async def middleware_token_auth(request):
try:
token_key, token = request.headers.get('Authorization').split()
if not token_key == 'Token':
return
user = AuthToken.get(AuthToken.token == token).user
auth_user(request, user)
except (AttributeError, ValueError, AuthToken.DoesNotExist):
pass
def test_report_success(self):
record = Record(student_id=self.student_id)
record.state = Record.LOCKED
record.save()
vote_token = AuthToken.generate(self.student_id, str(self.station.external_id), '70')
vote_token.save()
url = reverse('report')
data = {
'uid': self.student_id,
'vote_token': vote_token.code,
'token': self.token,
'api_key': settings.API_KEY, 'version': settings.API_VERSION,
}
response = self.client.post(url, data)
self.assertEqual(response.data, {'status': 'success'})
def test_complete_success(self):
record = Record(student_id=self.student_id)
record.state = Record.VOTING
record.save()
token = AuthToken.generate(self.student_id, str(self.station.external_id), '70')
token.save()
url = 'https://{0}{1}?callback={2}'.format(
settings.CALLBACK_DOMAIN, reverse('callback'), token.confirm_code)
response = self.client.get(url)
record = Record.objects.get(student_id=self.student_id)
self.assertEqual(record.state, Record.USED)
self.assertEqual(response.status_code, status.HTTP_200_OK)
self.assertEqual(response.data, {
'status': 'success',
'message': 'all correct',
})
def test_confirm_success(self):
record = Record(student_id=self.student_id)
record.state = Record.LOCKED
record.save()
vote_token = AuthToken.generate(self.student_id, str(self.station.external_id), '70')
vote_token.save()
url = reverse('confirm')
data = {'uid': self.student_id,
'vote_token': vote_token.code, 'token': self.token,
'api_key': settings.API_KEY, 'version': settings.API_VERSION}
response = self.client.post(url, data)
callback = 'https://{0}{1}?callback={2}'.format(
settings.CALLBACK_DOMAIN, reverse('callback'), vote_token.confirm_code)
self.assertEqual(response.data, {
'status': 'success',
'ballot': self.authcode.code,
'callback': callback,
})
def authenticate(request):
# Check parameters
internal_id = request.data['cid']
raw_student_id = request.data['uid']
station_id = request.station
if settings.ENFORCE_CARD_VALIDATION:
# Parse student ID
if re.match(r'[A-Z]\d{2}[0-9A-Z]\d{6}', raw_student_id) and re.match(r'[0-9a-f]{8}', internal_id) and re.match(r'\d+', station_id):
# Extract parameters
student_id = raw_student_id[:-1]
revision = int(raw_student_id[-1:])
logger.info('Station %s request for card %s[%s]', station_id, student_id, revision)
else:
# Malformed card information
logger.info('Station %s request for card %s (%s)', station_id, raw_student_id, internal_id)
return error('card_invalid')
else:
# Do not reveal full internal ID as ACA requested
logger.info('Station %s request for card (%s****)', station_id, internal_id[:4])
# Call ACA API
try:
aca_info = service.to_student_id(internal_id)
except URLError:
logger.exception('Failed to connect to ACA server')
return error('external_error', status.HTTP_502_BAD_GATEWAY)
except service.ExternalError as e:
if not settings.ENFORCE_CARD_VALIDATION:
# We can only reveal full internal ID if it’s an invalid card
logger.exception('Card rejected by ACA server (%s), reason %s', internal_id, e.reason)
else:
logger.exception('Card rejected by ACA server, reason %s', e.reason)
# Tell clients the exact reason of error
if e.reason == 'card_invalid' or e.reason == 'student_not_found':
return error('card_invalid')
elif e.reason == 'card_blacklisted':
return error('card_suspicious')
return error('external_error', status.HTTP_502_BAD_GATEWAY)
else:
if settings.ENFORCE_CARD_VALIDATION:
student_id = aca_info.id
revision = 0
logger.info('User %s (%s) checked', student_id, aca_info.type)
elif aca_info.id != student_id:
logger.info('ID %s returned instead', aca_info.id)
return error('card_suspicious')
# Check vote record
try:
record = Record.objects.get(student_id=student_id)
if settings.ENFORCE_CARD_VALIDATION and record.revision != revision:
# ACA claim the card valid!
logger.info('Expect revision %s, recorded %s', revision, record.revision)
return error('card_suspicious')
if record.state == Record.VOTING:
# Automaticlly unlock stuck record
record.state = Record.AVAILABLE
record.save()
logger.info('Reset %s state from VOTING', student_id)
if record.state != Record.AVAILABLE:
logger.error('Duplicate entry (%s)', student_id)
return error('duplicate_entry')
except Record.DoesNotExist:
record = Record(student_id=student_id, revision=revision)
# Build up kind identifier
try:
college = settings.COLLEGE_IDS[aca_info.college]
except KeyError:
# Use student ID as an alternative
logger.warning('No matching college for ACA entry %s', aca_info.college)
college = student_id[3]
# In rare cases, we may encounter students without colleges
if college not in settings.COLLEGE_NAMES:
logger.warning('No matching college for ID %s', college)
college = '0'
# Determine graduate status
type_code = student_id[0]
kind = college
try:
override = OverrideEntry.objects.get(student_id=student_id)
kind = override.kind
except OverrideEntry.DoesNotExist:
if type_code in settings.GRADUATE_CODES:
if aca_info.department in settings.JOINT_DEPARTMENT_CODES:
kind += 'B'
else:
kind += '1'
elif type_code in settings.UNDERGRADUATE_CODES:
if aca_info.department in settings.JOINT_DEPARTMENT_CODES:
kind += 'A'
else:
kind += '0'
# Check if student has eligible identity
if kind not in settings.KINDS:
return error('unqualified')
# Generate record and token
record.state = Record.LOCKED
record.save()
token = AuthToken.generate(student_id, station_id, kind)
token.save()
logger.info('Auth token issued: %s', token.code)
return Response({'status': 'success', 'uid': student_id, 'type': settings.KINDS[kind], 'vote_token': token.code})
def authenticate(request):
# Check parameters
internal_id = request.data['cid']
raw_student_id = request.data['uid']
station_id = request.station
if settings.ENFORCE_CARD_VALIDATION:
# Parse student ID
if re.match(r'[A-Z]\d{2}[0-9A-Z]\d{6}', raw_student_id) and re.match(r'[0-9a-f]{8}', internal_id) and re.match(r'\d+', station_id):
# Extract parameters
student_id = raw_student_id[:-1]
revision = int(raw_student_id[-1:])
logger.info('Station %s request for card %s[%s]', station_id, student_id, revision)
else:
# Malformed card information
logger.info('Station %s request for card %s (%s)', station_id, raw_student_id, internal_id)
return error('card_invalid')
else:
# Do not reveal full internal ID as ACA requested
logger.info('Station %s request for card (%s****)', station_id, internal_id[:4])
# Call ACA API
try:
aca_info = service.to_student_id(internal_id)
except URLError:
logger.exception('Failed to connect to ACA server')
return error('external_error', status.HTTP_502_BAD_GATEWAY)
except service.ExternalError as e:
if not settings.ENFORCE_CARD_VALIDATION:
# We can only reveal full internal ID if it’s an invalid card
logger.exception('Card rejected by ACA server (%s), reason %s', internal_id, e.reason)
else:
logger.exception('Card rejected by ACA server, reason %s', e.reason)
# Tell clients the exact reason of error
if e.reason == 'card_invalid' or e.reason == 'student_not_found':
return error('card_invalid')
elif e.reason == 'card_blacklisted':
return error('card_suspicious')
return error('external_error', status.HTTP_502_BAD_GATEWAY)
else:
if not settings.ENFORCE_CARD_VALIDATION:
student_id = aca_info.id
revision = 0
logger.info('User %s (%s) checked', student_id, aca_info.type)
elif aca_info.id != student_id:
logger.info('ID %s returned instead', aca_info.id)
return error('card_suspicious')
# Check vote record
try:
record = Record.objects.get(student_id=student_id)
if settings.ENFORCE_CARD_VALIDATION and record.revision != revision:
# ACA claim the card valid!
logger.info('Expect revision %s, recorded %s', revision, record.revision)
return error('card_suspicious')
if record.state == Record.VOTING:
# Automaticlly unlock stuck record
record.state = Record.AVAILABLE
record.save()
logger.info('Reset %s state from VOTING', student_id)
if record.state != Record.AVAILABLE:
logger.error('Duplicate entry (%s)', student_id)
return error('duplicate_entry')
except Record.DoesNotExist:
record = Record(student_id=student_id, revision=revision)
# Determine graduate status
kind = kind_classifier.get_kind(aca_info)
if kind is None:
return error('unqualified')
# Generate record and token
record.state = Record.LOCKED
record.save()
token = AuthToken.generate(student_id, station_id, kind)
token.save()
logger.info('Auth token issued: %s', token.code)
return Response({'status': 'success', 'uid': student_id, 'type': aca_info.college,
'college': settings.DPTCODE_NAME[aca_info.department], 'vote_token': token.code})
