def decorator(request, *args, **kwargs): # Do nothing if the remoteuser backend isn't activated if (('shibboleth.backends.ShibbolethRemoteUserBackend' not in settings.AUTHENTICATION_BACKENDS)): pass else: shib = ShibbolethRemoteUserMiddleware() # Process the request with the Shib middlemare, # which will log the user in if we can. shib.process_request(request) return func(request, *args, **kwargs)
def setUp(self): self.remove_user('*****@*****.**') self.middleware = ShibbolethRemoteUserMiddleware() self.factory = RequestFactory() # Create an instance of a GET request. self.request = self.factory.get('/foo/') self.request.user = self.user self.request.user.is_authenticated = lambda: False self.request.cloud_mode = False self.request.session = self.client.session self.request.META = {} self.request.META['Shibboleth-eppn'] = '*****@*****.**' self.request.META['REMOTE_USER'] = '******' self.request.META['givenname'] = 'test_gname' self.request.META['surname'] = 'test_sname'
def test_get_role_by_affiliation(self): obj = ShibbolethRemoteUserMiddleware() assert obj._get_role_by_affiliation('*****@*****.**') == 'staff' assert obj._get_role_by_affiliation('*****@*****.**') == 'staff' assert obj._get_role_by_affiliation('*****@*****.**') == 'student' # test jokers assert obj._get_role_by_affiliation('*****@*****.**') == 'student' assert obj._get_role_by_affiliation('*****@*****.**') == 'aaa' assert obj._get_role_by_affiliation('*****@*****.**') == 'guest'
def setUp(self): self.remove_user('*****@*****.**') self.middleware = ShibbolethRemoteUserMiddleware() self.factory = RequestFactory() # Create an instance of a GET request. self.request = self.factory.get('/sso/') self.request.user = self.user self.request.user.is_authenticated = lambda: False self.request.cloud_mode = False self.request.session = self.client.session self.request.META = {} self.request.META['Shibboleth-eppn'] = '*****@*****.**' self.request.META['REMOTE_USER'] = '******' self.request.META['givenname'] = 'test_gname' self.request.META['surname'] = 'test_sname' self.request.META['Shibboleth-displayName'] = 'Sample Developer' self.request.META['Shibboleth-affiliation'] = '[email protected];[email protected];[email protected];[email protected]' # default settings assert getattr(settings, 'SHIB_ACTIVATE_AFTER_CREATION', True) is True
def setUp(self): self.middleware = ShibbolethRemoteUserMiddleware() self.factory = RequestFactory() # Create an instance of a GET request. self.request = self.factory.get('/foo/') # self.request = Mock() self.request.user = self.user self.request.user.is_authenticated = lambda: False self.request.cloud_mode = False self.request.session = {} self.request.META = {} self.request.META['REMOTE_USER'] = self.user.username self.request.META['eppn'] = 'test eppn' self.request.META['givenname'] = 'test_gname' self.request.META['surname'] = 'test_sname'
def setUp(self): self.remove_user('*****@*****.**') self.middleware = ShibbolethRemoteUserMiddleware() self.factory = RequestFactory() # Create an instance of a GET request. self.request = self.factory.get('/foo/') self.request.user = self.user self.request.user.is_authenticated = lambda: False self.request.cloud_mode = False self.request.session = self.client.session self.request.META = {} self.request.META['Shibboleth-eppn'] = '*****@*****.**' self.request.META['REMOTE_USER'] = '******' self.request.META['givenname'] = 'test_gname' self.request.META['surname'] = 'test_sname' # default settings assert getattr(settings, 'SHIB_ACTIVATE_AFTER_CREATION', True) is True
def test_inheritance_middleware(self): from shibboleth.middleware import ShibbolethRemoteUserMiddleware middleware = ShibbolethRemoteUserMiddleware() assert hasattr(middleware, "_remove_invalid_user") assert hasattr(middleware, "clean_username")
