid "Logged"
-msgstr ""
-"<h3>Connexion réussie</h3>Vous vous êtes authentifié(e) auprès du Service "
-"Central d'Authentification.<br/>Pour des raisons de sécurité, veuillez vous "
-"déconnecter et fermer votre navigateur lorsque vous avez fini d'accéder aux "
-"services authentifiés."
-
-#: templates/cas_server/logged.html:8
 msgid ""
 "<h3>Log In Successful</h3>You have successfully logged into the Central "
 "Authentication Service.<br/>For security reasons, please Log Out and Exit "
@@ -304,6 +296,10 @@ msgstr ""
 "navigateur après avoir fini d'accéder a des services demandant une "
 "authentification !"
 
+#: templates/cas_server/logged.html:8
+msgid "Log me out from all my sessions"
+msgstr "Me déconnecter de toutes mes sessions"
+
 #: templates/cas_server/logged.html:11
 msgid "Logout"
 msgstr "Se déconnecter"
@@ -402,6 +398,13 @@ msgstr "Authentification requise par le service %(name)s (%(url)s)."
 msgid "Service %s non allowed"
 msgstr "Le service %s n'est pas autorisé"
 
+#~ msgid "Logged"
+#~ msgstr ""
+#~ "<h3>Connexion réussie</h3>Vous vous êtes authentifié(e) auprès du Service "
+#~ "Central d'Authentification.<br/>Pour des raisons de sécurité, veuillez "
+#~ "vous déconnecter et fermer votre navigateur lorsque vous avez fini "
+#~ "d'accéder aux services authentifiés."
+
 #~ msgid "warn"
 #~ msgstr "Prévenez-moi avant d'accéder à d'autres services."
 
@@ -411,9 +414,6 @@ msgstr "Le service %s n'est pas autorisé"
 #~ msgid "Bad user"
 #~ msgstr "Les informations transmises n'ont pas permis de vous authentifier."
 
-#~ msgid "Log me out from all my sessions"
-#~ msgstr "Me déconnecter de toutes mes sessions"
-
 #~ msgid ""
 #~ "Error during service logout %(service)s:\n"
 #~ "%(error)s"
diff --git a/cas_server/templates/cas_server/logged.html b/cas_server/templates/cas_server/logged.html
index 6e117aa..3a23b16 100644
--- a/cas_server/templates/cas_server/logged.html
+++ b/cas_server/templates/cas_server/logged.html
@@ -1,11 +1,11 @@
 {% extends "cas_server/base.html" %}
 {% load i18n %}
 {% block content %}
-<div class="alert alert-success" role="alert">{% trans "Logged" %}</div>
+<div class="alert alert-success" role="alert">{% blocktrans %}<h3>Log In Successful</h3>You have successfully logged into the Central Authentication Service.<br/>For security reasons, please Log Out and Exit your web browser when you are done accessing services that require authentication!{% endblocktrans %}</div>
 <form class="form-signin" method="get" action="logout">
   <div class="checkbox">
     <label>
-      <input type="checkbox" name="all" value="1">{% blocktrans %}<h3>Log In Successful</h3>You have successfully logged into the Central Authentication Service.<br/>For security reasons, please Log Out and Exit your web browser when you are done accessing services that require authentication!{% endblocktrans %}
+      <input type="checkbox" name="all" value="1">{% trans "Log me out from all my sessions" %}
     </label>
   </div>
   <button class="btn btn-danger btn-block btn-lg" type="submit">{% trans "Logout" %}</button>

From 4721eb4f8118d0071e8a20177151217898f04b25 Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Sun, 31 Jul 2016 12:27:14 +0200
Subject: [PATCH 12/31] Catch base64 decode error on b64decode to raise our
 custom exception BadHash

---
 cas_server/utils.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/cas_server/utils.py b/cas_server/utils.py
index c6a56ef..6142c21 100644
--- a/cas_server/utils.py
+++ b/cas_server/utils.py
@@ -561,7 +561,10 @@ class LdapHashUserPassword(object):
         elif scheme == b'{CRYPT}':
             return b'$'.join(hashed_passord.split(b'$', 3)[:-1])[len(scheme):]
         else:
-            hashed_passord = base64.b64decode(hashed_passord[len(scheme):])
+            try:
+                hashed_passord = base64.b64decode(hashed_passord[len(scheme):])
+            except TypeError as error:
+                raise cls.BadHash("Bad base64: %s" % error)
             if len(hashed_passord) < cls._schemes_to_len[scheme]:
                 raise cls.BadHash("Hash too short for the scheme %s" % scheme)
             return hashed_passord[cls._schemes_to_len[scheme]:]

From f0922e030077c0b23e8ca43f18c92b02907784f0 Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Sun, 31 Jul 2016 12:28:10 +0200
Subject: [PATCH 13/31] Add secret as sensitive variables/post parameter for
 /auth

---
 cas_server/urls.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/cas_server/urls.py b/cas_server/urls.py
index d4e691c..a9cac30 100644
--- a/cas_server/urls.py
+++ b/cas_server/urls.py
@@ -53,8 +53,8 @@ urlpatterns = [
     url('^samlValidate$', views.SamlValidate.as_view(), name='samlValidate'),
     url(
         '^auth$',
-        sensitive_variables('password')(
-            sensitive_post_parameters('password')(
+        sensitive_variables('password', 'secret')(
+            sensitive_post_parameters('password', 'secret')(
                 views.Auth.as_view()
             )
         ),

From 2298b94f782c15b68abbbd9c86448bf01917b50f Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Sun, 31 Jul 2016 16:52:19 +0200
Subject: [PATCH 14/31] Add SqlAuthUser and LdapAuthUser auth classes.
 Deprecate the usage of SqlAuthUser in favor of SqlAuthUser.

SqlAuthUser use django databases management, and thus is compatible with all SQL databases supported
by django: postgresql, mysql, sqlite3 and oracle.

LdapAuthUser use the full pythonic ldap3 module
---
 README.rst                     |  83 ++++++++++++++--
 cas_server/auth.py             | 172 ++++++++++++++++++++++++++++++---
 cas_server/default_settings.py |  31 +++++-
 cas_server/utils.py            |  11 ++-
 4 files changed, 271 insertions(+), 26 deletions(-)

diff --git a/README.rst b/README.rst
index 85a4427..c66f092 100644
--- a/README.rst
+++ b/README.rst
@@ -193,12 +193,14 @@ Template settings
 Authentication settings
 -----------------------
 
-*  ``CAS_AUTH_CLASS``: A dotted path to a class or a class implementing
-   ``cas_server.auth.AuthUser``. The default is ``"cas_server.auth.DjangoAuthUser"``
+* ``CAS_AUTH_CLASS``: A dotted path to a class or a class implementing
+  ``cas_server.auth.AuthUser``. The default is ``"cas_server.auth.DjangoAuthUser"``
+  Available classes bundled with ``django-cas-server`` are listed below in the
+  `Authentication backend`_ section.
 
-*  ``SESSION_COOKIE_AGE``: This is a django settings. Here, it control the delay in seconds after
-   which inactive users are logged out. The default is ``1209600`` (2 weeks). You probably should
-   reduce it to something like ``86400`` seconds (1 day).
+* ``SESSION_COOKIE_AGE``: This is a django settings. Here, it control the delay in seconds after
+  which inactive users are logged out. The default is ``1209600`` (2 weeks). You probably should
+  reduce it to something like ``86400`` seconds (1 day).
 
 * ``CAS_PROXY_CA_CERTIFICATE_PATH``: Path to certificate authorities file. Usually on linux
   the local CAs are in ``/etc/ssl/certs/ca-certificates.crt``. The default is ``True`` which
@@ -214,8 +216,8 @@ Authentication settings
 Federation settings
 -------------------
 
-* ``CAS_FEDERATE``: A boolean for activating the federated mode (see the federate section below).
-  The default is ``False``.
+* ``CAS_FEDERATE``: A boolean for activating the federated mode (see the `Federation mode`_
+  section below). The default is ``False``.
 * ``CAS_FEDERATE_REMEMBER_TIMEOUT``: Time after witch the cookie use for "remember my identity
   provider" expire. The default is ``604800``, one week. The cookie is called
   ``_remember_provider``.
@@ -269,6 +271,7 @@ Tickets miscellaneous settings
 
 Mysql backend settings
 ----------------------
+Deprecated, see the Sql backend settings.
 Only usefull if you are using the mysql authentication backend:
 
 * ``CAS_SQL_HOST``: Host for the SQL server. The default is ``"localhost"``.
@@ -295,6 +298,64 @@ Only usefull if you are using the mysql authentication backend:
   The default is ``"crypt"``.
 
