def is_authenticated(self, request):
if not request.external_auth_info:
return False
req_headers = request_headers(request)
macaroon_bakery = _get_bakery(request)
auth_checker = macaroon_bakery.checker.auth(
httpbakery.extract_macaroons(req_headers))
try:
auth_info = auth_checker.allow(
checkers.AuthContext(), [bakery.LOGIN_OP])
except (bakery.DischargeRequiredError, bakery.PermissionDenied):
return False
# set the user in the request so that it's considered authenticated. If
# a user is not found with the username from the identity, it's
# created.
user, created = User.objects.get_or_create(
username=auth_info.identity.id(), defaults={'is_superuser': True})
# Only check the user with IDM again if it wasn't just created
if not created and not validate_user_external_auth(user):
return False
request.user = user
return True
def is_authenticated(self, request):
if not request.external_auth_info:
return False
req_headers = request_headers(request)
macaroon_bakery = _get_bakery(request)
auth_checker = macaroon_bakery.checker.auth(
httpbakery.extract_macaroons(req_headers))
try:
auth_info = auth_checker.allow(checkers.AuthContext(),
[bakery.LOGIN_OP])
except (bakery.DischargeRequiredError, bakery.PermissionDenied):
return False
# set the user in the request so that it's considered authenticated. If
# a user is not found with the username from the identity, it's
# created.
username = auth_info.identity.id()
try:
user = User.objects.get(username=username)
if user.userprofile.is_local:
return False
except User.DoesNotExist:
user = User(username=username)
user.save()
if not validate_user_external_auth(user, request.external_auth_info):
return False
request.user = user
return True
def __call__(self, request):
if not request.external_auth_info:
return HttpResponseNotFound('Not found')
macaroon_bakery = _get_bakery(request)
req_headers = request_headers(request)
auth_checker = macaroon_bakery.checker.auth(
httpbakery.extract_macaroons(req_headers))
try:
auth_info = auth_checker.allow(
checkers.AuthContext(), [bakery.LOGIN_OP])
except bakery.DischargeRequiredError as err:
return _authorization_request(
macaroon_bakery, derr=err, req_headers=req_headers)
except bakery.VerificationError:
return _authorization_request(
macaroon_bakery, req_headers=req_headers,
auth_endpoint=request.external_auth_info.url,
auth_domain=request.external_auth_info.domain)
except bakery.PermissionDenied:
return HttpResponseForbidden()
user = authenticate(request, identity=auth_info.identity)
if user is None:
# macaroon authentication can return None if the user exists but
# doesn't have permission to log in
return HttpResponseForbidden('User login not allowed')
login(
request, user,
backend='maasserver.macaroon_auth.MacaroonAuthorizationBackend')
return JsonResponse(
{attr: getattr(user, attr)
for attr in ('id', 'username', 'is_superuser')})
def __call__(self, request):
if not request.external_auth_info:
return HttpResponseNotFound('Not found')
macaroon_bakery = _get_bakery(request)
req_headers = request_headers(request)
auth_checker = macaroon_bakery.checker.auth(
httpbakery.extract_macaroons(req_headers))
try:
auth_info = auth_checker.allow(
checkers.AuthContext(), [bakery.LOGIN_OP])
except bakery.DischargeRequiredError as err:
return _authorization_request(
macaroon_bakery, derr=err, req_headers=req_headers)
except bakery.VerificationError:
return _authorization_request(
macaroon_bakery, req_headers=req_headers,
auth_endpoint=request.external_auth_info.url)
except bakery.PermissionDenied:
return HttpResponseForbidden()
# a user is always returned since the authentication middleware creates
# one if not found
user = authenticate(request, identity=auth_info.identity)
login(
request, user,
backend='maasserver.macaroon_auth.MacaroonAuthorizationBackend')
return JsonResponse({'id': user.id, 'username': user.username})
def __call__(self, request):
auth_endpoint = Config.objects.get_config('external_auth_url')
if not auth_endpoint:
return HttpResponseNotFound('Not found')
macaroon_bakery = self._setup_bakery(auth_endpoint, request)
req_headers = request_headers(request)
auth_checker = macaroon_bakery.checker.auth(
httpbakery.extract_macaroons(req_headers))
try:
auth_info = auth_checker.allow(
checkers.AuthContext(), [bakery.LOGIN_OP])
except bakery.DischargeRequiredError as err:
return self._authorization_request(
request, req_headers, macaroon_bakery, err)
except bakery.PermissionDenied:
return HttpResponseForbidden()
# a user is always returned since the authentication middleware creates
# one if not found
user = authenticate(request, identity=auth_info.identity)
backend = (
'maasserver.views.macaroon_auth.MacaroonAuthenticationBackend')
login(request, user, backend=backend)
return JsonResponse({'id': user.id, 'username': user.username})
def test_non_http_headers_ignored(self):
request = HttpRequest()
request.META.update({
"HTTP_HOST": "www.example.com",
"SERVER_NAME": "myserver"
})
self.assertEqual(views.request_headers(request),
{"host": "www.example.com"})
def test_non_http_headers_ignored(self):
request = HttpRequest()
request.META.update({
'HTTP_HOST': 'www.example.com',
'SERVER_NAME': 'myserver'
})
self.assertEqual(views.request_headers(request),
{'host': 'www.example.com'})
def test_headers(self):
request = HttpRequest()
request.META.update({
'HTTP_HOST': 'www.example.com',
'HTTP_CONTENT_TYPE': 'text/plain'
})
self.assertEqual(views.request_headers(request), {
'host': 'www.example.com',
'content-type': 'text/plain'
})
def test_headers(self):
request = HttpRequest()
request.META.update({
"HTTP_HOST": "www.example.com",
"HTTP_CONTENT_TYPE": "text/plain"
})
self.assertEqual(
views.request_headers(request),
{
"host": "www.example.com",
"content-type": "text/plain"
},
)
def test_case_insensitive(self):
request = HttpRequest()
request.META["HTTP_CONTENT_TYPE"] = "text/plain"
headers = views.request_headers(request)
self.assertEqual(headers["Content-type"], "text/plain")
def test_case_insensitive(self):
request = HttpRequest()
request.META['HTTP_CONTENT_TYPE'] = 'text/plain'
headers = views.request_headers(request)
self.assertEqual(headers['Content-type'], 'text/plain')
