Add ldap bind auth method and CAS_TGT_VALIDITY parameter. Fix #18

2016-10-07 15:22:49 +02:00 · 2016-10-07 15:22:49 +02:00 · f1fed48b21
parent e77dbbcd03
commit f1fed48b21
12 changed files with 289 additions and 9 deletions
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@ -12,6 +12,9 @@ Unreleased
 Added
 -----
 * Add a test for login with missing parameter (username or password or both)
 * Add ldap auth using bind method (use the user credentials to bind the the ldap server and let the
  server check the credentials)
 * Add CAS_TGT_VALIDITY parameter: Max time after with the user MUST reauthenticate.
 Fixed
 -----
--- a/README.rst
+++ b/README.rst
@ -268,6 +268,11 @@ Authentication settings
  which inactive users are logged out. The default is ``1209600`` (2 weeks). You probably should
  reduce it to something like ``86400`` seconds (1 day).
 * ``CAS_TGT_VALIDITY``: Max time after with the user MUST reauthenticate. Let it to `None` for no
  max time.This can be used to force refreshing cached informations only available upon user
  authentication like the user attributes in federation mode or with the ldap auth in bind mode.
  The default is ``None``.
 * ``CAS_PROXY_CA_CERTIFICATE_PATH``: Path to certificate authorities file. Usually on linux
  the local CAs are in ``/etc/ssl/certs/ca-certificates.crt``. The default is ``True`` which
  tell requests to use its internal certificat authorities. Settings it to ``False`` should
@ -416,6 +421,14 @@ Only usefull if you are using the ldap authentication backend:
    The hashed password in the database is compare to the hexadecimal digest of the clear
    password hashed with the corresponding algorithm.
  * ``"plain"``, the password in the database must be in clear.
  * ``"bind``, the user credentials are used to bind to the ldap database and retreive the user
    attribute. In this mode, the settings ``CAS_LDAP_PASSWORD_ATTR`` and ``CAS_LDAP_PASSWORD_CHARSET``
    are ignored, and it is the ldap server that perform password check. The counterpart is that
    the user attributes are only available upon user password check and so are cached for later
    use. All the other modes directly fetch the user attributes from the database whenever there
    are needed. This mean that is you use this mode, they can be some difference between the
    attributes in database and the cached ones if changes happend in the database after the user
    authentiate. See the parameter ``CAS_TGT_VALIDITY`` to force user to reauthenticate periodically.
  The default is ``"ldap"``.
 * ``CAS_LDAP_PASSWORD_CHARSET``: Charset the LDAP users passwords was hash with. This is needed to
@ -585,6 +598,10 @@ to the provider CAS to authenticate. This provider transmit to ``django-cas-serv
 username and attributes. The user is now logged in on ``django-cas-server`` and can use
 services using ``django-cas-server`` as CAS.
 In federation mode, the user attributes are cached upon user authentication. See the settings
 ``CAS_TGT_VALIDITY`` to force users to reauthenticate periodically and allow ``django-cas-server``
 to refresh cached attributes.
 The list of allowed identity providers is defined using the django admin application.
 With the development server started, visit http://127.0.0.1:8000/admin/ to add identity providers.
--- a/cas_server/admin.py
+++ b/cas_server/admin.py
@ -9,10 +9,12 @@
 #
 # (c) 2015-2016 Valentin Samir
 """module for the admin interface of the app"""
 from .default_settings import settings
 from django.contrib import admin
 from .models import ServiceTicket, ProxyTicket, ProxyGrantingTicket, User, ServicePattern
 from .models import Username, ReplaceAttributName, ReplaceAttributValue, FilterAttributValue
-from .models import FederatedIendityProvider
+from .models import FederatedIendityProvider, FederatedUser, UserAttributes
 from .forms import TicketForm
@ -167,6 +169,33 @@ class FederatedIendityProviderAdmin(admin.ModelAdmin):
    list_display = ('verbose_name', 'suffix', 'display')
-admin.site.register(User, UserAdmin)
+class FederatedUserAdmin(admin.ModelAdmin):
    """
        Bases: :class:`django.contrib.admin.ModelAdmin`
        :class:`FederatedUser<cas_server.models.FederatedUser>` in admin
        interface
    """
    #: Fields to display on a object.
