def create_session_token(sender, user, request, issuer="Django-Session", **kwargs): auth_token = create_token(user, issuer=issuer) auth_token.update_expiration() # 2hr default expiry auth_token.save() request.session['username'] = auth_token.user.username request.session['token'] = auth_token.key return auth_token
def globus_validate_code(request): """ Validate 'code' returned from the IdP If valid: Return new AuthToken else: Return None """ code = request.GET['code'] if not code: return HttpResponse("NO Code found!") if type(code) == list: code = code[0] flow = globus_initFlow() try: credentials = flow.step2_exchange(code) except OAuthError as err: logger.exception("Error exchanging code w/ globus") return None token_profile = credentials.id_token username = token_profile['username'] username = _extract_username_from_email(username) email = token_profile['username'] full_name = token_profile['name'] issuer = token_profile['iss'] access_token = credentials.access_token expiry_date = credentials.token_expiry auth_token = create_token(username, access_token, expiry_date, issuer) return auth_token
def cas_callback_authorize(request): """ Authorize a callback (From CAS IdP) """ if "code" not in request.GET: # TODO - Maybe: Redirect into a login return HttpResponse("") oauth_client = get_cas_oauth_client() oauth_code = request.GET["code"] # Exchange code for ticket access_token, expiry_date = oauth_client.get_access_token(oauth_code) if not access_token: logger.warn("The Code %s is invalid/expired. Attempting another login." % oauth_code) return o_login_redirect(request) # Exchange token for profile user_profile = oauth_client.get_profile(access_token) if not user_profile or "id" not in user_profile: logger.error( "AccessToken is producing an INVALID profile!" " Check the CAS server and caslib.py for more" " information." ) # NOTE: Make sure this redirects the user OUT of the loop! return login(request) # ASSERT: A valid OAuth token gave us the Users Profile. # Now create an AuthToken and return it username = user_profile["id"] auth_token = create_token(username, access_token, expiry_date, issuer="CAS+OAuth") # Set the username to the user to be emulated # to whom the token also belongs request.session["username"] = username request.session["token"] = auth_token.key return HttpResponseRedirect(settings.REDIRECT_URL + "/application/")
def get(self, request, username): """ Create a new token in the database on behalf of 'username' Returns success 201 Created - Body is JSON and contains """ params = request.DATA user = request.user if not username: return Response("Username was not provided", status=status.HTTP_400_BAD_REQUEST) if user.username is not 'admin' and not user.is_superuser: logger.error("URGENT! User: %s is attempting to emulate a user!" % user.username) return Response("Only admin and superusers can emulate accounts. " "This offense has been reported", status=status.HTTP_401_UNAUTHORIZED) if not AtmosphereUser.objects.filter(username=username): return Response("Username %s does not exist as an AtmosphereUser" % username, status=status.HTTP_404_NOT_FOUND) # User is authenticated, username exists. Make a token for them. token = create_token(username, issuer="DRF-EmulatedUser") expireTime = token.issuedTime + secrets.TOKEN_EXPIRY_TIME auth_json = { # Extra data passed only on emulation.. "emulated_by": request.user.username, # Normal token data.. "token": token.key, "username": token.user.username, "expires": expireTime.strftime("%b %d, %Y %H:%M:%S") } return Response(auth_json, status=status.HTTP_201_CREATED)
def create_token_from_jwt(self, jwt_assertion): """ This method point represents the 'entry point' """ decoded_assertion = self.decode_assertion(jwt_assertion) user, expiration = self.validate_assertion(decoded_assertion) auth_token = create_token(user.username, expiration) return auth_token
def _token_for_username(self, username): token = create_token(username, issuer="DRF") expireTime = token.issuedTime + secrets.TOKEN_EXPIRY_TIME auth_json = { 'token': token.key, 'username': token.user.username, 'expires': expireTime.strftime("%b %d, %Y %H:%M:%S") } return Response(auth_json, status=status.HTTP_201_CREATED)
def get(self, request): user = request.user if not user.is_authenticated(): return Response("Logged-in User or POST required " "to retrieve AuthToken", status=status.HTTP_403_FORBIDDEN) token = lookupSessionToken(request) if not token: token = create_token(user.username) serialized_data = TokenSerializer(token).data return Response(serialized_data, status=status.HTTP_200_OK)
def validate_oauth_token(token, request=None): """ Validates the token attached to the request (SessionStorage, GET/POST) On every request, ask OAuth to authorize the token """ # Attempt to contact CAS try: user_profile = cas_profile_for_token(token) except ConnectionError: logger.exception("CAS could not be reached!") user_profile = None if not user_profile: return False username = user_profile.get("id") if not username: # logger.info("Invalid Profile:%s does not have username/attributes" # % user_profile) return False # NOTE: REMOVE this when it is no longer true! # Force any username lookup to be in lowercase if not username: return None username = username.lower() # TEST 1 : Must be in the group 'atmo-user' # NOTE: Test 1 will be IGNORED until we can verify it returns 'entitlement' # EVERY TIME! # raise Unauthorized("User %s is not a member of group 'atmo-user'" # % username) # TODO: TEST 2 : Must have an identity (?) if not User.objects.filter(username=username): raise Unauthorized("User %s does not exist as an User" % username) auth_token = create_token(username, token) if not auth_token: return False return True
def token_auth(request): """ VERSION 2 AUTH Authentication is based on the POST parameters: * Username (Required) * Password (Not Required if CAS authenticated previously) NOTE: This authentication is SEPARATE from django model authentication Use this to give out tokens to access the API """ token = request.POST.get("token", None) username = request.POST.get("username", None) # CAS authenticated user already has session data # without passing any parameters if not username: username = request.session.get("username", None) password = request.POST.get("password", None) # LDAP Authenticate if password provided. if username and password: if ldap_validate(username, password): token = create_token(username, issuer="API") expireTime = token.issuedTime + auth_settings.TOKEN_EXPIRY_TIME auth_json = { "token": token.key, "username": token.user.username, "expires": expireTime.strftime("%b %d, %Y %H:%M:%S"), } return HttpResponse(content=json.dumps(auth_json), status=201, content_type="application/json") else: logger.debug("[LDAP] Failed to validate %s" % username) return HttpResponse("LDAP login failed", status=401) # logger.info("User %s already authenticated, renewing token" # % username) # ASSERT: Token exists here if token: expireTime = token.issuedTime + auth_settings.TOKEN_EXPIRY_TIME auth_json = { "token": token.key, "username": token.user.username, "expires": expireTime.strftime("%b %d, %Y %H:%M:%S"), } return HttpResponse(content=json.dumps(auth_json), content_type="application/json") if not username and not password: # The user and password were not found # force user to login via CAS return cas_loginRedirect(request, "/auth/") if cas_validateUser(username): logger.info("CAS User %s validated. Creating auth token" % username) token = createAuthToken(username) expireTime = token.issuedTime + auth_settings.TOKEN_EXPIRY_TIME auth_json = { "token": token.key, "username": token.user.username, "expires": expireTime.strftime("%b %d, %Y %H:%M:%S"), } return HttpResponse(content=json.dumps(auth_json), content_type="application/json") else: logger.debug("[CAS] Failed to validate - %s" % username) return HttpResponse("CAS Login Failure", status=401)