 
+Sql backend settings
+--------------------
+Only usefull if you are using the sql authentication backend. You must add a ``"cas_server"``
+database to `settings.DATABASES <https://docs.djangoproject.com/fr/1.9/ref/settings/#std:setting-DATABASES>`__
+as defined in the django documentation. It is then the database
+use by the sql backend.
+
+* ``CAS_SQL_USER_QUERY``: The query performed upon user authentication.
+  The username must be in field ``username``, the password in ``password``,
+  additional fields are used as the user attributes.
+  The default is ``"SELECT user AS username, pass AS password, users.* FROM users WHERE user = %s"``
+* ``CAS_SQL_PASSWORD_CHECK``: The method used to check the user password. Must be one of the following:
+
+  * ``"crypt"`` (see <https://en.wikipedia.org/wiki/Crypt_(C)>), the password in the database
+    should begin this $
+  * ``"ldap"`` (see https://tools.ietf.org/id/draft-stroeder-hashed-userpassword-values-01.html)
+    the password in the database must begin with one of {MD5}, {SMD5}, {SHA}, {SSHA}, {SHA256},
+    {SSHA256}, {SHA384}, {SSHA384}, {SHA512}, {SSHA512}, {CRYPT}.
+  * ``"hex_HASH_NAME"`` with ``HASH_NAME`` in md5, sha1, sha224, sha256, sha384, sha512.
+    The hashed password in the database is compare to the hexadecimal digest of the clear
+    password hashed with the corresponding algorithm.
+  * ``"plain"``, the password in the database must be in clear.
+
+  The default is ``"crypt"``.
+* ``CAS_SQL_PASSWORD_CHARSET``: Charset the SQL users passwords was hash with. This is needed to
+  encode the user sended password before hashing it for comparison. The default is ``"utf-8"``.
+
+
+Ldap backend settings
+---------------------
+Only usefull if you are using the ldap authentication backend:
+
+* ``CAS_LDAP_SERVER``: Address of the LDAP server. The default is ``"localhost"``.
+* ``CAS_LDAP_USER``: User bind address, for example ``"cn=admin,dc=crans,dc=org"`` for
+  connecting to the LDAP server.
+* ``CAS_LDAP_PASSWORD``: Password for connecting to the LDAP server.
+* ``CAS_LDAP_BASE_DN``: LDAP search base DN, for example ``"ou=data,dc=crans,dc=org"``.
+* ``CAS_LDAP_USER_QUERY``: Search filter for searching user by username. User inputed usernames are
+  escaped using ``ldap3.utils.conv.escape_bytes``. The default is ``"(uid=%s)"``
+* ``CAS_LDAP_USERNAME_ATTR``: Attribute used for users usernames. The default is ``"uid"``
+* ``CAS_LDAP_PASSWORD_ATTR``: Attribute used for users passwords. The default is ``"userPassword"``
+* ``CAS_LDAP_PASSWORD_CHECK``: The method used to check the user password. Must be one of the following:
+
+  * ``"crypt"`` (see <https://en.wikipedia.org/wiki/Crypt_(C)>), the password in the database
+    should begin this $
+  * ``"ldap"`` (see https://tools.ietf.org/id/draft-stroeder-hashed-userpassword-values-01.html)
+    the password in the database must begin with one of {MD5}, {SMD5}, {SHA}, {SSHA}, {SHA256},
+    {SSHA256}, {SHA384}, {SSHA384}, {SHA512}, {SSHA512}, {CRYPT}.
+  * ``"hex_HASH_NAME"`` with ``HASH_NAME`` in md5, sha1, sha224, sha256, sha384, sha512.
+    The hashed password in the database is compare to the hexadecimal digest of the clear
+    password hashed with the corresponding algorithm.
+  * ``"plain"``, the password in the database must be in clear.
+
+  The default is ``"ldap"``.
+* ``CAS_LDAP_PASSWORD_CHARSET``: Charset the LDAP users passwords was hash with. This is needed to
+  encode the user sended password before hashing it for comparison. The default is ``"utf-8"``.
+
+
 Test backend settings
 ---------------------
 Only usefull if you are using the test authentication backend:
@@ -316,11 +377,17 @@ Authentication backend
   for the user are defined by the ``CAS_TEST_*`` settings.
 * django backend ``cas_server.auth.DjangoAuthUser``: Users are authenticated against django users system.
   This is the default backend. The returned attributes are the fields available on the user model.
-* mysql backend ``cas_server.auth.MysqlAuthUser``: see the 'Mysql backend settings' section.
+* mysql backend ``cas_server.auth.MysqlAuthUser``: Deprecated, use the sql backend instead.
+  see the `Mysql backend settings`_ section. The returned attributes are those return by sql query
+  ``CAS_SQL_USER_QUERY``.
+* sql backend ``cas_server.auth.SqlAuthUser``: see the `Sql backend settings`_ section.
   The returned attributes are those return by sql query ``CAS_SQL_USER_QUERY``.
+* ldap backend ``cas_server.auth.LdapAuthUser``: see the `Ldap backend settings`_ section.
+  The returned attributes are those of the ldap node returned by the query filter ``CAS_LDAP_USER_QUERY``.
 * federated backend ``cas_server.auth.CASFederateAuth``: It is automatically used then ``CAS_FEDERATE`` is ``True``.
   You should not set it manually without setting ``CAS_FEDERATE`` to ``True``.
 
+
 Logs
 ====
 
diff --git a/cas_server/auth.py b/cas_server/auth.py
index 31aa4f2..ab0c664 100644
--- a/cas_server/auth.py
+++ b/cas_server/auth.py
@@ -13,16 +13,25 @@
 from django.conf import settings
 from django.contrib.auth import get_user_model
 from django.utils import timezone
+from django.db import connections, DatabaseError
 
+import warnings
 from datetime import timedelta
+from six.moves import range
 try:  # pragma: no cover
     import MySQLdb
     import MySQLdb.cursors
-    from utils import check_password
 except ImportError:
     MySQLdb = None
 
+
+try:  # pragma: no cover
+    import ldap3
+except ImportError:
+    ldap3 = None
+
 from .models import FederatedUser
+from .utils import check_password, dictfetchall
 
 
 class AuthUser(object):
@@ -116,19 +125,46 @@ class TestAuthUser(AuthUser):
             return {}
 
 
-class MysqlAuthUser(AuthUser):  # pragma: no cover
+class DBAuthUser(AuthUser):  # pragma: no cover
+    """base class for databate based auth classes"""
+    #: DB user attributes as a :class:`dict` if the username is found in the database.
+    user = None
+
+    def attributs(self):
+        """
+            The user attributes.
+
+            :return: a :class:`dict` with the user attributes. Attributes may be :func:`unicode`
+                or :class:`list` of :func:`unicode`. If the user do not exists, the returned
+                :class:`dict` is empty.
+            :rtype: dict
+        """
+        if self.user:
+            return self.user
+        else:
+            return {}
+
+
+class MysqlAuthUser(DBAuthUser):  # pragma: no cover
     """
-        A mysql authentication class: authentication user agains a mysql database
+        DEPRECATED, use :class:`SqlAuthUser` instead.
+
+        A mysql authentication class: authenticate user agains a mysql database
 
         :param unicode username: A username, stored in the :attr:`username<AuthUser.username>`
             class attribute. Valid value are fetched from the MySQL database set with
             ``settings.CAS_SQL_*`` settings parameters using the query
             ``settings.CAS_SQL_USER_QUERY``.
     """
-    #: Mysql user attributes as a :class:`dict` if the username is found in the database.
-    user = None
 
     def __init__(self, username):
+        warnings.warn(
+            (
+                "MysqlAuthUser authentication class is deprecated: "
+                "use cas_server.auth.SqlAuthUser instead"
+            ),
+            UserWarning
+        )
         # see the connect function at
         # http://mysql-python.sourceforge.net/MySQLdb.html#functions-and-attributes
         # for possible mysql config parameters.
@@ -169,24 +205,130 @@ class MysqlAuthUser(AuthUser):  # pragma: no cover
         else:
             return False
 
-    def attributs(self):
-        """
-            The user attributes.
 
-            :return: a :class:`dict` with the user attributes. Attributes may be :func:`unicode`
-                or :class:`list` of :func:`unicode`. If the user do not exists, the returned
-                :class:`dict` is empty.
-            :rtype: dict
+class SqlAuthUser(DBAuthUser):  # pragma: no cover
+    """
+        A SQL authentication class: authenticate user agains a SQL database. The SQL database
+        must be configures in settings.py as ``settings.DATABASES['cas_server']``.
+
+        :param unicode username: A username, stored in the :attr:`username<AuthUser.username>`
+            class attribute. Valid value are fetched from the MySQL database set with
+            ``settings.CAS_SQL_*`` settings parameters using the query
+            ``settings.CAS_SQL_USER_QUERY``.
+    """
+
+    def __init__(self, username):
+        if "cas_server" not in connections:
+            raise RuntimeError("Please configure the 'cas_server' database in settings.DATABASES")
+        for retry_nb in range(3):
+            try:
+                with connections["cas_server"].cursor() as curs:
+                    curs.execute(settings.CAS_SQL_USER_QUERY, (username,))
+                    results = dictfetchall(curs)
+                    if len(results) == 1:
+                        self.user = results[0]
+                        super(SqlAuthUser, self).__init__(self.user['username'])
+                    else:
+                        super(SqlAuthUser, self).__init__(username)
+                break
+            except DatabaseError:
+                connections["cas_server"].close()
+                if retry_nb == 2:
+                    raise
+
+    def test_password(self, password):
+        """
+            Tests ``password`` agains the user password.
+
+            :param unicode password: a clear text password as submited by the user.
+            :return: ``True`` if :attr:`username<AuthUser.username>` is valid and ``password`` is
+                correct, ``False`` otherwise.
+            :rtype: bool
         """
         if self.user:
-            return self.user
+            return check_password(
+                settings.CAS_SQL_PASSWORD_CHECK,
+                password,
+                self.user["password"],
+                settings.CAS_SQL_PASSWORD_CHARSET
+            )
         else:
-            return {}
+            return False
+
+
+class LdapAuthUser(DBAuthUser):  # pragma: no cover
+    """
+        A ldap authentication class: authenticate user against a ldap database
+
+        :param unicode username: A username, stored in the :attr:`username<AuthUser.username>`
+            class attribute. Valid value are fetched from the ldap database set with
+            ``settings.CAS_LDAP_*`` settings parameters.
+    """
+
+    _conn = None
+
+    @classmethod
+    def get_conn(cls):
+        """Return a connection object to the ldap database"""
+        conn = cls._conn
+        if conn is None or conn.closed:
+            conn = ldap3.Connection(
+                settings.CAS_LDAP_SERVER,
+                settings.CAS_LDAP_USER,
+                settings.CAS_LDAP_PASSWORD,
+                auto_bind=True
+            )
+            cls._conn = conn
+        return conn
+
+    def __init__(self, username):
+        if not ldap3:
+            raise RuntimeError("Please install ldap3 before using the LdapAuthUser backend")
+        # in case we got deconnected from the database, retry to connect 2 times
+        for retry_nb in range(3):
+            try:
+                conn = self.get_conn()
+                if conn.search(
+                    settings.CAS_LDAP_BASE_DN,
+                    settings.CAS_LDAP_USER_QUERY % ldap3.utils.conv.escape_bytes(username),
+                    attributes=ldap3.ALL_ATTRIBUTES
+                ) and len(conn.entries) == 1:
+                    user = conn.entries[0].entry_get_attributes_dict()
+                    if user.get(settings.CAS_LDAP_USERNAME_ATTR):
+                        self.user = user
+                        super(LdapAuthUser, self).__init__(user[settings.CAS_LDAP_USERNAME_ATTR][0])
+                    else:
+                        super(LdapAuthUser, self).__init__(username)
+                else:
+                    super(LdapAuthUser, self).__init__(username)
+                break
+            except ldap3.LDAPCommunicationError:
+                if retry_nb == 2:
+                    raise
+
+    def test_password(self, password):
+        """
+            Tests ``password`` agains the user password.
+
+            :param unicode password: a clear text password as submited by the user.
+            :return: ``True`` if :attr:`username<AuthUser.username>` is valid and ``password`` is
+                correct, ``False`` otherwise.
+            :rtype: bool
+        """
+        if self.user and self.user.get(settings.CAS_LDAP_PASSWORD_ATTR):
+            return check_password(
+                settings.CAS_LDAP_PASSWORD_CHECK,
+                password,
+                self.user[settings.CAS_LDAP_PASSWORD_ATTR][0],
+                settings.CAS_LDAP_PASSWORD_CHARSET
+            )
+        else:
+            return False
 
 
 class DjangoAuthUser(AuthUser):  # pragma: no cover
     """
-        A django auth class: authenticate user agains django internal users
+        A django auth class: authenticate user against django internal users
 
