def _generate_response(request, processor):
    """
    Build the SAML response via ``processor`` and render it for the browser.

    Renders ``saml2idp/invalid_user.html`` when the processor raises
    ``exceptions.UserNotAuthorized``.  Otherwise resolves the destination
    service name for the ACS URL, records (or refreshes) the ``BrowserLogin``
    row for this browser + remote service, writes the user log entry and
    renders ``saml2idp/login.html`` with the processor's template variables.
    """
    try:
        template_vars = processor.generate_response()
    except exceptions.UserNotAuthorized:
        custom_log(request, "Unauthorized to sign in", level="warn")
        return render_to_response('saml2idp/invalid_user.html',
                                  context_instance=RequestContext(request))

    acs_url = template_vars["acs_url"]
    return_url = get_destination_service(acs_url)

    # One BrowserLogin per (user, browser, provider, service) that is still
    # signed in; an existing row only gets its timestamp refreshed.
    lookup = dict(user=request.browser.user,
                  browser=request.browser,
                  sso_provider="saml2",
                  signed_out=False,
                  remote_service=str(acs_url))
    try:
        browser_login, created = BrowserLogin.objects.get_or_create(
            defaults={"auth_timestamp": timezone.now()}, **lookup)
        if not created:
            browser_login.auth_timestamp = timezone.now()
            browser_login.save()
    except BrowserLogin.MultipleObjectsReturned:
        custom_log(request,
                   "Multiple BrowserLogin objects for user=%s, browser=%s, "
                   "sso_provider=saml2, remote_service=%s"
                   % (request.browser.user.username,
                      request.browser.bid_public,
                      acs_url),
                   level="error")

    signed_in_msg = "Signed in with SAML to %s" % return_url
    custom_log(request, signed_in_msg, level="info")
    add_user_log(request, signed_in_msg, "share-square-o")

    # NOTE(review): the whole template-variable dict is written to the debug
    # log here; if it carries the signed assertion, that lands in the logs
    # as well -- verify whether redaction is wanted.
    custom_log(request,
               "Rendering login.html with tv=%s" % template_vars,
               level="debug")
    return render_to_response('saml2idp/login.html', template_vars,
                              context_instance=RequestContext(request))
def _generate_response(request, processor):
    """
    Build the SAML response via ``processor`` and render it for the browser.

    Renders ``saml2idp/invalid_user.html`` when the processor raises
    ``exceptions.UserNotAuthorized``.  Otherwise resolves the destination
    service name for the ACS URL, consumes the ``saml-*`` cache entries
    stored under the ``saml_id`` query parameter (appending the cached
    return hint to the service name), records (or refreshes) the
    ``BrowserLogin`` row, writes the user log entry and renders
    ``saml2idp/login.html`` with the processor's template variables.
    """
    try:
        template_vars = processor.generate_response()
    except exceptions.UserNotAuthorized:
        custom_log(request, "Unauthorized to sign in", level="warn")
        return render_to_response('saml2idp/invalid_user.html',
                                  context_instance=RequestContext(request))

    acs_url = template_vars["acs_url"]
    return_url = get_destination_service(acs_url)

    # saml_id comes straight from the query string; it is only ever used to
    # form cache keys, and those keys are dropped once consumed.
    saml_id = request.GET.get("saml_id")
    if saml_id:
        cached_hint = dcache.get("saml-return-%s" % saml_id)
        if cached_hint:
            return_url = "%s - %s" % (return_url, cached_hint)
        stale_keys = [
            "saml-return-%s" % saml_id,
            "saml-SAMLRequest-%s" % saml_id,
            "saml-RelayState-%s" % saml_id,
        ]
        dcache.delete(stale_keys)

    # One BrowserLogin per (user, browser, provider, message, service) that
    # is still signed in; an existing row only gets its timestamp refreshed.
    lookup = dict(user=request.browser.user,
                  browser=request.browser,
                  sso_provider="saml2",
                  message=return_url,
                  signed_out=False,
                  remote_service=str(acs_url))
    try:
        browser_login, created = BrowserLogin.objects.get_or_create(
            defaults={"auth_timestamp": timezone.now()}, **lookup)
        if not created:
            browser_login.auth_timestamp = timezone.now()
            browser_login.save()
    except BrowserLogin.MultipleObjectsReturned:
        custom_log(request,
                   "Multiple BrowserLogin objects for user=%s, browser=%s, "
                   "sso_provider=saml2, remote_service=%s"
                   % (request.browser.user.username,
                      request.browser.bid_public,
                      acs_url),
                   level="error")

    signed_in_msg = "Signed in with SAML to %s" % return_url
    custom_log(request, signed_in_msg, level="info")
    add_user_log(request, signed_in_msg, "share-square-o")

    # NOTE(review): the whole template-variable dict is written to the debug
    # log here; if it carries the signed assertion, that lands in the logs
    # as well -- verify whether redaction is wanted.
    custom_log(request,
               "Rendering login.html with tv=%s" % template_vars,
               level="debug")

    return render_to_response('saml2idp/login.html', template_vars,
                              context_instance=RequestContext(request))
        if conf.AX_EXTENSION:
            add_ax_data(request, orequest, oresponse)
            custom_log(request, "Added AX data", level="debug")

    if (request.browser and request.browser.user and request.browser.is_authenticated() and request.user.is_authenticated()):
        # Add/update BrowserLogin object.
        msg = None
        if orequest.trust_root.startswith("https://online.planmill.com/futurice/"):
            msg = "Planmill (futurice)"
        (browser_login, _) = BrowserLogin.objects.get_or_create(user=request.browser.user, browser=request.browser, sso_provider="openid", signed_out=False, message=msg, remote_service=str(orequest.trust_root), defaults={"auth_timestamp": timezone.now()})
        browser_login.auth_timestamp = timezone.now()
        browser_login.save()

        # Add entry to user log
        if msg:
            add_user_log(request, "Signed in with OpenID to %s" % msg, "share-square-o")
        else:
            add_user_log(request, "Signed in with OpenID to %s" % orequest.trust_root, "share-square-o")
        custom_log(request, "Signed in with OpenID to %s" % orequest.trust_root, level="info")

    # Convert a webresponse from the OpenID library in to a Django HttpResponse
    webresponse = server.encodeResponse(oresponse)
    custom_log(request, "orequest.mode: %s" % orequest.mode, level="debug")
    custom_log(request, "webresponse.code: %s" % webresponse.code, level="debug")
    if webresponse.code == 200 and orequest.mode in BROWSER_REQUEST_MODES:
        response = render_to_response('openid_provider/response.html', {
            'body': webresponse.body,
        }, context_instance=RequestContext(request))
        custom_log(request, 'rendering browser response', level="debug")
    else:
        response = HttpResponse(webresponse.body)
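def _host_in_domain(hostname, domain):
    """
    Return True if ``hostname`` is ``domain`` itself or a subdomain of it.

    ``domain`` may be configured with a leading dot (".example.org", meaning
    "subdomains only") or without it ("example.org", meaning the apex and
    its subdomains).  The match is anchored at a label boundary: a plain
    suffix comparison would also accept unrelated hosts whose name merely
    ends with the same characters.  Comparison is case-insensitive; an
    empty ``domain`` never matches.
    """
    hostname = hostname.lower().rstrip(".")
    domain = domain.lower()
    if not domain.strip("."):
        return False
    if domain.startswith("."):
        return hostname.endswith(domain)
    return hostname == domain or hostname.endswith("." + domain)


def pubtkt(request):
    """
    pubtkt login: issue an ``auth_pubtkt`` cookie and send the user back.

    Flow:
      * no ``request.browser`` yet -> redirect to first-step authentication;
      * ``unauth`` flag, missing or invalid ``back`` URL -> render
        ``login_frontend/pubtkt_error.html`` with the reason in ``ret``;
      * browser authenticated at ``Browser.L_STRONG`` or above -> create the
        ticket, queue the cookie, record the ``UserService`` and
        ``BrowserLogin`` rows and render ``login_frontend/html_redirect.html``
        with the cookie set;
      * otherwise -> redirect to first-step authentication.
    """
    def is_valid_back_url(back_url):
        """
        Validate the ``back`` query parameter.

        Returns ``True`` when the URL is acceptable, ``None`` for a missing or
        empty URL, and a short reason string ("wrong_protocol", "no_hostname"
        or "invalid_domain") otherwise.  Only https URLs whose hostname is one
        of ``settings.PUBTKT_ALLOWED_DOMAINS`` or a subdomain of it pass.
        """
        if not back_url:
            return
        parsed_url = urlparse(back_url)
        if parsed_url.scheme != "https":
            return "wrong_protocol"
        hostname = parsed_url.hostname
        if not hostname:
            return "no_hostname"
        if not any(_host_in_domain(hostname, domain)
                   for domain in settings.PUBTKT_ALLOWED_DOMAINS):
            return "invalid_domain"
        return True

    # NOTE(review): this writes every cookie the browser sent (session
    # cookies included) to the log at the default level -- verify that the
    # log retention policy allows that, or trim the message.
    custom_log(request,
               "pubtkt provider initialized. Cookies: %s" % request.COOKIES)

    ret = {}
    cookies = []

    # The original query string is carried through the first-step redirect
    # so the user lands back here afterwards.
    params = request.GET.dict()
    params["_sso"] = "pubtkt"
    ret["get_params"] = urllib.urlencode(params)

    browser = request.browser
    if browser is None:
        custom_log(
            request,
            "pubtkt: Browser is not set. Redirect to first step authentication"
        )
        return redirect_with_get_params(
            "login_frontend.authentication_views.firststepauth", params)

    show_error_page = False

    back_url = request.GET.get("back")
    custom_log(request, "Requested back_url=%s" % back_url, level="info")
    back_url_status = is_valid_back_url(back_url)
    if "unauth" in request.GET:
        ret["unauth"] = True
        ret["back_url"] = back_url
        show_error_page = True
        custom_log(request,
                   "pubtkt: User is not authorized to access %s" % back_url,
                   level="info")
    elif back_url is None:
        # No back url is defined. Show error page.
        show_error_page = True
        ret["back_url_not_defined"] = True
        custom_log(request, "pubtkt: back url is not defined", level="info")
    elif back_url_status is not True:
        # Anything but the True sentinel is a rejection (reason string, or
        # None for an empty ``back``).
        show_error_page = True
        ret["invalid_back_url"] = True
        ret["invalid_back_url_reason"] = back_url_status
        ret["back_url"] = back_url
        custom_log(request,
                   "pubtkt: back url is invalid: %s" % back_url_status,
                   level="info")

    if show_error_page:
        return render_to_response("login_frontend/pubtkt_error.html",
                                  ret,
                                  context_instance=RequestContext(request))

    # TODO: static auth level
    if browser.get_auth_level() >= Browser.L_STRONG:
        # TODO: ticket expiration time
        expiration_in_seconds = 3600 * 9
        valid_until = int(time.time() + expiration_in_seconds)
        tokens = json.loads(browser.user.user_tokens)
        ticket = auth_pubtkt.create_ticket(privkey,
                                           browser.user.username,
                                           valid_until,
                                           tokens=tokens)
        # Secure + HttpOnly: the ticket travels only over TLS and is not
        # readable from page scripts.
        cookies.append(("auth_pubtkt", {
            "value": urllib.quote(ticket),
            "secure": True,
            "httponly": True,
            "domain": ".futurice.com"
        }))
        ret["back_url"] = back_url
        # Static assets are not counted as a service the user visited.
        if not back_url.endswith((".jpg", ".png", ".js", ".json")):
            (obj, created) = UserService.objects.get_or_create(
                user=browser.user,
                service_url=back_url,
                defaults={"access_count": 1})
            if not created:
                obj.access_count += 1
                obj.save()
        response = render_to_response("login_frontend/html_redirect.html",
                                      ret,
                                      context_instance=RequestContext(request))

        # Add/update BrowserLogin
        d_valid_until = timezone.now() + datetime.timedelta(
            seconds=expiration_in_seconds)
        try:
            (browser_login,
             _) = BrowserLogin.objects.get_or_create(user=browser.user,
                                                     browser=browser,
                                                     sso_provider="pubtkt",
                                                     signed_out=False,
                                                     defaults={
                                                         "auth_timestamp":
                                                         timezone.now(),
                                                         "expires_at":
                                                         d_valid_until,
                                                         "remote_service":
                                                         back_url
                                                     })
            browser_login.auth_timestamp = timezone.now()
            browser_login.expires_at = d_valid_until
            browser_login.save()
        except Exception as exc:
            # Best effort: a bookkeeping failure must not block the login,
            # but it should be visible in the logs rather than swallowed.
            custom_log(request,
                       "pubtkt: failed to update BrowserLogin: %r" % exc,
                       level="error")

        add_user_log(request, "Granted pubtkt access (%s)" % back_url,
                     "share-square-o")

        # Set cookies
        for cookie_name, cookie in cookies:
            custom_log(request,
                       "pubtkt: Setting cookie: %s=%s" % (cookie_name, cookie),
                       level="debug")
            response.set_cookie(cookie_name, **cookie)
        custom_log(request,
                   "pubtkt: redirecting back to %s with html redirect"
                   % back_url,
                   level="info")
        return response

    custom_log(
        request,
        "pubtkt: additional authentication is required. Redirect to first step authentication"
    )
    return redirect_with_get_params(
        "login_frontend.authentication_views.firststepauth", params)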
        if conf.AX_EXTENSION:
            add_ax_data(request, orequest, oresponse)
            custom_log(request, "Added AX data", level="debug")

    if (request.browser and request.browser.user and request.browser.is_authenticated() and request.user.is_authenticated()):
        # Add/update BrowserLogin object.
        msg = None
        if orequest.trust_root.startswith("https://online.planmill.com/futurice/"):
            msg = "Planmill (futurice)"
        (browser_login, _) = BrowserLogin.objects.get_or_create(user=request.browser.user, browser=request.browser, sso_provider="openid", signed_out=False, message=msg, remote_service=str(orequest.trust_root), defaults={"auth_timestamp": timezone.now()})
        browser_login.auth_timestamp = timezone.now()
        browser_login.save()

        # Add entry to user log
        if msg:
            add_user_log(request, "Signed in with OpenID to %s" % msg, "share-square-o")
        else:
            add_user_log(request, "Signed in with OpenID to %s" % orequest.trust_root, "share-square-o")
        custom_log(request, "Signed in with OpenID to %s" % orequest.trust_root, level="info")

    # Convert a webresponse from the OpenID library in to a Django HttpResponse
    webresponse = server.encodeResponse(oresponse)
    custom_log(request, "orequest.mode: %s" % orequest.mode, level="debug")
    custom_log(request, "webresponse.code: %s" % webresponse.code, level="debug")
    if webresponse.code == 200 and orequest.mode in BROWSER_REQUEST_MODES:
        response = render_to_response('openid_provider/response.html', {
            'body': webresponse.body,
        }, context_instance=RequestContext(request))
        custom_log(request, 'rendering browser response', level="debug")
    else:
        response = HttpResponse(webresponse.body)
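def _host_in_domain(hostname, domain):
    """
    Return True if ``hostname`` is ``domain`` itself or a subdomain of it.

    ``domain`` may be configured with a leading dot (".example.org", meaning
    "subdomains only") or without it ("example.org", meaning the apex and
    its subdomains).  The match is anchored at a label boundary: a plain
    suffix comparison would also accept unrelated hosts whose name merely
    ends with the same characters.  Comparison is case-insensitive; an
    empty ``domain`` never matches.
    """
    hostname = hostname.lower().rstrip(".")
    domain = domain.lower()
    if not domain.strip("."):
        return False
    if domain.startswith("."):
        return hostname.endswith(domain)
    return hostname == domain or hostname.endswith("." + domain)


def pubtkt(request):
    """
    pubtkt login: issue an ``auth_pubtkt`` cookie and send the user back.

    Flow:
      * no ``request.browser`` yet -> redirect to first-step authentication;
      * ``unauth`` flag, missing or invalid ``back`` URL -> render
        ``login_frontend/pubtkt_error.html`` with the reason in ``ret``;
      * browser authenticated at ``Browser.L_STRONG`` or above -> create the
        ticket, queue the cookie, record the ``UserService`` and
        ``BrowserLogin`` rows and render ``login_frontend/html_redirect.html``
        with the cookie set;
      * otherwise -> redirect to first-step authentication.
    """
    def is_valid_back_url(back_url):
        """
        Validate the ``back`` query parameter.

        Returns ``True`` when the URL is acceptable, ``None`` for a missing or
        empty URL, and a short reason string ("wrong_protocol", "no_hostname"
        or "invalid_domain") otherwise.  Only https URLs whose hostname is one
        of ``settings.PUBTKT_ALLOWED_DOMAINS`` or a subdomain of it pass.
        """
        if not back_url:
            return
        parsed_url = urlparse(back_url)
        if parsed_url.scheme != "https":
            return "wrong_protocol"
        hostname = parsed_url.hostname
        if not hostname:
            return "no_hostname"
        allowed = settings.PUBTKT_ALLOWED_DOMAINS
        if not any(_host_in_domain(hostname, domain) for domain in allowed):
            return "invalid_domain"
        return True

    # NOTE(review): this writes every cookie the browser sent (session
    # cookies included) to the log at the default level -- verify that the
    # log retention policy allows that, or trim the message.
    custom_log(request, "pubtkt provider initialized. Cookies: %s" % request.COOKIES)

    ret = {}
    cookies = []

    # The original query string is carried through the first-step redirect
    # so the user lands back here afterwards.
    params = request.GET.dict()
    params["_sso"] = "pubtkt"
    ret["get_params"] = urllib.urlencode(params)

    browser = request.browser
    if browser is None:
        custom_log(request, "pubtkt: Browser is not set. Redirect to first step authentication")
        return redirect_with_get_params("login_frontend.authentication_views.firststepauth", params)

    show_error_page = False

    back_url = request.GET.get("back")
    custom_log(request, "Requested back_url=%s" % back_url, level="info")
    back_url_status = is_valid_back_url(back_url)
    if "unauth" in request.GET:
        ret["unauth"] = True
        ret["back_url"] = back_url
        show_error_page = True
        custom_log(request, "pubtkt: User is not authorized to access %s" % back_url, level="info")
    elif back_url is None:
        # No back url is defined. Show error page.
        show_error_page = True
        ret["back_url_not_defined"] = True
        custom_log(request, "pubtkt: back url is not defined", level="info")
    elif back_url_status is not True:
        # Anything but the True sentinel is a rejection (reason string, or
        # None for an empty ``back``).
        show_error_page = True
        ret["invalid_back_url"] = True
        ret["invalid_back_url_reason"] = back_url_status
        ret["back_url"] = back_url
        custom_log(request, "pubtkt: back url is invalid: %s" % back_url_status, level="info")

    if show_error_page:
        return render_to_response("login_frontend/pubtkt_error.html", ret, context_instance=RequestContext(request))

    # TODO: static auth level
    if browser.get_auth_level() >= Browser.L_STRONG:
        # TODO: ticket expiration time
        expiration_in_seconds = 3600 * 9
        valid_until = int(time.time() + expiration_in_seconds)
        tokens = json.loads(browser.user.user_tokens)
        ticket = auth_pubtkt.create_ticket(privkey, browser.user.username, valid_until, tokens=tokens)
        # Secure + HttpOnly: the ticket travels only over TLS and is not
        # readable from page scripts.
        cookies.append(("auth_pubtkt", {"value": urllib.quote(ticket), "secure": True, "httponly": True, "domain": ".futurice.com"}))
        ret["back_url"] = back_url
        # Static assets are not counted as a service the user visited.
        if not back_url.endswith((".jpg", ".png", ".js", ".json")):
            (obj, created) = UserService.objects.get_or_create(user=browser.user, service_url=back_url, defaults={"access_count": 1})
            if not created:
                obj.access_count += 1
                obj.save()
        response = render_to_response("login_frontend/html_redirect.html", ret, context_instance=RequestContext(request))

        # Add/update BrowserLogin
        d_valid_until = timezone.now() + datetime.timedelta(seconds=expiration_in_seconds)
        try:
            (browser_login, _) = BrowserLogin.objects.get_or_create(user=browser.user, browser=browser, sso_provider="pubtkt", signed_out=False, defaults={"auth_timestamp": timezone.now(), "expires_at": d_valid_until, "remote_service": back_url})
            browser_login.auth_timestamp = timezone.now()
            browser_login.expires_at = d_valid_until
            browser_login.save()
        except Exception as exc:
            # Best effort: a bookkeeping failure must not block the login,
            # but it should be visible in the logs rather than swallowed.
            custom_log(request, "pubtkt: failed to update BrowserLogin: %r" % exc, level="error")

        add_user_log(request, "Granted pubtkt access (%s)" % back_url, "share-square-o")

        # Set cookies
        for cookie_name, cookie in cookies:
            custom_log(request, "pubtkt: Setting cookie: %s=%s" % (cookie_name, cookie), level="debug")
            response.set_cookie(cookie_name, **cookie)
        custom_log(request, "pubtkt: redirecting back to %s with html redirect" % back_url, level="info")
        return response

    custom_log(request, "pubtkt: additional authentication is required. Redirect to first step authentication")
    return redirect_with_get_params("login_frontend.authentication_views.firststepauth", params)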