    def _get_or_create_user_from_dict(self, user_dict, auth_method):
        """Return the Django user identified by ``user_dict["id"]`` under ``auth_method``.

        The account is created on first sight.  The remaining ``user_dict``
        fields are applied through ``_set_user_from_dict`` only for a
        freshly created account; an existing one is returned untouched.
        """
        from tardis.tardis_portal.auth.utils import get_or_create_user

        user, is_new = get_or_create_user(auth_method, user_dict["id"])
        if not (user and is_new):
            return user
        self._set_user_from_dict(user, user_dict, auth_method)
        return user
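    def testLocalUser(self):
        """A ``localdb`` user must come back as a Django-backed account.

        ``get_or_create_user`` returns ``(user, created)``; the test then
        checks the ``UserProfile`` it leaves behind: ``isDjangoAccount`` is
        set and ``rapidConnectEduPersonTargetedID`` is empty (that field
        is only filled by the Rapid Connect frontend).
        """
        method = "localdb"
        user_id = "adminX1"
        email = "*****@*****.**"

        result, _created = get_or_create_user(method, user_id, email)
        assert result is not None

        profile = UserProfile.objects.get(user=result)
        assert profile is not None
        # ``is True`` rather than ``== True``: a truthy non-bool (e.g. 1)
        # would otherwise pass unnoticed.
        assert profile.isDjangoAccount is True
        assert profile.rapidConnectEduPersonTargetedID is None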
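def cas_callback(sender, **kwargs):
    """Signal handler run after a CAS login; ensures a local account exists.

    Only the ``user`` keyword (the CAS username) is acted on: a local user
    is fetched or created through ``get_or_create_user`` with an e-mail of
    ``<username>@LOGIN_HOME_ORGANIZATION``.  All other keywords are just
    logged.  Errors are logged and swallowed so that a failure here never
    breaks the login that fired the signal.

    Args:
        sender: the signal sender (unused).
        **kwargs: signal payload; only ``user`` is consumed.
    """
    logger.debug("_cas_callback() start!")
    # NOTE(review): this dumps every signal argument at DEBUG.  Confirm what
    # the CAS signal carries before enabling DEBUG logging in production.
    for key, value in kwargs.items():
        logger.debug("kwargs[%s] = %s", key, value)

    if "user" not in kwargs:
        return
    username = kwargs["user"]
    auth_method = "cas"
    try:
        email = "%s@%s" % (username, settings.LOGIN_HOME_ORGANIZATION)
        logger.debug("user[%s] authMethod[%s] email[%s]", username, auth_method, email)
        user, created = get_or_create_user(auth_method, username, email)
        if created:
            logger.debug("user created = %s", user)
        else:
            # created == False means the account already existed (the
            # normal case for a returning user), not that creation failed.
            logger.debug("user already exists = %s", user)
    except Exception as e:
        logger.error("get_or_create_user['%s'] failed with %s", username, e, exc_info=True)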
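    def testLocalUser(self):
        """A ``localdb`` user must come back as a Django-backed account.

        ``get_or_create_user`` returns ``(user, created)``; the test then
        checks the ``UserProfile`` it leaves behind: ``isDjangoAccount`` is
        set and ``rapidConnectEduPersonTargetedID`` is empty (that field
        is only filled by the Rapid Connect frontend).
        """
        method = "localdb"
        user_id = "adminX1"
        email = "*****@*****.**"

        result, _created = get_or_create_user(method, user_id, email)
        assert result is not None

        profile = UserProfile.objects.get(user=result)
        assert profile is not None
        # ``is True`` rather than ``== True``: a truthy non-bool (e.g. 1)
        # would otherwise pass unnoticed.
        assert profile.isDjangoAccount is True
        assert profile.rapidConnectEduPersonTargetedID is None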
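def cas_callback(sender, **kwargs):
    """Signal handler run after a CAS login; ensures a local account exists.

    Only the ``user`` keyword (the CAS username) is acted on: a local user
    is fetched or created through ``get_or_create_user`` with an e-mail of
    ``<username>@LOGIN_HOME_ORGANIZATION``.  All other keywords are just
    logged.  Errors are logged and swallowed so that a failure here never
    breaks the login that fired the signal.

    Args:
        sender: the signal sender (unused).
        **kwargs: signal payload; only ``user`` is consumed.
    """
    logger.debug('_cas_callback() start!')
    # NOTE(review): this dumps every signal argument at DEBUG.  Confirm what
    # the CAS signal carries before enabling DEBUG logging in production.
    for key, value in kwargs.items():
        logger.debug('kwargs[%s] = %s', key, value)

    if 'user' not in kwargs:
        return
    username = kwargs['user']
    auth_method = 'cas'
    try:
        email = '%s@%s' % (username, settings.LOGIN_HOME_ORGANIZATION)
        logger.debug("user[%s] authMethod[%s] email[%s]",
                     username, auth_method, email)
        user, created = get_or_create_user(auth_method, username, email)
        if created:
            logger.debug('user created = %s', user)
        else:
            # created == False means the account already existed (the
            # normal case for a returning user), not that creation failed.
            logger.debug('user already exists = %s', user)
    except Exception as e:
        logger.error("get_or_create_user['%s'] failed with %s",
                     username, e, exc_info=True)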
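def _abort_rapid_connect_login(request):
    """Discard any Rapid Connect state from the session and log it out.

    Used on every failure path.  The keys are removed with ``pop`` and a
    default because some failures (an expired or mis-addressed assertion)
    occur before the keys were ever stored; a plain ``del`` there raises
    KeyError from inside an ``except`` block and escapes the view as a 500
    instead of the intended PermissionDenied.
    """
    for key in ("attributes", "jwt", "jws"):
        request.session.pop(key, None)
    django_logout(request)


def _local_user_id(principalname, default_id):
    """Derive the local user id from ``edupersonprincipalname``.

    When ``settings.LOGIN_HOME_ORGANIZATION`` is set and the principal name
    is scoped to exactly that organisation, the trailing ``@<org>`` is
    removed and the lower-cased remainder becomes the id; otherwise
    ``default_id`` is returned.  Multi-valued (``;``-separated) principal
    names are never used.

    Only the suffix is stripped -- not every occurrence of the domain -- so
    that e.g. ``a@org.x@org`` and ``a.x@org`` cannot collapse onto the
    same local account.  Any error (setting missing, unexpected attribute
    type) is logged and falls back to ``default_id``, as before.
    """
    try:
        home_org = settings.LOGIN_HOME_ORGANIZATION
        if home_org:
            domain = "@" + home_org
            if ";" not in principalname and principalname.endswith(domain):
                return principalname[: -len(domain)].lower()
    except Exception:
        logger.debug("check principal domain failed", exc_info=True)
    return default_id


def rcauth(request):
    """Complete an AAF Rapid Connect login from a POSTed JWT assertion.

    Steps:
      1. Reject anything but POST, and everything while both the ``aaf``
         and ``aafe`` frontends are disabled.
      2. ``jwt.decode`` verifies signature, expiry and audience; the
         algorithm is pinned to HS256, the scheme used with the shared
         ``RAPID_CONNECT_CONFIG["secret"]``.
      3. The ``jti`` is recorded; a second presentation is treated as a
         replay and bounced to ``/`` without logging anyone in.
      4. ``aud`` and ``iss`` are compared against the configured values.
      5. The released attributes are stored in the session, a local account
         is fetched or created from them, and the user is logged in.

    Returns:
        A redirect to ``/`` on success (and on a replayed token).

    Raises:
        PermissionDenied: wrong method, frontend disabled, any verification
            failure, an e-mail already bound to a different Rapid Connect
            identity, or no user could be created.  Partial session state
            is cleared first so the caller is never left half-authenticated.
    """
    logger.debug("rcauth() start!")
    # Only POST is supported on this URL.
    if request.method != "POST":
        raise PermissionDenied

    # Rapid Connect authorization is disabled, so don't process anything.
    if not settings.LOGIN_FRONTENDS["aaf"]["enabled"] and not settings.LOGIN_FRONTENDS["aafe"]["enabled"]:
        raise PermissionDenied

    try:
        # Verifies signature, expiry time and audience.  ``algorithms`` is
        # pinned so the token header cannot pick a different scheme (or
        # ``none``) to be checked against the shared secret.
        verified_jwt = jwt.decode(
            request.POST["assertion"],
            settings.RAPID_CONNECT_CONFIG["secret"],
            algorithms=["HS256"],
            audience=settings.RAPID_CONNECT_CONFIG["aud"],
        )

        # Replay protection: each jti may be consumed once.  get_or_create
        # narrows the check-then-insert window of filter().exists() + save();
        # a unique constraint on JTI.jti is what closes it completely.
        jti = verified_jwt["jti"]
        _, first_use = JTI.objects.get_or_create(jti=jti)
        if not first_use:
            logger.debug("Replay attack? %s", jti)
            _abort_rapid_connect_login(request)
            return redirect("/")

        # Defence in depth: jwt.decode already checked ``aud``; ``iss`` is
        # only checked here.
        if (
            verified_jwt["aud"] != settings.RAPID_CONNECT_CONFIG["aud"]
            or verified_jwt["iss"] != settings.RAPID_CONNECT_CONFIG["iss"]
        ):
            _abort_rapid_connect_login(request)
            raise PermissionDenied  # Error: Not for this audience / issuer

        attributes = verified_jwt["https://aaf.edu.au/attributes"]
        request.session["attributes"] = attributes
        request.session["jwt"] = verified_jwt
        request.session["jws"] = request.POST["assertion"]

        institution_email = attributes["mail"]
        edupersontargetedid = attributes["edupersontargetedid"]
        principalname = attributes["edupersonprincipalname"]

        logger.debug("Successfully authenticated %s via Rapid Connect.", institution_email)

        # Create a user account and profile automatically. In future,
        # support blacklists and whitelists.
        first_name = attributes["givenname"]
        c_name = attributes.get("cn", "").split(" ")
        if not first_name and len(c_name) > 1:
            first_name = c_name[0]
        email = institution_email.lower()
        user_args = {
            # Local part of the principal name when it is scoped to
            # LOGIN_HOME_ORGANIZATION, else the e-mail address.
            "id": _local_user_id(principalname, email),
            "email": email,
            # Random password for the auto-created account; this view logs
            # the user in via djauth.login() without it.
            "password": pwgen.pwgen(),
            "first_name": first_name,
            "last_name": attributes["surname"],
        }

        # Check for an email collision: an address already bound to a
        # different Rapid Connect identity must not be taken over.
        for matching_user in UserProfile.objects.filter(user__email__iexact=user_args["email"]):
            if (
                matching_user.rapidConnectEduPersonTargetedID is not None
                and matching_user.rapidConnectEduPersonTargetedID != edupersontargetedid
            ):
                _abort_rapid_connect_login(request)
                raise PermissionDenied

        user = get_or_create_user(user_args, authMethod="aaf")
        if user is None:
            # Previously fell off the end and returned None (a 500 from
            # Django); treat "no account" as a denied login instead.
            _abort_rapid_connect_login(request)
            raise PermissionDenied
        user.backend = "django.contrib.auth.backends.ModelBackend"
        djauth.login(request, user)
        return redirect("/")
    except jwt.ExpiredSignature:
        _abort_rapid_connect_login(request)
        raise PermissionDenied  # Error: Security cookie has expired
    except PermissionDenied:
        # Deliberate denials above pass through untouched rather than being
        # logged as unexpected failures.
        raise
    except Exception as e:
        # Failed login attempts should be visible, not hidden at DEBUG.
        logger.warning("rcauth() failed with: %s", e, exc_info=True)
        _abort_rapid_connect_login(request)
        raise PermissionDenied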
 def _get_or_create_user_from_dict(self, user_dict, auth_method):
     """Return the user identified by ``user_dict['id']`` under ``auth_method``.

     The account is created on first sight; the other ``user_dict`` fields
     are applied via ``_set_user_from_dict`` only in that case.  An
     existing account is returned unchanged.
     """
     user, is_new = get_or_create_user(auth_method, user_dict['id'])
     if not (user and is_new):
         return user
     self._set_user_from_dict(user, user_dict, auth_method)
     return user
 def _get_or_create_user_from_dict(self, user_dict, auth_method):
     """Return the user identified by ``user_dict['id']`` under ``auth_method``.

     The account is created on first sight; the other ``user_dict`` fields
     are applied via ``_set_user_from_dict`` only in that case.  An
     existing account is returned unchanged.
     """
     user, is_new = get_or_create_user(auth_method, user_dict['id'])
     if not (user and is_new):
         return user
     self._set_user_from_dict(user, user_dict, auth_method)
     return user
 def _get_or_create_user_from_dict(self, user_dict, auth_method):
     """Return the user identified by ``user_dict['id']`` under ``auth_method``.

     The account is created on first sight; the other ``user_dict`` fields
     are applied via ``_set_user_from_dict`` only in that case.  An
     existing account is returned unchanged.
     """
     from tardis.tardis_portal.auth.utils import get_or_create_user
     user, is_new = get_or_create_user(auth_method, user_dict['id'])
     if not (user and is_new):
         return user
     self._set_user_from_dict(user, user_dict, auth_method)
     return user
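def _abort_rapid_connect_login(request):
    """Discard any Rapid Connect state from the session and log it out.

    Used on every failure path.  The keys are removed with ``pop`` and a
    default because some failures (an expired or mis-addressed assertion)
    occur before the keys were ever stored; a plain ``del`` there raises
    KeyError from inside an ``except`` block and escapes the view as a 500
    instead of the intended PermissionDenied.
    """
    for key in ('attributes', 'jwt', 'jws'):
        request.session.pop(key, None)
    django_logout(request)


def _local_user_id(principalname, default_id):
    """Derive the local user id from ``edupersonprincipalname``.

    When ``settings.LOGIN_HOME_ORGANIZATION`` is set and the principal name
    is scoped to exactly that organisation, the trailing ``@<org>`` is
    removed and the lower-cased remainder becomes the id; otherwise
    ``default_id`` is returned.  Multi-valued (``;``-separated) principal
    names are never used.

    Only the suffix is stripped -- not every occurrence of the domain -- so
    that e.g. ``a@org.x@org`` and ``a.x@org`` cannot collapse onto the
    same local account.  Any error (setting missing, unexpected attribute
    type) is logged and falls back to ``default_id``, as before.
    """
    try:
        home_org = settings.LOGIN_HOME_ORGANIZATION
        if home_org:
            domain = "@" + home_org
            if ';' not in principalname and principalname.endswith(domain):
                return principalname[:-len(domain)].lower()
    except Exception:
        logger.debug('check principal domain failed', exc_info=True)
    return default_id


def rcauth(request):
    """Complete an AAF Rapid Connect login from a POSTed JWT assertion.

    Steps:
      1. Reject anything but POST, and everything while both the ``aaf``
         and ``aafe`` frontends are disabled.
      2. ``jwt.decode`` verifies signature, expiry and audience; the
         algorithm is pinned to HS256, the scheme used with the shared
         ``RAPID_CONNECT_CONFIG['secret']``.
      3. The ``jti`` is recorded; a second presentation is treated as a
         replay and bounced to ``/`` without logging anyone in.
      4. ``aud`` and ``iss`` are compared against the configured values.
      5. The released attributes are stored in the session, a local account
         is fetched or created from them, and the user is logged in.

    Returns:
        A redirect to ``/`` on success (and on a replayed token).

    Raises:
        PermissionDenied: wrong method, frontend disabled, any verification
            failure, an e-mail already bound to a different Rapid Connect
            identity, or no user could be created.  Partial session state
            is cleared first so the caller is never left half-authenticated.
    """
    logger.debug('rcauth() start!')
    # Only POST is supported on this URL.
    if request.method != 'POST':
        raise PermissionDenied

    # Rapid Connect authorization is disabled, so don't process anything.
    if (not settings.LOGIN_FRONTENDS['aaf']['enabled']
            and not settings.LOGIN_FRONTENDS['aafe']['enabled']):
        raise PermissionDenied

    try:
        # Verifies signature, expiry time and audience.  ``algorithms`` is
        # pinned so the token header cannot pick a different scheme (or
        # ``none``) to be checked against the shared secret.
        verified_jwt = jwt.decode(
            request.POST['assertion'],
            settings.RAPID_CONNECT_CONFIG['secret'],
            algorithms=['HS256'],
            audience=settings.RAPID_CONNECT_CONFIG['aud'])

        # Replay protection: each jti may be consumed once.  get_or_create
        # narrows the check-then-insert window of filter().exists() + save();
        # a unique constraint on JTI.jti is what closes it completely.
        jti = verified_jwt['jti']
        _, first_use = JTI.objects.get_or_create(jti=jti)
        if not first_use:
            logger.debug('Replay attack? %s', jti)
            _abort_rapid_connect_login(request)
            return redirect('/')

        # Defence in depth: jwt.decode already checked ``aud``; ``iss`` is
        # only checked here.
        if verified_jwt['aud'] != settings.RAPID_CONNECT_CONFIG['aud'] or \
           verified_jwt['iss'] != settings.RAPID_CONNECT_CONFIG['iss']:
            _abort_rapid_connect_login(request)
            raise PermissionDenied  # Error: Not for this audience / issuer

        attributes = verified_jwt['https://aaf.edu.au/attributes']
        request.session['attributes'] = attributes
        request.session['jwt'] = verified_jwt
        request.session['jws'] = request.POST['assertion']

        institution_email = attributes['mail']
        edupersontargetedid = attributes['edupersontargetedid']
        principalname = attributes['edupersonprincipalname']

        logger.debug('Successfully authenticated %s via Rapid Connect.',
                     institution_email)

        # Create a user account and profile automatically. In future,
        # support blacklists and whitelists.
        first_name = attributes['givenname']
        c_name = attributes.get('cn', '').split(' ')
        if not first_name and len(c_name) > 1:
            first_name = c_name[0]
        email = institution_email.lower()
        user_args = {
            # Local part of the principal name when it is scoped to
            # LOGIN_HOME_ORGANIZATION, else the e-mail address.
            'id': _local_user_id(principalname, email),
            'email': email,
            # Random password for the auto-created account; this view logs
            # the user in via djauth.login() without it.
            'password': pwgen.pwgen(),
            'first_name': first_name,
            'last_name': attributes['surname'],
        }

        # Check for an email collision: an address already bound to a
        # different Rapid Connect identity must not be taken over.
        for matching_user in UserProfile.objects.filter(
                user__email__iexact=user_args['email']):
            if (matching_user.rapidConnectEduPersonTargetedID is not None
                    and matching_user.rapidConnectEduPersonTargetedID !=
                    edupersontargetedid):
                _abort_rapid_connect_login(request)
                raise PermissionDenied

        user = get_or_create_user(user_args, authMethod='aaf')
        if user is None:
            # Previously fell off the end and returned None (a 500 from
            # Django); treat "no account" as a denied login instead.
            _abort_rapid_connect_login(request)
            raise PermissionDenied
        user.backend = 'django.contrib.auth.backends.ModelBackend'
        djauth.login(request, user)
        return redirect('/')
    except jwt.ExpiredSignature:
        _abort_rapid_connect_login(request)
        raise PermissionDenied  # Error: Security cookie has expired
    except PermissionDenied:
        # Deliberate denials above pass through untouched rather than being
        # logged as unexpected failures.
        raise
    except Exception as e:
        # Failed login attempts should be visible, not hidden at DEBUG.
        logger.warning('rcauth() failed with: %s', e, exc_info=True)
        _abort_rapid_connect_login(request)
        raise PermissionDenied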