         :param unicode username: A username, stored in the :attr:`username<AuthUser.username>`
             class attribute. Valid value are usernames of django internal users.
diff --git a/cas_server/default_settings.py b/cas_server/default_settings.py
index ed9efc2..bfa6a54 100644
--- a/cas_server/default_settings.py
+++ b/cas_server/default_settings.py
@@ -112,12 +112,39 @@ CAS_SQL_PASSWORD = ''
 CAS_SQL_DBNAME = ''
 #: Database charset.
 CAS_SQL_DBCHARSET = 'utf8'
+
 #: The query performed upon user authentication.
-CAS_SQL_USER_QUERY = 'SELECT user AS usersame, pass AS password, users.* FROM users WHERE user = %s'
+CAS_SQL_USER_QUERY = 'SELECT user AS username, pass AS password, users.* FROM users WHERE user = %s'
 #: The method used to check the user password. Must be one of ``"crypt"``, ``"ldap"``,
 #: ``"hex_md5"``, ``"hex_sha1"``, ``"hex_sha224"``, ``"hex_sha256"``, ``"hex_sha384"``,
 #: ``"hex_sha512"``, ``"plain"``.
-CAS_SQL_PASSWORD_CHECK = 'crypt'  # crypt or plain
+CAS_SQL_PASSWORD_CHECK = 'crypt'
+#: charset the SQL users passwords was hash with
+CAS_SQL_PASSWORD_CHARSET = "utf-8"
+
+
+#: Address of the LDAP server
+CAS_LDAP_SERVER = 'localhost'
+#: LDAP user bind address, for example ``"cn=admin,dc=crans,dc=org"`` for connecting to the LDAP
+#: server.
+CAS_LDAP_USER = None
+#: LDAP connection password
+CAS_LDAP_PASSWORD = None
+#: LDAP seach base DN, for example ``"ou=data,dc=crans,dc=org"``.
+CAS_LDAP_BASE_DN = None
+#: LDAP search filter for searching user by username. User inputed usernames are escaped using
+#: :func:`ldap3.utils.conv.escape_bytes`.
+CAS_LDAP_USER_QUERY = "(uid=%s)"
+#: LDAP attribute used for users usernames
+CAS_LDAP_USERNAME_ATTR = "uid"
+#: LDAP attribute used for users passwords
+CAS_LDAP_PASSWORD_ATTR = "userPassword"
+#: The method used to check the user password. Must be one of ``"crypt"``, ``"ldap"``,
+#: ``"hex_md5"``, ``"hex_sha1"``, ``"hex_sha224"``, ``"hex_sha256"``, ``"hex_sha384"``,
+#: ``"hex_sha512"``, ``"plain"``.
+CAS_LDAP_PASSWORD_CHECK = "ldap"
+#: charset the LDAP users passwords was hash with
+CAS_LDAP_PASSWORD_CHARSET = "utf-8"
 
 
 #: Username of the test user.
diff --git a/cas_server/utils.py b/cas_server/utils.py
index 6142c21..23f7b14 100644
--- a/cas_server/utils.py
+++ b/cas_server/utils.py
@@ -582,7 +582,7 @@ def check_password(method, password, hashed_password, charset):
         :param hashed_password: The hashed password as stored in the database
         :type hashed_password: :obj:`str` or :obj:`unicode`
         :param str charset: The used char encoding (also used internally, so it must be valid for
-            the charset used by ``password`` even if it is inputed as an :obj:`unicode`)
+            the charset used by ``password`` when it was initially )
         :return: True if ``password`` match ``hashed_password`` using ``method``,
             ``False`` otherwise
         :rtype: bool
@@ -670,3 +670,12 @@ def last_version():
                 "Unable to fetch %s: %s" % (settings.CAS_NEW_VERSION_JSON_URL, error)
             )
             last_version._cache = (time.time(), version, False)
+
+
+def dictfetchall(cursor):
+    "Return all rows from a django cursor as a dict"
+    columns = [col[0] for col in cursor.description]
+    return [
+        dict(zip(columns, row))
+        for row in cursor.fetchall()
+    ]

From aae3a0186e81a67a660d1e8985cd9df503e2229c Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Sun, 31 Jul 2016 20:30:27 +0200
Subject: [PATCH 15/31] Factorize froms.py

---
 cas_server/forms.py               | 72 +++++++++++++------------------
 cas_server/tests/test_federate.py | 14 ++----
 cas_server/views.py               |  7 ++-
 3 files changed, 39 insertions(+), 54 deletions(-)

diff --git a/cas_server/forms.py b/cas_server/forms.py
index 2e554bb..b0d8ad4 100644
--- a/cas_server/forms.py
+++ b/cas_server/forms.py
@@ -19,7 +19,11 @@ import cas_server.models as models
 
 
 class BootsrapForm(forms.Form):
-    """Form base class to use boostrap then rendering the form fields"""
+    """
+        Bases: :class:`django.forms.Form`
+
+        Form base class to use boostrap then rendering the form fields
+    """
     def __init__(self, *args, **kwargs):
         super(BootsrapForm, self).__init__(*args, **kwargs)
         for (name, field) in self.fields.items():
@@ -39,29 +43,36 @@ class BootsrapForm(forms.Form):
                 field.widget.attrs.update(attrs)
 
 
-class WarnForm(BootsrapForm):
+class BaseLogin(BootsrapForm):
     """
-        Bases: :class:`django.forms.Form`
+        Bases: :class:`BootsrapForm`
 
-        Form used on warn page before emiting a ticket
+        Base form with all field possibly hidden on the login pages
     """
-
     #: The service url for which the user want a ticket
     service = forms.CharField(widget=forms.HiddenInput(), required=False)
+    #: A valid LoginTicket to prevent POST replay
+    lt = forms.CharField(widget=forms.HiddenInput(), required=False)
     #: Is the service asking the authentication renewal ?
     renew = forms.BooleanField(widget=forms.HiddenInput(), required=False)
     #: Url to redirect to if the authentication fail (user not authenticated or bad service)
     gateway = forms.CharField(widget=forms.HiddenInput(), required=False)
     method = forms.CharField(widget=forms.HiddenInput(), required=False)
+
+
+class WarnForm(BaseLogin):
+    """
+        Bases: :class:`BaseLogin`
+
+        Form used on warn page before emiting a ticket
+    """
     #: ``True`` if the user has been warned of the ticket emission
     warned = forms.BooleanField(widget=forms.HiddenInput(), required=False)
-    #: A valid LoginTicket to prevent POST replay
-    lt = forms.CharField(widget=forms.HiddenInput(), required=False)
 
 
-class FederateSelect(BootsrapForm):
+class FederateSelect(BaseLogin):
     """
-        Bases: :class:`django.forms.Form`
+        Bases: :class:`BaseLogin`
 
         Form used on the login page when ``settings.CAS_FEDERATE`` is ``True``
         allowing the user to choose an identity provider.
@@ -76,9 +87,6 @@ class FederateSelect(BootsrapForm):
         to_field_name="suffix",
         label=_('Identity provider'),
     )
-    #: The service url for which the user want a ticket
-    service = forms.CharField(label=_('service'), widget=forms.HiddenInput(), required=False)
-    method = forms.CharField(widget=forms.HiddenInput(), required=False)
     #: A checkbox to remember the user choices of :attr:`provider<FederateSelect.provider>`
     remember = forms.BooleanField(label=_('Remember the identity provider'), required=False)
     #: A checkbox to ask to be warn before emiting a ticket for another service
@@ -86,35 +94,23 @@ class FederateSelect(BootsrapForm):
         label=_('Warn me before logging me into other sites.'),
         required=False
     )
-    #: Is the service asking the authentication renewal ?
-    renew = forms.BooleanField(widget=forms.HiddenInput(), required=False)
 
 
-class UserCredential(BootsrapForm):
+class UserCredential(BaseLogin):
     """
-         Bases: :class:`django.forms.Form`
+         Bases: :class:`BaseLogin`
 
          Form used on the login page to retrive user credentials
      """
     #: The user username
     username = forms.CharField(label=_('username'))
-    #: The service url for which the user want a ticket
-    service = forms.CharField(label=_('service'), widget=forms.HiddenInput(), required=False)
     #: The user password
     password = forms.CharField(label=_('password'), widget=forms.PasswordInput)
-    #: A valid LoginTicket to prevent POST replay
-    lt = forms.CharField(widget=forms.HiddenInput(), required=False)
-    method = forms.CharField(widget=forms.HiddenInput(), required=False)
     #: A checkbox to ask to be warn before emiting a ticket for another service
     warn = forms.BooleanField(
         label=_('Warn me before logging me into other sites.'),
         required=False
     )
-    #: Is the service asking the authentication renewal ?
-    renew = forms.BooleanField(widget=forms.HiddenInput(), required=False)
-
-    def __init__(self, *args, **kwargs):
-        super(UserCredential, self).__init__(*args, **kwargs)
 
     def clean(self):
         """
@@ -138,7 +134,7 @@ class UserCredential(BootsrapForm):
 
 class FederateUserCredential(UserCredential):
     """
-        Bases: :class:`UserCredential`
+        Bases: :class:`BaseLogin`, :class:`UserCredential`
 
         Form used on a auto submited page for linking the views
         :class:`FederateAuth<cas_server.views.FederateAuth>` and
@@ -156,21 +152,13 @@ class FederateUserCredential(UserCredential):
         This stub authentication form, allow to implement the federated mode with very few
         modificatons to the :class:`LoginView<cas_server.views.LoginView>` view.
     """
-    #: the user username with the ``@`` component
-    username = forms.CharField(widget=forms.HiddenInput())
-    #: The service url for which the user want a ticket
-    service = forms.CharField(widget=forms.HiddenInput(), required=False)
-    #: The ``ticket`` used to authenticate the user against a provider
-    password = forms.CharField(widget=forms.HiddenInput())
-    #: alias of :attr:`password`
-    ticket = forms.CharField(widget=forms.HiddenInput())
-    #: A valid LoginTicket to prevent POST replay
-    lt = forms.CharField(widget=forms.HiddenInput(), required=False)
-    method = forms.CharField(widget=forms.HiddenInput(), required=False)
-    #: Has the user asked to be warn before emiting a ticket for another service
-    warn = forms.BooleanField(widget=forms.HiddenInput(), required=False)
-    #: Is the service asking the authentication renewal ?
-    renew = forms.BooleanField(widget=forms.HiddenInput(), required=False)
+
+    def __init__(self, *args, **kwargs):
+        super(FederateUserCredential, self).__init__(*args, **kwargs)
+        # All fields are hidden and auto filled by the /login view logic
+        for name, field in self.fields.items():
+            field.widget = forms.HiddenInput()
+            self[name].display = False
 
     def clean(self):
         """
diff --git a/cas_server/tests/test_federate.py b/cas_server/tests/test_federate.py
index 324f0bc..1418b15 100644
--- a/cas_server/tests/test_federate.py
+++ b/cas_server/tests/test_federate.py
@@ -88,16 +88,10 @@ class FederateAuthLoginLogoutTestCase(
             response = client.post('/federate', params)
             # we are redirected to the provider CAS client url
             self.assertEqual(response.status_code, 302)
-            if remember:
-                self.assertEqual(response["Location"], '%s/federate/%s?remember=on' % (
-                    'http://testserver' if django.VERSION < (1, 9) else "",
-                    provider.suffix
-                ))
-            else:
-                self.assertEqual(response["Location"], '%s/federate/%s' % (
-                    'http://testserver' if django.VERSION < (1, 9) else "",
-                    provider.suffix
-                ))
+            self.assertEqual(response["Location"], '%s/federate/%s' % (
+                'http://testserver' if django.VERSION < (1, 9) else "",
+                provider.suffix
+            ))
             # let's follow the redirect
             response = client.get('/federate/%s' % provider.suffix)
             # we are redirected to the provider CAS for authentication
diff --git a/cas_server/views.py b/cas_server/views.py
index f1c2f75..54fec53 100644
--- a/cas_server/views.py
+++ b/cas_server/views.py
@@ -264,8 +264,10 @@ class FederateAuth(View):
             if form.is_valid():
                 params = utils.copy_params(
                     request.POST,
-                    ignore={"provider", "csrfmiddlewaretoken", "ticket"}
+                    ignore={"provider", "csrfmiddlewaretoken", "ticket", "lt", "remember"}
                 )
+                if params.get("renew") == "False":
+                    del params["renew"]
                 url = utils.reverse_params(
                     "cas_server:federateAuth",
                     kwargs=dict(provider=form.cleaned_data["provider"].suffix),
@@ -425,7 +427,8 @@ class LoginView(View, LogoutMixin):
         self.warn = request.POST.get('warn')
         if settings.CAS_FEDERATE:
             self.username = request.POST.get('username')
-            self.ticket = request.POST.get('ticket')
+            # in federated mode, the valdated indentity provider CAS ticket is used as password
+            self.ticket = request.POST.get('password')
 
     def gen_lt(self):
         """Generate a new LoginTicket and add it to the list of valid LT for the user"""

