def clean(self):
if self.cleaned_data.get('is_shibboleth_login_required'):
try:
Institution.is_valid_email_address(
self.cleaned_data.get('email'))
except InvalidInstitutionalEmailAddress as e:
raise forms.ValidationError(str(e))
def test_invalid_institutional_identity_provider(self):
with self.assertRaises(InvalidInstitutionalIndentityProvider) as e:
Institution.is_valid_identity_provider(
'https://idp.invalid-identity-provider.ac.uk/shibboleth'
)
self.assertEqual(
str(e.exception), 'Identity provider is not supported.'
)
def clean(self):
cleaned_data = super().clean()
is_shibboleth_login_required = cleaned_data.get(
'is_shibboleth_login_required')
email = cleaned_data.get('email')
if is_shibboleth_login_required:
try:
Institution.is_valid_email_address(email)
except InvalidInstitution as e:
raise forms.ValidationError(str(e))
def create_institution(user,
domain='dfva.cr',
name="test institution",
institution_unit='QA'):
save_model = Institution(user=user,
name=name,
active=True,
domain=domain,
institution_unit=institution_unit)
create_certiticate(domain, save_model)
save_model.save()
return save_model
def institution_get_or_create(self, i, row):
try:
Institution(finess=row['finess']).clean_fields()
except ValidationError as e:
if 'finess' in e.message_dict:
self.errors[i + 1] = dict(row=row,
message='FINESS invalide {}'.format(
row['finess']))
return
return Institution.objects.get_or_create(finess=row['finess'])[0]
def test_parse_support_email_from_user_email(self):
"""
Ensure the correct support email address is returned.
"""
institution = Institution.objects.create(
name='Example University',
base_domain='example.ac.uk',
support_email='*****@*****.**',
)
test_cases = {
"*****@*****.**": institution.support_email,
"*****@*****.**": settings.DEFAULT_SUPPORT_EMAIL
}
for user_email, support_email in test_cases.items():
result = Institution.parse_support_email_from_user_email(user_email)
self.assertEqual(result, support_email)
def user_created_notification(user):
"""
Notify support that a user has created an account.
"""
subject = _('{company_name} User Account Created'.format(
company_name=settings.COMPANY_NAME))
support_email = Institution.parse_support_email_from_user_email(user.email)
context = {
'first_name': user.first_name,
'last_name': user.last_name,
'university': user.profile.institution.name,
'reason': user.reason_for_account,
'to': support_email,
}
text_template_path = 'notifications/user/created.txt'
html_template_path = 'notifications/user/created.html'
email_user(subject, context, text_template_path, html_template_path)
def project_created_notification(project):
"""
Notify support that a new project has been created.
"""
subject = _('{company_name} Project Created'.format(
company_name=settings.COMPANY_NAME))
support_email = Institution.parse_support_email_from_user_email(
project.tech_lead.email)
context = {
'code': project.code,
'university': project.tech_lead.profile.institution.name,
'technical_lead': project.tech_lead,
'title': project.title,
'to': support_email,
}
text_template_path = 'notifications/project/created.txt'
html_template_path = 'notifications/project/created.html'
email_user(subject, context, text_template_path, html_template_path)
def test_valid_institutional_identity_provider(self):
self.assertTrue(
Institution.is_valid_identity_provider(
'https://idp.bangor.ac.uk/shibboleth'))
def test_invalid_institutional_email_address(self):
with self.assertRaises(InvalidInstitutionalEmailAddress) as e:
Institution.is_valid_email_address('*****@*****.**')
self.assertEqual(str(e.exception),
'Email address domain is not supported.')
def test_valid_institutional_email_address(self):
self.assertTrue(
Institution.is_valid_email_address('*****@*****.**'))
def test_institution_str():
assert str(Institution(finess=310000000)) == '310000000'
def test_institution_finess():
Institution(finess=310000000, origin='o').full_clean()
with pytest.raises(ValidationError):
Institution(finess=30999999, origin='o').full_clean()
def process_request(self, request):
# The identity of external collaborators is managed within the django application.
# Therefore, exclude the external collaborator login form from the SCW Remote User
# Middleware.
if request.path.startswith(reverse('external-login')):
return
# AuthenticationMiddleware is required so that request.user exists.
if not hasattr(request, 'user'):
raise ImproperlyConfigured(
"The Django remote user auth middleware requires the authentication middleware to "
" be installed. Edit your MIDDLEWARE setting to insert "
"'django.contrib.auth.middleware.AuthenticationMiddleware' "
"before the RemoteUserMiddleware class.")
# Prevent the user from logging in if the django application requires the user to
# reauthenticate with their shibboleth identity provider.
# This will require the user to close their browser.
if request.session.get(
settings.SHIBBOLETH_FORCE_REAUTH_SESSION_KEY) == True:
return
# Locate the required headers.
try:
username = request.META[self.header]
identity_provider = request.META['Shib-Identity-Provider']
except KeyError:
# If the required headers do not exist then return, leaving request.user set to
# AnonymousUser by the AuthenticationMiddleware.
return
# If we got an empty value for REMOTE USER header, it's an anonymous user.
if not username:
if self.force_logout_if_no_header and request.user.is_authenticated:
self._remove_invalid_user(request)
return
# Ensure the Shib-Identity-Provider is supported / valid.
try:
Institution.is_valid_identity_provider(identity_provider)
except InvalidIndentityProvider:
return
# The REMOTE USER header may return the authenticated user's email address or username.
email_regex = r'(^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)'
if not re.match(email_regex, username):
# Must append the institutions base domain to the username.
institution = Institution.objects.get(
identity_provider=identity_provider)
username = '******'.join([username, institution.base_domain])
# If the user is already authenticated and that user is the user we are getting passed in
# the headers, then the correct user is already persisted in the session and we don't need
# to continue.
if request.user.is_authenticated:
if request.user.username == self.clean_username(username, request):
return
else:
self._remove_invalid_user(request)
# Make sure we have all required Shibboleth elements before proceeding.
shib_meta, error = ShibbolethRemoteUserMiddleware.parse_attributes(
request)
# Add parsed attributes to the session.
request.session['shib'] = shib_meta
request.session['shib']['username'] = username # Override
if error:
raise ShibbolethValidationError(
'All required Shibboleth elements not found. %s' % shib_meta)
# We are seeing this user for the first time in this session, attempt to authenticate
# the user.
user = auth.authenticate(remote_user=username, shib_meta=shib_meta)
if user:
# Set request.user and persist user in the session by logging the user in.
request.user = user
auth.login(request, user)
else:
# Redirect the user to apply for an account.
url_name = resolve(request.path_info).url_name
if url_name != 'register':
return HttpResponseRedirect(reverse('register'))
