def cas_validateTicket(request):
"""
CAS Login : Phase 2/3 After returning from a CAS Login, this request will contain a ticket
cas_serviceValidate is called to validate the user's ticket
and the user is returned to 'sendback' (Authorized) or 'login' (Unauthorized) screen
(Optional - Phase 3/3 - With the username and proxyTicket, a user can be re-authorized.)
"""
import caslib
if not request.GET.has_key('ticket'):
return False
caslib.cas_setReturnLocation(request.GET['sendback'])
cas_response = caslib.cas_serviceValidate(request.GET['ticket'])
(truth, user, pgtIou) = (cas_response.success, cas_response.map[cas_response.type].get('user',None), cas_response.map[cas_response.type].get('proxyGrantingTicket',""))
if not truth or not user:
return False
return user, pgtIou
def cas_validateTicket(request):
"""
Phase 2/3 Call CAS serviceValidate
Phase 3/3 - Return result and original request
"""
ticket = request.META["HTTP_X_AUTH_TICKET"] if "HTTP_X_AUTH_TICKET" in request.META else None
(result, username) = caslib.cas_serviceValidate(ticket)
if result is True:
logger.info("Username for CAS Ticket= " + username)
if "HTTP_X_AUTH_USER" in request.META:
checkUser = request.META["HTTP_X_AUTH_USER"]
logger.info("Existing user found in header, checking for match")
if checkUser != username:
logger.info("Existing user doesn't match new user")
return (False, None)
request.META["HTTP_X_AUTH_USER"] = username
return (result, request)
def cas_validateTicket(request):
"""
Phase 2/3 Call CAS serviceValidate
Phase 3/3 - Return result and original request
"""
ticket = request.META['HTTP_X_AUTH_TICKET'] \
if 'HTTP_X_AUTH_TICKET' in request.META else None
(result, username) = caslib.cas_serviceValidate(ticket)
if result is True:
logger.info("Username for CAS Ticket= " + username)
if 'HTTP_X_AUTH_USER' in request.META:
checkUser = request.META['HTTP_X_AUTH_USER']
logger.info("Existing user found in header, checking for match")
if checkUser != username:
logger.info("Existing user doesn't match new user")
return (False, None)
request.META['HTTP_X_AUTH_USER'] = username
return (result, request)
def cas_validateTicket(request):
"""
Method expects 2 GET parameters: 'ticket' & 'sendback'
After a CAS Login:
Redirects the request based on the GET param 'ticket'
Unauthorized Users are redirected to '/' In the event of failure.
Authorized Users are redirected to the GET param 'sendback'
"""
redirect_logout_url = settings.REDIRECT_URL+"/login/"
no_user_url = settings.REDIRECT_URL + "/no_user/"
logger.debug('GET Variables:%s' % request.GET)
ticket = request.GET.get('ticket', None)
sendback = request.GET.get('sendback', None)
if not ticket:
logger.info("No Ticket received in GET string "
"-- Logout user: %s" % redirect_logout_url)
return HttpResponseRedirect(redirect_logout_url)
logger.debug("ServiceValidate endpoint includes a ticket."
" Ticket must now be validated with CAS")
# ReturnLocation set, apply on successful authentication
cas_setReturnLocation(sendback)
cas_response = caslib.cas_serviceValidate(ticket)
if not cas_response.success:
logger.debug("CAS Server did NOT validate ticket:%s"
" and included this response:%s"
% (ticket, cas_response))
return HttpResponseRedirect(redirect_logout_url)
(user, pgtIou) = parse_cas_response(cas_response)
if not user:
logger.debug("User attribute missing from cas response!"
"This may require a fix to caslib.py")
return HttpResponseRedirect(redirect_logout_url)
if not pgtIou or pgtIou == "":
logger.error("""Proxy Granting Ticket missing!
Atmosphere requires CAS proxy as a service to authenticate users.
Possible Causes:
* ServerName variable is wrong in /etc/apache2/apache2.conf
* Proxy URL does not exist
* Proxy URL is not a valid RSA-2/VeriSigned SSL certificate
* /etc/host and hostname do not match machine.""")