From 13c7359294c6fffaacba65cf9ff35683274caac3 Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Mon, 1 Aug 2016 02:07:50 +0200
Subject: [PATCH 16/31] Remember warn using a cookie

---
 cas_server/forms.py |  4 ++--
 cas_server/views.py | 16 ++++++++++++++--
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/cas_server/forms.py b/cas_server/forms.py
index b0d8ad4..c7b2d76 100644
--- a/cas_server/forms.py
+++ b/cas_server/forms.py
@@ -87,13 +87,13 @@ class FederateSelect(BaseLogin):
         to_field_name="suffix",
         label=_('Identity provider'),
     )
-    #: A checkbox to remember the user choices of :attr:`provider<FederateSelect.provider>`
-    remember = forms.BooleanField(label=_('Remember the identity provider'), required=False)
     #: A checkbox to ask to be warn before emiting a ticket for another service
     warn = forms.BooleanField(
         label=_('Warn me before logging me into other sites.'),
         required=False
     )
+    #: A checkbox to remember the user choices of :attr:`provider<FederateSelect.provider>`
+    remember = forms.BooleanField(label=_('Remember the identity provider'), required=False)
 
 
 class UserCredential(BaseLogin):
diff --git a/cas_server/views.py b/cas_server/views.py
index 54fec53..b6a8e5f 100644
--- a/cas_server/views.py
+++ b/cas_server/views.py
@@ -498,7 +498,17 @@ class LoginView(View, LogoutMixin):
         else:  # pragma: no cover (should no happen)
             raise EnvironmentError("invalid output for LoginView.process_post")
         # call the GET/POST common part
-        return self.common()
+        response = self.common()
+        if self.warn:
+            utils.set_cookie(
+                response,
+                "warn",
+                "on",
+                10 * 365 * 24 * 3600
+            )
+        else:
+            response.delete_cookie("warn")
+        return response
 
     def process_post(self):
         """
@@ -607,7 +617,9 @@ class LoginView(View, LogoutMixin):
         form_initial = {
             'service': self.service,
             'method': self.method,
-            'warn': self.warn or self.request.session.get("warn"),
+            'warn': (
+                self.warn or self.request.session.get("warn") or self.request.COOKIES.get('warn')
+            ),
             'lt': self.request.session['lt'][-1],
             'renew': self.renew
         }

From 0466d397f3d77ab0ff740458d8ddbaa4ad6b80a2 Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Mon, 1 Aug 2016 02:10:53 +0200
Subject: [PATCH 17/31] Move coverage computation last in travis

---
 .travis.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.travis.yml b/.travis.yml
index e7583b2..70393e6 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,8 +1,6 @@
 language: python
 matrix:
   include:
-  - python: "2.7"
-    env: TOX_ENV=coverage
   - python: "2.7"
     env: TOX_ENV=flake8
   - python: "2.7"
@@ -23,6 +21,8 @@ matrix:
     env: TOX_ENV=py35-django18
   - python: "3.5"
     env: TOX_ENV=py35-django19
+  - python: "2.7"
+    env: TOX_ENV=coverage
 cache:
   directories:
     - $HOME/.cache/pip/http/

From 0237364d8e87cf07dec604397d5d3d5d357ec64e Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Mon, 1 Aug 2016 11:30:41 +0200
Subject: [PATCH 18/31] Only set "remember my provider" in federated mode upon
 successful authentication

---
 cas_server/tests/test_federate.py | 27 ++++++++++++++-----
 cas_server/views.py               | 43 +++++++++++++++++--------------
 2 files changed, 44 insertions(+), 26 deletions(-)

diff --git a/cas_server/tests/test_federate.py b/cas_server/tests/test_federate.py
index 1418b15..42bef71 100644
--- a/cas_server/tests/test_federate.py
+++ b/cas_server/tests/test_federate.py
@@ -88,19 +88,23 @@ class FederateAuthLoginLogoutTestCase(
             response = client.post('/federate', params)
             # we are redirected to the provider CAS client url
             self.assertEqual(response.status_code, 302)
-            self.assertEqual(response["Location"], '%s/federate/%s' % (
+            self.assertEqual(response["Location"], '%s/federate/%s%s' % (
                 'http://testserver' if django.VERSION < (1, 9) else "",
-                provider.suffix
+                provider.suffix,
+                "?remember=on" if remember else ""
             ))
             # let's follow the redirect
-            response = client.get('/federate/%s' % provider.suffix)
+            response = client.get(
+                '/federate/%s%s' % (provider.suffix, "?remember=on" if remember else "")
+            )
             # we are redirected to the provider CAS for authentication
             self.assertEqual(response.status_code, 302)
             self.assertEqual(
                 response["Location"],
-                "%s/login?service=http%%3A%%2F%%2Ftestserver%%2Ffederate%%2F%s" % (
+                "%s/login?service=http%%3A%%2F%%2Ftestserver%%2Ffederate%%2F%s%s" % (
                     provider.server_url,
-                    provider.suffix
+                    provider.suffix,
+                    "%3Fremember%3Don" if remember else ""
                 )
             )
             # let's generate a ticket
@@ -108,7 +112,10 @@ class FederateAuthLoginLogoutTestCase(
             # we lauch a dummy CAS server that only validate once for the service
             # http://testserver/federate/example.com with `ticket`
             tests_utils.DummyCAS.run(
-                ("http://testserver/federate/%s" % provider.suffix).encode("ascii"),
+                ("http://testserver/federate/%s%s" % (
+                    provider.suffix,
+                    "?remember=on" if remember else ""
+                )).encode("ascii"),
                 ticket.encode("ascii"),
                 settings.CAS_TEST_USER.encode("utf8"),
                 [],
@@ -116,7 +123,13 @@ class FederateAuthLoginLogoutTestCase(
             )
             # we normally provide a good ticket and should be redirected to /login as the ticket
             # get successfully validated again the dummy CAS
-            response = client.get('/federate/%s' % provider.suffix, {'ticket': ticket})
+            response = client.get(
+                '/federate/%s' % provider.suffix,
+                {'ticket': ticket, 'remember': 'on' if remember else ''}
+            )
+            if remember:
+                self.assertIn("_remember_provider", client.cookies)
+                self.assertEqual(client.cookies["_remember_provider"].value, provider.suffix)
             self.assertEqual(response.status_code, 302)
             self.assertEqual(response["Location"], "%s/login" % (
                 'http://testserver' if django.VERSION < (1, 9) else ""
diff --git a/cas_server/views.py b/cas_server/views.py
index b6a8e5f..2a74c4f 100644
--- a/cas_server/views.py
+++ b/cas_server/views.py
@@ -218,8 +218,7 @@ class FederateAuth(View):
         """
         return super(FederateAuth, self).dispatch(request, *args, **kwargs)
 
-    @staticmethod
-    def get_cas_client(request, provider):
+    def get_cas_client(self, request, provider):
         """
             return a CAS client object matching provider
 
@@ -231,6 +230,7 @@ class FederateAuth(View):
         """
         # compute the current url, ignoring ticket dans provider GET parameters
         service_url = utils.get_current_url(request, {"ticket", "provider"})
+        self.service_url = service_url
         return CASFederateValidateUser(provider, service_url)
 
     def post(self, request, provider=None):
@@ -264,7 +264,7 @@ class FederateAuth(View):
             if form.is_valid():
                 params = utils.copy_params(
                     request.POST,
-                    ignore={"provider", "csrfmiddlewaretoken", "ticket", "lt", "remember"}
+                    ignore={"provider", "csrfmiddlewaretoken", "ticket", "lt"}
                 )
                 if params.get("renew") == "False":
                     del params["renew"]
@@ -273,17 +273,7 @@ class FederateAuth(View):
                     kwargs=dict(provider=form.cleaned_data["provider"].suffix),
                     params=params
                 )
-                response = HttpResponseRedirect(url)
-                # If the user has checked "remember my identity provider" store it in a cookie
-                if form.cleaned_data["remember"]:
-                    max_age = settings.CAS_FEDERATE_REMEMBER_TIMEOUT
-                    utils.set_cookie(
-                        response,
-                        "_remember_provider",
-                        form.cleaned_data["provider"].suffix,
-                        max_age
-                    )
-                return response
+                return HttpResponseRedirect(url)
             else:
                 return redirect("cas_server:login")
 
@@ -323,7 +313,7 @@ class FederateAuth(View):
                                 auth.provider.server_url
                             )
                         )
-                        params = utils.copy_params(request.GET, ignore={"ticket"})
+                        params = utils.copy_params(request.GET, ignore={"ticket", "remember"})
                         request.session["federate_username"] = auth.federated_username
                         request.session["federate_ticket"] = ticket
                         auth.register_slo(
@@ -334,13 +324,28 @@ class FederateAuth(View):
                         # redirect to the the login page for the user to become authenticated
                         # thanks to the `federate_username` and `federate_ticket` session parameters
                         url = utils.reverse_params("cas_server:login", params)
-                        return HttpResponseRedirect(url)
+                        response = HttpResponseRedirect(url)
+                        # If the user has checked "remember my identity provider" store it in a
+                        # cookie
+                        if request.GET.get("remember"):
+                            max_age = settings.CAS_FEDERATE_REMEMBER_TIMEOUT
+                            utils.set_cookie(
+                                response,
+                                "_remember_provider",
+                                provider.suffix,
+                                max_age
+                            )
+                        return response
                     # else redirect to the identity provider CAS login page
                     else:
                         logger.info(
-                            "Got a invalid ticket for %s from %s. Retrying to authenticate" % (
-                                auth.username,
-                                auth.provider.server_url
+                            (
+                                "Got a invalid ticket %s from %s for service %s. "
+                                "Retrying to authenticate"
+                            ) % (
+                                ticket,
+                                auth.provider.server_url,
+                                self.service_url
                             )
                         )
                         return HttpResponseRedirect(auth.get_login_url())