class ShibbolethRemoteUserMiddlewareTest(BaseTestCase): def setUp(self): self.remove_user('*****@*****.**') self.middleware = ShibbolethRemoteUserMiddleware() self.factory = RequestFactory() # Create an instance of a GET request. self.request = self.factory.get('/foo/') self.request.user = self.user self.request.user.is_authenticated = lambda: False self.request.cloud_mode = False self.request.session = self.client.session self.request.META = {} self.request.META['Shibboleth-eppn'] = '*****@*****.**' self.request.META['REMOTE_USER'] = '******' self.request.META['givenname'] = 'test_gname' self.request.META['surname'] = 'test_sname' self.request.META['Shibboleth-displayName'] = 'Sample Developer' self.request.META[ 'Shibboleth-affiliation'] = '[email protected];[email protected];[email protected];[email protected]' # default settings assert getattr(settings, 'SHIB_ACTIVATE_AFTER_CREATION', True) is True @patch( 'shibboleth.middleware.SHIB_ATTRIBUTE_MAP', { "Shibboleth-eppn": (True, "username"), "givenname": (False, "givenname"), "surname": (False, "surname"), "emailaddress": (False, "contact_email"), "organization": (False, "institution"), "Shibboleth-displayName": (False, "display_name"), }) def test_can_process(self): assert len(Profile.objects.all()) == 0 self.middleware.process_request(self.request) assert self.request.user.username == '*****@*****.**' assert len(Profile.objects.all()) == 1 assert self.request.shib_login is True assert Profile.objects.all()[0].user == '*****@*****.**' assert Profile.objects.all()[0].nickname == 'Sample Developer' @override_settings( SHIBBOLETH_AFFILIATION_ROLE_MAP={ '*****@*****.**': 'staff', '*****@*****.**': 'staff', '*****@*****.**': 'student', }) @patch( 'shibboleth.middleware.SHIB_ATTRIBUTE_MAP', { "Shibboleth-eppn": (True, "username"), "givenname": (False, "givenname"), "surname": (False, "surname"), "emailaddress": (False, "contact_email"), "organization": (False, "institution"), "Shibboleth-affiliation": (False, "affiliation"), "Shibboleth-displayName": (False, "display_name"), }) def test_can_process_user_role(self): assert len(Profile.objects.all()) == 0 self.middleware.process_request(self.request) assert self.request.user.username == '*****@*****.**' assert len(Profile.objects.all()) == 1 assert self.request.shib_login is True assert Profile.objects.all()[0].user == '*****@*****.**' assert Profile.objects.all()[0].nickname == 'Sample Developer' assert User.objects.get(self.request.user.username).role == 'staff' @pytest.mark.skipif( TRAVIS, reason= "TODO: this test can only be run seperately due to the url module init in django, we may need to reload url conf: https://gist.github.com/anentropic/9ac47f6518c88fa8d2b0" ) def test_process_inactive_user(self): """Inactive user is created, and no profile is created. """ assert len(Profile.objects.all()) == 0 with self.settings(SHIB_ACTIVATE_AFTER_CREATION=False): # reload our shibboleth.backends module, so it picks up the settings change reload(backends) resp = self.middleware.process_request(self.request) assert resp.url == '/shib-complete/' assert len(Profile.objects.all()) == 0 # now reload again, so it reverts to original settings reload(backends) def test_make_profile_for_display_name(self): assert len(Profile.objects.all()) == 0 self.middleware.make_profile( self.user, { 'display_name': 'display name', 'givenname': 'g', 'surname': 's', 'institution': 'i', 'contact_email': '*****@*****.**' }) assert len(Profile.objects.all()) == 1 assert Profile.objects.all()[0].nickname == 'display name' def test_make_profile_for_givenname_surname(self): assert len(Profile.objects.all()) == 0 self.middleware.make_profile( self.user, { 'givenname': 'g', 'surname': 's', 'institution': 'i', 'contact_email': '*****@*****.**' }) assert len(Profile.objects.all()) == 1 assert Profile.objects.all()[0].nickname == 'g s' def test_make_profile_for_name_missing(self): assert len(Profile.objects.all()) == 0 self.middleware.make_profile(self.user, { 'institution': 'i', 'contact_email': '*****@*****.**' }) assert len(Profile.objects.all()) == 1 assert Profile.objects.all()[0].nickname == ''
class ShibbolethRemoteUserMiddlewareTest(BaseTestCase): def setUp(self): self.middleware = ShibbolethRemoteUserMiddleware() self.factory = RequestFactory() # Create an instance of a GET request. self.request = self.factory.get('/foo/') # self.request = Mock() self.request.user = self.user self.request.user.is_authenticated = lambda: False self.request.cloud_mode = False self.request.session = {} self.request.META = {} self.request.META['REMOTE_USER'] = self.user.username self.request.META['eppn'] = 'test eppn' self.request.META['givenname'] = 'test_gname' self.request.META['surname'] = 'test_sname' # def test_can_process(self): # assert len(Profile.objects.all()) == 0 # self.middleware.process_request(self.request) # assert len(Profile.objects.all()) == 1 # assert self.request.shib_login is True def test_make_profile_for_display_name(self): assert len(Profile.objects.all()) == 0 self.middleware.make_profile(self.user, { 'display_name': 'display name', 'givenname': 'g', 'surname': 's', 'institution': 'i', 'contact_email': '*****@*****.