def create_ticket(self, ticket=None, **kwargs):

"""

Create a new ``Ticket``. Additional arguments are passed to the

``create()`` function. Return the newly created ``Ticket``.

"""

if not ticket:

ticket = self.create_ticket_str()

if 'service' in kwargs:

kwargs['service'] = clean_service_url(kwargs['service'])

if 'expires' not in kwargs:

expires = now() + timedelta(seconds=self.model.TICKET_EXPIRE)

kwargs['expires'] = expires

t = self.create(ticket=ticket, **kwargs)

logger.debug("Created %s %s" % (t.name, t.ticket))

return t

def create_ticket_str(self, prefix=None):

"""

Generate a sufficiently opaque ticket string to ensure the ticket is

not guessable. If a prefix is provided, prepend it to the string.

"""

if not prefix:

prefix = self.model.TICKET_PREFIX

return "%s-%d-%s" % (prefix, int(time.time()),

get_random_string(length=self.model.TICKET_RAND_LEN))

def validate_ticket(self, ticket, service, renew=False, require_https=False):

"""

Given a ticket string and service identifier, validate the

corresponding ``Ticket``. If validation succeeds, return the

``Ticket``. If validation fails, raise an appropriate error.

If ``renew`` is ``True``, ``ServiceTicket`` validation will

only succeed if the ticket was issued from the presentation

of the user's primary credentials.

If ``require_https`` is ``True``, ``ServiceTicket`` validation

will only succeed if the service URL scheme is HTTPS.

"""

if not ticket:

raise InvalidRequest("No ticket string provided")

if not self.model.TICKET_RE.match(ticket):

raise InvalidTicket("Ticket string %s is invalid" % ticket)

try:

t = self.get(ticket=ticket)

except self.model.DoesNotExist:

raise InvalidTicket("Ticket %s does not exist" % ticket)

if t.is_consumed():

raise InvalidTicket("%s %s has already been used" %

(t.name, ticket))

if t.is_expired():

raise InvalidTicket("%s %s has expired" % (t.name, ticket))

if not service:

raise InvalidRequest("No service identifier provided")

if require_https and not is_scheme_https(service):

raise InvalidService("Service %s is not HTTPS" % service)

if not is_valid_service_url(service):

raise InvalidService("Service %s is not a valid %s URL" %

(service, t.name))

try:

if not same_origin(t.service, service):

raise InvalidService("%s %s for service %s is invalid for "

"service %s" % (t.name, ticket, t.service, service))

except AttributeError:

pass

try:

if renew and not t.is_primary():

raise InvalidTicket("%s %s was not issued via primary "

"credentials" % (t.name, ticket))

except AttributeError:

pass

logger.debug("Validated %s %s" % (t.name, ticket))

return t

def delete_invalid_tickets(self):

"""

Delete consumed or expired ``Ticket``s that are not referenced

by other ``Ticket``s. Invalid tickets are no longer valid for

authentication and can be safely deleted.

A custom management command is provided that executes this method

on all applicable models by running ``manage.py cleanupcas``.

"""

for ticket in self.filter(Q(consumed__isnull=False) |

Q(expires__lte=now())).order_by('-expires'):

try:

ticket.delete()

except models.ProtectedError:

pass

def consume_tickets(self, user):

"""

Consume all valid ``Ticket``s for a specified user. This is run

when the user logs out to ensure all issued tickets are no longer

valid for future authentication attempts.

"""

for ticket in self.filter(user=user, consumed__isnull=True,

expires__gt=now()):

"""

``Ticket`` is an abstract base class implementing common methods

and fields for CAS tickets.

"""

TICKET_EXPIRE = getattr(settings, 'MAMA_CAS_TICKET_EXPIRE', 90)

TICKET_RAND_LEN = getattr(settings, 'MAMA_CAS_TICKET_RAND_LEN', 32)

TICKET_RE = re.compile("^[A-Z]{2,3}-[0-9]{10,}-[a-zA-Z0-9]{%d}$" % TICKET_RAND_LEN)

ticket = models.CharField(_('ticket'), max_length=255, unique=True)

user = models.ForeignKey(user_model, verbose_name=_('user'))

expires = models.DateTimeField(_('expires'))

consumed = models.DateTimeField(_('consumed'), null=True)

objects = TicketManager()

class Meta:

abstract = True

def __str__(self):

return self.ticket

@property

def name(self):

return self._meta.verbose_name

def consume(self):

"""

Consume a ``Ticket`` by populating the ``consumed`` field with

the current datetime. A consumed ``Ticket`` is invalid for future

authentication attempts.

"""

self.consumed = now()

self.save()

def is_consumed(self):

"""

Check a ``Ticket``s consumed state, consuming it in the process.

"""

if self.consumed is None:

self.consume()

return False

return True

def is_expired(self):

"""

Check a ``Ticket``s expired state. Return ``True`` if the ticket is

expired, and ``False`` otherwise.

"""

def request_sign_out(self, user):

"""

Send a single logout request to each service accessed by a

specified user. This is called at logout when single logout

is enabled.

If gevent is installed, asynchronous requests will be sent.

Otherwise, synchronous requests will be sent. Setting

``MAMA_CAS_ASYNC_CONCURRENCY`` limits concurrent requests for

a logout event to the specified value.