From 2a1c90965ce8a326015d6d5d8c3a1afa03134918 Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Mon, 1 Aug 2016 11:50:15 +0200
Subject: [PATCH 19/31] Add a checkbox to forget the identity provider if we
 checked "remember the identity provider"

---
 cas_server/locale/fr/LC_MESSAGES/django.mo  | Bin 9380 -> 9460 bytes
 cas_server/locale/fr/LC_MESSAGES/django.po  |  64 +++++++++++---------
 cas_server/templates/cas_server/logged.html |   7 +++
 cas_server/tests/test_federate.py           |   4 +-
 cas_server/views.py                         |  17 +++---
 5 files changed, 53 insertions(+), 39 deletions(-)

diff --git a/cas_server/locale/fr/LC_MESSAGES/django.mo b/cas_server/locale/fr/LC_MESSAGES/django.mo
index a86d7a3c503179aba649596e3200fdf281ede2dd..d0f80edbb5787b491eb6c002ad9d48a14579dcbb 100644
GIT binary patch
delta 1711
zcmYk+duWYu9LMqRv9q(;Tz724aE?1;H_R?<oNW$sTFfP~mf2b^O;|&O)5c%!nQQ)7
zB&KGx5r3c*io`!8B_+2~gslDR{W;I`hhO`i*YEc{dv4$F_j#^V{;iCDNb#OAMuZqc
zv<xt7#1~$E7<E3g&$t0QFq~j^62IaR+?{BahH(SUPT^?m!5dhBbxCHWc;59b&SjmJ
zY&OCyYE?|ev7sJyqE;NG126@9-0e?rD(m++8oh&@;{vD~FU8?lgEMd|*5U;$!F~*2
z{$R6sT#Y`iZ#7Kjv!Nb~u)|%y!yMLWL(G_37_)E{>W14;7runL@rO7R-=J>f3$Da|
z%*O~j%di!<;A8Z1eajhU7Q{Ii!qrG>>>TP&yRZs-P*0|_YyV6n%ND|Hj38C9y~v-n
z@uLi$Mpg3~F2XKckAE;q`D_LMr2}hF>ju<?o80ZqIEVFK<QTh&l+hl!`(I!o>(@w|
z*kHf2e+24$0nEf{NEK`)p778ce)9i^4ZnDtJNPNp>?&R$pVx6=x|7=P*v;BA((EVR
z!V2u5QL6DXDz$TIjCr^R`4_u`6YwRD$KR+7`ZJs!T985hIk&B2gPNon$KowiPrO8(
zAelnz|FW?h!?+m_<68WSQ?QDIRgxA|FC4%y9>@9k1{*Mi2GWh}iZbD$?J}xK?x9Zf
z6V>gh0q4$3kn-DlB+IrPci=%(Ci+krC=Qw(!~K|y$vn0$l#Xk#9NA?TQKg99XR?XO
zGgOUd@wjBkHlk|RhQ)ZqT|Y%-;uY#O{f2SqnP|2Y<6W1dE^ramOP#3mb-U}k&i<%9
zV6uQ6&yk0)q)BGHF_wvH$|BSagxvK$R1+R@J&T2`J5ibWh#rh1@(2wtQ9<a2lx>wn
zW2)YN4W(Qo82fd8)IiF}G(u0Hr&CJxEucEFr-4{!%UnV?prJ3^Jc4rDLPFmSy`rT=
z385Y-Cvx2DGj)dEPby)&A+c;YTPce>Q4cI8=r^M`V@;-VsAOe?#uB0+Hsc$CAwnN0
z4P{c<BiXTrtX1lKL?!Y6P;K>&s|0GG=|qGmA_fpD(PTn{jK>D8V6)x1N}Asr^8JYS
zg|{_tY;0+-9g^OgJ!n-zQejqZUNCP~ac*AwQUAFAmc6(AnTZ3J?W}Lw+}Ip!YOfwU
Q%46--8R@-!88;LE0W#p9O#lD@

delta 1668
zcmYk+Sx8h-9LMp0YC73sIhL6=PK##COzPO!XliLwsR`ObLR1eCR!k2{1o?6y5rT-a
zg`O&kR*0eo+k<F9klu<OdXS1J3JO~2C8EB+JD2D%XFliLJ9F>3|NsBoAI;~Qosry(
z<3?+t7ts@GX4~+724A%HOtW{`fu}K=Wp)@};sNaPnN7j(cm%V@nBBmWSdH!3X7#w=
za|ol%Gsl|cnK@R+Ai#k&s0(#tf&PHGc-A{Uh;x`f!)f>f^}n2PW|J_C^KmI|!UWdg
zFczb4yxC|hL!QOLxP<%LA_g%I^tcDiuHZuEACZq0OfU=K9Mlchqaw8%wcr8F!Aq!x
z+{U#yjEgY9$wpj<JMjc6xM>s3g52M-7%amwBqX*IwNeM$upjkg&%N`1kmy<-cMD?x
z$%eI|7O<W#MXn2Vqh5@ogIn+^k}WIYM~?m&W}pL6)QuZZ$KzOqZODIYACf*h=AA!{
zi<w_Uh4i&|{sZcI-*6uOLb70`ezQZP%p&-W`Qtp|Kgi(bWU~vHAfA`epPvft1H8)o
z1%AQ4sb<TuhXU!qTd2^Ep&)8;HS!bNk2CQM&cG+A2);)?mRo4XB`s7){8c1z4ot^B
zT!Lr3AB<oV^Pji_Ye;-2p2Jf7jY`FA{;V1Z;|i=tU8f(n;v>`oN+}?o)z+YDW4psZ
z7dnNi?x&~~e@4=5ImM}52C<uY1Qmhvs3-q~2Qd^h8;kc)HyXkX_#OFJD;HG?61W}r
zqEhR;WuTDc6EEeg5^J#5o9{t|%0X?*6PS+Iu>}V`ZC2_At*9F6L|t#QH}CS!@4^O-
z_abX|>@EX#ioHS=-AB{{zIyWovs1-a<+%b?be%|D*#M5hbb2{mErZ@f*Apw;s(v*^
zTCF4n3vj#<=qV#~r9n^7Ojk(t4j_H*(}2y@7i}S33s6%owP?!0eYypxcSapub)Xt)
zq-(qW-<IqCK{`9aeYt?!Dm+yKDk$pDO_PdDFCC>~8C`89J?f59xnIh-%$vthTbC@k
zJER&j>8t2!dcU|$+eUj^DbSu(Q+^fdG`dnmq}@hl+(zkGr8lm}s$@sz=h4ZH<JM(m
kSBE0y!HQT-MeOJuf8gJ=vOM|5KhJmcVR3#kUUbd(7nPoqod5s;

diff --git a/cas_server/locale/fr/LC_MESSAGES/django.po b/cas_server/locale/fr/LC_MESSAGES/django.po
index c3ac888..bdcc3a7 100644
--- a/cas_server/locale/fr/LC_MESSAGES/django.po
+++ b/cas_server/locale/fr/LC_MESSAGES/django.po
@@ -7,8 +7,8 @@ msgid ""
 msgstr ""
 "Project-Id-Version: cas_server\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2016-07-30 19:19+0200\n"
-"PO-Revision-Date: 2016-07-30 19:20+0200\n"
+"POT-Creation-Date: 2016-08-01 12:01+0200\n"
+"PO-Revision-Date: 2016-08-01 12:01+0200\n"
 "Last-Translator: Valentin Samir <valentin.samir@crans.org>\n"
 "Language-Team: django <LL@li.org>\n"
 "Language: fr\n"
@@ -23,40 +23,40 @@ msgstr ""
 msgid "Central Authentication Service"
 msgstr "Service Central d'Authentification"
 
-#: forms.py:77
+#: forms.py:88
 msgid "Identity provider"
 msgstr "fournisseur d'identité"
 
-#: forms.py:80 forms.py:102 forms.py:208
-msgid "service"
-msgstr "service"
-
-#: forms.py:83
-msgid "Remember the identity provider"
-msgstr "Se souvenir du fournisseur d'identité"
-
-#: forms.py:86 forms.py:110
+#: forms.py:92 forms.py:111
 msgid "Warn me before logging me into other sites."
 msgstr "Prévenez-moi avant d'accéder à d'autres services."
 
-#: forms.py:100 models.py:600
+#: forms.py:96
+msgid "Remember the identity provider"
+msgstr "Se souvenir du fournisseur d'identité"
+
+#: forms.py:106 models.py:600
 msgid "username"
 msgstr "nom d'utilisateur"
 
-#: forms.py:104
+#: forms.py:108
 msgid "password"
 msgstr "mot de passe"
 
-#: forms.py:134
+#: forms.py:130
 msgid "The credentials you provided cannot be determined to be authentic."
 msgstr "Les informations transmises n'ont pas permis de vous authentifier."
 
-#: forms.py:194
+#: forms.py:182
 msgid "User not found in the temporary database, please try to reconnect"
 msgstr ""
 "Utilisateur non trouvé dans la base de donnée temporaire, essayez de vous "
 "reconnecter"
 
+#: forms.py:196
+msgid "service"
+msgstr "service"
+
 #: management/commands/cas_clean_federate.py:20
 msgid "Clean old federated users"
 msgstr "Nettoyer les anciens utilisateurs fédéré"
@@ -300,7 +300,11 @@ msgstr ""
 msgid "Log me out from all my sessions"
 msgstr "Me déconnecter de toutes mes sessions"
 
-#: templates/cas_server/logged.html:11
+#: templates/cas_server/logged.html:14
+msgid "Forget the identity provider"
+msgstr "Oublier le fournisseur d'identité"
+
+#: templates/cas_server/logged.html:18
 msgid "Logout"
 msgstr "Se déconnecter"
 
@@ -316,7 +320,7 @@ msgstr "Connexion"
 msgid "Connect to the service"
 msgstr "Se connecter au service"
 
-#: views.py:165
+#: views.py:168
 msgid ""
 "<h3>Logout successful</h3>You have successfully logged out from the Central "
 "Authentication Service. For security reasons, exit your web browser."
@@ -325,7 +329,7 @@ msgstr ""
 "d'Authentification. Pour des raisons de sécurité, veuillez fermer votre "
 "navigateur."
 
-#: views.py:171
+#: views.py:174
 #, python-format
 msgid ""
 "<h3>Logout successful</h3>You have successfully logged out from %s sessions "
@@ -336,7 +340,7 @@ msgstr ""
 "Service Central d'Authentification. Pour des raisons de sécurité, veuillez "
 "fermer votre navigateur."
 
-#: views.py:178
+#: views.py:181
 msgid ""
 "<h3>Logout successful</h3>You were already logged out from the Central "
 "Authentication Service. For security reasons, exit your web browser."
@@ -345,7 +349,7 @@ msgstr ""
 "d'Authentification. Pour des raisons de sécurité, veuillez fermer votre "
 "navigateur."
 