**' }) assert len(Profile.objects.all()) == 1 assert Profile.objects.all()[0].nickname == 'display name' def test_make_profile_for_givenname_surname(self): assert len(Profile.objects.all()) == 0 self.middleware.make_profile(self.user, { 'givenname': 'g', 'surname': 's', 'institution': 'i', 'contact_email': '*****@*****.**' }) assert len(Profile.objects.all()) == 1 assert Profile.objects.all()[0].nickname == 'g s' def test_make_profile_for_name_missing(self): assert len(Profile.objects.all()) == 0 self.middleware.make_profile(self.user, { 'institution': 'i', 'contact_email': '*****@*****.**' }) assert len(Profile.objects.all()) == 1 assert Profile.objects.all()[0].nickname == ''
class ShibbolethRemoteUserMiddlewareTest(BaseTestCase): def setUp(self): self.remove_user('*****@*****.**') self.middleware = ShibbolethRemoteUserMiddleware() self.factory = RequestFactory() # Create an instance of a GET request. self.request = self.factory.get('/foo/') self.request.user = self.user self.request.user.is_authenticated = lambda: False self.request.cloud_mode = False self.request.session = self.client.session self.request.META = {} self.request.META['Shibboleth-eppn'] = '*****@*****.**' self.request.META['REMOTE_USER'] = '******' self.request.META['givenname'] = 'test_gname' self.request.META['surname'] = 'test_sname' def test_can_process(self): assert len(Profile.objects.all()) == 0 self.middleware.process_request(self.request) assert len(Profile.objects.all()) == 1 assert self.request.shib_login is True def test_process_inactive_user(self): """Inactive user is created, and no profile is created. """ assert len(Profile.objects.all()) == 0 with self.settings(SHIB_ACTIVATE_AFTER_CREATION=False): # reload our shibboleth.backends module, so it picks up the settings change reload(backends) resp = self.middleware.process_request(self.request) assert resp.url == 'shib-complete' assert len(Profile.objects.all()) == 0 # now reload again, so it reverts to original settings reload(backends) def test_make_profile_for_display_name(self): assert len(Profile.objects.all()) == 0 self.middleware.make_profile( self.user, { 'display_name': 'display name', 'givenname': 'g', 'surname': 's', 'institution': 'i', 'contact_email': '*****@*****.**' }) assert len(Profile.objects.all()) == 1 assert Profile.objects.all()[0].nickname == 'display name' def test_make_profile_for_givenname_surname(self): assert len(Profile.objects.all()) == 0 self.middleware.make_profile( self.user, { 'givenname': 'g', 'surname': 's', 'institution': 'i', 'contact_email': '*****@*****.**' }) assert len(Profile.objects.all()) == 1 assert Profile.objects.all()[0].nickname == 'g s' def test_make_profile_for_name_missing(self): assert len(Profile.objects.all()) == 0 self.middleware.make_profile(self.user, { 'institution': 'i', 'contact_email': '*****@*****.**' }) assert len(Profile.objects.all()) == 1 assert Profile.objects.all()[0].nickname == ''
def process_request(self, request): # The identity of external collaborators is managed within the django application. # Therefore, exclude the external collaborator login form from the SCW Remote User # Middleware. if request.path.startswith(reverse('external-login')): return # AuthenticationMiddleware is required so that request.user exists. if not hasattr(request, 'user'): raise ImproperlyConfigured( "The Django remote user auth middleware requires the authentication middleware to " " be installed. Edit your MIDDLEWARE setting to insert " "'django.contrib.auth.middleware.AuthenticationMiddleware' " "before the RemoteUserMiddleware class.") # Prevent the user from logging in if the django application requires the user to # reauthenticate with their shibboleth identity provider. # This will require the user to close their browser. if request.session.get( settings.SHIBBOLETH_FORCE_REAUTH_SESSION_KEY) == True: return # Locate the required headers. try: username = request.META[self.header] identity_provider = request.META['Shib-Identity-Provider'] except KeyError: # If the required headers do not exist then return, leaving request.user set to # AnonymousUser by the AuthenticationMiddleware. return # If we got an empty value for REMOTE USER header, it's an anonymous user. if not username: if