def cas_callback_authorize(request): """ Authorize a callback (From CAS IdP) """ if "code" not in request.GET: # TODO - Maybe: Redirect into a login return HttpResponse("") oauth_client = get_cas_oauth_client() oauth_code = request.GET["code"] # Exchange code for ticket access_token, expiry_date = oauth_client.get_access_token(oauth_code) if not access_token: logger.warn("The Code %s is invalid/expired. Attempting another login." % oauth_code) return o_login_redirect(request) # Exchange token for profile user_profile = oauth_client.get_profile(access_token) if not user_profile or "id" not in user_profile: logger.error( "AccessToken is producing an INVALID profile!" " Check the CAS server and caslib.py for more" " information." ) # NOTE: Make sure this redirects the user OUT of the loop! return login(request) # ASSERT: A valid OAuth token gave us the Users Profile. # Now create an AuthToken and return it username = user_profile["id"] auth_token = create_token(username, access_token, expiry_date, issuer="CAS+OAuth") # Set the username to the user to be emulated # to whom the token also belongs request.session["username"] = username request.session["token"] = auth_token.key return HttpResponseRedirect(settings.REDIRECT_URL + "/application/")
def updateUserProxy(user, pgtIou, max_try=3): attempts = 0 while attempts < max_try: try: # If PGTIOU exists, a UserProxy object was created # match the user to this ticket. userProxy = UserProxy.objects.get(proxyIOU=pgtIou) userProxy.username = user userProxy.expiresOn = timezone.now() + PROXY_TICKET_EXPIRY logger.debug("Found a matching proxy IOU for %s" % userProxy.username) userProxy.save() return True except UserProxy.DoesNotExist: logger.error("Could not find UserProxy object!" "ProxyIOU & ID was not saved " "at proxy url endpoint.") time.sleep(min(2**attempts, 8)) attempts += 1 return False
def lookupEmail(userid): """ Grabs email for the user based on LDAP attrs """ try: logger.debug(type(userid)) if isinstance(userid, WSGIRequest): raise Exception("WSGIRequest invalid.") attr = _search_ldap(userid) emailaddr = attr[0][1]['mail'][0] return emailaddr except Exception as e: logger.warn("Error occurred looking up email for user: %s" % userid) logger.exception(e) import traceback import sys import inspect s = inspect.stack() for i in range(0, 4): logger.debug(s[i]) etype, value, tb = sys.exc_info() logger.error("TB = %s" % traceback.format_tb(tb)) return None
def cas_validateTicket(request): """ Method expects 2 GET parameters: 'ticket' & 'sendback' After a CAS Login: Redirects the request based on the GET param 'ticket' Unauthorized Users are redirected to '/' In the event of failure. Authorized Users are redirected to the GET param 'sendback' """ redirect_logout_url = settings.REDIRECT_URL + "/login/" no_user_url = settings.REDIRECT_URL + "/no_user/" logger.debug('GET Variables:%s' % request.GET) ticket = request.GET.get('ticket', None) sendback = request.GET.get('sendback', None) if not ticket: logger.info("No Ticket received in GET string " "-- Logout user: %s" % redirect_logout_url) return HttpResponseRedirect(redirect_logout_url) logger.debug("ServiceValidate endpoint includes a ticket." " Ticket must now be validated with CAS") # ReturnLocation set, apply on successful authentication caslib = get_cas_client() caslib.service_url = _set_redirect_url(sendback, request) cas_response = caslib.cas_serviceValidate(ticket) if not cas_response.success: logger.debug("CAS Server did NOT validate ticket:%s" " and included this response:%s (Err:%s)" % (ticket, cas_response.object, cas_response.error_str)) return HttpResponseRedirect(redirect_logout_url) if not cas_response.user: logger.debug("User attribute missing from cas response!" "This may require a fix to caslib.py") return HttpResponseRedirect(redirect_logout_url) if not cas_response.proxy_granting_ticket: logger.error("""Proxy Granting Ticket missing! Atmosphere requires CAS proxy as a service to authenticate users. Possible Causes: * ServerName variable is wrong in /etc/apache2/apache2.conf * Proxy URL does not exist * Proxy URL is not a valid RSA-2/VeriSigned SSL certificate * /etc/host and hostname do not match machine.""") return HttpResponseRedirect(redirect_logout_url) updated = updateUserProxy( cas_response.user, cas_response.proxy_granting_ticket) if not updated: return HttpResponseRedirect(redirect_logout_url) logger.info("Updated proxy for <%s> -- Auth success!" % cas_response.user) try: user = User.objects.get(username=cas_response.user) except User.DoesNotExist: return HttpResponseRedirect(no_user_url) auth_token = create_session_token(None, user, request) if auth_token is None: logger.info("Failed to create AuthToken") HttpResponseRedirect(redirect_logout_url) return_to = request.GET['sendback'] logger.info("Session token created, User logged in, return to: %s" % return_to) return HttpResponseRedirect(return_to)