    def test_service_url_has_ticket_stripped(self):
        """`service_url` drops the `ticket` query parameter and keeps the
        remaining parameters in their original order."""
        query = OrderedDict()
        query['ticket'] = 'ST-001-abc'
        query['param1'] = 'v1'
        query['param2'] = 'v2'
        self.request.form.update(query)
        self.request.environ['QUERY_STRING'] = urlencode(query)

        stripped = service_url(self.request)

        self.assertEqual('http://nohost?param1=v1&param2=v2', stripped)
    def challenge(self, request, response, **kw):
        """Redirect an unauthenticated request to the CAS login page.

        Returns True when a redirect was issued. Returns False (declining to
        challenge) when a `ticket` is already in the form, i.e. the CAS round
        trip is in progress, or when no CAS server URL is configured.
        """
        if 'ticket' in request.form or not self.cas_server_url:
            return False

        # The service URL travels as a single query value of the CAS login
        # URL, so it must be percent-encoded.
        login_url = '%s/login?service=%s' % (
            self.cas_server_url,
            urllib.quote(service_url(request)),
        )
        response.redirect(login_url, lock=True)
        return True
    def extractCredentials(self, request):
        """Extract the CAS service ticket from the request form.

        Returns None when no `ticket` form parameter is present. Otherwise
        returns a dict with `ticket` and the `service_url` the ticket is to be
        validated against, and — as a side effect — redirects the response to
        that service URL (which has the ticket stripped) so the one-time
        ticket does not remain in the browser's address bar.
        """
        form = request.form
        if 'ticket' not in form:
            return None

        clean_url = service_url(request)
        creds = {
            'ticket': form.get('ticket'),
            'service_url': clean_url,
        }

        # Bounce away from the URL that carries the ticket (see docstring).
        request.RESPONSE.redirect(clean_url, lock=True)

        return creds
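    def reply(self):
        """Exchange a CAS service ticket sent in the JSON body for a JWT.

        Expected body: ``{"ticket": "...", "service": "..."}``; ``service`` is
        optional and defaults to this view's own URL with the ``/@caslogin``
        view name removed. Returns ``{"token": ...}`` on success, otherwise an
        ``{"error": {"type": ..., "message": ...}}`` dict — with HTTP 400 when
        the ticket is missing and 501 when the CAS or JWT authentication
        plugin is not installed.
        """
        data = json_body(self.request)
        if 'ticket' not in data:
            self.request.response.setStatus(400)
            return dict(
                error=dict(type='Missing service ticket',
                           message='Service ticket must be provided in body.'))

        if 'service' in data:
            # NOTE(review): the service URL the ticket is validated against is
            # taken from the client body; it is only constrained by whatever
            # the CAS server accepts. Consider restricting it to this site.
            service = data['service']
        else:
            # This view is registered as `<service>/@caslogin`; the CAS
            # service URL is everything before the view name. Must be a plain
            # string — a stray trailing comma here would turn it into a tuple.
            view_suffix = '/@caslogin'
            service = service_url(self.request)[:-len(view_suffix)]

        # Disable CSRF protection for this request; the guard tolerates
        # plone.protect versions that lack the marker interface.
        if hasattr(plone.protect.interfaces, 'IDisableCSRFProtection'):
            alsoProvides(self.request,
                         plone.protect.interfaces.IDisableCSRFProtection)

        uf = getToolByName(self.context, 'acl_users')
        plugins = uf._getOb('plugins')
        # Index the authentication plugins by meta_type; if several share a
        # meta_type the last one listed wins, as before.
        by_meta_type = {}
        for _, authenticator in plugins.listPlugins(IAuthenticationPlugin):
            by_meta_type[authenticator.meta_type] = authenticator
        cas_plugin = by_meta_type.get("CAS Authentication Plugin")
        jwt_plugin = by_meta_type.get("JWT Authentication Plugin")

        if cas_plugin is None or jwt_plugin is None:
            self.request.response.setStatus(501)
            return dict(error=dict(
                type='Login failed',
                message='CAS/JWT authentication plugin not installed.'))

        userid = validate_ticket(
            data['ticket'],
            cas_plugin.cas_server_url,
            service,
        )

        user = uf.getUserById(userid)
        if not user:
            # NOTE(review): unlike the other failure paths this one does not
            # set a status, so clients receive a 200 with an error body.
            return dict(error=dict(
                type='Login failed',
                message='User with userid {} not found.'.format(userid)))

        cas_plugin.handle_login(userid)
        payload = {'fullname': user.getProperty('fullname')}
        return {'token': jwt_plugin.create_token(userid, data=payload)}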