-#: views.py:351
+#: views.py:361
 #, python-format
 msgid ""
 "Invalid response from your identity provider CAS upon ticket %(ticket)s "
@@ -354,46 +358,46 @@ msgstr ""
 "Réponse invalide du CAS du fournisseur d'identité lors de la validation du "
 "ticket %(ticket)s: %(error)r"
 
-#: views.py:472
+#: views.py:483
 msgid "Invalid login ticket, please retry to login"
 msgstr "Ticket de connexion invalide, merci de réessayé de vous connecter"
 
-#: views.py:652
+#: views.py:675
 #, python-format
 msgid "Authentication has been required by service %(name)s (%(url)s)"
 msgstr ""
 "Une demande d'authentification a été émise pour le service %(name)s "
 "(%(url)s)."
 
-#: views.py:690
+#: views.py:713
 #, python-format
 msgid "Service %(url)s non allowed."
 msgstr "le service %(url)s n'est pas autorisé."
 
-#: views.py:697
+#: views.py:720
 msgid "Username non allowed"
 msgstr "Nom d'utilisateur non authorisé"
 
-#: views.py:704
+#: views.py:727
 msgid "User characteristics non allowed"
 msgstr "Caractéristique utilisateur non autorisée"
 
-#: views.py:711
+#: views.py:734
 #, python-format
 msgid "The attribute %(field)s is needed to use that service"
 msgstr "L'attribut %(field)s est nécessaire pour se connecter à ce service"
 
-#: views.py:801
+#: views.py:824
 #, python-format
 msgid "Authentication renewal required by service %(name)s (%(url)s)."
 msgstr "Demande de réauthentification pour le service %(name)s (%(url)s)."
 
-#: views.py:808
+#: views.py:831
 #, python-format
 msgid "Authentication required by service %(name)s (%(url)s)."
 msgstr "Authentification requise par le service %(name)s (%(url)s)."
 
-#: views.py:815
+#: views.py:838
 #, python-format
 msgid "Service %s non allowed"
 msgstr "Le service %s n'est pas autorisé"
diff --git a/cas_server/templates/cas_server/logged.html b/cas_server/templates/cas_server/logged.html
index 3a23b16..46e1c9a 100644
--- a/cas_server/templates/cas_server/logged.html
+++ b/cas_server/templates/cas_server/logged.html
@@ -8,6 +8,13 @@
       <input type="checkbox" name="all" value="1">{% trans "Log me out from all my sessions" %}
     </label>
   </div>
+  {% if settings.CAS_FEDERATE and request.COOKIES.remember_provider %}
+  <div class="checkbox">
+    <label>
+      <input type="checkbox" name="forget_provider" value="1">{% trans "Forget the identity provider" %}
+    </label>
+  </div>
+  {% endif %}
   <button class="btn btn-danger btn-block btn-lg" type="submit">{% trans "Logout" %}</button>
 </form>
 {% endblock %}
diff --git a/cas_server/tests/test_federate.py b/cas_server/tests/test_federate.py
index 42bef71..b6fa3f9 100644
--- a/cas_server/tests/test_federate.py
+++ b/cas_server/tests/test_federate.py
@@ -128,8 +128,8 @@ class FederateAuthLoginLogoutTestCase(
                 {'ticket': ticket, 'remember': 'on' if remember else ''}
             )
             if remember:
-                self.assertIn("_remember_provider", client.cookies)
-                self.assertEqual(client.cookies["_remember_provider"].value, provider.suffix)
+                self.assertIn("remember_provider", client.cookies)
+                self.assertEqual(client.cookies["remember_provider"].value, provider.suffix)
             self.assertEqual(response.status_code, 302)
             self.assertEqual(response["Location"], "%s/login" % (
                 'http://testserver' if django.VERSION < (1, 9) else ""
diff --git a/cas_server/views.py b/cas_server/views.py
index 2a74c4f..04de6d3 100644
--- a/cas_server/views.py
+++ b/cas_server/views.py
@@ -147,9 +147,12 @@ class LogoutView(View, LogoutMixin):
         # current querystring
         if settings.CAS_FEDERATE:
             if auth is not None:
-                params = utils.copy_params(request.GET)
+                params = utils.copy_params(request.GET, ignore={"forget_provider"})
                 url = auth.get_logout_url()
-                return HttpResponseRedirect(utils.update_url(url, params))
+                response = HttpResponseRedirect(utils.update_url(url, params))
+                if request.GET.get("forget_provider"):
+                    response.delete_cookie("remember_provider")
+                return response
         # if service is set, redirect to service after logout
         if self.service:
             list(messages.get_messages(request))  # clean messages before leaving the django app
@@ -331,7 +334,7 @@ class FederateAuth(View):
                             max_age = settings.CAS_FEDERATE_REMEMBER_TIMEOUT
                             utils.set_cookie(
                                 response,
-                                "_remember_provider",
+                                "remember_provider",
                                 provider.suffix,
                                 max_age
                             )
@@ -360,7 +363,7 @@ class FederateAuth(View):
                         ) % {'ticket': ticket, 'error': error}
                     )
                     response = redirect("cas_server:login")
-                    response.delete_cookie("_remember_provider")
+                    response.delete_cookie("remember_provider")
                     return response
         except FederatedIendityProvider.DoesNotExist:
             logger.warning("Identity provider suffix %s not found" % provider)
@@ -855,16 +858,16 @@ class LoginView(View, LogoutMixin):
                     )
                 else:
                     if (
-                        self.request.COOKIES.get('_remember_provider') and
+                        self.request.COOKIES.get('remember_provider') and
                         FederatedIendityProvider.objects.filter(
-                            suffix=self.request.COOKIES['_remember_provider']
+                            suffix=self.request.COOKIES['remember_provider']
                         )
                     ):
                         params = utils.copy_params(self.request.GET)
                         url = utils.reverse_params(
                             "cas_server:federateAuth",
                             params=params,
-                            kwargs=dict(provider=self.request.COOKIES['_remember_provider'])
+                            kwargs=dict(provider=self.request.COOKIES['remember_provider'])
                         )
                         return HttpResponseRedirect(url)
                     else:

From ed3e382ef19aaca807c7adb96d3532eef2e8b1fb Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Mon, 1 Aug 2016 16:56:41 +0200
Subject: [PATCH 20/31] [cas.py] Append renew=true when validating tickets

---
 cas_server/cas.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/cas_server/cas.py b/cas_server/cas.py
index 818cf0f..06ce8d2 100644
--- a/cas_server/cas.py
+++ b/cas_server/cas.py
@@ -154,6 +154,8 @@ class CASClientV1(CASClientBase, ReturnUnicode):
         Returns username on success and None on failure.
         """
         params = [('ticket', ticket), ('service', self.service_url)]
+        if self.renew:
+            params.append(('renew', 'true'))
         url = (urllib_parse.urljoin(self.server_url, 'validate') + '?' +
                urllib_parse.urlencode(params))
         page = urllib_request.urlopen(url)
@@ -187,6 +189,8 @@ class CASClientV2(CASClientBase, ReturnUnicode):
 
     def get_verification_response(self, ticket):
         params = [('ticket', ticket), ('service', self.service_url)]
+        if self.renew:
+            params.append(('renew', 'true'))
         if self.proxy_callback:
             params.append(('pgtUrl', self.proxy_callback))
         base_url = urllib_parse.urljoin(self.server_url, self.url_suffix)

From c6583c925e19ee3e10b56c02e47652dd44794bc0 Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Mon, 1 Aug 2016 17:01:44 +0200
Subject: [PATCH 21/31] Support authentication renewal in federate mode

---
 cas_server/federate.py            |  4 +-
 cas_server/tests/test_federate.py | 74 +++++++++++++++++++++++++++++++
 cas_server/views.py               | 28 ++++++++++--
 3 files changed, 100 insertions(+), 6 deletions(-)

diff --git a/cas_server/federate.py b/cas_server/federate.py
index 2cfd90e..d977771 100644
--- a/cas_server/federate.py
+++ b/cas_server/federate.py
@@ -42,13 +42,13 @@ class CASFederateValidateUser(object):
     #: the identity provider
     provider = None
 
-    def __init__(self, provider, service_url):
+    def __init__(self, provider, service_url, renew=False):
         self.provider = provider
         self.client = CASClient(
             service_url=service_url,
             version=provider.cas_protocol_version,
             server_url=provider.server_url,
-            renew=False,
+            renew=renew,
         )
 
     def get_login_url(self):
diff --git a/cas_server/tests/test_federate.py b/cas_server/tests/test_federate.py
index b6fa3f9..cfcc5b7 100644
--- a/cas_server/tests/test_federate.py
+++ b/cas_server/tests/test_federate.py
@@ -84,6 +84,10 @@ class FederateAuthLoginLogoutTestCase(
             params['provider'] = provider.suffix
             if remember:
                 params['remember'] = 'on'
+            # just try for one suffix
+            if suffix == "example.com":
+                # if renew=False is posted it should be ignored
+                params["renew"] = False
             # post the choosed provider
             response = client.post('/federate', params)
             # we are redirected to the provider CAS client url
@@ -351,6 +355,76 @@ class FederateAuthLoginLogoutTestCase(
                 provider.suffix
             ))
 
+    def test_forget_provider(self):
+        """Test the logout option to forget remembered provider"""
+        tickets = self.test_login_post_provider(remember=True)
+        for (provider, _, client) in tickets:
+            self.assertIn("remember_provider", client.cookies)
+            self.assertEqual(client.cookies["remember_provider"].value, provider.suffix)
+            self.assertNotEqual(client.cookies["remember_provider"]["max-age"], 0)
+            client.get("/logout?forget_provider=1")
+            self.assertEqual(client.cookies["remember_provider"]["max-age"], 0)
+
+    def test_renew(self):
+        """
+            Test authentication renewal with federation mode
+        """
+        tickets = self.test_login_post_provider()
+        for (provider, _, client) in tickets:
+            # Try to renew authentication(client already authenticated in test_login_post_provider
+            response = client.get("/login?renew=true")
+            # we should be redirected to the user CAS
+            self.assertEqual(response.status_code, 302)
+            self.assertEqual(response["Location"], "%s/federate/%s?renew=true" % (
+                'http://testserver' if django.VERSION < (1, 9) else "",
+                provider.suffix
+            ))
+
+            response = client.get("/federate/%s?renew=true" % provider.suffix)
+            self.assertEqual(response.status_code, 302)
+            service_url = (
+                "service=http%%3A%%2F%%2Ftestserver%%2Ffederate%%2F%s%%3Frenew%%3Dtrue"
+            ) % provider.suffix
+            self.assertIn(service_url, response["Location"])
+            self.assertIn("renew=true", response["Location"])
+
+            cas_port = int(provider.server_url.split(':')[-1])
+            # let's generate a ticket
+            ticket = utils.gen_st()
+            # we lauch a dummy CAS server that only validate once for the service
+            # http://testserver/federate/example.com?renew=true with `ticket`
+            tests_utils.DummyCAS.run(
+                ("http://testserver/federate/%s?renew=true" % provider.suffix).encode("ascii"),
+                ticket.encode("ascii"),
+                settings.CAS_TEST_USER.encode("utf8"),
+                [],
+                cas_port
+            )
+            # we normally provide a good ticket and should be redirected to /login as the ticket
+            # get successfully validated again the dummy CAS
+            response = client.get(
+                '/federate/%s' % provider.suffix,
+                {'ticket': ticket, 'renew': 'true'}
+            )
+            self.assertEqual(response.status_code, 302)
+            self.assertEqual(response["Location"], "%s/login?renew=true" % (
+                'http://testserver' if django.VERSION < (1, 9) else ""
+            ))
+            # follow the redirect and try to get a ticket to see is it has renew set to True
+            response = client.get("/login?renew=true&service=%s" % self.service)
+            # we should get a page with a from with all widget hidden that auto POST to /login using
+            # javascript. If javascript is disabled, a "connect" button is showed
+            self.assertTrue(response.context['auto_submit'])
+            self.assertEqual(response.context['post_url'], '/login')
+            params = tests_utils.copy_form(response.context["form"])
+            # POST get prefiled from parameters
+            response = client.post("/login", params)
+            self.assertEqual(response.status_code, 302)
+            self.assertTrue(response["Location"].startswith("%s?ticket=" % self.service))
+            ticket_value = response["Location"].split('ticket=')[-1]
+            ticket = models.ServiceTicket.objects.get(value=ticket_value)
+            self.assertTrue(ticket.renew)
+
     def test_login_bad_ticket(self):
         """
             Try login with a bad ticket:
diff --git a/cas_server/views.py b/cas_server/views.py
index 04de6d3..e810f54 100644
--- a/cas_server/views.py
+++ b/cas_server/views.py
@@ -212,6 +212,7 @@ class LogoutView(View, LogoutMixin):
 
