def process_request(self, request):
# AuthenticationMiddleware is required so that request.user exists.
if not hasattr(request, "user"):
raise ImproperlyConfigured(
"The Django remote user auth middleware requires the"
" authentication middleware to be installed. Edit your"
" MIDDLEWARE_CLASSES setting to insert"
" 'django.contrib.auth.middleware.AuthenticationMiddleware'"
" before the RemoteUserMiddleware class."
)
# To support logout. If this variable is True, do not
# authenticate user and return now.
if request.session.get(LOGOUT_SESSION_KEY) == True:
return
else:
# Delete the shib reauth session key if present.
request.session.pop(LOGOUT_SESSION_KEY, None)
# Locate the remote user header.
# import pprint; pprint.pprint(request.META)
try:
username = request.META[SHIB_USER_HEADER]
except KeyError:
# If specified header doesn't exist then return (leaving
# request.user set to AnonymousUser by the
# AuthenticationMiddleware).
return
# If the user is already authenticated and that user is the user we are
# getting passed in the headers, then the correct user is already
# persisted in the session and we don't need to continue.
if request.user.is_authenticated():
if request.user.username == username:
if request.user.is_staff:
update_sudo_mode_ts(request)
return
# Make sure we have all required Shiboleth elements before proceeding.
shib_meta, error = self.parse_attributes(request)
# Add parsed attributes to the session.
request.session["shib"] = shib_meta
if error:
raise ShibbolethValidationError("All required Shibboleth elements" " not found. %s" % shib_meta)
# We are seeing this user for the first time in this session, attempt
# to authenticate the user.
user = auth.authenticate(remote_user=username, shib_meta=shib_meta)
if user:
# User is valid. Set request.user and persist user in the session
# by logging the user in.
request.user = user
auth.login(request, user)
user.set_unusable_password()
user.save()
# call make profile.
self.make_profile(user, shib_meta)
# setup session.
self.setup_session(request)
request.shib_login = True
def auth_complete(request):
from seahub.api2.utils import get_token_v1, get_token_v2
# generate tokenv2 using information in request params
keys = (
'platform',
'device_id',
'device_name',
'client_version',
'platform_version',
)
if all(['shib_' + key in request.GET for key in keys]):
platform = request.GET['shib_platform']
device_id = request.GET['shib_device_id']
device_name = request.GET['shib_device_name']
client_version = request.GET['shib_client_version']
platform_version = request.GET['shib_platform_version']
token = get_token_v2(request, request.user.username, platform,
device_id, device_name, client_version,
platform_version)
elif all(['shib_' + key not in request.GET for key in keys]):
token = get_token_v1(request.user.username)
resp = HttpResponseRedirect(reverse('libraries'))
resp.set_cookie('seahub_auth', request.user.username + '@' + token.key)
# Added by Khorkin update sudo timestamp
if request.user.is_authenticated:
if request.user.is_staff:
update_sudo_mode_ts(request)
return resp
def process_request(self, request):
protected_paths = [
item.strip().strip('/') for item in self.protected_paths
]
if request.path.strip('/') not in protected_paths:
return
# AuthenticationMiddleware is required so that request.user exists.
if not hasattr(request, 'user'):
raise ImproperlyConfigured(
"The Django remote user auth middleware requires the"
" authentication middleware to be installed. Edit your"
" MIDDLEWARE setting to insert"
" 'django.contrib.auth.middleware.AuthenticationMiddleware'"
" before the RemoteUserMiddleware class.")
try:
username = request.META[self.header]
except KeyError:
if settings.DEBUG:
assert False
# If specified header doesn't exist then remove any existing
# authenticated remote-user, or return (leaving request.user set to
# AnonymousUser by the AuthenticationMiddleware).
if self.force_logout_if_no_header and request.user.is_authenticated(
):
self._remove_invalid_user(request)
return
if self.remote_user_domain:
username = username.split('@')[0] + '@' + self.remote_user_domain
# If the user is already authenticated and that user is the user we are
# getting passed in the headers, then the correct user is already
# persisted in the session and we don't need to continue.
if request.user.is_authenticated():
if request.user.get_username() == self.clean_username(
username, request):
if request.user.is_staff:
update_sudo_mode_ts(request)
# add a mark to generate api token and set cookie
request.remote_user_authentication = True
return
else:
# An authenticated user is associated with the request, but
# it does not match the authorized user in the header.
self._remove_invalid_user(request)
# We are seeing this user for the first time in this session, attempt
# to authenticate the user.
user = auth.authenticate(request=request, remote_user=username)
if user:
# User is valid. Set request.user and persist user in the session
# by logging the user in.
request.user = user
auth.login(request, user)
# add a mark to generate api token and set cookie
request.remote_user_authentication = True
def process_request(self, request):
# AuthenticationMiddleware is required so that request.user exists.
if not hasattr(request, 'user'):
raise ImproperlyConfigured(
"The Django remote user auth middleware requires the"
" authentication middleware to be installed. Edit your"
" MIDDLEWARE_CLASSES setting to insert"
" 'django.contrib.auth.middleware.AuthenticationMiddleware'"
" before the RemoteUserMiddleware class.")
