def _get_or_create_user_from_dict(self, user_dict, auth_method):
    """Look up or create the account named by ``user_dict["id"]`` for *auth_method*.

    ``get_or_create_user`` yields ``(user, created)``. The attributes in
    *user_dict* are copied onto the account (``_set_user_from_dict``) only
    when the account was created by this call, so an account that already
    existed is never overwritten by a later login.

    Returns the first element of the ``get_or_create_user`` result
    unchanged; callers should be prepared for a falsy value.
    """
    # Imported here rather than at module level (presumably to avoid an
    # import cycle -- confirm against the module layout).
    from tardis.tardis_portal.auth.utils import get_or_create_user

    account, is_new = get_or_create_user(auth_method, user_dict["id"])
    if not (account and is_new):
        return account
    self._set_user_from_dict(account, user_dict, auth_method)
    return account
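def testLocalUser(self):
    """A ``localdb`` user made by ``get_or_create_user`` gets a Django-account profile.

    Checks that the returned user is not ``None``, that a ``UserProfile``
    row points at it, that the profile is flagged as a Django account and
    that no Rapid Connect targeted ID is attached (none was supplied).
    """
    method = "localdb"
    user_id = "adminX1"
    email = "*****@*****.**"

    result, _created = get_or_create_user(method, user_id, email)
    assert result is not None
    # ``get`` raises DoesNotExist / MultipleObjectsReturned itself, so a
    # separate ``is not None`` check on the profile is redundant.
    profile = UserProfile.objects.get(user=result)
    # A BooleanField comes back as a real bool; identity is the strict
    # form of the original ``== True`` comparison.
    assert profile.isDjangoAccount is True
    assert profile.rapidConnectEduPersonTargetedID is None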
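def cas_callback(sender, **kwargs):
    """Signal handler run after a CAS login: make sure a local account exists.

    Every keyword argument the signal delivers is logged at DEBUG. The
    ``user`` argument (the CAS username) is turned into an e-mail address
    at ``settings.LOGIN_HOME_ORGANIZATION`` and handed to
    ``get_or_create_user`` with the ``cas`` auth method. Problems in that
    lookup are logged, not raised, so they do not abort the signal.

    Args:
        sender: the signal sender (not used).
        **kwargs: signal payload; only ``user`` is acted upon.
    """
    logger.debug("_cas_callback() start!")
    # NOTE(review): this dumps every signal argument at DEBUG, which may
    # include attributes released by the identity provider -- confirm the
    # payload before running with DEBUG logging in production.
    for key, value in kwargs.items():
        logger.debug("kwargs[%s] = %s", key, value)

    if "user" not in kwargs:
        return
    username = kwargs["user"]
    auth_method = "cas"
    try:
        email = "%s@%s" % (username, settings.LOGIN_HOME_ORGANIZATION)
        logger.debug("user[%s] authMethod[%s] email[%s]", username, auth_method, email)
        user, created = get_or_create_user(auth_method, username, email)
        # ``created`` is False when the account already existed, which is
        # the normal repeat-login path, not a failure; only a missing user
        # is an error.
        if user is None:
            logger.error("user creation failed for %s", username)
        elif created:
            logger.debug("user created = %s", user)
        else:
            logger.debug("existing user = %s", user)
    except Exception as e:
        logger.error("get_or_create_user['%s'] failed with %s", username, e)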
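def cas_callback(sender, **kwargs):
    """Signal handler run after a CAS login: make sure a local account exists.

    Every keyword argument the signal delivers is logged at DEBUG. The
    ``user`` argument (the CAS username) is turned into an e-mail address
    at ``settings.LOGIN_HOME_ORGANIZATION`` and handed to
    ``get_or_create_user`` with the ``cas`` auth method. Problems in that
    lookup are logged, not raised, so they do not abort the signal.

    Args:
        sender: the signal sender (not used).
        **kwargs: signal payload; only ``user`` is acted upon.
    """
    logger.debug('_cas_callback() start!')
    # NOTE(review): this dumps every signal argument at DEBUG, which may
    # include attributes released by the identity provider -- confirm the
    # payload before running with DEBUG logging in production.
    for key, value in kwargs.items():
        logger.debug('kwargs[%s] = %s', key, value)

    cas_username = kwargs.get('user')
    if 'user' not in kwargs:
        return
    auth_method = 'cas'
    try:
        email = '%s@%s' % (cas_username, settings.LOGIN_HOME_ORGANIZATION)
        logger.debug("user[%s] authMethod[%s] email[%s]", cas_username, auth_method, email)
        user, created = get_or_create_user(auth_method, cas_username, email)
        # ``created`` is False when the account already existed, which is
        # the normal repeat-login path, not a failure; only a missing user
        # is an error.
        if user is None:
            logger.error('user creation failed for %s', cas_username)
        elif created:
            logger.debug('user created = %s', user)
        else:
            logger.debug('existing user = %s', user)
    except Exception as e:
        logger.error("get_or_create_user['%s'] failed with %s", cas_username, e)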
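def _rapid_connect_reject(request):
    # Drop the Rapid Connect state from the session and log the session out.
    # ``pop`` with a default is used because on the failure paths reached
    # before the token is accepted (expired signature, wrong issuer) the
    # keys have not been set yet and ``del`` would raise KeyError.
    request.session.pop("attributes", None)
    request.session.pop("jwt", None)
    request.session.pop("jws", None)
    django_logout(request)


def _rapid_connect_user_id(principalname, default_id):
    # Derive the local user id from 'edupersonprincipalname' when it is
    # single-valued (no ';') and belongs to LOGIN_HOME_ORGANIZATION;
    # otherwise return *default_id*.
    try:
        if settings.LOGIN_HOME_ORGANIZATION:
            domain = "@" + settings.LOGIN_HOME_ORGANIZATION
            if ";" not in principalname and principalname.endswith(domain):
                # Strip only the trailing domain; str.replace would also
                # remove an earlier occurrence of the same text.
                return principalname[:-len(domain)].lower()
    except Exception as e:
        logger.debug("check principal domain failed with: %s", e)
    return default_id


def rcauth(request):
    """Handle the POST callback from AAF Rapid Connect and log the user in.

    Steps, in order: reject anything but POST and reject when both the
    ``aaf`` and ``aafe`` frontends are disabled; verify the signed
    assertion (signature, expiry, audience) with ``jwt.decode``; refuse a
    ``jti`` that has been seen before; compare ``aud``/``iss`` against
    ``RAPID_CONNECT_CONFIG``; store the attributes and token in the
    session; build the account arguments; refuse an e-mail that is
    already bound to a different targeted ID; then create or fetch the
    account with ``get_or_create_user`` and log it in.

    Returns a redirect to ``/`` on success and on a replayed ``jti``.
    Every other failure clears the session state and raises
    ``PermissionDenied``.
    """
    logger.debug("rcauth() start!")
    # Only POST is supported on this URL.
    if request.method != "POST":
        raise PermissionDenied
    # Rapid Connect authorization is disabled, so don't process anything.
    if (not settings.LOGIN_FRONTENDS["aaf"]["enabled"]
            and not settings.LOGIN_FRONTENDS["aafe"]["enabled"]):
        raise PermissionDenied
    try:
        # Verifies signature and expiry time; ``audience`` makes the library
        # reject tokens minted for another relying party.
        verified_jwt = jwt.decode(
            request.POST["assertion"],
            settings.RAPID_CONNECT_CONFIG["secret"],
            audience=settings.RAPID_CONNECT_CONFIG["aud"],
        )

        # Replay protection: each assertion's jti is accepted once.
        # get_or_create records the jti and reports whether it already
        # existed in one step. NOTE(review): "first one wins" under
        # concurrent submission still relies on JTI.jti being unique at
        # the database level -- confirm on the model.
        jti = verified_jwt["jti"]
        _, first_seen = JTI.objects.get_or_create(jti=jti)
        if not first_seen:
            logger.debug("Replay attack? %s", jti)
            _rapid_connect_reject(request)
            return redirect("/")

        # jwt.decode above was not given an issuer to verify, so ``iss``
        # is compared here, together with a second look at ``aud``.
        if (verified_jwt["aud"] != settings.RAPID_CONNECT_CONFIG["aud"]
                or verified_jwt["iss"] != settings.RAPID_CONNECT_CONFIG["iss"]):
            _rapid_connect_reject(request)
            raise PermissionDenied  # Error: Not for this audience

        attributes = verified_jwt["https://aaf.edu.au/attributes"]
        request.session["attributes"] = attributes
        request.session["jwt"] = verified_jwt
        request.session["jws"] = request.POST["assertion"]
        institution_email = attributes["mail"]
        edupersontargetedid = attributes["edupersontargetedid"]
        principalname = attributes["edupersonprincipalname"]
        logger.debug("Successfully authenticated %s via Rapid Connect.", institution_email)

        # Create a user account and profile automatically. In future,
        # support blacklists and whitelists.
        first_name = attributes["givenname"]
        c_name = attributes.get("cn", "").split(" ")
        if not first_name and len(c_name) > 1:
            first_name = c_name[0]
        user_args = {
            "id": _rapid_connect_user_id(principalname, institution_email.lower()),
            "email": institution_email.lower(),
            "password": pwgen.pwgen(),
            "first_name": first_name,
            "last_name": attributes["surname"],
        }

        # Check for an email collision: a profile with this e-mail that is
        # already bound to a *different* targeted ID must not be taken
        # over by this login.
        # NOTE(review): a profile with the same e-mail and no targeted ID
        # is not rejected here -- confirm get_or_create_user does not
        # attach this federated identity to such an account.
        for matching_user in UserProfile.objects.filter(
                user__email__iexact=user_args["email"]):
            existing_id = matching_user.rapidConnectEduPersonTargetedID
            if existing_id is not None and existing_id != edupersontargetedid:
                _rapid_connect_reject(request)
                raise PermissionDenied

        user = get_or_create_user(user_args, authMethod="aaf")
        if user is None:
            _rapid_connect_reject(request)
            raise PermissionDenied
        user.backend = "django.contrib.auth.backends.ModelBackend"
        djauth.login(request, user)
        return redirect("/")
    except jwt.ExpiredSignature:
        _rapid_connect_reject(request)
        raise PermissionDenied  # Error: Security cookie has expired
    except Exception as e:
        # PermissionDenied raised above also lands here and is re-raised.
        logger.debug("rcauth() failed with: %s", e)
        raise PermissionDenied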
def _get_or_create_user_from_dict(self, user_dict, auth_method):
    """Return the account for ``user_dict['id']`` under *auth_method*, creating it if needed.

    The attributes in *user_dict* are applied (``_set_user_from_dict``)
    only on the call that actually created the account; a pre-existing
    account is returned untouched. The first element of the
    ``get_or_create_user`` result is returned as-is, so a falsy value is
    possible.
    """
    account, was_created = get_or_create_user(auth_method, user_dict['id'])
    should_populate = bool(account) and bool(was_created)
    if should_populate:
        self._set_user_from_dict(account, user_dict, auth_method)
    return account
def _get_or_create_user_from_dict(self, user_dict, auth_method):
    """Fetch or create the account ``user_dict['id']`` for *auth_method*.

    Only a freshly created account has the *user_dict* attributes written
    onto it via ``_set_user_from_dict``; an existing one is left alone.
    Whatever ``get_or_create_user`` returned as the user is passed back,
    falsy or not.
    """
    # Function-level import (presumably to avoid an import cycle -- confirm).
    from tardis.tardis_portal.auth.utils import get_or_create_user

    user_id = user_dict['id']
    account, newly_made = get_or_create_user(auth_method, user_id)
    if account and newly_made:
        self._set_user_from_dict(account, user_dict, auth_method)
    return account
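def _clear_rapid_connect_session(request):
    # Remove the Rapid Connect state from the session and log out.
    # ``pop`` with a default is deliberate: on the failure paths reached
    # before the token is accepted (expired signature, wrong issuer) the
    # keys were never set, and ``del`` would raise KeyError.
    request.session.pop('attributes', None)
    request.session.pop('jwt', None)
    request.session.pop('jws', None)
    django_logout(request)


def _user_id_from_principal(principalname, fallback):
    # If LOGIN_HOME_ORGANIZATION is set and 'edupersonprincipalname' is
    # single-valued (no ';') and ends with that domain, use the local part
    # as the user id; otherwise return *fallback*.
    try:
        if settings.LOGIN_HOME_ORGANIZATION:
            domain = "@" + settings.LOGIN_HOME_ORGANIZATION
            if ';' not in principalname and principalname.endswith(domain):
                # Slice off the suffix only; str.replace would also remove
                # an earlier occurrence of the same text.
                return principalname[:-len(domain)].lower()
    except Exception as e:
        logger.debug('check principal domain failed with: %s', e)
    return fallback


def rcauth(request):
    """Handle the POST callback from AAF Rapid Connect and log the user in.

    Steps, in order: reject anything but POST and reject when both the
    ``aaf`` and ``aafe`` frontends are disabled; verify the signed
    assertion (signature, expiry, audience) with ``jwt.decode``; refuse a
    ``jti`` that has been seen before; compare ``aud``/``iss`` against
    ``RAPID_CONNECT_CONFIG``; store the attributes and token in the
    session; build the account arguments; refuse an e-mail that is
    already bound to a different targeted ID; then create or fetch the
    account with ``get_or_create_user`` and log it in.

    Returns a redirect to ``/`` on success and on a replayed ``jti``.
    Every other failure clears the session state and raises
    ``PermissionDenied``.
    """
    logger.debug('rcauth() start!')
    # Only POST is supported on this URL.
    if request.method != 'POST':
        raise PermissionDenied
    # Rapid Connect authorization is disabled, so don't process anything.
    if (not settings.LOGIN_FRONTENDS['aaf']['enabled'] and
            not settings.LOGIN_FRONTENDS['aafe']['enabled']):
        raise PermissionDenied
    try:
        # Verifies signature and expiry time; ``audience`` makes the library
        # reject tokens minted for another relying party.
        verified_jwt = jwt.decode(
            request.POST['assertion'],
            settings.RAPID_CONNECT_CONFIG['secret'],
            audience=settings.RAPID_CONNECT_CONFIG['aud'])

        # Replay protection: each assertion's jti is accepted once.
        # get_or_create records the jti and reports whether it already
        # existed in one step. NOTE(review): "first one wins" under
        # concurrent submission still relies on JTI.jti being unique at
        # the database level -- confirm on the model.
        jti = verified_jwt['jti']
        _, is_new_jti = JTI.objects.get_or_create(jti=jti)
        if not is_new_jti:
            logger.debug('Replay attack? %s', jti)
            _clear_rapid_connect_session(request)
            return redirect('/')

        # jwt.decode above was not given an issuer to verify, so ``iss``
        # is compared here, together with a second look at ``aud``.
        config = settings.RAPID_CONNECT_CONFIG
        if verified_jwt['aud'] != config['aud'] or verified_jwt['iss'] != config['iss']:
            _clear_rapid_connect_session(request)
            raise PermissionDenied  # Error: Not for this audience

        attributes = verified_jwt['https://aaf.edu.au/attributes']
        request.session['attributes'] = attributes
        request.session['jwt'] = verified_jwt
        request.session['jws'] = request.POST['assertion']
        institution_email = attributes['mail']
        edupersontargetedid = attributes['edupersontargetedid']
        principalname = attributes['edupersonprincipalname']
        logger.debug('Successfully authenticated %s via Rapid Connect.', institution_email)

        # Create a user account and profile automatically. In future,
        # support blacklists and whitelists.
        first_name = attributes['givenname']
        c_name = attributes.get('cn', '').split(' ')
        if not first_name and len(c_name) > 1:
            first_name = c_name[0]
        lowered_email = institution_email.lower()
        user_args = {
            'id': _user_id_from_principal(principalname, lowered_email),
            'email': lowered_email,
            'password': pwgen.pwgen(),
            'first_name': first_name,
            'last_name': attributes['surname'],
        }

        # Check for an email collision: a profile with this e-mail that is
        # already bound to a *different* targeted ID must not be taken
        # over by this login.
        # NOTE(review): a profile with the same e-mail and no targeted ID
        # is not rejected here -- confirm get_or_create_user does not
        # attach this federated identity to such an account.
        collisions = UserProfile.objects.filter(user__email__iexact=user_args['email'])
        for matching_user in collisions:
            bound_id = matching_user.rapidConnectEduPersonTargetedID
            if bound_id is not None and bound_id != edupersontargetedid:
                _clear_rapid_connect_session(request)
                raise PermissionDenied

        user = get_or_create_user(user_args, authMethod='aaf')
        if user is None:
            _clear_rapid_connect_session(request)
            raise PermissionDenied
        user.backend = 'django.contrib.auth.backends.ModelBackend'
        djauth.login(request, user)
        return redirect('/')
    except jwt.ExpiredSignature:
        _clear_rapid_connect_session(request)
        raise PermissionDenied  # Error: Security cookie has expired
    except Exception as e:
        # PermissionDenied raised above also lands here and is re-raised.
        logger.debug('rcauth() failed with: %s', e)
        raise PermissionDenied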