return HttpResponseRedirect(redirect_logout_url)
updated = updateUserProxy(user, pgtIou)
if not updated:
return HttpResponseRedirect(redirect_logout_url)
logger.info("Updated proxy for <%s> -- Auth success!" % user)
try:
auth_token = createAuthToken(user)
except User.DoesNotExist:
return HttpResponseRedirect(no_user_url)
if auth_token is None:
logger.info("Failed to create AuthToken")
HttpResponseRedirect(redirect_logout_url)
createSessionToken(request, auth_token)
return_to = request.GET['sendback']
logger.info("Session token created, return to: %s" % return_to)
return HttpResponseRedirect(return_to)
def authenticate(
self,
username = None,#for 'password' and 'ldap'
password = None,#for 'password' and 'ldap'
user_id = None,#for 'force'
provider_name = None,#required with all except email_key
openid_url = None,
email_key = None,
oauth_user_id = None,#used with oauth
facebook_user_id = None,#user with facebook
wordpress_url = None, # required for self hosted wordpress
wp_user_id = None, # required for self hosted wordpress
cas_ticket = None, # the CAS ticket
method = None,#requried parameter
):
"""this authentication function supports many login methods
just which method it is going to use it determined
from the signature of the function call
"""
login_providers = util.get_enabled_login_providers()
assoc = None # UserAssociation not needed for ldap
if method == 'password':
if login_providers[provider_name]['type'] != 'password':
raise ImproperlyConfigured('login provider must use password')
if provider_name == 'local':
try:
user = User.objects.get(username=username)
if not user.check_password(password):
return None
except User.DoesNotExist:
try:
email_address = username
user = User.objects.get(email = email_address)
if not user.check_password(password):
return None
except User.DoesNotExist:
return None
except User.MultipleObjectsReturned:
LOG.critical(
('have more than one user with email %s ' +
'he/she will not be able to authenticate with ' +
'the email address in the place of user name') % email_address
)
return None
else:
if login_providers[provider_name]['check_password'](username, password):
try:
#if have user associated with this username and provider,
#return the user
assoc = UserAssociation.objects.get(
openid_url = username + '@' + provider_name,#a hack - par name is bad
provider_name = provider_name
)
return assoc.user
except UserAssociation.DoesNotExist:
#race condition here a user with this name may exist
user, created = User.objects.get_or_create(username = username)
if created:
user.set_password(password)
user.save()
user_registered.send(None, user = user)
else:
#have username collision - so make up a more unique user name
#bug: - if user already exists with the new username - we are in trouble
new_username = '******' % (username, provider_name)
user = User.objects.create_user(new_username, '', password)
user_registered.send(None, user = user)
message = _(
'Welcome! Please set email address (important!) in your '
'profile and adjust screen name, if necessary.'
)
user.message_set.create(message = message)
else:
return None
#this is a catch - make login token a little more unique
#for the cases when passwords are the same for two users
#from the same provider
try:
assoc = UserAssociation.objects.get(
user = user,
provider_name = provider_name
)
except UserAssociation.DoesNotExist:
assoc = UserAssociation(
user = user,
provider_name = provider_name
)
assoc.openid_url = username + '@' + provider_name#has to be this way for external pw logins
elif method == 'openid':
try:
assoc = UserAssociation.objects.get(openid_url=openid_url)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
except UserAssociation.MultipleObjectsReturned:
logging.critical(
'duplicate openid url in the database!!! %s' % openid_url
)
return None
elif method == 'email':
#with this method we do no use user association
try:
#todo: add email_key_timestamp field
#and check key age
user = User.objects.get(email_key = email_key)
user.email_key = None #one time key so delete it
user.email_isvalid = True
user.save()
return user
except User.DoesNotExist:
return None
elif method == 'oauth':
if login_providers[provider_name]['type'] == 'oauth':
try:
assoc = UserAssociation.objects.get(
openid_url = oauth_user_id,
provider_name = provider_name
)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
else:
return None
elif method == 'facebook':
try:
#assert(provider_name == 'facebook')
assoc = UserAssociation.objects.get(
openid_url = facebook_user_id,
provider_name = 'facebook'
)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
elif method == 'ldap':
user_info = ldap_authenticate(username, password)
if user_info['success'] == False:
# Maybe a user created internally (django admin user)
try:
user = User.objects.get(username__exact=username)
if user.check_password(password):
return user
else:
return None
except User.DoesNotExist:
return None
else:
#load user by association or maybe auto-create one
ldap_username = user_info['ldap_username']
try:
#todo: provider_name is hardcoded - possible conflict
assoc = UserAssociation.objects.get(
openid_url = ldap_username + '@ldap',
provider_name = 'ldap'
)
user = assoc.user
except UserAssociation.DoesNotExist:
#email address is required
if 'email' in user_info and askbot_settings.LDAP_AUTOCREATE_USERS:
assoc = ldap_create_user(user_info)
user = assoc.user
else:
return None
elif method == 'cas':
import caslib
cas_response = caslib.cas_serviceValidate(cas_ticket)
success, _user = cas_response.map[cas_response.type].get('user',None)
if success:
try:
assoc = UserAssociation.objects.get(
openid_url = _user + '@ldap',
provider_name = 'ldap'
)
user = assoc.user
except UserAssociation.DoesNotExist:
user = User()
user.username = _user
user.set_unusable_password()
user.is_staff = False
user.is_superuser = False
user.is_active = True
user.save()
user_registered.send(None, user = user)
LOG.info('Created New User : [{0}]'.format(_user))
assoc = UserAssociation()
assoc.user = _user
assoc.openid_url = _user + '@ldap'
assoc.provider_name = 'ldap'
assoc.save()
else:
return None
elif method == 'wordpress_site':
try:
custom_wp_openid_url = '%s?user_id=%s' % (wordpress_url, wp_user_id)
assoc = UserAssociation.objects.get(
openid_url = custom_wp_openid_url,
provider_name = 'wordpress_site'
)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
elif method == 'force':
return self.get_user(user_id)
else:
raise TypeError('only openid and password supported')
if assoc:
#update last used time
assoc.last_used_timestamp = datetime.datetime.now()
assoc.save()
return user
