def _generate_response(request, processor):
    """
    Render the SAML response produced by ``processor``.

    On success the processor's template variables ``tv`` are rendered with
    ``saml2idp/login.html``.  Before that, the ``BrowserLogin`` row for
    ``sso_provider="saml2"`` and this ACS URL is created (or its
    ``auth_timestamp`` refreshed) and the sign-in is written to the log and
    the user log.  When the processor raises ``exceptions.UserNotAuthorized``
    the ``saml2idp/invalid_user.html`` page is returned instead.
    """
    try:
        tv = processor.generate_response()
    except exceptions.UserNotAuthorized:
        custom_log(request, "Unauthorized to sign in", level="warn")
        return render_to_response('saml2idp/invalid_user.html',
                                  context_instance=RequestContext(request))

    acs_url = tv["acs_url"]
    return_url = get_destination_service(acs_url)

    def touch_browser_login():
        """Create the BrowserLogin row for this service, or bump its timestamp."""
        lookup = dict(user=request.browser.user,
                      browser=request.browser,
                      sso_provider="saml2",
                      signed_out=False,
                      remote_service=str(acs_url))
        try:
            browser_login, created = BrowserLogin.objects.get_or_create(
                defaults={"auth_timestamp": timezone.now()}, **lookup)
            if created:
                return
            browser_login.auth_timestamp = timezone.now()
            browser_login.save()
        except BrowserLogin.MultipleObjectsReturned:
            # More than one open login row matches; record it and carry on.
            custom_log(request,
                       "Multiple BrowserLogin objects for user=%s, browser=%s, "
                       "sso_provider=saml2, remote_service=%s"
                       % (request.browser.user.username,
                          request.browser.bid_public, acs_url),
                       level="error")

    touch_browser_login()

    signed_in = "Signed in with SAML to %s" % return_url
    custom_log(request, signed_in, level="info")
    add_user_log(request, signed_in, "share-square-o")
    # NOTE(review): tv carries the generated SAML response itself, so this
    # debug line writes the signed assertion into the log store.
    custom_log(request, "Rendering login.html with tv=%s" % tv, level="debug")
    return render_to_response('saml2idp/login.html', tv,
                              context_instance=RequestContext(request))
def _generate_response(request, processor):
    """
    Render the SAML response produced by ``processor``.

    On success the processor's template variables ``tv`` are rendered with
    ``saml2idp/login.html``.  Before that, the ``BrowserLogin`` row for
    ``sso_provider="saml2"`` and this ACS URL is created (or its
    ``auth_timestamp`` refreshed) and the sign-in is written to the log and
    the user log.  When a ``saml_id`` GET parameter is present, the cached
    return description for that id is appended to the logged destination and
    the three ``saml-*-<id>`` cache entries are removed.  When the processor
    raises ``exceptions.UserNotAuthorized`` the ``saml2idp/invalid_user.html``
    page is returned instead.
    """
    try:
        tv = processor.generate_response()
    except exceptions.UserNotAuthorized:
        custom_log(request, "Unauthorized to sign in", level="warn")
        return render_to_response('saml2idp/invalid_user.html',
                                  context_instance=RequestContext(request))

    acs_url = tv["acs_url"]
    return_url = get_destination_service(acs_url)

    saml_id = request.GET.get("saml_id")
    if saml_id:
        return_key = "saml-return-%s" % saml_id
        cached_return = dcache.get(return_key)
        if cached_return:
            return_url = "%s - %s" % (return_url, cached_return)
        # NOTE(review): a list is handed to dcache.delete; confirm the cache
        # wrapper accepts multiple keys (Django's BaseCache.delete takes one
        # key, delete_many takes a list).
        dcache.delete([return_key,
                       "saml-SAMLRequest-%s" % saml_id,
                       "saml-RelayState-%s" % saml_id])

    def touch_browser_login():
        """Create the BrowserLogin row for this service, or bump its timestamp."""
        lookup = dict(user=request.browser.user,
                      browser=request.browser,
                      sso_provider="saml2",
                      message=return_url,
                      signed_out=False,
                      remote_service=str(acs_url))
        try:
            browser_login, created = BrowserLogin.objects.get_or_create(
                defaults={"auth_timestamp": timezone.now()}, **lookup)
            if created:
                return
            browser_login.auth_timestamp = timezone.now()
            browser_login.save()
        except BrowserLogin.MultipleObjectsReturned:
            # More than one open login row matches; record it and carry on.
            custom_log(request,
                       "Multiple BrowserLogin objects for user=%s, browser=%s, "
                       "sso_provider=saml2, remote_service=%s"
                       % (request.browser.user.username,
                          request.browser.bid_public, acs_url),
                       level="error")

    touch_browser_login()

    signed_in = "Signed in with SAML to %s" % return_url
    custom_log(request, signed_in, level="info")
    add_user_log(request, signed_in, "share-square-o")
    # NOTE(review): tv carries the generated SAML response itself, so this
    # debug line writes the signed assertion into the log store.
    custom_log(request, "Rendering login.html with tv=%s" % tv, level="debug")
    return render_to_response('saml2idp/login.html', tv,
                              context_instance=RequestContext(request))
if conf.AX_EXTENSION: add_ax_data(request, orequest, oresponse) custom_log(request, "Added AX data", level="debug") if (request.browser and request.browser.user and request.browser.is_authenticated() and request.user.is_authenticated()): # Add/update BrowserLogin object. msg = None if orequest.trust_root.startswith("https://online.planmill.com/futurice/"): msg = "Planmill (futurice)" (browser_login, _) = BrowserLogin.objects.get_or_create(user=request.browser.user, browser=request.browser, sso_provider="openid", signed_out=False, message=msg, remote_service=str(orequest.trust_root), defaults={"auth_timestamp": timezone.now()}) browser_login.auth_timestamp = timezone.now() browser_login.save() # Add entry to user log if msg: add_user_log(request, "Signed in with OpenID to %s" % msg, "share-square-o") else: add_user_log(request, "Signed in with OpenID to %s" % orequest.trust_root, "share-square-o") custom_log(request, "Signed in with OpenID to %s" % orequest.trust_root, level="info") # Convert a webresponse from the OpenID library in to a Django HttpResponse webresponse = server.encodeResponse(oresponse) custom_log(request, "orequest.mode: %s" % orequest.mode, level="debug") custom_log(request, "webresponse.code: %s" % webresponse.code, level="debug") if webresponse.code == 200 and orequest.mode in BROWSER_REQUEST_MODES: response = render_to_response('openid_provider/response.html', { 'body': webresponse.body, }, context_instance=RequestContext(request)) custom_log(request, 'rendering browser response', level="debug") else: response = HttpResponse(webresponse.body)
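def pubtkt(request):
    """
    pubtkt login.

    Issues an ``auth_pubtkt`` cookie for ``request.browser.user`` and renders
    an HTML redirect to the ``back`` GET parameter, provided that the browser
    is known, has reached at least ``Browser.L_STRONG`` and ``back`` is an
    https URL whose host is one of ``settings.PUBTKT_ALLOWED_DOMAINS`` or a
    subdomain of one.  An unknown or insufficiently authenticated browser is
    redirected to first-step authentication; the ``unauth`` flag, a missing
    ``back`` or a rejected ``back`` URL renders ``pubtkt_error.html``.

    Side effects: the ``UserService`` access counter is bumped for non-asset
    back URLs, and the ``BrowserLogin`` row for ``sso_provider="pubtkt"`` is
    created or refreshed (best effort; a failure there is logged, not raised).
    """

    def is_valid_back_url(back_url):
        """
        Validate the return URL; returns True when it is acceptable.

        Returns None for an empty URL, "wrong_protocol" for anything but
        https, "no_hostname" when the URL carries no host and
        "invalid_domain" when the host is neither an allowed domain nor a
        subdomain of one.
        """
        if not back_url:
            return
        parsed_url = urlparse(back_url)
        if parsed_url.scheme != "https":
            return "wrong_protocol"
        hostname = parsed_url.hostname
        if not hostname:
            return "no_hostname"
        for domain in settings.PUBTKT_ALLOWED_DOMAINS:
            # A bare suffix match would also accept "evil-example.com" for an
            # entry "example.com"; require the match to start at a label
            # boundary (or to be the whole host).
            suffix = domain if domain.startswith(".") else "." + domain
            if hostname == domain or hostname.endswith(suffix):
                return True
        return "invalid_domain"

    def error_page():
        """Render the pubtkt error page with whatever ``ret`` has collected."""
        return render_to_response("login_frontend/pubtkt_error.html", ret,
                                  context_instance=RequestContext(request))

    # NOTE(review): this writes every cookie value (session cookies included)
    # into the log store; logging only the cookie names would be enough.
    custom_log(request, "pubtkt provider initialized. Cookies: %s" % request.COOKIES)

    ret = {}
    cookies = []
    params = request.GET.dict()
    params["_sso"] = "pubtkt"
    ret["get_params"] = urllib.urlencode(params)

    browser = request.browser
    if browser is None:
        custom_log(request, "pubtkt: Browser is not set. Redirect to first step authentication")
        return redirect_with_get_params("login_frontend.authentication_views.firststepauth", params)

    back_url = request.GET.get("back")
    custom_log(request, "Requested back_url=%s" % back_url, level="info")
    back_url_status = is_valid_back_url(back_url)

    if "unauth" in request.GET:
        ret["unauth"] = True
        ret["back_url"] = back_url
        custom_log(request, "pubtkt: User is not authorized to access %s" % back_url, level="info")
        return error_page()
    if back_url is None:
        ret["back_url_not_defined"] = True
        custom_log(request, "pubtkt: back url is not defined", level="info")
        return error_page()
    if back_url_status is not True:
        ret["invalid_back_url"] = True
        ret["invalid_back_url_reason"] = back_url_status
        ret["back_url"] = back_url
        custom_log(request, "pubtkt: back url is invalid: %s" % back_url_status, level="info")
        return error_page()

    # TODO: static auth level
    if browser.get_auth_level() < Browser.L_STRONG:
        custom_log(request, "pubtkt: additional authentication is required. Redirect to first step authentication")
        return redirect_with_get_params("login_frontend.authentication_views.firststepauth", params)

    # TODO: ticket expiration time
    expiration_in_seconds = 3600 * 9
    valid_until = int(time.time() + expiration_in_seconds)
    tokens = json.loads(browser.user.user_tokens)
    ticket = auth_pubtkt.create_ticket(privkey, browser.user.username, valid_until, tokens=tokens)
    # Secure + HttpOnly: the ticket travels only over TLS and is not readable
    # from page scripts.
    cookies.append(("auth_pubtkt", {"value": urllib.quote(ticket),
                                    "secure": True,
                                    "httponly": True,
                                    "domain": ".futurice.com"}))
    ret["back_url"] = back_url

    # Static assets do not count as a service access.
    if not back_url.endswith((".jpg", ".png", ".js", ".json")):
        obj, created = UserService.objects.get_or_create(user=browser.user,
                                                         service_url=back_url,
                                                         defaults={"access_count": 1})
        if not created:
            obj.access_count += 1
            obj.save()

    response = render_to_response("login_frontend/html_redirect.html", ret,
                                  context_instance=RequestContext(request))

    # Add/update BrowserLogin
    d_valid_until = timezone.now() + datetime.timedelta(seconds=expiration_in_seconds)
    try:
        browser_login, _ = BrowserLogin.objects.get_or_create(
            user=browser.user, browser=browser, sso_provider="pubtkt", signed_out=False,
            defaults={"auth_timestamp": timezone.now(),
                      "expires_at": d_valid_until,
                      "remote_service": back_url})
        browser_login.auth_timestamp = timezone.now()
        browser_login.expires_at = d_valid_until
        browser_login.save()
    except Exception as exc:
        # Best effort: the ticket is already issued, the login row is bookkeeping.
        custom_log(request, "pubtkt: could not update BrowserLogin: %s" % exc, level="error")

    add_user_log(request, "Granted pubtkt access (%s)" % back_url, "share-square-o")

    # Set cookies
    for cookie_name, cookie in cookies:
        # NOTE(review): the ticket value itself ends up in the debug log here.
        custom_log(request, "pubtkt: Setting cookie: %s=%s" % (cookie_name, cookie), level="debug")
        response.set_cookie(cookie_name, **cookie)
    # The original message had a "%s" placeholder but no argument.
    custom_log(request, "pubtkt: redirecting back to %s with html redirect" % back_url, level="info")
    return response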
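def pubtkt(request):
    """
    pubtkt login.

    Issues an ``auth_pubtkt`` cookie for ``request.browser.user`` and renders
    an HTML redirect to the ``back`` GET parameter, provided that the browser
    is known, has reached at least ``Browser.L_STRONG`` and ``back`` is an
    https URL whose host is one of ``settings.PUBTKT_ALLOWED_DOMAINS`` or a
    subdomain of one.  An unknown or insufficiently authenticated browser is
    redirected to first-step authentication; the ``unauth`` flag, a missing
    ``back`` or a rejected ``back`` URL renders ``pubtkt_error.html``.

    Side effects: the ``UserService`` access counter is bumped for non-asset
    back URLs, and the ``BrowserLogin`` row for ``sso_provider="pubtkt"`` is
    created or refreshed (best effort; a failure there is logged, not raised).
    """

    def is_valid_back_url(back_url):
        """
        Validate the return URL; returns True when it is acceptable.

        Returns None for an empty URL, "wrong_protocol" for anything but
        https, "no_hostname" when the URL carries no host and
        "invalid_domain" when the host is neither an allowed domain nor a
        subdomain of one.
        """
        if not back_url:
            return
        parsed_url = urlparse(back_url)
        if parsed_url.scheme != "https":
            return "wrong_protocol"
        hostname = parsed_url.hostname
        if not hostname:
            return "no_hostname"
        for domain in settings.PUBTKT_ALLOWED_DOMAINS:
            # A bare suffix match would also accept "evil-example.com" for an
            # entry "example.com"; require the match to start at a label
            # boundary (or to be the whole host).
            suffix = domain if domain.startswith(".") else "." + domain
            if hostname == domain or hostname.endswith(suffix):
                return True
        return "invalid_domain"

    def error_page():
        """Render the pubtkt error page with whatever ``ret`` has collected."""
        return render_to_response("login_frontend/pubtkt_error.html", ret,
                                  context_instance=RequestContext(request))

    # NOTE(review): this writes every cookie value (session cookies included)
    # into the log store; logging only the cookie names would be enough.
    custom_log(request, "pubtkt provider initialized. Cookies: %s" % request.COOKIES)

    ret = {}
    cookies = []
    params = request.GET.dict()
    params["_sso"] = "pubtkt"
    ret["get_params"] = urllib.urlencode(params)

    browser = request.browser
    if browser is None:
        custom_log(request, "pubtkt: Browser is not set. Redirect to first step authentication")
        return redirect_with_get_params("login_frontend.authentication_views.firststepauth", params)

    back_url = request.GET.get("back")
    custom_log(request, "Requested back_url=%s" % back_url, level="info")
    back_url_status = is_valid_back_url(back_url)

    if "unauth" in request.GET:
        ret["unauth"] = True
        ret["back_url"] = back_url
        custom_log(request, "pubtkt: User is not authorized to access %s" % back_url, level="info")
        return error_page()
    if back_url is None:
        ret["back_url_not_defined"] = True
        custom_log(request, "pubtkt: back url is not defined", level="info")
        return error_page()
    if back_url_status is not True:
        ret["invalid_back_url"] = True
        ret["invalid_back_url_reason"] = back_url_status
        ret["back_url"] = back_url
        custom_log(request, "pubtkt: back url is invalid: %s" % back_url_status, level="info")
        return error_page()

    # TODO: static auth level
    if browser.get_auth_level() < Browser.L_STRONG:
        custom_log(request, "pubtkt: additional authentication is required. Redirect to first step authentication")
        return redirect_with_get_params("login_frontend.authentication_views.firststepauth", params)

    # TODO: ticket expiration time
    expiration_in_seconds = 3600 * 9
    valid_until = int(time.time() + expiration_in_seconds)
    tokens = json.loads(browser.user.user_tokens)
    ticket = auth_pubtkt.create_ticket(privkey, browser.user.username, valid_until, tokens=tokens)
    # Secure + HttpOnly: the ticket travels only over TLS and is not readable
    # from page scripts.
    cookies.append(("auth_pubtkt", {"value": urllib.quote(ticket),
                                    "secure": True,
                                    "httponly": True,
                                    "domain": ".futurice.com"}))
    ret["back_url"] = back_url

    # Static assets do not count as a service access.
    if not back_url.endswith((".jpg", ".png", ".js", ".json")):
        obj, created = UserService.objects.get_or_create(user=browser.user,
                                                         service_url=back_url,
                                                         defaults={"access_count": 1})
        if not created:
            obj.access_count += 1
            obj.save()

    response = render_to_response("login_frontend/html_redirect.html", ret,
                                  context_instance=RequestContext(request))

    # Add/update BrowserLogin
    d_valid_until = timezone.now() + datetime.timedelta(seconds=expiration_in_seconds)
    try:
        browser_login, _ = BrowserLogin.objects.get_or_create(
            user=browser.user, browser=browser, sso_provider="pubtkt", signed_out=False,
            defaults={"auth_timestamp": timezone.now(),
                      "expires_at": d_valid_until,
                      "remote_service": back_url})
        browser_login.auth_timestamp = timezone.now()
        browser_login.expires_at = d_valid_until
        browser_login.save()
    except Exception as exc:
        # Best effort: the ticket is already issued, the login row is bookkeeping.
        custom_log(request, "pubtkt: could not update BrowserLogin: %s" % exc, level="error")

    add_user_log(request, "Granted pubtkt access (%s)" % back_url, "share-square-o")

    # Set cookies
    for cookie_name, cookie in cookies:
        # NOTE(review): the ticket value itself ends up in the debug log here.
        custom_log(request, "pubtkt: Setting cookie: %s=%s" % (cookie_name, cookie), level="debug")
        response.set_cookie(cookie_name, **cookie)
    # The original message had a "%s" placeholder but no argument.
    custom_log(request, "pubtkt: redirecting back to %s with html redirect" % back_url, level="info")
    return response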