    fields = ('username', 'provider', 'last_update')
    #: Fields to display on the list of class:`FederatedUserAdmin` objects.
    list_display = ('username', 'provider', 'last_update')
 class UserAttributesAdmin(admin.ModelAdmin):
    """
        Bases: :class:`django.contrib.admin.ModelAdmin`
        :class:`UserAttributes<cas_server.models.UserAttributes>` in admin
        interface
    """
    #: Fields to display on a object.
    fields = ('username', '_attributs')
 admin.site.register(ServicePattern, ServicePatternAdmin)
 admin.site.register(FederatedIendityProvider, FederatedIendityProviderAdmin)
 if settings.DEBUG:  # pragma: no branch (we always test with DEBUG True)
    admin.site.register(User, UserAdmin)
    admin.site.register(FederatedUser, FederatedUserAdmin)
    admin.site.register(UserAttributes, UserAttributesAdmin)
--- a/cas_server/auth.py
+++ b/cas_server/auth.py
@ -30,7 +30,7 @@ try:  # pragma: no cover
 except ImportError:
    ldap3 = None
-from .models import FederatedUser
+from .models import FederatedUser, UserAttributes
 from .utils import check_password, dictfetchall
@ -284,6 +284,10 @@ class LdapAuthUser(DBAuthUser):  # pragma: no cover
    def __init__(self, username):
        if not ldap3:
            raise RuntimeError("Please install ldap3 before using the LdapAuthUser backend")
        if not settings.CAS_LDAP_BASE_DN:
            raise ValueError(
                "You must define CAS_LDAP_BASE_DN for using the ldap authentication backend"
            )
        # in case we got deconnected from the database, retry to connect 2 times
        for retry_nb in range(3):
            try:
@ -294,6 +298,8 @@ class LdapAuthUser(DBAuthUser):  # pragma: no cover
                    attributes=ldap3.ALL_ATTRIBUTES
                ) and len(conn.entries) == 1:
                    user = conn.entries[0].entry_get_attributes_dict()
                    # store the user dn
                    user["dn"] = conn.entries[0].entry_get_dn()
                    if user.get(settings.CAS_LDAP_USERNAME_ATTR):
                        self.user = user
                        super(LdapAuthUser, self).__init__(user[settings.CAS_LDAP_USERNAME_ATTR][0])
@ -315,7 +321,34 @@ class LdapAuthUser(DBAuthUser):  # pragma: no cover
                correct, ``False`` otherwise.
            :rtype: bool
        """
-        if self.user and self.user.get(settings.CAS_LDAP_PASSWORD_ATTR):
+        if settings.CAS_LDAP_PASSWORD_CHECK == "bind":
            try:
                conn = ldap3.Connection(
                    settings.CAS_LDAP_SERVER,
                    self.user["dn"],
                    password,
                    auto_bind=True
                )
                try:
                    # fetch the user attribute
                    if conn.search(
                        settings.CAS_LDAP_BASE_DN,
                        settings.CAS_LDAP_USER_QUERY % ldap3.utils.conv.escape_bytes(self.username),
                        attributes=ldap3.ALL_ATTRIBUTES
                    ) and len(conn.entries) == 1:
                        attributes = conn.entries[0].entry_get_attributes_dict()
                        attributes["dn"] = conn.entries[0].entry_get_dn()
                        # cache the attributes locally as we wont have access to the user password
                        # later.
                        user = UserAttributes.objects.get_or_create(username=self.username)[0]
                        user.attributs = attributes
                        user.save()
                finally:
                    conn.unbind()
                return True
            except (ldap3.LDAPBindError, ldap3.LDAPCommunicationError):
                return False
        elif self.user and self.user.get(settings.CAS_LDAP_PASSWORD_ATTR):
            return check_password(
                settings.CAS_LDAP_PASSWORD_CHECK,
                password,
@ -325,6 +358,22 @@ class LdapAuthUser(DBAuthUser):  # pragma: no cover
        else:
            return False
    def attributs(self):
        """
            The user attributes.
