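def test_service_url_has_ticket_stripped(self):
    """service_url() must drop the ``ticket`` query parameter.

    The ticket is placed both in ``request.form`` and in the raw
    ``QUERY_STRING`` so that, whichever of the two service_url() reads,
    the result keeps only the remaining parameters in their original
    order and nothing else.
    """
    params = OrderedDict((
        ('ticket', 'ST-001-abc'),
        ('param1', 'v1'),
        ('param2', 'v2'),
    ))
    self.request.form.update(params)
    self.request.environ['QUERY_STRING'] = urlencode(params)

    url = service_url(self.request)

    # The parameter separator must be a literal '&'; a mis-encoded
    # separator here makes the assertion unsatisfiable.
    self.assertEqual('http://nohost?param1=v1&param2=v2', url)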
def challenge(self, request, response, **kw):
    """Redirect an unauthenticated request to the CAS login page.

    Returns False (so other challengers may run) when the request
    already carries a ``ticket`` form parameter or when no CAS server
    URL is configured on this plugin. Otherwise issues a locked
    redirect to ``<cas_server_url>/login?service=<service URL>`` and
    returns True.
    """
    has_ticket = 'ticket' in request.form
    if has_ticket or not self.cas_server_url:
        return False

    # The current service URL (presumably with the ticket already
    # stripped by service_url()) is quoted so it survives as a single
    # query-string value.
    service = urllib.quote(service_url(request))
    login_url = '%s/login?service=%s' % (self.cas_server_url, service)
    response.redirect(login_url, lock=True)
    return True
def extractCredentials(self, request):
    """Pull the CAS service ticket out of the request, if present.

    Returns None when there is no ``ticket`` form parameter. Otherwise
    returns a dict holding the ``ticket`` and the ``service_url`` it
    should be validated against, and redirects the browser back to that
    service URL so the one-time ticket does not remain visible in the
    address bar or browser history.
    """
    form = request.form
    if 'ticket' not in form:
        return None

    ticket = form.get('ticket')
    clean_url = service_url(request)
    creds = {
        'ticket': ticket,
        'service_url': clean_url,
    }
    # service_url() is expected to have removed the ticket parameter,
    # so redirecting there hides the ticket from the user's address bar.
    request.RESPONSE.redirect(clean_url, lock=True)
    return creds
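def reply(self):
    """Exchange a CAS service ticket for a JWT.

    Expects a JSON body with ``ticket`` and optionally ``service``. The
    ticket is validated against the CAS server configured on the CAS
    authentication plugin, the matching Plone user is looked up, the CAS
    plugin is notified of the login, and a JWT for that user is returned
    as ``{'token': ...}``.

    Error responses are ``{'error': {'type': ..., 'message': ...}}``
    dicts: status 400 when the ticket is missing, 501 when either the
    CAS or the JWT authentication plugin is not installed. The
    "user not found" error is returned without changing the status.
    """
    data = json_body(self.request)
    if 'ticket' not in data:
        self.request.response.setStatus(400)
        return dict(
            error=dict(
                type='Missing service ticket',
                message='Service ticket must be provided in body.'))

    if 'service' in data:
        # NOTE(review): the service URL is taken verbatim from the
        # client. The CAS server checks the ticket against this value,
        # so a ticket issued for any service that CAS server knows
        # about would be accepted here; confirm that is intended or
        # restrict it to this site's own URL.
        service = data['service']
    else:
        # Strip the `/@caslogin` endpoint name so the service URL matches
        # the one the ticket was issued for. Note: no trailing comma on
        # this assignment -- one would silently turn `service` into a
        # one-element tuple and break validate_ticket().
        login_suffix = '/@caslogin'
        service = service_url(self.request)[:-len(login_suffix)]

    # Disable CSRF protection for this request when the installed
    # plone.protect provides the marker interface.
    if hasattr(plone.protect.interfaces, 'IDisableCSRFProtection'):
        alsoProvides(self.request,
                     plone.protect.interfaces.IDisableCSRFProtection)

    uf = getToolByName(self.context, 'acl_users')
    plugins = uf._getOb('plugins')
    authenticators = plugins.listPlugins(IAuthenticationPlugin)

    # Locate the two PAS plugins by meta_type; if several of one type
    # are registered, the last one listed wins.
    cas_plugin = None
    jwt_plugin = None
    for _id, authenticator in authenticators:
        if authenticator.meta_type == "CAS Authentication Plugin":
            cas_plugin = authenticator
        elif authenticator.meta_type == "JWT Authentication Plugin":
            jwt_plugin = authenticator

    if cas_plugin is None or jwt_plugin is None:
        self.request.response.setStatus(501)
        return dict(error=dict(
            type='Login failed',
            message='CAS/JWT authentication plugin not installed.'))

    userid = validate_ticket(
        data['ticket'],
        cas_plugin.cas_server_url,
        service,
    )
    user = uf.getUserById(userid)
    if not user:
        # NOTE(review): returned with the default status code rather
        # than a 4xx; callers must inspect the body to detect failure.
        return dict(error=dict(
            type='Login failed',
            message='User with userid {} not found.'.format(userid)))

    cas_plugin.handle_login(userid)
    payload = {'fullname': user.getProperty('fullname')}
    return {'token': jwt_plugin.create_token(userid, data=payload)}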