 class FederateAuth(View):
     """view to authenticated user agains a backend CAS then CAS_FEDERATE is True"""
+
     @method_decorator(csrf_exempt)  # csrf is disabled for allowing SLO requests reception
     def dispatch(self, request, *args, **kwargs):
         """
@@ -221,7 +222,7 @@ class FederateAuth(View):
         """
         return super(FederateAuth, self).dispatch(request, *args, **kwargs)
 
-    def get_cas_client(self, request, provider):
+    def get_cas_client(self, request, provider, renew=False):
         """
             return a CAS client object matching provider
 
@@ -234,7 +235,7 @@ class FederateAuth(View):
         # compute the current url, ignoring ticket dans provider GET parameters
         service_url = utils.get_current_url(request, {"ticket", "provider"})
         self.service_url = service_url
-        return CASFederateValidateUser(provider, service_url)
+        return CASFederateValidateUser(provider, service_url, renew=renew)
 
     def post(self, request, provider=None):
         """
@@ -291,16 +292,17 @@ class FederateAuth(View):
         if not settings.CAS_FEDERATE:
             logger.warning("CAS_FEDERATE is False, set it to True to use the federated mode")
             return redirect("cas_server:login")
+        renew = bool(request.GET.get('renew') and request.GET['renew'] != "False")
         # Is the user is already authenticated, no need to request authentication to the user
         # identity provider.
-        if self.request.session.get("authenticated"):
+        if self.request.session.get("authenticated") and not renew:
             logger.warning("User already authenticated, dropping federate authentication request")
             return redirect("cas_server:login")
         try:
             # get the identity provider from its suffix
             provider = FederatedIendityProvider.objects.get(suffix=provider)
             # get a CAS client for the user identity provider
-            auth = self.get_cas_client(request, provider)
+            auth = self.get_cas_client(request, provider, renew)
             # if no ticket submited, redirect to the identity provider CAS login page
             if 'ticket' not in request.GET:
                 logger.info("Trying to authenticate again %s" % auth.provider.server_url)
@@ -871,6 +873,24 @@ class LoginView(View, LogoutMixin):
                         )
                         return HttpResponseRedirect(url)
                     else:
+                        # if user is authenticated and auth renewal is requested, redirect directly
+                        # to the user identity provider
+                        if self.renew and self.request.session.get("authenticated"):
+                            try:
+                                user = FederatedUser.get_from_federated_username(
+                                    self.request.session.get("username")
+                                )
+                                params = utils.copy_params(self.request.GET)
+                                url = utils.reverse_params(
+                                    "cas_server:federateAuth",
+                                    params=params,
+                                    kwargs=dict(provider=user.provider.suffix)
+                                )
+                                return HttpResponseRedirect(url)
+                            # Should normally not happen: if the user is logged, it exists in the
+                            # database.
+                            except FederatedUser.DoesNotExist:  # pragma: no cover
+                                pass
                         return render(
                             self.request,
                             settings.CAS_LOGIN_TEMPLATE,

From d25f738b034b9d7826a3c7f2de6daecbcd90d93b Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Mon, 1 Aug 2016 18:29:05 +0200
Subject: [PATCH 22/31] Add unit test for utils.dictfetchall

---
 cas_server/tests/test_utils.py | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/cas_server/tests/test_utils.py b/cas_server/tests/test_utils.py
index e46459f..d0199ce 100644
--- a/cas_server/tests/test_utils.py
+++ b/cas_server/tests/test_utils.py
@@ -11,9 +11,11 @@
 # (c) 2016 Valentin Samir
 """Tests module for utils"""
 from django.test import TestCase, RequestFactory
+from django.db import connection
 
 import six
 import warnings
+import datetime
 
 from cas_server import utils
 
@@ -237,3 +239,15 @@ class UtilsTestCase(TestCase):
 
             # version is cached 24h so calling it a second time should return the save value
             self.assertEqual(version, utils.last_version())
+
+    def test_dictfetchall(self):
+        """test the function dictfetchall"""
+        with connection.cursor() as curs:
+            curs.execute("SELECT * FROM django_migrations")
+            results = utils.dictfetchall(curs)
+            self.assertIsInstance(results, list)
+            self.assertTrue(len(results) > 0)
+            for result in results:
+                self.assertIsInstance(result, dict)
+                self.assertIn('applied', result)
+                self.assertIsInstance(result['applied'], datetime.datetime)

From d0530033446dec92958a8dff223e4eac3e0ff3fb Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Mon, 1 Aug 2016 18:29:24 +0200
Subject: [PATCH 23/31] Add test for ldap check password with bad base64 hash

---
 cas_server/tests/test_utils.py | 4 ++++
 cas_server/utils.py            | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/cas_server/tests/test_utils.py b/cas_server/tests/test_utils.py
index d0199ce..79c3cb2 100644
--- a/cas_server/tests/test_utils.py
+++ b/cas_server/tests/test_utils.py
@@ -131,8 +131,12 @@ class CheckPasswordCase(TestCase):
         with self.assertRaises(utils.LdapHashUserPassword.BadHash):
             utils.check_password("ldap", self.password1, b"TOTOssdsdsd", "utf8")
         for scheme in schemes_salt:
+            # bad length
             with self.assertRaises(utils.LdapHashUserPassword.BadHash):
                 utils.check_password("ldap", self.password1, scheme + b"dG90b3E8ZHNkcw==", "utf8")
+            # bad base64
+            with self.assertRaises(utils.LdapHashUserPassword.BadHash):
+                utils.check_password("ldap", self.password1, scheme + b"dG90b3E8ZHNkcw", "utf8")
 
     def test_hex(self):
         """test all the hex_HASH method: the hashed password is a simple hash of the password"""
diff --git a/cas_server/utils.py b/cas_server/utils.py
index 23f7b14..c94ddf5 100644
--- a/cas_server/utils.py
+++ b/cas_server/utils.py
@@ -28,6 +28,7 @@ import six
 import requests
 import time
 import logging
+import binascii
 
 from importlib import import_module
 from datetime import datetime, timedelta
@@ -563,7 +564,7 @@ class LdapHashUserPassword(object):
         else:
             try:
                 hashed_passord = base64.b64decode(hashed_passord[len(scheme):])
-            except TypeError as error:
+            except (TypeError, binascii.Error) as error:
                 raise cls.BadHash("Bad base64: %s" % error)
             if len(hashed_passord) < cls._schemes_to_len[scheme]:
                 raise cls.BadHash("Hash too short for the scheme %s" % scheme)

From 41f7bdade3b72d8150449c8fe1b6b934a86c9913 Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Mon, 1 Aug 2016 18:36:05 +0200
Subject: [PATCH 24/31] Fix autodoc forms.FederateUserCredential base class

---
 cas_server/forms.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cas_server/forms.py b/cas_server/forms.py
index c7b2d76..bcfaecb 100644
--- a/cas_server/forms.py
+++ b/cas_server/forms.py
@@ -134,7 +134,7 @@ class UserCredential(BaseLogin):
 
 class FederateUserCredential(UserCredential):
     """
-        Bases: :class:`BaseLogin`, :class:`UserCredential`
+        Bases: :class:`UserCredential`
 
         Form used on a auto submited page for linking the views
         :class:`FederateAuth<cas_server.views.FederateAuth>` and

From 99d335e85dd98ef46485c5b0424da5117222961c Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Mon, 1 Aug 2016 18:36:12 +0200
Subject: [PATCH 25/31] Enable logging to stderr then running tests

---
 cas_server/tests/settings.py | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/cas_server/tests/settings.py b/cas_server/tests/settings.py
index 76594da..e332688 100644
--- a/cas_server/tests/settings.py
+++ b/cas_server/tests/settings.py
@@ -100,3 +100,27 @@ STATIC_URL = '/static/'
 
 CAS_NEW_VERSION_HTML_WARNING = False
 CAS_NEW_VERSION_EMAIL_WARNING = False
+
+LOGGING = {
+    'version': 1,
+    'disable_existing_loggers': False,
+    'formatters': {
+        'cas_file': {
+            'format': '%(asctime)s %(levelname)s %(message)s'
+        },
+    },
+    'handlers': {
+        'cas_stream': {
+            'level': 'INFO',
+            'class': 'logging.StreamHandler',
+            'formatter': 'cas_file',
+        },
+    },
+    'loggers': {
+        'cas_server': {
+            'handlers': ['cas_stream'],
+            'level': 'INFO',
+            'propagate': True,
+        },
+    },
+}

From 15188ba186cf52a7d210fb3ce27014916500bd29 Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Tue, 2 Aug 2016 12:02:48 +0200
Subject: [PATCH 26/31] Add internal links to some sections to README.rst

---
 README.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.rst b/README.rst
index c66f092..036add5 100644
--- a/README.rst
+++ b/README.rst
@@ -145,7 +145,7 @@ Quick start
 
 6. Start the development server and visit http://127.0.0.1:8000/admin/
    to add a first service allowed to authenticate user against the CAS
-   (you'll need the Admin app enabled). See the Service Patterns section bellow.
+   (you'll need the Admin app enabled). See the `Service Patterns`_ section bellow.
 
 7. Visit http://127.0.0.1:8000/cas/ to login with your django users.
 
@@ -271,7 +271,7 @@ Tickets miscellaneous settings
 
 Mysql backend settings
 ----------------------
-Deprecated, see the Sql backend settings.
+Deprecated, see the `Sql backend settings`_.
 Only usefull if you are using the mysql authentication backend:
 
 * ``CAS_SQL_HOST``: Host for the SQL server. The default is ``"localhost"``.