            :return: a :class:`dict` with the user attributes. Attributes may be :func:`unicode`
                or :class:`list` of :func:`unicode`. If the user do not exists, the returned
                :class:`dict` is empty.
            :rtype: dict
            :raises NotImplementedError: if the password check method in `CAS_LDAP_PASSWORD_CHECK`
                do not allow to fetch the attributes without the user credentials.
        """
        if settings.CAS_LDAP_PASSWORD_CHECK == "bind":
            raise NotImplementedError()
        else:
            return super(LdapAuthUser, self).attributs()
 class DjangoAuthUser(AuthUser):  # pragma: no cover
    """
--- a/cas_server/default_settings.py
+++ b/cas_server/default_settings.py
@ -58,6 +58,10 @@ CAS_SLO_MAX_PARALLEL_REQUESTS = 10
 CAS_SLO_TIMEOUT = 5
 #: Shared to transmit then using the view :class:`cas_server.views.Auth`
 CAS_AUTH_SHARED_SECRET = ''
 #: Max time after with the user MUST reauthenticate. Let it to `None` for no max time.
 #: This can be used to force refreshing cached informations only available upon user authentication
 #: like the user attributes in federation mode or with the ldap auth in bind mode.
 CAS_TGT_VALIDITY = None
 #: Number of seconds the service tickets and proxy tickets are valid. This is the maximal time
--- a/cas_server/management/commands/cas_clean_sessions.py
+++ b/cas_server/management/commands/cas_clean_sessions.py
@ -23,4 +23,5 @@ class Command(BaseCommand):
    def handle(self, *args, **options):
        models.User.clean_deleted_sessions()
        models.UserAttributes.clean_old_entries()
        models.NewVersionWarning.send_mails()
--- a/cas_server/migrations/0011_auto_20161007_1258.py
+++ b/cas_server/migrations/0011_auto_20161007_1258.py
@ -0,0 +1,38 @@
 # -*- coding: utf-8 -*-
 # Generated by Django 1.10.1 on 2016-10-07 12:58
 from __future__ import unicode_literals
 from django.db import migrations, models
 import django.utils.timezone
 class Migration(migrations.Migration):
    dependencies = [
        ('cas_server', '0010_auto_20160824_2112'),
    ]
    operations = [
        migrations.CreateModel(
            name='UserAttributes',
            fields=[
                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
                ('_attributs', models.TextField(blank=True, default=None, null=True)),
                ('username', models.CharField(max_length=155, unique=True)),
            ],
            options={
                'verbose_name': 'User attributes cache',
                'verbose_name_plural': 'User attributes caches',
            },
        ),
        migrations.AlterModelOptions(
            name='federateduser',
            options={'verbose_name': 'Federated user', 'verbose_name_plural': 'Federated users'},
        ),
        migrations.AddField(
            model_name='user',
            name='last_login',
            field=models.DateTimeField(auto_now_add=True, default=django.utils.timezone.now),
            preserve_default=False,
        ),
    ]
--- a/cas_server/models.py
+++ b/cas_server/models.py
@ -163,6 +163,8 @@ class FederatedUser(JsonAttributes):
    """
    class Meta:
        unique_together = ("username", "provider")
        verbose_name = _("Federated user")
        verbose_name_plural = _("Federated users")
    #: The user username returned by the CAS backend on successful ticket validation
    username = models.CharField(max_length=124)
    #: A foreign key to :class:`FederatedIendityProvider`
@ -233,6 +235,30 @@ class FederateSLO(models.Model):
                federate_slo.delete()
@python_2_unicode_compatible
 class UserAttributes(JsonAttributes):
    """
        Bases: :class:`JsonAttributes`
        Local cache of the user attributes, used then needed
    """
    class Meta:
        verbose_name = _("User attributes cache")
        verbose_name_plural = _("User attributes caches")
    #: The username of the user for which we cache attributes
    username = models.CharField(max_length=155, unique=True)
    def __str__(self):
        return self.username
    @classmethod
    def clean_old_entries(cls):
        """Remove :class:`UserAttributes` for which no more :class:`User` exists."""