self.force_logout_if_no_header and request.user.is_authenticated: self._remove_invalid_user(request) return # Ensure the Shib-Identity-Provider is supported / valid. try: Institution.is_valid_identity_provider(identity_provider) except InvalidIndentityProvider: return # The REMOTE USER header may return the authenticated user's email address or username. email_regex = r'(^[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+$)' if not re.match(email_regex, username): # Must append the institutions base domain to the username. institution = Institution.objects.get( identity_provider=identity_provider) username = '******'.join([username, institution.base_domain]) # If the user is already authenticated and that user is the user we are getting passed in # the headers, then the correct user is already persisted in the session and we don't need # to continue. if request.user.is_authenticated: if request.user.username == self.clean_username(username, request): return else: self._remove_invalid_user(request) # Make sure we have all required Shibboleth elements before proceeding. shib_meta, error = ShibbolethRemoteUserMiddleware.parse_attributes( request) # Add parsed attributes to the session. request.session['shib'] = shib_meta request.session['shib']['username'] = username # Override if error: raise ShibbolethValidationError( 'All required Shibboleth elements not found. %s' % shib_meta) # We are seeing this user for the first time in this session, attempt to authenticate # the user. user = auth.authenticate(remote_user=username, shib_meta=shib_meta) if user: # Set request.user and persist user in the session by logging the user in. request.user = user auth.login(request, user) else: # Redirect the user to apply for an account. url_name = resolve(request.path_info).url_name if url_name != 'register': return HttpResponseRedirect(reverse('register'))
class ShibbolethRemoteUserMiddlewareTest(BaseTestCase): def setUp(self): self.remove_user('*****@*****.**') self.middleware = ShibbolethRemoteUserMiddleware() self.factory = RequestFactory() # Create an instance of a GET request. self.request = self.factory.get('/foo/') self.request.user = self.user self.request.user.is_authenticated = lambda: False self.request.cloud_mode = False self.request.session = self.client.session self.request.META = {} self.request.META['Shibboleth-eppn'] = '*****@*****.**' self.request.META['REMOTE_USER'] = '******' self.request.META['givenname'] = 'test_gname' self.request.META['surname'] = 'test_sname' # default settings assert getattr(settings, 'SHIB_ACTIVATE_AFTER_CREATION', True) is True def test_can_process(self): assert len(Profile.objects.all()) == 0 self.middleware.process_request(self.request) assert len(Profile.objects.all()) == 1 assert self.request.shib_login is True @pytest.mark.skipif(TRAVIS, reason="TODO: this test can only be run seperately due to the url module init in django, we may need to reload url conf: https://gist.github.com/anentropic/9ac47f6518c88fa8d2b0") def test_process_inactive_user(self): """Inactive user is created, and no profile is created. """ assert len(Profile.objects.all()) == 0 with self.settings(SHIB_ACTIVATE_AFTER_CREATION=False): # reload our shibboleth.backends module, so it picks up the settings change reload(backends) resp = self.middleware.process_request(self.request) assert resp.url == '/shib-complete/' assert len(Profile.objects.all()) == 0 # now reload again, so it reverts to original settings reload(backends) def test_make_profile_for_display_name(self): assert len(Profile.objects.all()) == 0 self.middleware.make_profile(self.user, { 'display_name': 'display name', 'givenname': 'g', 'surname': 's', 'institution': 'i', 'contact_email': '*****@*****.**' }) assert len(Profile.objects.all()) == 1 assert Profile.objects.all()[0].nickname == 'display name' def test_make_profile_for_givenname_surname(self): assert len(Profile.objects.all()) == 0 self.middleware.make_profile(self.user, { 'givenname': 'g', 'surname': 's', 'institution': 'i', 'contact_email': '*****@*****.**' }) assert len(Profile.objects.all()) == 1 assert Profile.objects.all()[0].nickname == 'g s' def test_make_profile_for_name_missing(self): assert len(Profile.objects.all()) == 0 self.middleware.make_profile(self.user, { 'institution': 'i', 'contact_email': '*****@*****.**' }) assert len(Profile.objects.all()) == 1 assert Profile.objects.all()[0].nickname == ''