def auth1_0(request):
"""
VERSION 1 AUTH -- DEPRECATED
Authentication is based on the values passed in to the header.
If successful, the request is passed on to auth_response
CAS Authentication requires: "x-auth-user" AND "x-auth-cas"
LDAP Authentication requires: "x-auth-user" AND "x-auth-key"
NOTE(esteve): Should we just always attempt authentication by cas,
then we dont send around x-auth-* headers..
"""
logger.debug("Auth Request")
if 'HTTP_X_AUTH_USER' in request.META\
and 'HTTP_X_AUTH_CAS' in request.META:
username = request.META['HTTP_X_AUTH_USER']
if cas_validateUser(username):
del request.META['HTTP_X_AUTH_CAS']
return auth_response(request)
else:
logger.debug("CAS login failed - %s" % username)
return HttpResponse("401 UNAUTHORIZED", status=401)
if 'HTTP_X_AUTH_KEY' in request.META\
and 'HTTP_X_AUTH_USER' in request.META:
username = request.META['HTTP_X_AUTH_USER']
x_auth_key = request.META['HTTP_X_AUTH_KEY']
if ldap_validate(username, x_auth_key):
return auth_response(request)
else:
logger.debug("LDAP login failed - %s" % username)
return HttpResponse("401 UNAUTHORIZED", status=401)
else:
logger.debug("Request did not have User/Key"
" or User/CAS in the headers")
return HttpResponse("401 UNAUTHORIZED", status=401)
def auth1_0(request):
"""
VERSION 1 AUTH -- DEPRECATED
Authentication is based on the values passed in to the header.
If successful, the request is passed on to auth_response
CAS Authentication requires: "x-auth-user" AND "x-auth-cas"
LDAP Authentication requires: "x-auth-user" AND "x-auth-key"
NOTE(esteve): Should we just always attempt authentication by cas,
then we dont send around x-auth-* headers..
"""
logger.debug("Auth Request")
if 'HTTP_X_AUTH_USER' in request.META\
and 'HTTP_X_AUTH_CAS' in request.META:
username = request.META['HTTP_X_AUTH_USER']
if cas_validateUser(username):
del request.META['HTTP_X_AUTH_CAS']
return auth_response(request)
else:
logger.debug("CAS login failed - %s" % username)
return HttpResponse("401 UNAUTHORIZED", status=401)
if 'HTTP_X_AUTH_KEY' in request.META\
and 'HTTP_X_AUTH_USER' in request.META:
username = request.META['HTTP_X_AUTH_USER']
x_auth_key = request.META['HTTP_X_AUTH_KEY']
if ldap_validate(username, x_auth_key):
return auth_response(request)
else:
logger.debug("LDAP login failed - %s" % username)
return HttpResponse("401 UNAUTHORIZED", status=401)
else:
logger.debug("Request did not have User/Key"
" or User/CAS in the headers")
return HttpResponse("401 UNAUTHORIZED", status=401)
def validate_token(token, request=None):
"""
Validates the token attached to the request (SessionStorage, GET/POST)
If token has expired,
CAS will attempt to reauthenticate the user and refresh token.
Expired Tokens can be used for GET requests ONLY!
"""
#Existence test
try:
auth_token = AuthToken.objects.get(key=token)
user = auth_token.user
except AuthToken.DoesNotExist:
#logger.info("AuthToken <%s> does not exist." % token)
return False
if auth_token.is_expired():
if request and request.META['REQUEST_METHOD'] == 'POST':
user_to_auth = request.session.get('emulated_by', user)
if cas_validateUser(user_to_auth):
#logger.debug("Reauthenticated user -- Token updated")
auth_token.update_expiration()
auth_token.save()
return True
else:
logger.warn("Could not reauthenticate user")
return False
else:
#logger.debug("%s using EXPIRED token to GET data.." % user)
return True
else:
return True
def validate_token(token, request=None):
"""
Validates the token attached to the request (SessionStorage, GET/POST)
If token has expired,
CAS will attempt to reauthenticate the user and refresh token.
Expired Tokens can be used for GET requests ONLY!
"""
#Existence test
try:
auth_token = AuthToken.objects.get(key=token)
user = auth_token.user
except AuthToken.DoesNotExist:
#logger.info("AuthToken <%s> does not exist." % token)
return False
if auth_token.is_expired():
if request and request.META['REQUEST_METHOD'] == 'POST':
user_to_auth = request.session.get('emulated_by', user)
if cas_validateUser(user_to_auth):
#logger.debug("Reauthenticated user -- Token updated")
auth_token.update_expiration()
auth_token.save()
return True
else:
logger.warn("Could not reauthenticate user")
return False
else:
#logger.debug("%s using EXPIRED token to GET data.." % user)
return True
else:
return True
def validate_token(token, request=None):
"""
Validates the token attached to the request (SessionStorage, GET/POST)
If token has expired,
CAS will attempt to reauthenticate the user and refresh token.
Expired Tokens can be used for GET requests ONLY!
"""
#Existence test
try:
auth_token = AuthToken.objects.get(key=token)
user = auth_token.user
except AuthToken.DoesNotExist:
logger.info("AuthToken Retrieved:%s Does not exist." % (token,))
return False
if auth_token.is_expired():
if request and request.META['REQUEST_METHOD'] == 'POST':
#See if the user (Or the user who is emulating a user) can be re-authed.
user_to_auth = request.session.get('emulated_by', user)
if cas_validateUser(user_to_auth):
#logger.debug("Reauthenticated user -- Token updated")
auth_token.update_expiration()
auth_token.save()
return True
else:
logger.info("Token %s expired, User %s "
"could not be reauthenticated in CAS"
% (token, user))
return False
else:
logger.debug("Token %s EXPIRED, but allowing User %s to GET data.."
% (token, user))
return True
else:
return True
def validate_token1_0(request):
"""
validates the token attached to the request
(Opts: in HEADERS || SessionStorage || GET/POST)
Validate token against the database.
Check token's time-out to determine authenticity.
If token has timed out,
CAS will attempt to reauthenticate the user to renew the token
Timed out tokens can be used for GET requests ONLY!
"""
from web import getRequestVars
request_vars = getRequestVars(request)
user = request_vars.get('username', None)
token = request_vars.get('token', None)
api_server = request_vars.get('api_server', None)
emulate = request_vars.get('emulate', None)
if not user or not token:
#logger.debug("Request Variables missing")
return False
try:
token = AuthToken.objects.get(token=token)
except AuthToken.DoesNotExist:
#logger.debug("AuthToken does not exist")
return False
tokenExpireTime = timedelta(days=1)
#Invalid Token
if token.user != user\
or token.logout is not None\
or token.api_server_url != api_server:
#logger.debug("%s - Token Invalid." % user)
#logger.debug("%s != %s" % (token.user, user))
#logger.debug("%s != %s" % (token.api_server_url, api_server))
#logger.debug("%s is not None" % (token.logout))
return False
#Expired Token
if token.issuedTime + tokenExpireTime < timezone.now():
if request.META["REQUEST_METHOD"] == "GET":
#logger.debug("Token Expired - %s requesting GET data OK" % user)
return True
#Expired and POSTing data, need to re-authenticate the token
if emulate:
user = emulate
if not cas_validateUser(user):
#logger.debug("Token Expired - %s was not logged into CAS.")
return False
#CAS Reauthentication Success
#logger.debug("%s reauthenticated with CAS" % user)
#Valid Token
token.issuedTime = timezone.now()
token.save()
return True
def validate_token1_0(request):
"""
validates the token attached to the request
(Opts: in HEADERS || SessionStorage || GET/POST)
Validate token against the database.
Check token's time-out to determine authenticity.
If token has timed out,
CAS will attempt to reauthenticate the user to renew the token
Timed out tokens can be used for GET requests ONLY!
"""
from web import getRequestVars
request_vars = getRequestVars(request)
user = request_vars.get('username', None)
token = request_vars.get('token', None)
api_server = request_vars.get('api_server', None)
emulate = request_vars.get('emulate', None)
if not user or not token:
#logger.debug("Request Variables missing")
return False
try:
token = AuthToken.objects.get(token=token)
except AuthToken.DoesNotExist:
#logger.debug("AuthToken does not exist")
return False
tokenExpireTime = timedelta(days=1)
#Invalid Token
if token.user != user\
or token.logout is not None\
or token.api_server_url != api_server:
#logger.debug("%s - Token Invalid." % user)
#logger.debug("%s != %s" % (token.user, user))
#logger.debug("%s != %s" % (token.api_server_url, api_server))
#logger.debug("%s is not None" % (token.logout))
return False
#Expired Token
if token.issuedTime + tokenExpireTime < timezone.now():
if request.META["REQUEST_METHOD"] == "GET":
#logger.debug("Token Expired - %s requesting GET data OK" % user)
return True
#Expired and POSTing data, need to re-authenticate the token
if emulate:
user = emulate
if not cas_validateUser(user):
#logger.debug("Token Expired - %s was not logged into CAS.")
return False
#CAS Reauthentication Success
#logger.debug("%s reauthenticated with CAS" % user)
#Valid Token
token.issuedTime = timezone.now()
token.save()
return True
def authenticate(self, username=None, password=None, request=None):
"""
Return user if validated by CAS
Return None otherwise.
"""
(success, cas_response) = cas_validateUser(username)
logger.info("Authenticate by CAS: %s - %s %s"
% (username, success, cas_response))
if not success:
logger.debug("CAS Authentication failed - "+username)
return None
attributes = cas_formatAttrs(cas_response)
return makeOrCreateUser(username, attributes)
def authenticate(self, username=None, password=None, request=None):
"""
Return user if validated by CAS
Return None otherwise.
"""
(success, cas_response) = cas_validateUser(username)
logger.info("Authenticate by CAS: %s - %s %s" %
(username, success, cas_response))
if not success:
logger.debug("CAS Authentication failed - " + username)
return None
attributes = cas_formatAttrs(cas_response)
return makeOrCreateUser(username, attributes)
def validate_token1_0(request):
"""
validates the token attached to the request
(Opts: in HEADERS || SessionStorage || GET/POST)
Validate token against the database.
Check token's time-out to determine authenticity.
If token has timed out,
CAS will attempt to reauthenticate the user to renew the token
Timed out tokens can be used for GET requests ONLY!
"""
request_vars = getRequestVars(request)
user = request_vars.get('username', None)
token = request_vars.get('token', None)
api_server = request_vars.get('api_server', None)
emulate = request_vars.get('emulate', None)
if not user or not token:
return False
try:
token = AuthToken.objects.get(token=token)
except AuthToken.DoesNotExist:
return False
tokenExpireTime = timedelta(days=1)
# Invalid Token
if token.user != user\
or token.logout is not None\
or token.api_server_url != api_server:
return False
# Expired Token
if token.issuedTime + tokenExpireTime < timezone.now():
if request.META["REQUEST_METHOD"] == "GET":
return True
# Expired and POSTing data, need to re-authenticate the token
if emulate:
user = emulate
if not cas_validateUser(user):
return False
# CAS Reauthentication Success
# Valid Token
token.issuedTime = timezone.now()
token.save()
return True
def authenticate(self, username=None, password=None, request=None):
"""
Return user if validated by CAS
Return None otherwise.
"""
logger.debug("U:%s P:%s R:%s" % (username, password, request))
if not username:
logger.debug("CAS Authentication skipped - No Username.")
return None
(success, cas_response) = cas_validateUser(username)
logger.info("Authenticate by CAS: %s - %s %s"
% (username, success, cas_response))
if not success:
logger.debug("CAS Authentication failed - "+username)
return None
attributes = cas_response.attributes
return get_or_create_user(username, attributes)
def token_auth(request):
"""
VERSION 2 AUTH
Authentication is based on the POST parameters:
* Username (Required)
* Password (Not Required if CAS authenticated previously)
NOTE: This authentication is SEPARATE from
django model authentication
Use this to give out tokens to access the API
"""
logger.info('Request to auth')
logger.info(request)
token = request.POST.get('token', None)
emulate_user = request.POST.get('emulate_user', None)
username = request.POST.get('username', None)
#CAS authenticated user already has session data
#without passing any parameters
if not username:
username = request.session.get('username', None)
password = request.POST.get('password', None)
#LDAP Authenticate if password provided.
if username and password:
if ldap_validate(username, password):
logger.info("LDAP User %s validated. Creating auth token" % username)
token = createAuthToken(username)
expireTime = token.issuedTime + secrets.TOKEN_EXPIRY_TIME
auth_json = {
'token': token.key,
'username': token.user.username,
'expires': expireTime.strftime("%b %d, %Y %H:%M:%S")
}
return HttpResponse(
content=json.dumps(auth_json),
status=status.HTTP_201_CREATED,
content_type='application/json')
else:
logger.debug("[LDAP] Failed to validate %s" % username)
return HttpResponse("LDAP login failed", status=401)
#if request.session and request.session.get('token'):
# logger.info("User %s already authenticated, renewing token" % username)
# token = validateToken(username, request.session.get('token'))
#ASSERT: Token exists here
if token:
expireTime = token.issuedTime + secrets.TOKEN_EXPIRY_TIME
auth_json = {
'token': token.key,
'username': token.user.username,
'expires': expireTime.strftime("%b %d, %Y %H:%M:%S")
}
return HttpResponse(
content=json.dumps(auth_json),
content_type='application/json')
if not username and not password:
#The user and password were not found
#force user to login via CAS
return cas_loginRedirect(request, '/auth/')
#CAS Authenticate by Proxy (Password not necessary):
if cas_validateUser(username):
logger.info("CAS User %s validated. Creating auth token" % username)
token = createAuthToken(username)
expireTime = token.issuedTime + secrets.TOKEN_EXPIRY_TIME
auth_json = {
'token': token.key,
'username': token.user.username,
'expires': expireTime.strftime("%b %d, %Y %H:%M:%S")
}
return HttpResponse(
content=json.dumps(auth_json),
content_type='application/json')
else:
logger.debug("[CAS] Failed to validate - %s" % username)
return HttpResponse("CAS Login Failure", status=401)
def token_auth(request):
"""
VERSION 2 AUTH
Authentication is based on the POST parameters:
* Username (Required)
* Password (Not Required if CAS authenticated previously)
NOTE: This authentication is SEPARATE from
django model authentication
Use this to give out tokens to access the API
"""
logger.info('Request to auth')
logger.info(request)
token = None
username = request.POST.get('username', None)
#CAS authenticated user already has session data
#without passing any parameters
if not username:
username = request.session.get('username', None)
password = request.POST.get('password', None)
#LDAP Authenticate if password provided.
if username and password:
if ldap_validate(username, password):
logger.info("LDAP User %s validated. Creating auth token" % username)
token = createAuthToken(username)
expireTime = token.issuedTime + secrets.TOKEN_EXPIRY_TIME
auth_json = {
'token': token.key,
'username': token.user.username,
'expires': expireTime.strftime("%b %d, %Y %H:%M:%S")
}
return HttpResponse(
content=json.dumps(auth_json),
status=status.HTTP_201_CREATED,
content_type='application/json')
else:
logger.debug("[LDAP] Failed to validate %s" % username)
return HttpResponse("LDAP login failed", status=401)
#if request.session and request.session.get('token'):
# logger.info("User %s already authenticated, renewing token" % username)
# token = validateToken(username, request.session.get('token'))
#ASSERT: Token exists here
if token:
expireTime = token.issuedTime + secrets.TOKEN_EXPIRY_TIME
auth_json = {
'token': token.key,
'username': token.user.username,
'expires': expireTime.strftime("%b %d, %Y %H:%M:%S")
}
return HttpResponse(
content=json.dumps(auth_json),
content_type='application/json')
if not username and not password:
#The user and password were not found
#force user to login via CAS
return cas_loginRedirect(request, '/auth/')
#CAS Authenticate by Proxy (Password not necessary):
if cas_validateUser(username):
logger.info("CAS User %s validated. Creating auth token" % username)
token = createAuthToken(username)
expireTime = token.issuedTime + secrets.TOKEN_EXPIRY_TIME
auth_json = {
'token': token.key,
'username': token.user.username,
'expires': expireTime.strftime("%b %d, %Y %H:%M:%S")
}
return HttpResponse(
content=json.dumps(auth_json),
content_type='application/json')
else:
logger.debug("[CAS] Failed to validate - %s" % username)
return HttpResponse("CAS Login Failure", status=401)
def token_auth(request):
"""
VERSION 2 AUTH
Authentication is based on the POST parameters:
* Username (Required)
* Password (Not Required if CAS authenticated previously)
NOTE: This authentication is SEPARATE from
django model authentication
Use this to give out tokens to access the API
"""
token = request.POST.get("token", None)
username = request.POST.get("username", None)
# CAS authenticated user already has session data
# without passing any parameters
if not username:
username = request.session.get("username", None)
password = request.POST.get("password", None)
# LDAP Authenticate if password provided.
if username and password:
if ldap_validate(username, password):
token = create_token(username, issuer="API")
expireTime = token.issuedTime + auth_settings.TOKEN_EXPIRY_TIME
auth_json = {
"token": token.key,
"username": token.user.username,
"expires": expireTime.strftime("%b %d, %Y %H:%M:%S"),
}
return HttpResponse(content=json.dumps(auth_json), status=201, content_type="application/json")
else:
logger.debug("[LDAP] Failed to validate %s" % username)
return HttpResponse("LDAP login failed", status=401)
# logger.info("User %s already authenticated, renewing token"
# % username)
# ASSERT: Token exists here
if token:
expireTime = token.issuedTime + auth_settings.TOKEN_EXPIRY_TIME
auth_json = {
"token": token.key,
"username": token.user.username,
"expires": expireTime.strftime("%b %d, %Y %H:%M:%S"),
}
return HttpResponse(content=json.dumps(auth_json), content_type="application/json")
if not username and not password:
# The user and password were not found
# force user to login via CAS
return cas_loginRedirect(request, "/auth/")
if cas_validateUser(username):
logger.info("CAS User %s validated. Creating auth token" % username)
token = createAuthToken(username)
expireTime = token.issuedTime + auth_settings.TOKEN_EXPIRY_TIME
auth_json = {
"token": token.key,
"username": token.user.username,
"expires": expireTime.strftime("%b %d, %Y %H:%M:%S"),
}
return HttpResponse(content=json.dumps(auth_json), content_type="application/json")
else:
logger.debug("[CAS] Failed to validate - %s" % username)
return HttpResponse("CAS Login Failure", status=401)
