Esempio n. 1
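    def get(self, request, username):
        """
        Create a new token in the database on behalf of 'username'.

        Only the 'admin' account or a superuser may emulate another user;
        any other caller is logged at ERROR level and refused.

        Args:
            request: the DRF request; request.user is the calling account.
            username: the account a token is issued for.

        Returns:
            201 Created with JSON {emulated_by, token, username, expires}
            on success; 401 when the caller may not emulate; 404 when
            'username' is not an AtmosphereUser.
        """
        user = request.user
        # '!=' instead of 'is not': identity of two str objects is not
        # defined by the language, so 'is not "admin"' could refuse the
        # real admin account (and is a SyntaxWarning on Python 3.8+).
        if user.username != 'admin' and not user.is_superuser:
            logger.error("URGENT! User: %s is attempting to emulate a user!",
                         user.username)
            return Response('Only admin and superusers can emulate accounts. '
                            'This offense has been reported',
                            status=status.HTTP_401_UNAUTHORIZED)
        # exists() answers the question without materialising the rows.
        if not AtmosphereUser.objects.filter(username=username).exists():
            return Response("Username %s does not exist as an AtmosphereUser"
                            % username, status=status.HTTP_404_NOT_FOUND)

        # Caller is authorised and the target exists: issue the token and
        # leave an audit trail of who emulated whom.
        token = createAuthToken(username)
        logger.info("User %s emulated %s and was issued a token",
                    user.username, username)
        expire_time = token.issuedTime + secrets.TOKEN_EXPIRY_TIME
        auth_json = {
            # Extra data passed only on emulation.
            'emulated_by': user.username,
            # Normal token data.
            'token': token.key,
            'username': token.user.username,
            'expires': expire_time.strftime("%b %d, %Y %H:%M:%S"),
        }
        return Response(auth_json, status=status.HTTP_201_CREATED)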
Esempio n. 2
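    def get(self, request, username):
        """
        Create a new token in the database on behalf of 'username'.

        Only the 'admin' account or a superuser may emulate another user;
        any other caller is logged at ERROR level and refused.

        Args:
            request: the DRF request; request.user is the calling account.
            username: the account a token is issued for.

        Returns:
            201 Created with JSON {emulated_by, token, username, expires}
            on success; 400 when 'username' is empty; 401 when the caller
            may not emulate; 404 when 'username' is not an AtmosphereUser.
        """
        user = request.user
        if not username:
            return Response("Username was not provided",
                            status=status.HTTP_400_BAD_REQUEST)
        # '!=' instead of 'is not': identity of two str objects is not
        # defined by the language, so 'is not "admin"' could refuse the
        # real admin account (and is a SyntaxWarning on Python 3.8+).
        if user.username != 'admin' and not user.is_superuser:
            logger.error("URGENT! User: %s is attempting to emulate a user!",
                         user.username)
            return Response(
                'Only admin and superusers can emulate accounts. '
                'This offense has been reported',
                status=status.HTTP_401_UNAUTHORIZED)
        # exists() answers the question without materialising the rows.
        if not AtmosphereUser.objects.filter(username=username).exists():
            return Response("Username %s does not exist as an AtmosphereUser" %
                            username,
                            status=status.HTTP_404_NOT_FOUND)

        # Caller is authorised and the target exists: issue the token and
        # leave an audit trail of who emulated whom.
        token = createAuthToken(username)
        logger.info("User %s emulated %s and was issued a token",
                    user.username, username)
        expire_time = token.issuedTime + secrets.TOKEN_EXPIRY_TIME
        auth_json = {
            # Extra data passed only on emulation.
            'emulated_by': user.username,
            # Normal token data.
            'token': token.key,
            'username': token.user.username,
            'expires': expire_time.strftime("%b %d, %Y %H:%M:%S"),
        }
        return Response(auth_json, status=status.HTTP_201_CREATED)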
Esempio n. 3
 def _token_for_username(self, username):
     """Mint a fresh auth token for *username* and return it as 201 Created.

     The JSON body carries the token key, the owning username and the
     expiry time (issue time plus secrets.TOKEN_EXPIRY_TIME) formatted as
     "%b %d, %Y %H:%M:%S".
     """
     minted = createAuthToken(username)
     expires_at = minted.issuedTime + secrets.TOKEN_EXPIRY_TIME
     payload = dict(
         token=minted.key,
         username=minted.user.username,
         expires=expires_at.strftime("%b %d, %Y %H:%M:%S"),
     )
     return Response(payload, status=status.HTTP_201_CREATED)
Esempio n. 4
 def _token_for_username(self, username):
     """Mint a fresh auth token for *username* and return it as 201 Created.

     The JSON body carries the token key, the owning username and the
     expiry time (issue time plus secrets.TOKEN_EXPIRY_TIME) formatted as
     "%b %d, %Y %H:%M:%S".
     """
     minted = createAuthToken(username)
     expires_at = minted.issuedTime + secrets.TOKEN_EXPIRY_TIME
     payload = dict(
         token=minted.key,
         username=minted.user.username,
         expires=expires_at.strftime("%b %d, %Y %H:%M:%S"),
     )
     return Response(payload, status=status.HTTP_201_CREATED)
Esempio n. 5
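 def get(self, request):
     """
     Return the caller's auth token, serialised with TokenSerializer.

     Unauthenticated callers get 403. An expired -- or missing -- session
     token is replaced by a freshly created one before it is returned.

     Returns:
         200 OK with the serialised token, or 403 Forbidden.
     """
     user = request.user
     if not user.is_authenticated():
         return Response("Logged-in User or POST required to retrieve AuthToken",
                 status=status.HTTP_403_FORBIDDEN)
     # Authenticated users have tokens
     token = lookupSessionToken(request)
     # NOTE(review): assumes lookupSessionToken returns None when the session
     # carries no token -- confirm. Without the None guard the is_expired()
     # call raises AttributeError and the request fails with a 500.
     if token is None or token.is_expired():
         # Sanity Check: New tokens should be created
         # when auth token is expired.
         token = createAuthToken(user.username)
     serialized_data = TokenSerializer(token).data
     return Response(serialized_data, status=status.HTTP_200_OK)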
Esempio n. 6
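 def get(self, request):
     """
     Return the caller's auth token, serialised with TokenSerializer.

     Unauthenticated callers get 403. An expired -- or missing -- session
     token is replaced by a freshly created one before it is returned.

     Returns:
         200 OK with the serialised token, or 403 Forbidden.
     """
     user = request.user
     if not user.is_authenticated():
         return Response("Logged-in User or POST required "
                         "to retrieve AuthToken",
                         status=status.HTTP_403_FORBIDDEN)
     # Authenticated users have tokens
     token = lookupSessionToken(request)
     # NOTE(review): assumes lookupSessionToken returns None when the session
     # carries no token -- confirm. Without the None guard the is_expired()
     # call raises AttributeError and the request fails with a 500.
     if token is None or token.is_expired():
         # Sanity Check: New tokens should be created
         # when auth token is expired.
         token = createAuthToken(user.username)
     serialized_data = TokenSerializer(token).data
     return Response(serialized_data, status=status.HTTP_200_OK)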
Esempio n. 7
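def saml_validateTicket(request):
    """
    Method expects 2 GET parameters: 'ticket' & 'sendback'
    After a CAS Login:
    Redirects the request based on the GET param 'ticket'
    Unauthorized Users are redirected to the login page in the event of failure.
    Authorized Users are redirected to the GET param 'sendback' with the
    token appended as a query parameter; when 'sendback' is absent the raw
    SAML response XML is returned instead.

    Args:
        request: the Django request; only request.GET is read.

    Returns:
        HttpResponseRedirect on every failure path and on success with
        'sendback'; HttpResponse (text/xml) on success without 'sendback'.
    """

    redirect_logout_url = settings.REDIRECT_URL + "/login/"
    no_user_url = settings.REDIRECT_URL + "/no_user/"
    logger.debug('GET Variables:%s', request.GET)
    ticket = request.GET.get('ticket', None)
    sendback = request.GET.get('sendback', None)

    if not ticket:
        logger.info("No Ticket received in GET string "
                    "-- Logout user: %s", redirect_logout_url)
        return HttpResponseRedirect(redirect_logout_url)

    logger.debug("ServiceValidate endpoint includes a ticket."
                 " Ticket must now be validated with SAML")

    saml_client = get_saml_client()
    saml_response = saml_client.saml_serviceValidate(ticket)
    if not saml_response.success:
        logger.debug("CAS Server did NOT validate ticket:%s"
                     " and included this response:%s",
                     ticket, saml_response.xml)
        return HttpResponseRedirect(redirect_logout_url)

    try:
        auth_token = createAuthToken(saml_response.user)
    except User.DoesNotExist:
        return HttpResponseRedirect(no_user_url)
    if auth_token is None:
        logger.info("Failed to create AuthToken")
        # The 'return' was missing here, so a None token fell through to
        # createSessionToken and the success redirect below.
        return HttpResponseRedirect(redirect_logout_url)
    createSessionToken(request, auth_token)
    if not sendback:
        return HttpResponse(saml_response.response,
                            content_type="text/xml; charset=utf-8")
    logger.info("Session token created, return to: %s", sendback)
    # NOTE(review): 'sendback' is taken unchecked from the query string and
    # the token is appended to it, so an unrestricted value would deliver
    # the token to whatever host the caller named. Restricting it to
    # trusted hosts belongs before this redirect; it is not done here.
    joiner = "&" if "?" in sendback else "?"
    return_to = sendback + joiner + "token=%s" % auth_token
    return HttpResponseRedirect(return_to)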
Esempio n. 8
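def saml_validateTicket(request):
    """
    Method expects 2 GET parameters: 'ticket' & 'sendback'
    After a CAS Login:
    Redirects the request based on the GET param 'ticket'
    Unauthorized Users are redirected to the login page in the event of failure.
    Authorized Users are redirected to the GET param 'sendback' with the
    token appended as a query parameter; when 'sendback' is absent the raw
    SAML response XML is returned instead.

    Args:
        request: the Django request; only request.GET is read.

    Returns:
        HttpResponseRedirect on every failure path and on success with
        'sendback'; HttpResponse (text/xml) on success without 'sendback'.
    """

    redirect_logout_url = settings.REDIRECT_URL + "/login/"
    no_user_url = settings.REDIRECT_URL + "/no_user/"
    logger.debug('GET Variables:%s', request.GET)
    ticket = request.GET.get('ticket', None)
    sendback = request.GET.get('sendback', None)

    if not ticket:
        logger.info("No Ticket received in GET string "
                    "-- Logout user: %s", redirect_logout_url)
        return HttpResponseRedirect(redirect_logout_url)

    logger.debug("ServiceValidate endpoint includes a ticket."
                 " Ticket must now be validated with SAML")

    saml_client = get_saml_client()
    saml_response = saml_client.saml_serviceValidate(ticket)
    if not saml_response.success:
        logger.debug("CAS Server did NOT validate ticket:%s"
                     " and included this response:%s",
                     ticket, saml_response.xml)
        return HttpResponseRedirect(redirect_logout_url)

    try:
        auth_token = createAuthToken(saml_response.user)
    except User.DoesNotExist:
        return HttpResponseRedirect(no_user_url)
    if auth_token is None:
        logger.info("Failed to create AuthToken")
        # The 'return' was missing here, so a None token fell through to
        # createSessionToken and the success redirect below.
        return HttpResponseRedirect(redirect_logout_url)
    createSessionToken(request, auth_token)
    if not sendback:
        return HttpResponse(saml_response.response,
                            content_type="text/xml; charset=utf-8")
    logger.info("Session token created, return to: %s", sendback)
    # NOTE(review): 'sendback' is taken unchecked from the query string and
    # the token is appended to it, so an unrestricted value would deliver
    # the token to whatever host the caller named. Restricting it to
    # trusted hosts belongs before this redirect; it is not done here.
    joiner = "&" if "?" in sendback else "?"
    return_to = sendback + joiner + "token=%s" % auth_token
    return HttpResponseRedirect(return_to)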
Esempio n. 9
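def _auth_token_response(token, http_status=None):
    """Build the JSON token body shared by every token_auth success path.

    Args:
        token: an auth token exposing .key, .user.username and .issuedTime.
        http_status: explicit HTTP status code; None keeps HttpResponse's
            default (200).

    Returns:
        HttpResponse with content_type 'application/json' and body
        {token, username, expires}.
    """
    expire_time = token.issuedTime + secrets.TOKEN_EXPIRY_TIME
    auth_json = {
        'token': token.key,
        'username': token.user.username,
        'expires': expire_time.strftime("%b %d, %Y %H:%M:%S"),
    }
    if http_status is None:
        return HttpResponse(
            content=json.dumps(auth_json),
            content_type='application/json')
    return HttpResponse(
        content=json.dumps(auth_json),
        status=http_status,
        content_type='application/json')


def token_auth(request):
    """
    VERSION 2 AUTH
    Authentication is based on the POST parameters:
    * Username (Required)
    * Password (Not Required if CAS authenticated previously)

    NOTE: This authentication is SEPARATE from
    django model authentication
    Use this to give out tokens to access the API

    Returns:
        JSON {token, username, expires}: 201 after an LDAP login, 200 after
        CAS proxy validation; 401 when either validation fails; a CAS login
        redirect when no username is available.
    """
    logger.info('Request to auth')
    logger.info(request)

    username = request.POST.get('username', None)
    #CAS authenticated user already has session data
    #without passing any parameters
    if not username:
        username = request.session.get('username', None)

    password = request.POST.get('password', None)
    #LDAP Authenticate if password provided.
    if username and password:
        if ldap_validate(username, password):
            logger.info("LDAP User %s validated. Creating auth token", username)
            token = createAuthToken(username)
            return _auth_token_response(token, status.HTTP_201_CREATED)
        logger.debug("[LDAP] Failed to validate %s", username)
        return HttpResponse("LDAP login failed", status=401)

    # A client-supplied 'token' POST field is deliberately not read: the
    # earlier version took it and, on any non-empty value, used the raw
    # string as a token object without validating it (an AttributeError,
    # i.e. a 500, in practice). Tokens are only minted after LDAP or CAS
    # validation below.

    if not username:
        #No username from POST or session: there is nothing CAS could
        #validate, so force the user to login via CAS
        return cas_loginRedirect(request, '/auth/')

    #CAS Authenticate by Proxy (Password not necessary):
    if cas_validateUser(username):
        logger.info("CAS User %s validated. Creating auth token", username)
        token = createAuthToken(username)
        return _auth_token_response(token)
    logger.debug("[CAS] Failed to validate - %s", username)
    return HttpResponse("CAS Login Failure", status=401)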
Esempio n. 10
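def cas_validateTicket(request):
    """
    Method expects 2 GET parameters: 'ticket' & 'sendback'
    After a CAS Login:
    Redirects the request based on the GET param 'ticket'
    Unauthorized Users are redirected to the login page in the event of failure.
    Authorized Users are redirected to the GET param 'sendback'

    Args:
        request: the Django request; only request.GET is read.

    Returns:
        HttpResponseRedirect: to the login page on any failure, to the
        no-user page when the CAS user has no account, to 'sendback' on
        success.
    """

    redirect_logout_url = settings.REDIRECT_URL + "/login/"
    no_user_url = settings.REDIRECT_URL + "/no_user/"
    logger.debug("GET Variables:%s", request.GET)
    ticket = request.GET.get("ticket", None)
    sendback = request.GET.get("sendback", None)

    if not ticket:
        logger.info("No Ticket received in GET string " "-- Logout user: %s", redirect_logout_url)
        return HttpResponseRedirect(redirect_logout_url)
    # Both parameters are required. 'sendback' used to be re-read with
    # request.GET["sendback"] only after a successful login, which raised
    # KeyError (a 500) whenever it was absent.
    if not sendback:
        logger.info("No sendback received in GET string " "-- Logout user: %s", redirect_logout_url)
        return HttpResponseRedirect(redirect_logout_url)

    logger.debug("ServiceValidate endpoint includes a ticket." " Ticket must now be validated with CAS")

    # ReturnLocation set, apply on successful authentication

    caslib = get_cas_client()
    caslib.service_url = _set_redirect_url(sendback, request)

    cas_response = caslib.cas_serviceValidate(ticket)
    if not cas_response.success:
        logger.debug(
            "CAS Server did NOT validate ticket:%s" " and included this response:%s", ticket, cas_response.object
        )
        return HttpResponseRedirect(redirect_logout_url)
    if not cas_response.user:
        logger.debug("User attribute missing from cas response!" "This may require a fix to caslib.py")
        return HttpResponseRedirect(redirect_logout_url)
    if not cas_response.proxy_granting_ticket:
        logger.error(
            """Proxy Granting Ticket missing!
        Atmosphere requires CAS proxy as a service to authenticate users.
            Possible Causes:
              * ServerName variable is wrong in /etc/apache2/apache2.conf
              * Proxy URL does not exist
              * Proxy URL is not a valid RSA-2/VeriSigned SSL certificate
              * /etc/host and hostname do not match machine."""
        )
        return HttpResponseRedirect(redirect_logout_url)

    updated = updateUserProxy(cas_response.user, cas_response.proxy_granting_ticket)
    if not updated:
        return HttpResponseRedirect(redirect_logout_url)
    logger.info("Updated proxy for <%s> -- Auth success!", cas_response.user)

    try:
        auth_token = createAuthToken(cas_response.user)
    except User.DoesNotExist:
        return HttpResponseRedirect(no_user_url)
    if auth_token is None:
        logger.info("Failed to create AuthToken")
        # The 'return' was missing here, so a None token fell through to
        # createSessionToken and the success redirect below.
        return HttpResponseRedirect(redirect_logout_url)
    createSessionToken(request, auth_token)
    logger.info("Session token created, return to: %s", sendback)
    # NOTE(review): 'sendback' is caller-controlled; unless _set_redirect_url
    # (not visible here) constrains it, this is an open redirect. Confirm.
    return HttpResponseRedirect(sendback)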
Esempio n. 11
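def cas_validateTicket(request):
    """
    Method expects 2 GET parameters: 'ticket' & 'sendback'
    After a CAS Login:
    Redirects the request based on the GET param 'ticket'
    Unauthorized Users are redirected to the login page in the event of failure.
    Authorized Users are redirected to the GET param 'sendback'

    Args:
        request: the Django request; only request.GET is read.

    Returns:
        HttpResponseRedirect: to the login page on any failure, to the
        no-user page when the CAS user has no account, to 'sendback' on
        success.
    """

    redirect_logout_url = settings.REDIRECT_URL + "/login/"
    no_user_url = settings.REDIRECT_URL + "/no_user/"
    logger.debug('GET Variables:%s', request.GET)
    ticket = request.GET.get('ticket', None)
    sendback = request.GET.get('sendback', None)

    if not ticket:
        logger.info("No Ticket received in GET string "
                    "-- Logout user: %s", redirect_logout_url)
        return HttpResponseRedirect(redirect_logout_url)
    # Both parameters are required. 'sendback' used to be re-read with
    # request.GET['sendback'] only after a successful login, which raised
    # KeyError (a 500) whenever it was absent.
    if not sendback:
        logger.info("No sendback received in GET string "
                    "-- Logout user: %s", redirect_logout_url)
        return HttpResponseRedirect(redirect_logout_url)

    logger.debug("ServiceValidate endpoint includes a ticket."
                 " Ticket must now be validated with CAS")

    # ReturnLocation set, apply on successful authentication
    cas_setReturnLocation(sendback)
    cas_response = caslib.cas_serviceValidate(ticket)
    if not cas_response.success:
        logger.debug("CAS Server did NOT validate ticket:%s"
                     " and included this response:%s",
                     ticket, cas_response)
        return HttpResponseRedirect(redirect_logout_url)
    (user, pgtIou) = parse_cas_response(cas_response)

    if not user:
        logger.debug("User attribute missing from cas response!"
                     "This may require a fix to caslib.py")
        return HttpResponseRedirect(redirect_logout_url)
    # 'not pgtIou' already covers the empty string.
    if not pgtIou:
        logger.error("""Proxy Granting Ticket missing!
        Atmosphere requires CAS proxy as a service to authenticate users.
            Possible Causes:
              * ServerName variable is wrong in /etc/apache2/apache2.conf
              * Proxy URL does not exist
              * Proxy URL is not a valid RSA-2/VeriSigned SSL certificate
              * /etc/host and hostname do not match machine.""")
        return HttpResponseRedirect(redirect_logout_url)

    updated = updateUserProxy(user, pgtIou)
    if not updated:
        return HttpResponseRedirect(redirect_logout_url)
    logger.info("Updated proxy for <%s> -- Auth success!", user)

    try:
        auth_token = createAuthToken(user)
    except User.DoesNotExist:
        return HttpResponseRedirect(no_user_url)
    if auth_token is None:
        logger.info("Failed to create AuthToken")
        # The 'return' was missing here, so a None token fell through to
        # createSessionToken and the success redirect below.
        return HttpResponseRedirect(redirect_logout_url)
    createSessionToken(request, auth_token)
    logger.info("Session token created, return to: %s", sendback)
    # NOTE(review): 'sendback' is caller-controlled; unless cas_setReturnLocation
    # (not visible here) constrains it, this is an open redirect. Confirm.
    return HttpResponseRedirect(sendback)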
Esempio n. 12
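def _auth_token_response(token, http_status=None):
    """Build the JSON token body shared by every token_auth success path.

    Args:
        token: an auth token exposing .key, .user.username and .issuedTime.
        http_status: explicit HTTP status code; None keeps HttpResponse's
            default (200).

    Returns:
        HttpResponse with content_type 'application/json' and body
        {token, username, expires}.
    """
    expire_time = token.issuedTime + secrets.TOKEN_EXPIRY_TIME
    auth_json = {
        'token': token.key,
        'username': token.user.username,
        'expires': expire_time.strftime("%b %d, %Y %H:%M:%S"),
    }
    if http_status is None:
        return HttpResponse(
            content=json.dumps(auth_json),
            content_type='application/json')
    return HttpResponse(
        content=json.dumps(auth_json),
        status=http_status,
        content_type='application/json')


def token_auth(request):
    """
    VERSION 2 AUTH
    Authentication is based on the POST parameters:
    * Username (Required)
    * Password (Not Required if CAS authenticated previously)

    NOTE: This authentication is SEPARATE from
    django model authentication
    Use this to give out tokens to access the API

    Returns:
        JSON {token, username, expires}: 201 after an LDAP login, 200 after
        CAS proxy validation; 401 when either validation fails; a CAS login
        redirect when no username is available.
    """
    logger.info('Request to auth')
    logger.info(request)

    username = request.POST.get('username', None)
    #CAS authenticated user already has session data
    #without passing any parameters
    if not username:
        username = request.session.get('username', None)

    password = request.POST.get('password', None)
    #LDAP Authenticate if password provided.
    if username and password:
        if ldap_validate(username, password):
            logger.info("LDAP User %s validated. Creating auth token", username)
            token = createAuthToken(username)
            return _auth_token_response(token, status.HTTP_201_CREATED)
        logger.debug("[LDAP] Failed to validate %s", username)
        return HttpResponse("LDAP login failed", status=401)

    # The former 'if token:' renewal branch was unreachable: token was
    # initialised to None and never assigned on a path that reached it.
    # Tokens are only minted after LDAP or CAS validation.

    if not username:
        #No username from POST or session: there is nothing CAS could
        #validate, so force the user to login via CAS
        return cas_loginRedirect(request, '/auth/')

    #CAS Authenticate by Proxy (Password not necessary):
    if cas_validateUser(username):
        logger.info("CAS User %s validated. Creating auth token", username)
        token = createAuthToken(username)
        return _auth_token_response(token)
    logger.debug("[CAS] Failed to validate - %s", username)
    return HttpResponse("CAS Login Failure", status=401)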