        for user in cls.objects.all():
            if User.objects.filter(username=user.username).count() == 0:
                user.delete()
@python_2_unicode_compatible
 class User(models.Model):
    """
@ -250,6 +276,8 @@ class User(models.Model):
    username = models.CharField(max_length=30)
    #: Last time the authenticated user has do something (auth, fetch ticket, etc…)
    date = models.DateTimeField(auto_now=True)
    #: last time the user logged
    last_login = models.DateTimeField(auto_now_add=True)
    def delete(self, *args, **kwargs):
        """
@ -269,9 +297,12 @@ class User(models.Model):
            Remove :class:`User` objects inactive since more that
            :django:setting:`SESSION_COOKIE_AGE` and send corresponding SingleLogOut requests.
        """
-        users = cls.objects.filter(
+        filter = Q(date__lt=(timezone.now() - timedelta(seconds=settings.SESSION_COOKIE_AGE)))
-            date__lt=(timezone.now() - timedelta(seconds=settings.SESSION_COOKIE_AGE))
+        if settings.CAS_TGT_VALIDITY is not None:
-        )
+            filter |= Q(
                last_login__lt=(timezone.now() - timedelta(seconds=settings.CAS_TGT_VALIDITY))
            )
        users = cls.objects.filter(filter)
        for user in users:
            user.logout()
        users.delete()
@ -288,9 +319,22 @@ class User(models.Model):
    def attributs(self):
        """
            Property.
-            A fresh :class:`dict` for the user attributes, using ``settings.CAS_AUTH_CLASS``
+            A fresh :class:`dict` for the user attributes, using ``settings.CAS_AUTH_CLASS`` if
            possible, and if not, try to fallback to cached attributes (actually only used for ldap
            auth class with bind password check mthode).
        """
-        return utils.import_attr(settings.CAS_AUTH_CLASS)(self.username).attributs()
+        try:
            return utils.import_attr(settings.CAS_AUTH_CLASS)(self.username).attributs()
        except NotImplementedError:
            try:
                user = UserAttributes.objects.get(username=self.username)
                attributes = user.attributs
                if attributes is not None:
                    return attributes
                else:
                    return {}
            except UserAttributes.DoesNotExist:
                return {}
    def __str__(self):
        return u"%s - %s" % (self.username, self.session_key)
--- a/cas_server/tests/auth.py
+++ b/cas_server/tests/auth.py
@ -0,0 +1,29 @@
 # -*- coding: utf-8 -*-
 # This program is distributed in the hope that it will be useful, but WITHOUT
 # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 # FOR A PARTICULAR PURPOSE. See the GNU General Public License version 3 for
 # more details.
 #
 # You should have received a copy of the GNU General Public License version 3
 # along with this program; if not, write to the Free Software Foundation, Inc., 51
 # Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # (c) 2016 Valentin Samir
 from cas_server import auth
 class TestCachedAttributesAuthUser(auth.TestAuthUser):
    """
        A test authentication class only working for one unique user.
        :param unicode username: A username, stored in the :attr:`username<AuthUser.username>`
            class attribute. The uniq valid value is ``settings.CAS_TEST_USER``.
    """
    def attributs(self):
        """
            The user attributes.