"""

session = Session()

for ticket in self.filter(user=user, consumed__gte=user.last_login):

"""

(3.1) A ``ServiceTicket`` is used by the client as a credential to

obtain access to a service. It is obtained upon a client's presentation

of credentials and a service identifier to /login.

"""

TICKET_PREFIX = 'ST'

service = models.CharField(_('service'), max_length=255)

primary = models.BooleanField(_('primary'), default=False)

objects = ServiceTicketManager()

class Meta:

verbose_name = _('service ticket')

verbose_name_plural = _('service tickets')

def is_primary(self):

"""

Check the credential origin for a ``ServiceTicket``. If the ticket was

issued from the presentation of the user's primary credentials,

return ``True``, otherwise return ``False``.

"""

if self.primary:

return True

return False

def request_sign_out(self, session=requests):

"""

Send a POST request to the ``ServiceTicket``s service URL to

request sign-out. The remote session is identified by the

service ticket string that instantiated the session.

"""

request = SingleSignOutRequest(context={'ticket': self})

try:

resp = requests.post(self.service, data=request.render_content(),

headers=request.headers())

resp.raise_for_status()

except requests.exceptions.RequestException as e:

logger.warning("Single sign-out request to %s returned %s" %

(self.service, e))

else:

"""

(3.2) A ``ProxyTicket`` is used by a service as a credential to obtain

access to a back-end service on behalf of a client. It is obtained upon

a service's presentation of a ``ProxyGrantingTicket`` and a service

identifier.

"""

TICKET_PREFIX = 'PT'

service = models.CharField(_('service'), max_length=255)

granted_by_pgt = models.ForeignKey('ProxyGrantingTicket',

verbose_name=_('granted by proxy-granting ticket'))

class Meta:

verbose_name = _('proxy ticket')

def create_ticket(self, pgturl, **kwargs):

"""

When a ``pgtUrl`` parameter is provided to ``/serviceValidate`` or

``/proxyValidate``, attempt to create a new ``ProxyGrantingTicket``.

If PGT URL validation succeeds, create and return the

``ProxyGrantingTicket``. If validation fails, return ``None``.

"""

pgtid = self.create_ticket_str()

pgtiou = self.create_ticket_str(prefix=self.model.IOU_PREFIX)

try:

self.validate_callback(pgturl, pgtid, pgtiou)

except InvalidProxyCallback as e:

logger.warning("%s %s" % (e.code, e))

return None

else:

# pgtUrl validation succeeded, so create a new PGT with the

# previously generated ticket strings

return super(ProxyGrantingTicketManager, self).create_ticket(ticket=pgtid,

iou=pgtiou,

**kwargs)

def validate_callback(self, url, pgtid, pgtiou):

"""

Verify the provided proxy callback URL. This verification process

requires three steps:

1. The URL scheme must be HTTPS

2. The SSL certificate must be valid and its name must match that

of the service

3. The callback URL must respond with a 200 or 3xx response code

It is not required for validation that 3xx redirects be followed.

"""

# Ensure the scheme is HTTPS before proceeding

if not is_scheme_https(url):

raise InvalidProxyCallback("Proxy callback %s is not HTTPS" % url)

# Connect to proxy callback URL, checking the SSL certificate

url_params = add_query_params(url, {'pgtId': pgtid, 'pgtIou': pgtiou})

verify = os.environ.get('REQUESTS_CA_BUNDLE', True)

try:

r = requests.get(url_params, verify=verify, timeout=3.0)

except requests.exceptions.SSLError:

msg = "SSL cert validation failed for proxy callback %s" % url

raise InvalidProxyCallback(msg)

except requests.exceptions.ConnectionError:

msg = "Error connecting to proxy callback %s" % url

raise InvalidProxyCallback(msg)

except requests.exceptions.Timeout:

msg = "Timeout connecting to proxy callback %s" % url

raise InvalidProxyCallback(msg)

# Check the returned HTTP status code

try:

r.raise_for_status()

except requests.exceptions.HTTPError as e:

msg = "Proxy callback %s returned %s" % (url, e)

"""

(3.3) A ``ProxyGrantingTicket`` is used by a service to obtain proxy

tickets for obtaining access to a back-end service on behalf of a

client. It is obtained upon validation of a ``ServiceTicket`` or a

``ProxyTicket``.

"""

TICKET_PREFIX = 'PGT'

IOU_PREFIX = 'PGTIOU'

TICKET_EXPIRE = getattr(settings, 'SESSION_COOKIE_AGE')

iou = models.CharField(_('iou'), max_length=255, unique=True)

granted_by_st = models.ForeignKey(ServiceTicket, null=True, blank=True,

on_delete=models.PROTECT,

verbose_name=_('granted by service ticket'))

granted_by_pt = models.ForeignKey(ProxyTicket, null=True, blank=True,

on_delete=models.PROTECT,

verbose_name=_('granted by proxy ticket'))

objects = ProxyGrantingTicketManager()

class Meta:

verbose_name = _('proxy-granting ticket')

verbose_name_plural = _('proxy-granting tickets')

def is_consumed(self):

"""Check a ``ProxyGrantingTicket``s consumed state."""