#To support logout. If this variable is True, do not
#authenticate user and return now.
if request.session.get(LOGOUT_SESSION_KEY) == True:
return
else:
#Delete the shib reauth session key if present.
request.session.pop(LOGOUT_SESSION_KEY, None)
#Locate the remote user header.
# import pprint; pprint.pprint(request.META)
try:
username = request.META[SHIB_USER_HEADER]
except KeyError:
# If specified header doesn't exist then return (leaving
# request.user set to AnonymousUser by the
# AuthenticationMiddleware).
return
# If the user is already authenticated and that user is the user we are
# getting passed in the headers, then the correct user is already
# persisted in the session and we don't need to continue.
if request.user.is_authenticated():
if request.user.username == username:
if request.user.is_staff:
update_sudo_mode_ts(request)
return
# Make sure we have all required Shiboleth elements before proceeding.
shib_meta, error = self.parse_attributes(request)
# Add parsed attributes to the session.
request.session['shib'] = shib_meta
if error:
raise ShibbolethValidationError("All required Shibboleth elements"
" not found. %s" % shib_meta)
# We are seeing this user for the first time in this session, attempt
# to authenticate the user.
user = auth.authenticate(remote_user=username, shib_meta=shib_meta)
if user:
# User is valid. Set request.user and persist user in the session
# by logging the user in.
request.user = user
auth.login(request, user)
user.set_unusable_password()
user.save()
# call make profile.
self.make_profile(user, shib_meta)
#setup session.
self.setup_session(request)
request.shib_login = True
def process_request(self, request):
protected_paths = [item.strip().strip('/') for item in self.protected_paths]
if request.path.strip('/') not in protected_paths:
return
# AuthenticationMiddleware is required so that request.user exists.
if not hasattr(request, 'user'):
raise ImproperlyConfigured(
"The Django remote user auth middleware requires the"
" authentication middleware to be installed. Edit your"
" MIDDLEWARE setting to insert"
" 'django.contrib.auth.middleware.AuthenticationMiddleware'"
" before the RemoteUserMiddleware class.")
try:
username = request.META[self.header]
except KeyError:
if settings.DEBUG:
assert False
# If specified header doesn't exist then remove any existing
# authenticated remote-user, or return (leaving request.user set to
# AnonymousUser by the AuthenticationMiddleware).
if self.force_logout_if_no_header and request.user.is_authenticated(
):
self._remove_invalid_user(request)
return
if self.remote_user_domain:
username = username.split('@')[0] + '@' + self.remote_user_domain
# If the user is already authenticated and that user is the user we are
# getting passed in the headers, then the correct user is already
# persisted in the session and we don't need to continue.
if request.user.is_authenticated():
if request.user.get_username() == self.clean_username(
username, request):
if request.user.is_staff:
update_sudo_mode_ts(request)
# add a mark to generate api token and set cookie
request.remote_user_authentication = True
return
else:
# An authenticated user is associated with the request, but
# it does not match the authorized user in the header.
self._remove_invalid_user(request)
# We are seeing this user for the first time in this session, attempt
# to authenticate the user.
user = auth.authenticate(request=request, remote_user=username)
if user:
# User is valid. Set request.user and persist user in the session
# by logging the user in.
request.user = user
auth.login(request, user)
# add a mark to generate api token and set cookie
request.remote_user_authentication = True
def sys_sudo_mode(request):
if request.method not in ('GET', 'POST'):
return HttpResponseNotAllowed
# here we can't use @sys_staff_required
if not request.user.is_staff:
raise Http404
next_page = request.GET.get('next', reverse('sys_info'))
password_error = False
if request.method == 'POST':
password = request.POST.get('password')
username = request.user.username
ip = get_remote_ip(request)
if password:
user = authenticate(username=username, password=password)
if user:
update_sudo_mode_ts(request)
from seahub.auth.utils import clear_login_failed_attempts
clear_login_failed_attempts(request, username)
return HttpResponseRedirect(next_page)
password_error = True
from seahub.auth.utils import get_login_failed_attempts, incr_login_failed_attempts
failed_attempt = get_login_failed_attempts(username=username, ip=ip)
if failed_attempt >= config.LOGIN_ATTEMPT_LIMIT:
# logout user
from seahub.auth import logout
logout(request)
return HttpResponseRedirect(reverse('auth_login'))
else:
incr_login_failed_attempts(username=username, ip=ip)
enable_shib_login = getattr(settings, 'ENABLE_SHIB_LOGIN', False)
enable_adfs_login = getattr(settings, 'ENABLE_ADFS_LOGIN', False)
return render(
request, 'sysadmin/sudo_mode.html', {
'password_error': password_error,
'enable_sso': enable_shib_login or enable_adfs_login,
'next': next_page,
})