            :raises NotImplementedError: as this class do not support fetching user attributes
        """
        raise NotImplementedError()
--- a/cas_server/tests/mixin.py
+++ b/cas_server/tests/mixin.py
@ -185,6 +185,17 @@ class UserModels(object):
        ).update(date=new_date)
        return client
    @staticmethod
    def tgt_expired_user(sec):
        """return a user logged since sec seconds"""
        client = get_auth_client()
        new_date = timezone.now() - timedelta(seconds=(sec))
        models.User.objects.filter(
            username=settings.CAS_TEST_USER,
            session_key=client.session.session_key
        ).update(last_login=new_date)
        return client
    @staticmethod
    def get_user(client):
        """return the user associated with an authenticated client"""
--- a/cas_server/tests/test_models.py
+++ b/cas_server/tests/test_models.py
@ -114,6 +114,24 @@ class FederateSLOTestCase(TestCase, UserModels):
                models.FederateSLO.objects.get(username="test1@example.com")
@override_settings(CAS_AUTH_CLASS='cas_server.auth.TestAuthUser')
 class UserAttributesTestCase(TestCase, UserModels):
    """test for the user attributes cache model"""
    def test_clean_old_entries(self):
        """test the clean_old_entries methode"""
        client = get_auth_client()
        user = self.get_user(client)
        models.UserAttributes.objects.create(username=settings.CAS_TEST_USER)
        # test that attribute cache is removed for non existant users
        self.assertEqual(len(models.UserAttributes.objects.all()), 1)
        models.UserAttributes.clean_old_entries()
        self.assertEqual(len(models.UserAttributes.objects.all()), 1)
        user.delete()
        models.UserAttributes.clean_old_entries()
        self.assertEqual(len(models.UserAttributes.objects.all()), 0)
@override_settings(CAS_AUTH_CLASS='cas_server.auth.TestAuthUser')
 class UserTestCase(TestCase, UserModels):
    """tests for the user models"""
@ -144,6 +162,24 @@ class UserTestCase(TestCase, UserModels):
        # assert the user has being well delete
        self.assertEqual(len(models.User.objects.all()), 0)
    @override_settings(CAS_TGT_VALIDITY=3600)
    def test_clean_old_entries_tgt_expired(self):
        """test clean_old_entiers with CAS_TGT_VALIDITY set"""
        # get an authenticated client
        client = self.tgt_expired_user(settings.CAS_TGT_VALIDITY + 60)
        # assert the user exists before being cleaned
        self.assertEqual(len(models.User.objects.all()), 1)
        # assert the last lofin date is before the expiry date
        self.assertTrue(
            self.get_user(client).last_login < (
                timezone.now() - timedelta(seconds=settings.CAS_TGT_VALIDITY)
            )
        )
        # delete old inactive users
        models.User.clean_old_entries()
        # assert the user has being well delete
        self.assertEqual(len(models.User.objects.all()), 0)
    def test_clean_deleted_sessions(self):
        """test clean_deleted_sessions"""
        # get an authenticated client
@ -177,6 +213,24 @@ class UserTestCase(TestCase, UserModels):
        self.assertFalse(models.ServiceTicket.objects.all())
        self.assertTrue(client2.session.get("authenticated"))
    @override_settings(CAS_AUTH_CLASS='cas_server.tests.auth.TestCachedAttributesAuthUser')
    def test_cached_attributs(self):
        """
            Test gettting user attributes from cache for auth method that do not support direct
            fetch (link the ldap bind auth methode)
        """
        client = get_auth_client()
        user = self.get_user(client)
        # if no cache is defined, the attributes are empty
        self.assertEqual(user.attributs, {})
        user_attr = models.UserAttributes.objects.create(username=settings.CAS_TEST_USER)
        # if a cache is defined but without atrributes, also empty
        self.assertEqual(user.attributs, {})
        user_attr.attributs = settings.CAS_TEST_ATTRIBUTES
        user_attr.save()
        # attributes are what is found in the cache
        self.assertEqual(user.attributs, settings.CAS_TEST_ATTRIBUTES)
@override_settings(CAS_AUTH_CLASS='cas_server.auth.TestAuthUser')
 class TicketTestCase(TestCase, UserModels, BaseServicePattern):
--- a/cas_server/views.py
+++ b/cas_server/views.py
@ -506,6 +506,7 @@ class LoginView(View, LogoutMixin):
                username=self.request.session['username'],
                session_key=self.request.session.session_key
            )[0]
            self.user.last_login = timezone.now()
            self.user.save()
        elif ret == self.USER_LOGIN_FAILURE:  # bad user login
            if settings.CAS_FEDERATE: