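def get(self, request, username):
    """
    Create a new token in the database on behalf of 'username' (emulation).

    Only the 'admin' account or a superuser may do this; any other caller
    is logged as a security event and rejected.

    Returns 201 Created with a JSON body holding the new token key, the
    target username, the expiry timestamp and 'emulated_by' (the caller).
    Returns 400 when no username is given, 401 when the caller may not
    emulate, 404 when 'username' is not an AtmosphereUser.
    """
    user = request.user
    if not username:
        return Response("Username was not provided",
                        status=status.HTTP_400_BAD_REQUEST)
    # The original used `is not 'admin'`, an identity test that is
    # (practically) always true for a string loaded from the database, so
    # at runtime only `is_superuser` ever granted access.  `!=` implements
    # the documented rule.  Granting a privilege by account *name* is a weak
    # control; prefer the superuser flag where possible.
    if user.username != 'admin' and not user.is_superuser:
        # Record the target as well as the caller so the event is auditable.
        logger.error("URGENT! User: %s is attempting to emulate user %s!",
                     user.username, username)
        # 401 kept for API compatibility; 403 Forbidden would describe an
        # authenticated-but-unauthorized caller more accurately.
        return Response('Only admin and superusers can emulate accounts. '
                        'This offense has been reported',
                        status=status.HTTP_401_UNAUTHORIZED)
    if not AtmosphereUser.objects.filter(username=username).exists():
        return Response("Username %s does not exist as an AtmosphereUser"
                        % username, status=status.HTTP_404_NOT_FOUND)
    # Caller is authorized and the target exists: mint a token for them.
    token = createAuthToken(username)
    expire_time = token.issuedTime + secrets.TOKEN_EXPIRY_TIME
    auth_json = {
        # Extra data passed only on emulation.
        'emulated_by': user.username,
        # Normal token data.
        'token': token.key,
        'username': token.user.username,
        'expires': expire_time.strftime("%b %d, %Y %H:%M:%S"),
    }
    return Response(auth_json, status=status.HTTP_201_CREATED)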
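def get(self, request, username):
    """
    Create a new token in the database on behalf of 'username' (emulation).

    Only the 'admin' account or a superuser may do this; any other caller
    is logged as a security event and rejected.

    Returns 201 Created with a JSON body holding the new token key, the
    target username, the expiry timestamp and 'emulated_by' (the caller).
    Returns 400 when no username is given, 401 when the caller may not
    emulate, 404 when 'username' is not an AtmosphereUser.
    """
    user = request.user
    if not username:
        return Response("Username was not provided",
                        status=status.HTTP_400_BAD_REQUEST)
    # `is not 'admin'` (the original) is an identity comparison that is
    # practically always true for a string read from the database, so at
    # runtime only `is_superuser` ever granted access.  `!=` implements the
    # documented rule.  Name-based privilege is a weak control; prefer the
    # superuser flag where possible.
    if user.username != 'admin' and not user.is_superuser:
        # Log caller and target so the event is useful for investigation.
        logger.error("URGENT! User: %s is attempting to emulate user %s!",
                     user.username, username)
        # 401 kept for API compatibility; 403 Forbidden would be the more
        # accurate status for an authenticated-but-unauthorized caller.
        return Response(
            'Only admin and superusers can emulate accounts. '
            'This offense has been reported',
            status=status.HTTP_401_UNAUTHORIZED)
    if not AtmosphereUser.objects.filter(username=username).exists():
        return Response("Username %s does not exist as an AtmosphereUser"
                        % username, status=status.HTTP_404_NOT_FOUND)
    # Caller is authorized and the target exists: mint a token for them.
    token = createAuthToken(username)
    expire_time = token.issuedTime + secrets.TOKEN_EXPIRY_TIME
    auth_json = {
        # Extra data passed only on emulation.
        'emulated_by': user.username,
        # Normal token data.
        'token': token.key,
        'username': token.user.username,
        'expires': expire_time.strftime("%b %d, %Y %H:%M:%S"),
    }
    return Response(auth_json, status=status.HTTP_201_CREATED)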
def _token_for_username(self, username):
    """
    Mint a new auth token for 'username' and return it in a 201 response.

    The JSON body holds the token key, the token owner's username and the
    expiry time (issue time plus secrets.TOKEN_EXPIRY_TIME).
    """
    fresh = createAuthToken(username)
    expires_at = fresh.issuedTime + secrets.TOKEN_EXPIRY_TIME
    payload = dict(
        token=fresh.key,
        username=fresh.user.username,
        expires=expires_at.strftime("%b %d, %Y %H:%M:%S"),
    )
    return Response(payload, status=status.HTTP_201_CREATED)
def _token_for_username(self, username):
    """
    Create an auth token for 'username' and answer 201 Created.

    Response body: {'token', 'username', 'expires'}, where 'expires' is
    issue time + secrets.TOKEN_EXPIRY_TIME formatted like "Jan 02, 2006 15:04:05".
    """
    issued = createAuthToken(username)
    body = {}
    body['token'] = issued.key
    body['username'] = issued.user.username
    body['expires'] = (issued.issuedTime
                       + secrets.TOKEN_EXPIRY_TIME).strftime("%b %d, %Y %H:%M:%S")
    return Response(body, status=status.HTTP_201_CREATED)
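def get(self, request):
    """
    Return the calling user's AuthToken, serialized, with 200 OK.

    Unauthenticated callers get 403.  If the session token is expired --
    or no session token can be found -- a fresh one is created first.
    """
    user = request.user
    if not user.is_authenticated():
        return Response("Logged-in User or POST required to retrieve AuthToken",
                        status=status.HTTP_403_FORBIDDEN)
    token = lookupSessionToken(request)
    # Sanity check: an authenticated user is expected to hold a token, but
    # guard against a missing one as well as an expired one so we never
    # call is_expired() on None.
    if token is None or token.is_expired():
        token = createAuthToken(user.username)
    serialized_data = TokenSerializer(token).data
    return Response(serialized_data, status=status.HTTP_200_OK)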
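def get(self, request):
    """
    Return the calling user's AuthToken, serialized, with 200 OK.

    Unauthenticated callers get 403.  If the session token is expired --
    or no session token can be found -- a fresh one is created first.
    """
    user = request.user
    if not user.is_authenticated():
        return Response("Logged-in User or POST required "
                        "to retrieve AuthToken",
                        status=status.HTTP_403_FORBIDDEN)
    token = lookupSessionToken(request)
    # Sanity check: an authenticated user is expected to hold a token, but
    # guard against a missing one as well as an expired one so we never
    # call is_expired() on None.
    if token is None or token.is_expired():
        token = createAuthToken(user.username)
    serialized_data = TokenSerializer(token).data
    return Response(serialized_data, status=status.HTTP_200_OK)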
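def saml_validateTicket(request):
    """
    Validate a CAS ticket via SAML and hand the browser back to the caller.

    Expects two GET parameters: 'ticket' and 'sendback'.
    * No ticket, a ticket the SAML client rejects, or a failure to create
      an AuthToken -> redirect to the login page.
    * Ticket valid but no matching User -> redirect to the no-user page.
    * Success -> a session token is created; with no 'sendback' the raw
      SAML response is returned as XML, otherwise the browser is redirected
      to 'sendback' with the auth token appended as a 'token' query param.

    Because the token is placed in the redirect URL, 'sendback' is only
    honoured when it is a relative path or points at the host of
    settings.REDIRECT_URL; an off-site value would hand the freshly minted
    token to that host.
    """
    try:
        from urllib.parse import urlparse
    except ImportError:  # Python 2
        from urlparse import urlparse

    redirect_logout_url = settings.REDIRECT_URL + "/login/"
    no_user_url = settings.REDIRECT_URL + "/no_user/"
    logger.debug('GET Variables:%s' % request.GET)
    ticket = request.GET.get('ticket', None)
    sendback = request.GET.get('sendback', None)
    if not ticket:
        logger.info("No Ticket received in GET string "
                    "-- Logout user: %s" % redirect_logout_url)
        return HttpResponseRedirect(redirect_logout_url)
    if sendback:
        # Open-redirect guard, checked before the ticket is consumed.
        # Backslashes are folded to '/' because browsers treat them alike.
        # If REDIRECT_URL is a bare path, local_host is '' and only relative
        # values pass (fail closed).  Django's is_safe_url /
        # url_has_allowed_host_and_scheme is the canonical check if available.
        cleaned = sendback.replace('\\', '/')
        parsed = urlparse(cleaned)
        local_host = urlparse(settings.REDIRECT_URL).netloc
        off_site = (cleaned.startswith('///')
                    or parsed.scheme not in ('', 'http', 'https')
                    or (parsed.scheme and not parsed.netloc)
                    or (parsed.netloc and parsed.netloc != local_host))
        if off_site:
            logger.error("Refusing to redirect to untrusted sendback:%s"
                         % sendback)
            return HttpResponseRedirect(redirect_logout_url)
    logger.debug("ServiceValidate endpoint includes a ticket."
                 " Ticket must now be validated with SAML")
    # ReturnLocation set, apply on successful authentication
    saml_client = get_saml_client()
    saml_response = saml_client.saml_serviceValidate(ticket)
    if not saml_response.success:
        logger.debug("CAS Server did NOT validate ticket:%s"
                     " and included this response:%s"
                     % (ticket, saml_response.xml))
        return HttpResponseRedirect(redirect_logout_url)
    try:
        auth_token = createAuthToken(saml_response.user)
    except User.DoesNotExist:
        return HttpResponseRedirect(no_user_url)
    if auth_token is None:
        logger.info("Failed to create AuthToken")
        # The original built this redirect but never returned it, so it
        # fell through and created a session around a None token.
        return HttpResponseRedirect(redirect_logout_url)
    createSessionToken(request, auth_token)
    if not sendback:
        return HttpResponse(saml_response.response,
                            content_type="text/xml; charset=utf-8")
    # Log the destination *before* the token is appended so the token never
    # reaches the log.
    logger.info("Session token created, return to: %s" % sendback)
    # Use '&' when 'sendback' already carries a query string.
    separator = '&' if '?' in sendback else '?'
    return_to = "%s%stoken=%s" % (sendback, separator, auth_token)
    return HttpResponseRedirect(return_to)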
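def saml_validateTicket(request):
    """
    Validate a CAS ticket via SAML and hand the browser back to the caller.

    Expects two GET parameters: 'ticket' and 'sendback'.
    * No ticket, a ticket the SAML client rejects, or a failure to create
      an AuthToken -> redirect to the login page.
    * Ticket valid but no matching User -> redirect to the no-user page.
    * Success -> a session token is created; with no 'sendback' the raw
      SAML response is returned as XML, otherwise the browser is redirected
      to 'sendback' with the auth token appended as a 'token' query param.

    Because the token is placed in the redirect URL, 'sendback' is only
    honoured when it is a relative path or points at the host of
    settings.REDIRECT_URL; an off-site value would hand the freshly minted
    token to that host.
    """
    try:
        from urllib.parse import urlparse
    except ImportError:  # Python 2
        from urlparse import urlparse

    redirect_logout_url = settings.REDIRECT_URL + "/login/"
    no_user_url = settings.REDIRECT_URL + "/no_user/"
    logger.debug('GET Variables:%s' % request.GET)
    ticket = request.GET.get('ticket', None)
    sendback = request.GET.get('sendback', None)
    if not ticket:
        logger.info("No Ticket received in GET string "
                    "-- Logout user: %s" % redirect_logout_url)
        return HttpResponseRedirect(redirect_logout_url)
    if sendback:
        # Open-redirect guard, checked before the ticket is consumed.
        # Backslashes are folded to '/' because browsers treat them alike.
        # If REDIRECT_URL is a bare path, local_host is '' and only relative
        # values pass (fail closed).  Django's is_safe_url /
        # url_has_allowed_host_and_scheme is the canonical check if available.
        cleaned = sendback.replace('\\', '/')
        parsed = urlparse(cleaned)
        local_host = urlparse(settings.REDIRECT_URL).netloc
        off_site = (cleaned.startswith('///')
                    or parsed.scheme not in ('', 'http', 'https')
                    or (parsed.scheme and not parsed.netloc)
                    or (parsed.netloc and parsed.netloc != local_host))
        if off_site:
            logger.error("Refusing to redirect to untrusted sendback:%s"
                         % sendback)
            return HttpResponseRedirect(redirect_logout_url)
    logger.debug("ServiceValidate endpoint includes a ticket."
                 " Ticket must now be validated with SAML")
    # ReturnLocation set, apply on successful authentication
    saml_client = get_saml_client()
    saml_response = saml_client.saml_serviceValidate(ticket)
    if not saml_response.success:
        logger.debug("CAS Server did NOT validate ticket:%s"
                     " and included this response:%s"
                     % (ticket, saml_response.xml))
        return HttpResponseRedirect(redirect_logout_url)
    try:
        auth_token = createAuthToken(saml_response.user)
    except User.DoesNotExist:
        return HttpResponseRedirect(no_user_url)
    if auth_token is None:
        logger.info("Failed to create AuthToken")
        # The original built this redirect but never returned it, so it
        # fell through and created a session around a None token.
        return HttpResponseRedirect(redirect_logout_url)
    createSessionToken(request, auth_token)
    if not sendback:
        return HttpResponse(saml_response.response,
                            content_type="text/xml; charset=utf-8")
    # Log the destination *before* the token is appended so the token never
    # reaches the log.
    logger.info("Session token created, return to: %s" % sendback)
    # Use '&' when 'sendback' already carries a query string.
    separator = '&' if '?' in sendback else '?'
    return_to = "%s%stoken=%s" % (sendback, separator, auth_token)
    return HttpResponseRedirect(return_to)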
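def token_auth(request):
    """
    VERSION 2 AUTH

    Authentication is based on the POST parameters:
      * username (required; falls back to the session's 'username' for
        callers already authenticated through CAS)
      * password (optional; when present the pair is checked against LDAP)

    NOTE: This authentication is SEPARATE from django model authentication.
    Use this to give out tokens to access the API.

    Responses:
      * LDAP success            -> 201, JSON {token, username, expires}
      * LDAP failure            -> 401 "LDAP login failed"
      * no username at all      -> redirect to CAS login (back to /auth/)
      * CAS proxy success       -> 200, JSON {token, username, expires}
      * CAS proxy failure       -> 401 "CAS Login Failure"
    """
    logger.info('Request to auth')
    # Logs the request object's repr -- assumed not to include the POST
    # body (and so not the password); confirm before raising the log level.
    logger.info(request)
    # The original also read a client-supplied POST 'token' and, if present,
    # treated that *string* as a Token object (reading .issuedTime/.key).
    # A token handed in by the client must never be echoed back as if it
    # had been validated, so that path is gone.
    username = request.POST.get('username', None)
    # CAS-authenticated users already carry a username in the session
    # and need not pass any parameters.
    if not username:
        username = request.session.get('username', None)
    password = request.POST.get('password', None)
    # LDAP: authenticate the supplied credentials.
    if username and password:
        if ldap_validate(username, password):
            logger.info("LDAP User %s validated. Creating auth token"
                        % username)
            return _token_response(createAuthToken(username),
                                   status.HTTP_201_CREATED)
        logger.debug("[LDAP] Failed to validate %s" % username)
        return HttpResponse("LDAP login failed", status=401)
    # Nothing can be validated without a username: send the caller to CAS.
    if not username:
        return cas_loginRedirect(request, '/auth/')
    # CAS Authenticate by Proxy (password not necessary).
    # NOTE(review): the username alone selects the account here; this relies
    # on cas_validateUser() actually verifying the stored proxy ticket for
    # that user -- confirm it cannot succeed for an arbitrary username.
    if cas_validateUser(username):
        logger.info("CAS User %s validated. Creating auth token" % username)
        return _token_response(createAuthToken(username))
    logger.debug("[CAS] Failed to validate - %s" % username)
    return HttpResponse("CAS Login Failure", status=401)


def _token_response(token, status_code=None):
    """
    Serialize 'token' as the auth JSON document inside an HttpResponse.

    'status_code' is passed through to HttpResponse; None keeps the default.
    The body is {'token', 'username', 'expires'} where 'expires' is the
    issue time plus secrets.TOKEN_EXPIRY_TIME.
    """
    expire_time = token.issuedTime + secrets.TOKEN_EXPIRY_TIME
    auth_json = {
        'token': token.key,
        'username': token.user.username,
        'expires': expire_time.strftime("%b %d, %Y %H:%M:%S"),
    }
    return HttpResponse(content=json.dumps(auth_json),
                        status=status_code,
                        content_type='application/json')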
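def cas_validateTicket(request):
    """
    Validate a CAS service ticket and redirect the browser to 'sendback'.

    Expects two GET parameters: 'ticket' and 'sendback'.
    Failure paths (missing ticket or sendback, CAS rejects the ticket, no
    user or no proxy-granting ticket in the response, proxy update fails,
    AuthToken could not be created) redirect to the login page; a valid
    ticket for a name with no User record redirects to the no-user page.
    On success a session token is created and the browser is sent to
    'sendback'.

    'sendback' is required and is only honoured when it is a relative path
    or points at the host of settings.REDIRECT_URL, so this endpoint cannot
    serve as an open redirect for a freshly logged-in session.
    """
    try:
        from urllib.parse import urlparse
    except ImportError:  # Python 2
        from urlparse import urlparse

    redirect_logout_url = settings.REDIRECT_URL + "/login/"
    no_user_url = settings.REDIRECT_URL + "/no_user/"
    logger.debug("GET Variables:%s" % request.GET)
    ticket = request.GET.get("ticket", None)
    sendback = request.GET.get("sendback", None)
    if not ticket:
        logger.info("No Ticket received in GET string "
                    "-- Logout user: %s" % redirect_logout_url)
        return HttpResponseRedirect(redirect_logout_url)
    # The original read request.GET["sendback"] only at the very end, so a
    # missing value raised *after* the session had been created.  Reject a
    # missing or off-site value before the ticket is consumed.
    if not sendback:
        logger.info("No sendback received in GET string "
                    "-- Logout user: %s" % redirect_logout_url)
        return HttpResponseRedirect(redirect_logout_url)
    # Backslashes are folded to '/' because browsers treat them alike.
    # If REDIRECT_URL is a bare path, local_host is '' and only relative
    # values pass (fail closed).  Django's is_safe_url /
    # url_has_allowed_host_and_scheme is the canonical check if available.
    cleaned = sendback.replace('\\', '/')
    parsed = urlparse(cleaned)
    local_host = urlparse(settings.REDIRECT_URL).netloc
    off_site = (cleaned.startswith('///')
                or parsed.scheme not in ('', 'http', 'https')
                or (parsed.scheme and not parsed.netloc)
                or (parsed.netloc and parsed.netloc != local_host))
    if off_site:
        logger.error("Refusing to redirect to untrusted sendback:%s" % sendback)
        return HttpResponseRedirect(redirect_logout_url)
    logger.debug("ServiceValidate endpoint includes a ticket."
                 " Ticket must now be validated with CAS")
    # ReturnLocation set, apply on successful authentication
    caslib = get_cas_client()
    caslib.service_url = _set_redirect_url(sendback, request)
    cas_response = caslib.cas_serviceValidate(ticket)
    if not cas_response.success:
        logger.debug(
            "CAS Server did NOT validate ticket:%s"
            " and included this response:%s"
            % (ticket, cas_response.object)
        )
        return HttpResponseRedirect(redirect_logout_url)
    if not cas_response.user:
        logger.debug("User attribute missing from cas response!"
                     "This may require a fix to caslib.py")
        return HttpResponseRedirect(redirect_logout_url)
    if not cas_response.proxy_granting_ticket:
        logger.error(
            """Proxy Granting Ticket missing!
            Atmosphere requires CAS proxy as a service to authenticate users.
            Possible Causes:
              * ServerName variable is wrong in /etc/apache2/apache2.conf
              * Proxy URL does not exist
              * Proxy URL is not a valid RSA-2/VeriSigned SSL certificate
              * /etc/host and hostname do not match machine."""
        )
        return HttpResponseRedirect(redirect_logout_url)
    updated = updateUserProxy(cas_response.user,
                              cas_response.proxy_granting_ticket)
    if not updated:
        return HttpResponseRedirect(redirect_logout_url)
    logger.info("Updated proxy for <%s> -- Auth success!" % cas_response.user)
    try:
        auth_token = createAuthToken(cas_response.user)
    except User.DoesNotExist:
        return HttpResponseRedirect(no_user_url)
    if auth_token is None:
        logger.info("Failed to create AuthToken")
        # The original built this redirect but never returned it, so it
        # fell through and created a session around a None token.
        return HttpResponseRedirect(redirect_logout_url)
    createSessionToken(request, auth_token)
    logger.info("Session token created, return to: %s" % sendback)
    return HttpResponseRedirect(sendback)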
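def cas_validateTicket(request):
    """
    Validate a CAS service ticket and redirect the browser to 'sendback'.

    Expects two GET parameters: 'ticket' and 'sendback'.
    Failure paths (missing ticket or sendback, CAS rejects the ticket, no
    user or no proxy-granting ticket IOU in the response, proxy update
    fails, AuthToken could not be created) redirect to the login page; a
    valid ticket for a name with no User record redirects to the no-user
    page.  On success a session token is created and the browser is sent
    to 'sendback'.

    'sendback' is required and is only honoured when it is a relative path
    or points at the host of settings.REDIRECT_URL, so this endpoint cannot
    serve as an open redirect for a freshly logged-in session.
    """
    try:
        from urllib.parse import urlparse
    except ImportError:  # Python 2
        from urlparse import urlparse

    redirect_logout_url = settings.REDIRECT_URL + "/login/"
    no_user_url = settings.REDIRECT_URL + "/no_user/"
    logger.debug('GET Variables:%s' % request.GET)
    ticket = request.GET.get('ticket', None)
    sendback = request.GET.get('sendback', None)
    if not ticket:
        logger.info("No Ticket received in GET string "
                    "-- Logout user: %s" % redirect_logout_url)
        return HttpResponseRedirect(redirect_logout_url)
    # The original read request.GET['sendback'] only at the very end, so a
    # missing value raised *after* the session had been created.  Reject a
    # missing or off-site value before the ticket is consumed.
    if not sendback:
        logger.info("No sendback received in GET string "
                    "-- Logout user: %s" % redirect_logout_url)
        return HttpResponseRedirect(redirect_logout_url)
    # Backslashes are folded to '/' because browsers treat them alike.
    # If REDIRECT_URL is a bare path, local_host is '' and only relative
    # values pass (fail closed).  Django's is_safe_url /
    # url_has_allowed_host_and_scheme is the canonical check if available.
    cleaned = sendback.replace('\\', '/')
    parsed = urlparse(cleaned)
    local_host = urlparse(settings.REDIRECT_URL).netloc
    off_site = (cleaned.startswith('///')
                or parsed.scheme not in ('', 'http', 'https')
                or (parsed.scheme and not parsed.netloc)
                or (parsed.netloc and parsed.netloc != local_host))
    if off_site:
        logger.error("Refusing to redirect to untrusted sendback:%s" % sendback)
        return HttpResponseRedirect(redirect_logout_url)
    logger.debug("ServiceValidate endpoint includes a ticket."
                 " Ticket must now be validated with CAS")
    # ReturnLocation set, apply on successful authentication
    cas_setReturnLocation(sendback)
    cas_response = caslib.cas_serviceValidate(ticket)
    if not cas_response.success:
        logger.debug("CAS Server did NOT validate ticket:%s"
                     " and included this response:%s"
                     % (ticket, cas_response))
        return HttpResponseRedirect(redirect_logout_url)
    (user, pgtIou) = parse_cas_response(cas_response)
    if not user:
        logger.debug("User attribute missing from cas response!"
                     "This may require a fix to caslib.py")
        return HttpResponseRedirect(redirect_logout_url)
    if not pgtIou or pgtIou == "":
        logger.error("""Proxy Granting Ticket missing!
            Atmosphere requires CAS proxy as a service to authenticate users.
            Possible Causes:
              * ServerName variable is wrong in /etc/apache2/apache2.conf
              * Proxy URL does not exist
              * Proxy URL is not a valid RSA-2/VeriSigned SSL certificate
              * /etc/host and hostname do not match machine.""")
        return HttpResponseRedirect(redirect_logout_url)
    updated = updateUserProxy(user, pgtIou)
    if not updated:
        return HttpResponseRedirect(redirect_logout_url)
    logger.info("Updated proxy for <%s> -- Auth success!" % user)
    try:
        auth_token = createAuthToken(user)
    except User.DoesNotExist:
        return HttpResponseRedirect(no_user_url)
    if auth_token is None:
        logger.info("Failed to create AuthToken")
        # The original built this redirect but never returned it, so it
        # fell through and created a session around a None token.
        return HttpResponseRedirect(redirect_logout_url)
    createSessionToken(request, auth_token)
    logger.info("Session token created, return to: %s" % sendback)
    return HttpResponseRedirect(sendback)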
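def token_auth(request):
    """
    VERSION 2 AUTH

    Authentication is based on the POST parameters:
      * username (required; falls back to the session's 'username' for
        callers already authenticated through CAS)
      * password (optional; when present the pair is checked against LDAP)

    NOTE: This authentication is SEPARATE from django model authentication.
    Use this to give out tokens to access the API.

    Responses:
      * LDAP success            -> 201, JSON {token, username, expires}
      * LDAP failure            -> 401 "LDAP login failed"
      * no username at all      -> redirect to CAS login (back to /auth/)
      * CAS proxy success       -> 200, JSON {token, username, expires}
      * CAS proxy failure       -> 401 "CAS Login Failure"
    """
    logger.info('Request to auth')
    # Logs the request object's repr -- assumed not to include the POST
    # body (and so not the password); confirm before raising the log level.
    logger.info(request)
    username = request.POST.get('username', None)
    # CAS-authenticated users already carry a username in the session
    # and need not pass any parameters.
    if not username:
        username = request.session.get('username', None)
    password = request.POST.get('password', None)
    # LDAP: authenticate the supplied credentials.
    if username and password:
        if ldap_validate(username, password):
            logger.info("LDAP User %s validated. Creating auth token"
                        % username)
            return _token_response(createAuthToken(username),
                                   status.HTTP_201_CREATED)
        logger.debug("[LDAP] Failed to validate %s" % username)
        return HttpResponse("LDAP login failed", status=401)
    # (The original initialised `token = None` and kept an `if token:`
    # branch that could never run; both are dropped.)
    # Nothing can be validated without a username: send the caller to CAS.
    if not username:
        return cas_loginRedirect(request, '/auth/')
    # CAS Authenticate by Proxy (password not necessary).
    # NOTE(review): the username alone selects the account here; this relies
    # on cas_validateUser() actually verifying the stored proxy ticket for
    # that user -- confirm it cannot succeed for an arbitrary username.
    if cas_validateUser(username):
        logger.info("CAS User %s validated. Creating auth token" % username)
        return _token_response(createAuthToken(username))
    logger.debug("[CAS] Failed to validate - %s" % username)
    return HttpResponse("CAS Login Failure", status=401)


def _token_response(token, status_code=None):
    """
    Serialize 'token' as the auth JSON document inside an HttpResponse.

    'status_code' is passed through to HttpResponse; None keeps the default.
    The body is {'token', 'username', 'expires'} where 'expires' is the
    issue time plus secrets.TOKEN_EXPIRY_TIME.
    """
    expire_time = token.issuedTime + secrets.TOKEN_EXPIRY_TIME
    auth_json = {
        'token': token.key,
        'username': token.user.username,
        'expires': expire_time.strftime("%b %d, %Y %H:%M:%S"),
    }
    return HttpResponse(content=json.dumps(auth_json),
                        status=status_code,
                        content_type='application/json')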