From aa98096059413639d53341b02a99d64cda5ed515 Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Tue, 2 Aug 2016 13:24:57 +0200
Subject: [PATCH 27/31] Use custom templatetags instead settings custom
 attributes to Boundfields

As it do not work with django 1.7
---
 cas_server/forms.py                       |  8 ++------
 cas_server/templates/cas_server/form.html |  5 +++--
 cas_server/templatetags/__init__.py       |  0
 cas_server/templatetags/cas_server.py     | 14 ++++++++++++++
 4 files changed, 19 insertions(+), 8 deletions(-)
 create mode 100644 cas_server/templatetags/__init__.py
 create mode 100644 cas_server/templatetags/cas_server.py

diff --git a/cas_server/forms.py b/cas_server/forms.py
index bcfaecb..54afb7f 100644
--- a/cas_server/forms.py
+++ b/cas_server/forms.py
@@ -26,15 +26,11 @@ class BootsrapForm(forms.Form):
     """
     def __init__(self, *args, **kwargs):
         super(BootsrapForm, self).__init__(*args, **kwargs)
-        for (name, field) in self.fields.items():
+        for field in self.fields.values():
             # Only tweak the fiel if it will be displayed
             if not isinstance(field.widget, forms.HiddenInput):
-                # tell to display the field (used in form.html)
-                self[name].display = True
                 attrs = {}
-                if isinstance(field.widget, forms.CheckboxInput):
-                    self[name].checkbox = True
-                else:
+                if not isinstance(field.widget, forms.CheckboxInput):
                     attrs['class'] = "form-control"
                     if field.label:  # pragma: no branch (currently all field are hidden or labeled)
                         attrs["placeholder"] = field.label
diff --git a/cas_server/templates/cas_server/form.html b/cas_server/templates/cas_server/form.html
index 5ac1463..f189f6b 100644
--- a/cas_server/templates/cas_server/form.html
+++ b/cas_server/templates/cas_server/form.html
@@ -1,10 +1,11 @@
+{% load cas_server %}
 {% for error in form.non_field_errors %}
 <div class="alert alert-danger alert-dismissable">
   <button type="button" class="close" data-dismiss="alert" aria-hidden="true">&#215;</button>
   {{error}}
 </div>
 {% endfor %}
-{% for field in form %}{% if field.display %}
+{% for field in form %}{% if not field|is_hidden %}
 <div class="form-group{% spaceless %}
   {% if not form.non_field_errors %}
     {% if field.errors %} has-error
@@ -12,7 +13,7 @@
     {% endif %}
   {% endif %}"
 {% endspaceless %}>{% spaceless %}
-  {% if field.checkbox %}
+  {% if field|is_checkbox %}
     <div class="checkbox"><label for="{{field.auto_id}}">{{field}}{{field.label}}</label>
   {% else %}
     <label class="control-label" for="{{field.auto_id}}">{{field.label}}</label>
diff --git a/cas_server/templatetags/__init__.py b/cas_server/templatetags/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/cas_server/templatetags/cas_server.py b/cas_server/templatetags/cas_server.py
new file mode 100644
index 0000000..ec2839e
--- /dev/null
+++ b/cas_server/templatetags/cas_server.py
@@ -0,0 +1,14 @@
+from django import template
+from django import forms
+
+register = template.Library()
+
+
+@register.filter(name='is_checkbox')
+def is_checkbox(field):
+    return isinstance(field.field.widget, forms.CheckboxInput)
+
+
+@register.filter(name='is_hidden')
+def is_hidden(field):
+    return isinstance(field.field.widget, forms.HiddenInput)

From 94fc7d0e2b978e876871e0a12b21617480598852 Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Tue, 2 Aug 2016 14:06:52 +0200
Subject: [PATCH 28/31] Add dependancies correspondance between python pypi,
 debian and centos packages

---
 README.rst           | 55 ++++++++++++++++++++++++++++++++++++++------
 requirements-dev.txt |  8 +++----
 requirements.txt     |  4 ++--
 3 files changed, 54 insertions(+), 13 deletions(-)

diff --git a/README.rst b/README.rst
index 036add5..ea6cea9 100644
--- a/README.rst
+++ b/README.rst
@@ -29,11 +29,49 @@ Dependencies
 
 ``django-cas-server`` depends on the following python packages:
 
-* Django >= 1.7 < 1.10
+* Django >= 1.7.1 < 1.10
 * requests >= 2.4
 * requests_futures >= 0.9.5
 * lxml >= 3.4
-* six >= 1
+* six >= 1.8
+
+Minimal version of packages dependancy are just indicative and meens that ``django-cas-server`` has
+been tested with it. Previous versions of dependencies may or may not work.
+
+Additionally, denpending of the authentication backend you plan to use, you may need the following
+python packages:
+
+* ldap3        (debian/centos: python-ldap3)
+* psycopg2     (debian/centos: python-psycopg2)
+* mysql-python (debian: python-mysqldb, centos: python2-mysql)
+
+
+Here there is a table with the name of python packages and the corresponding packages providing
+them on debian like systems and centos like systems.
+You should try as much as possible to use system packages as there are automatically updated then
+you update your system. You can then install Not Available (N/A)
+packages on your system using pip inside a virtualenv as described in the `Installation`_ section.
+For use with python3, just replace python(2) in the table by python3.
+
++------------------+-------------------------+---------------------+
+| python package   | debian like systems     | centos like systems |
++==================+=========================+=====================+
+| Django           | python-django           | python-django       |
++------------------+-------------------------+---------------------+
+| requests         | python-requests         | python-requests     |
++------------------+-------------------------+---------------------+
+| requests_futures | python-requests-futures | N/A                 |
++------------------+-------------------------+---------------------+
+| lxml             | python-lxml             | python-lxml         |
++------------------+-------------------------+---------------------+
+| six              | python-six              | python-six          |
++------------------+-------------------------+---------------------+
+| ldap3            | python-ldap3            | python-ldap3        |
++------------------+-------------------------+---------------------+
+| psycopg2         | python-psycopg2         | python-psycopg2     |
++------------------+-------------------------+---------------------+
+| mysql-python     | python-mysqldb          | python2-mysql       |
++------------------+-------------------------+---------------------+
 
 Installation
 ============
@@ -63,14 +101,17 @@ The recommended installation mode is to use a virtualenv with ``--system-site-pa
     New python executable in cas/bin/python2
     Also creating executable in cas/bin/python
     Installing setuptools, pip...done.
+
+4. And `activate it <https://virtualenv.pypa.io/en/stable/userguide/#activate-script>`__::
+
     $ cd cas_venv/; . bin/activate
 
-4. Create a django project::
+5. Create a django project::
 
    $ django-admin startproject cas_project
    $ cd cas_project
 
-5. Install `django-cas-server`. To use the last published release, run::
+6. Install `django-cas-server`. To use the last published release, run::
 
     $ pip install django-cas-server
 
@@ -81,11 +122,11 @@ The recommended installation mode is to use a virtualenv with ``--system-site-pa
     $ pip install -r requirements.txt
 
    Then, either run ``make install`` to create a python package using the sources of the repository
-   and install it with pip, or place the `cas_server` directory into your
+   and install it with pip, or place the ``cas_server`` directory into your
    `PYTHONPATH <https://docs.python.org/2/using/cmdline.html#envvar-PYTHONPATH>`_
-   (for instance by symlinking `cas_server` to the root of your django project).
+   (for instance by symlinking ``cas_server`` to the root of your django project).
 
-6. Open ``cas_project/settings.py`` in you favourite editor and follow the quick start section.
+7. Open ``cas_project/settings.py`` in you favourite editor and follow the quick start section.
 
 
 Quick start
diff --git a/requirements-dev.txt b/requirements-dev.txt
index 241e789..f92821a 100644
--- a/requirements-dev.txt
+++ b/requirements-dev.txt
@@ -1,12 +1,12 @@
 setuptools>=5.5
+requests>=2.4
+requests_futures>=0.9.5
+lxml>=3.4
+six>=1.8
 tox>=1.8.1
 pytest>=2.6.4
 pytest-django>=2.8.0
 pytest-pythonpath>=0.3
 pytest-warnings
 pytest-cov>=2.2.1
-requests>=2.4
-requests_futures>=0.9.5
-lxml>=3.4
-six>=1
 mock>=1
diff --git a/requirements.txt b/requirements.txt
index 23dbf75..b7518f5 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,6 +1,6 @@
-Django >= 1.7,<1.10
+Django >= 1.7.1,<1.10
 setuptools>=5.5
 requests>=2.4
 requests_futures>=0.9.5
 lxml>=3.4
-six>=1
+six>=1.8

From f5031e638895e193cff584c7acb71db651658031 Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Tue, 2 Aug 2016 14:13:58 +0200
Subject: [PATCH 29/31] require Django<1.10 in Makefile

---
 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index d802dc0..08d013f 100644
--- a/Makefile
+++ b/Makefile
@@ -38,7 +38,7 @@ dist:
 
 test_venv/bin/python:
 	virtualenv test_venv
-	test_venv/bin/pip install -U --requirement requirements-dev.txt Django
+	test_venv/bin/pip install -U --requirement requirements-dev.txt 'Django<1.10'
 
 test_venv/cas/manage.py: test_venv
 	mkdir -p test_venv/cas

From e9523baf7d71302a4a286e4ce274f8da8810ea51 Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Tue, 2 Aug 2016 14:15:15 +0200
Subject: [PATCH 30/31] Forgotten to remove ~comments in README.rst

---
 README.rst | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.rst b/README.rst
index ea6cea9..c4d9e48 100644
--- a/README.rst
+++ b/README.rst
@@ -41,9 +41,9 @@ been tested with it. Previous versions of dependencies may or may not work.
 Additionally, denpending of the authentication backend you plan to use, you may need the following
 python packages:
 
-* ldap3        (debian/centos: python-ldap3)
-* psycopg2     (debian/centos: python-psycopg2)
-* mysql-python (debian: python-mysqldb, centos: python2-mysql)
+* ldap3
+* psycopg2
+* mysql-python
 
 
 Here there is a table with the name of python packages and the corresponding packages providing

From 773707e6c3c3fa20f697c946e31cafc591e8fee8 Mon Sep 17 00:00:00 2001
From: Valentin Samir <valentin.samir@crans.org>
Date: Tue, 2 Aug 2016 14:35:24 +0200
Subject: [PATCH 31/31] Update version to 0.6.2

---
 cas_server/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cas_server/__init__.py b/cas_server/__init__.py
index c138255..8d6dd5d 100644
--- a/cas_server/__init__.py
+++ b/cas_server/__init__.py
@@ -11,7 +11,7 @@
 """A django CAS server application"""
 
 #: version of the application
-VERSION = '0.6.1'
+VERSION = '0.6.2'
 
 #: path the the application configuration class
 default_app_config = 'cas_server.apps.CasAppConfig'