def login(request):
if request.GET.get(REDIRECT_FIELD_NAME):
next_path = request.GET[REDIRECT_FIELD_NAME]
else:
next_path = settings.LOGIN_REDIRECT_URL
# fullfill domain for tequila, and for security reasons
if next_path and next_path[0] == '/':
next_path = next_path[1:]
next_path = request.get_host() + '/' + next_path
if request.is_secure():
next_path = 'https://' + next_path
else:
next_path = 'http://' + next_path
if request.user.is_authenticated:
return HttpResponseRedirect(next_path)
try:
server_url = settings.TEQUILA_SERVER_URL
except AttributeError:
server_url = ""
try:
additional_params = settings.TEQUILA_CONFIG_ADDITIONAL
except AttributeError:
additional_params = None
try:
allows_needed = settings.TEQUILA_CONFIG_ALLOW
except AttributeError:
allows_needed = None
try:
service_name = settings.TEQUILA_SERVICE_NAME
except AttributeError:
service_name = 'Unknown application'
try:
strong_authentication = settings.TEQUILA_STRONG_AUTHENTICATION
except AttributeError:
strong_authentication = False
tequila_client = TequilaClient(
EPFLConfig(
server_url=server_url,
additional_params=additional_params,
redirect_to=next_path,
allows=allows_needed,
service=service_name,
allow_guests=True,
strong_authentication=strong_authentication,
))
request.session.set_test_cookie()
return HttpResponseRedirect(tequila_client.login_url())
def authenticate(self, request, token=None, auth_check=None):
"""
The username passed as ``remote_user`` is considered trusted. This
method simply returns the ``User`` object with the given username,
creating a new ``User`` object if ``create_unknown_user`` is ``True``.
Returns None if ``create_unknown_user`` is ``False`` and a ``User``
object with the given username is not found in the database.
"""
tequila_key = token
if not tequila_key:
return
user = None
try:
allowedrequesthosts = settings.TEQUILA_ALLOWED_REQUEST_HOSTS
except AttributeError:
allowedrequesthosts = None
if self.tequila_server_url:
user_attributes = TequilaClient(
EPFLConfig(server_url=self.tequila_server_url)).get_attributes(
tequila_key, allowedrequesthosts, auth_check)
else:
user_attributes = TequilaClient(EPFLConfig()).get_attributes(
tequila_key, allowedrequesthosts, auth_check)
# username has a tricky format, fix it
if user_attributes.get('username'):
u_name = user_attributes['username']
if u_name.find(","):
u_name = u_name.split(",")[0]
if u_name.find("@"):
u_name = u_name.split("@")[0]
user_attributes['username'] = u_name
# Note that this could be accomplished in one try-except clause,
# but instead we use get_or_create when creating unknown users since
# it has built-in safeguards for multiple threads.
if self.create_unknown_user:
# fetching a unique user, it should be the user.profile.sciper if available
user, created = self.get_user_from_db(user_attributes, create=True)
if created:
user = self.configure_user(user)
else:
user, created = self.get_user_from_db(user_attributes,
create=False)
if user:
# updates data in all cases
self.update_attributes_from_tequila(user, user_attributes)
if self.user_can_authenticate(user):
# all good !
return user
def authenticate(self, request, token=None):
"""
The username passed as ``remote_user`` is considered trusted. This
method simply returns the ``User`` object with the given username,
creating a new ``User`` object if ``create_unknown_user`` is ``True``.
Returns None if ``create_unknown_user`` is ``False`` and a ``User``
object with the given username is not found in the database.
"""
tequila_key = token
if not tequila_key:
return
user = None
if self.tequila_server_url:
user_attributes = TequilaClient(
EPFLConfig(server_url=self.tequila_server_url)).get_attributes(
tequila_key)
else:
user_attributes = TequilaClient(
EPFLConfig()).get_attributes(tequila_key)
# Give de possibility to choose a cusom value for the local username field
custom_username_field = getattr(settings,
'TEQUILA_CUSTOM_USERNAME_ATTRIBUTE',
'username')
username = user_attributes[custom_username_field]
# keep only the first username, not the user@unit or the multiple users
if username.find(","):
username = username.split(",")[0]
if username.find("@"):
username = username.split("@")[0]
# Note that this could be accomplished in one try-except clause,
# but instead we use get_or_create when creating unknown users since
# it has built-in safeguards for multiple threads.
if self.create_unknown_user:
user, created = User.objects.get_or_create(
**{User.USERNAME_FIELD: username})
if created:
user = self.configure_user(user)
else:
try:
user = User.objects.get(**{User.USERNAME_FIELD: username})
except User.DoesNotExist:
pass
if user:
# updates data in all cases
self.update_attributes_from_tequila(user, user_attributes)
if self.user_can_authenticate(user):
# all good !
return user
def authenticate(self, tequila_key):
"""
The username passed as ``remote_user`` is considered trusted. This
method simply returns the ``User`` object with the given username,
creating a new ``User`` object if ``create_unknown_user`` is ``True``.
Returns None if ``create_unknown_user`` is ``False`` and a ``User``
object with the given username is not found in the database.
"""
if not tequila_key:
return
user = None
if self.tequila_server_url:
user_attributes = TequilaClient(
EPFLConfig(server_url=self.tequila_server_url)).get_attributes(
tequila_key)
else:
user_attributes = TequilaClient(
EPFLConfig()).get_attributes(tequila_key)
username = user_attributes['username']
#keep only the first username, not the user@unit or the multiple users
if username.find(","):
username = username.split(",")[0]
if username.find("@"):
username = username.split("@")[0]
# Note that this could be accomplished in one try-except clause, but
# instead we use get_or_create when creating unknown users since it has
# built-in safeguards for multiple threads.
if self.create_unknown_user:
user, created = User.objects.get_or_create(username=username)
if created:
user = self.configure_user(user)
else:
try:
user = User.objects.get(username=username)
except User.DoesNotExist:
pass
if user:
self.update_attributes_from_tequila(user, user_attributes)
return user
def auth_user(self, username, password, req=None):
"""Authenticate user-supplied USERNAME and PASSWORD. Return
None if authentication failed, or the email address of the
person if the authentication was successful. In order to do
this you may perhaps have to keep a translation table between
usernames and email addresses.
Raise InvenioWebAccessExternalAuthError in case of external troubles.
"""
"""step done after we come back from the tequila process.
we should have the tequila key as username, and password should
be at None
"""
try:
tequila_client = TequilaClient(EPFLConfig(allow_guests=True))
user_attributes = tequila_client.get_attributes(username)
return user_attributes['email']
except:
# if we cannot get the user attributes, take it as a fail
return None