def process_request(self, request):
    """Log in the user named by the Shibboleth header, when one is present.

    Returns early without touching the login state when the session carries
    the logout flag, when the header is absent, or when the session user
    already has the username given in the header. Otherwise the Shibboleth
    attributes are parsed and stored in ``request.session["shib"]``, the
    user is authenticated from them, and on success is logged in, given an
    unusable password, saved, profiled and marked via ``request.shib_login``.

    Raises:
        ImproperlyConfigured: ``request.user`` is missing, i.e. the
            authentication middleware did not run before this one.
        ShibbolethValidationError: ``parse_attributes`` reported an error.
    """
    # AuthenticationMiddleware is what attaches request.user.
    if not hasattr(request, "user"):
        raise ImproperlyConfigured(
            "The Django remote user auth middleware requires the"
            " authentication middleware to be installed. Edit your"
            " MIDDLEWARE_CLASSES setting to insert"
            " 'django.contrib.auth.middleware.AuthenticationMiddleware'"
            " before the RemoteUserMiddleware class."
        )

    session = request.session

    # Logout support: while the flag is set, skip header authentication so
    # the user is not logged straight back in. Any other stored value is
    # cleared. The equality test (not identity) is kept on purpose.
    if session.get(LOGOUT_SESSION_KEY) == True:  # noqa: E712
        return
    session.pop(LOGOUT_SESSION_KEY, None)

    # SECURITY: the header value is the only source of identity here.
    # NOTE(review): confirm the fronting web server sets this key itself and
    # drops any client-supplied copy; whatever arrives is used as username.
    if SHIB_USER_HEADER not in request.META:
        # No header: leave request.user as AuthenticationMiddleware set it.
        return
    username = request.META[SHIB_USER_HEADER]

    current = request.user
    if current.is_authenticated() and current.username == username:
        # The right user is already persisted in the session.
        # NOTE(review): for staff this refreshes the sudo-mode timestamp on
        # every matching request, with no password step in this path;
        # confirm that is intended for SSO accounts.
        if current.is_staff:
            update_sudo_mode_ts(request)
        return

    # NOTE(review): a session user that differs from the header user is not
    # logged out here; if authenticate() below returns nothing,
    # request.user stays the previous account.

    # All required Shibboleth attributes must be present before continuing.
    # The parsed attributes are stored in the session even when incomplete.
    shib_meta, error = self.parse_attributes(request)
    session["shib"] = shib_meta
    if error:
        raise ShibbolethValidationError("All required Shibboleth elements"
                                        " not found. %s" % shib_meta)

    # First sighting of this user in the session: authenticate them.
    user = auth.authenticate(remote_user=username, shib_meta=shib_meta)
    if not user:
        return

    # Valid user: attach to the request and persist through login.
    request.user = user
    auth.login(request, user)
    # No local password is kept for an account that logs in this way.
    user.set_unusable_password()
    user.save()
    self.make_profile(user, shib_meta)
    self.setup_session(request)
    request.shib_login = True
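def auth_complete(request):
    """Issue an API token for ``request.user`` and return it in a cookie.

    When every ``shib_*`` device parameter is present in the query string
    the token comes from ``get_token_v2``; when none is present it comes
    from ``get_token_v1``. A request carrying only some of the parameters
    is answered with HTTP 400; before this change that case reached the
    cookie code with ``token`` unbound and failed with an unhandled error.

    Returns:
        A redirect to the ``libraries`` view with the ``seahub_auth`` cookie
        set to ``<username>@<token key>``, or a 400 response for an
        incomplete parameter set.
    """
    from django.http import HttpResponseBadRequest
    from seahub.api2.utils import get_token_v1, get_token_v2

    # generate tokenv2 using information in request params
    keys = (
        'platform',
        'device_id',
        'device_name',
        'client_version',
        'platform_version',
    )
    supplied = ['shib_' + key in request.GET for key in keys]

    # NOTE(review): request.user.username is used below without an
    # authentication check inside this function; presumably a decorator or
    # the SSO middleware guarantees a logged-in user. Confirm.
    if all(supplied):
        token = get_token_v2(
            request,
            request.user.username,
            request.GET['shib_platform'],
            request.GET['shib_device_id'],
            request.GET['shib_device_name'],
            request.GET['shib_client_version'],
            request.GET['shib_platform_version'],
        )
    elif not any(supplied):
        token = get_token_v1(request.user.username)
    else:
        # Partial device description: neither token type applies, so refuse
        # the request rather than continue without a token.
        return HttpResponseBadRequest('Incomplete device parameters.')

    resp = HttpResponseRedirect(reverse('libraries'))
    # NOTE(review): this cookie carries an API token and is set without the
    # ``secure`` / ``httponly`` options of set_cookie(). Confirm what the
    # consuming client needs before tightening them.
    resp.set_cookie('seahub_auth', request.user.username + '@' + token.key)

    # Added by Khorkin update sudo timestamp
    # NOTE(review): ``is_authenticated`` is read as an attribute here; on a
    # Django version where it is still a method this test is always true.
    if request.user.is_authenticated and request.user.is_staff:
        update_sudo_mode_ts(request)

    return resp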
def process_request(self, request):
    """Authenticate from the remote-user header, on protected paths only.

    Requests whose path is not listed in ``self.protected_paths`` are left
    alone. On a protected path the username is read from
    ``request.META[self.header]``, optionally re-homed onto
    ``self.remote_user_domain``, and compared with the session user: a match
    keeps the session, a mismatch removes the session user, and in the
    remaining cases the header user is authenticated and logged in.
    ``request.remote_user_authentication`` is set whenever the header user
    ends up being the request user.

    Raises:
        ImproperlyConfigured: ``request.user`` is missing, i.e. the
            authentication middleware did not run before this one.
    """
    # Paths are compared with surrounding slashes removed; configured
    # entries are also stripped of surrounding whitespace.
    guarded = [entry.strip().strip('/') for entry in self.protected_paths]
    if request.path.strip('/') not in guarded:
        return

    # AuthenticationMiddleware is what attaches request.user.
    if not hasattr(request, 'user'):
        raise ImproperlyConfigured(
            "The Django remote user auth middleware requires the"
            " authentication middleware to be installed. Edit your"
            " MIDDLEWARE setting to insert"
            " 'django.contrib.auth.middleware.AuthenticationMiddleware'"
            " before the RemoteUserMiddleware class.")

    # SECURITY: self.header is the only source of identity on these paths.
    # NOTE(review): confirm the reverse proxy / web server always sets or
    # strips this key for client traffic; whatever arrives is passed to the
    # auth backend as the username.
    try:
        username = request.META[self.header]
    except KeyError:
        # With DEBUG on, a missing header surfaces at once as an
        # AssertionError (the assert is skipped when Python runs with -O).
        if settings.DEBUG:
            assert False
        # Header absent: optionally drop an existing remote-user session,
        # otherwise leave request.user as AuthenticationMiddleware set it.
        drop_session_user = (self.force_logout_if_no_header
                             and request.user.is_authenticated())
        if drop_session_user:
            self._remove_invalid_user(request)
        return

    if self.remote_user_domain:
        # Keep only the part before the first '@' and attach the
        # configured domain.
        local_part = username.split('@')[0]
        username = local_part + '@' + self.remote_user_domain

    session_user = request.user
    if session_user.is_authenticated():
        same_user = (session_user.get_username()
                     == self.clean_username(username, request))
        if not same_user:
            # The session belongs to someone other than the header user.
            self._remove_invalid_user(request)
        else:
            # The right user is already persisted in the session.
            # NOTE(review): for staff this refreshes the sudo-mode
            # timestamp on every matching request, with no password step
            # in this path; confirm that is intended.
            if session_user.is_staff:
                update_sudo_mode_ts(request)
            # add a mark to generate api token and set cookie
            request.remote_user_authentication = True
            return

    # First sighting of this user in the session: authenticate them.
    user = auth.authenticate(request=request, remote_user=username)
    if not user:
        return

    # Valid user: attach to the request and persist through login.
    request.user = user
    auth.login(request, user)
    # add a mark to generate api token and set cookie
    request.remote_user_authentication = True
def process_request(self, request):
    """Authenticate the request from the Shibboleth user header.

    Nothing happens when the session's logout flag is set, when the header
    is missing, or when the session user already carries the header's
    username. In every other case the Shibboleth attributes are parsed,
    saved under ``request.session['shib']`` and handed to the auth backend;
    a returned user is logged in, gets an unusable password, is saved, and
    the request is flagged with ``shib_login``.

    Raises:
        ImproperlyConfigured: ``request.user`` does not exist because the
            authentication middleware did not run first.
        ShibbolethValidationError: ``parse_attributes`` signalled an error.
    """
    # request.user only exists once AuthenticationMiddleware has run.
    user_attached = hasattr(request, 'user')
    if not user_attached:
        raise ImproperlyConfigured(
            "The Django remote user auth middleware requires the"
            " authentication middleware to be installed. Edit your"
            " MIDDLEWARE_CLASSES setting to insert"
            " 'django.contrib.auth.middleware.AuthenticationMiddleware'"
            " before the RemoteUserMiddleware class.")

    # A set logout flag means: do not authenticate, return now. Otherwise
    # the reauth key is removed from the session if it is there.
    logout_requested = request.session.get(LOGOUT_SESSION_KEY) == True  # noqa: E712
    if logout_requested:
        return
    request.session.pop(LOGOUT_SESSION_KEY, None)

    # SECURITY: identity comes solely from this header value.
    # NOTE(review): verify that the web server in front populates the key
    # and discards a client-sent one; the value is trusted as the username.
    try:
        username = request.META[SHIB_USER_HEADER]
    except KeyError:
        # Header absent: request.user stays whatever
        # AuthenticationMiddleware put there.
        return

    if request.user.is_authenticated() and request.user.username == username:
        # Session already holds the header user; nothing more to do.
        # NOTE(review): staff get their sudo-mode timestamp refreshed on
        # each such request without a password step. Confirm intent.
        if request.user.is_staff:
            update_sudo_mode_ts(request)
        return

    # NOTE(review): if the session user differs from the header user, the
    # old session is kept; should authenticate() below return nothing,
    # request.user remains that earlier account.

    # Required Shibboleth elements are checked before going further; the
    # parsed result is written to the session either way.
    parsed = self.parse_attributes(request)
    shib_meta, error = parsed
    request.session['shib'] = shib_meta
    if error:
        raise ShibbolethValidationError("All required Shibboleth elements"
                                        " not found. %s" % shib_meta)

    # New user for this session: try to authenticate.
    user = auth.authenticate(remote_user=username, shib_meta=shib_meta)
    if user:
        # Persist the user in the session by logging them in.
        request.user = user
        auth.login(request, user)
        # The account keeps no usable local password.
        user.set_unusable_password()
        user.save()
        self.make_profile(user, shib_meta)
        self.setup_session(request)
        request.shib_login = True
def process_request(self, request):
    """Apply remote-user header authentication to the protected paths.

    A request outside ``self.protected_paths`` passes through untouched.
    Inside them the header named by ``self.header`` supplies the username
    (with its domain replaced when ``self.remote_user_domain`` is set). If
    the session user equals that name the session is kept; if it differs
    the session user is removed and the header user is authenticated
    instead. ``request.remote_user_authentication`` is set to ``True``
    whenever the header user is the resulting request user.

    Raises:
        ImproperlyConfigured: ``request.user`` does not exist because the
            authentication middleware did not run first.
    """
    # Normalise both sides: configured entries lose surrounding whitespace
    # and slashes, the request path loses surrounding slashes.
    normalised_entries = [p.strip().strip('/') for p in self.protected_paths]
    request_path = request.path.strip('/')
    if request_path not in normalised_entries:
        return

    # request.user only exists once AuthenticationMiddleware has run.
    if not hasattr(request, 'user'):
        raise ImproperlyConfigured(
            "The Django remote user auth middleware requires the"
            " authentication middleware to be installed. Edit your"
            " MIDDLEWARE setting to insert"
            " 'django.contrib.auth.middleware.AuthenticationMiddleware'"
            " before the RemoteUserMiddleware class.")

    # SECURITY: the header is trusted as the user's identity.
    # NOTE(review): verify that only the fronting server can set this key
    # and that a client-sent copy is dropped before it reaches this code.
    try:
        username = request.META[self.header]
    except KeyError:
        # DEBUG builds fail loudly on a missing header; the assert does not
        # run under ``python -O``.
        if settings.DEBUG:
            assert False
        # No header: remove an existing remote-user session if configured
        # to, else leave the user set by AuthenticationMiddleware.
        if self.force_logout_if_no_header:
            if request.user.is_authenticated():
                self._remove_invalid_user(request)
        return

    domain = self.remote_user_domain
    if domain:
        # Whatever followed the first '@' is replaced by the configured
        # domain.
        username = username.split('@')[0] + '@' + self.remote_user_domain

    if request.user.is_authenticated():
        header_name = self.clean_username(username, request)
        if request.user.get_username() == header_name:
            # Session already holds the header user; keep it.
            # NOTE(review): staff get their sudo-mode timestamp refreshed
            # on each such request without a password step. Confirm
            # intent.
            if request.user.is_staff:
                update_sudo_mode_ts(request)
            # add a mark to generate api token and set cookie
            request.remote_user_authentication = True
            return
        # Session user and header user disagree: drop the session user.
        self._remove_invalid_user(request)

    # New user for this session: try to authenticate.
    user = auth.authenticate(request=request, remote_user=username)
    if user:
        # Persist the user in the session by logging them in.
        request.user = user
        auth.login(request, user)
        # add a mark to generate api token and set cookie
        request.remote_user_authentication = True
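def _is_same_site_path(target):
    """Return True only for an absolute path on this site, e.g. '/sys/info/'.

    Anything that a browser could resolve to another origin is refused:
    values not starting with a single '/', scheme-relative forms ('//host',
    or a backslash, which browsers treat like a slash) and values containing
    control characters, which browsers strip before resolving the URL.
    """
    if not target or not target.startswith('/') or target.startswith('//'):
        return False
    if '\\' in target:
        return False
    return not any(ord(ch) < 0x20 or ord(ch) == 0x7f for ch in target)


def sys_sudo_mode(request):
    """Ask a staff user for their password again and start sudo mode.

    GET renders the prompt. POST checks the password for the current
    username: on success the sudo-mode timestamp is updated, the failed
    attempt record is cleared and the user is redirected to ``next``; on
    failure the attempt is counted, and once ``config.LOGIN_ATTEMPT_LIMIT``
    is reached the user is logged out and sent to the login page.

    The ``next`` query parameter is request-controlled, so it is only
    honoured when it is a path on this site; any other value falls back to
    the ``sys_info`` view.

    Raises:
        Http404: the requesting user is not staff.
    """
    if request.method not in ('GET', 'POST'):
        # Return a response instance listing the permitted methods; the
        # bare class is not a valid response.
        return HttpResponseNotAllowed(['GET', 'POST'])

    # here we can't use @sys_staff_required
    if not request.user.is_staff:
        raise Http404

    default_next = reverse('sys_info')
    next_page = request.GET.get('next', default_next)
    if not _is_same_site_path(next_page):
        # Refuse off-site or malformed targets instead of redirecting there.
        next_page = default_next

    password_error = False
    if request.method == 'POST':
        # Imported here, as in the original, rather than at module level.
        from seahub.auth import logout
        from seahub.auth.utils import (
            clear_login_failed_attempts,
            get_login_failed_attempts,
            incr_login_failed_attempts,
        )

        password = request.POST.get('password')
        username = request.user.username
        ip = get_remote_ip(request)

        if password:
            user = authenticate(username=username, password=password)
            if user:
                update_sudo_mode_ts(request)
                clear_login_failed_attempts(request, username)
                return HttpResponseRedirect(next_page)

        # Reached for an empty or wrong password alike.
        password_error = True

        failed_attempt = get_login_failed_attempts(username=username, ip=ip)
        if failed_attempt >= config.LOGIN_ATTEMPT_LIMIT:
            # Too many failures: end the session and require a full login.
            logout(request)
            return HttpResponseRedirect(reverse('auth_login'))
        incr_login_failed_attempts(username=username, ip=ip)

    enable_shib_login = getattr(settings, 'ENABLE_SHIB_LOGIN', False)
    enable_adfs_login = getattr(settings, 'ENABLE_ADFS_LOGIN', False)
    return render(
        request,
        'sysadmin/sudo_mode.html',
        {
            'password_error': password_error,
            'enable_sso': enable_shib_login or enable_adfs_login,
            'next': next_page,
        })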