Only set "remember my provider" in federated mode upon successful authentication

This commit is contained in:
Valentin Samir 2016-08-01 11:30:41 +02:00
parent 0466d397f3
commit 0237364d8e
2 changed files with 44 additions and 26 deletions

View file

@ -88,19 +88,23 @@ class FederateAuthLoginLogoutTestCase(
response = client.post('/federate', params)
# we are redirected to the provider CAS client url
self.assertEqual(response.status_code, 302)
self.assertEqual(response["Location"], '%s/federate/%s' % (
self.assertEqual(response["Location"], '%s/federate/%s%s' % (
'http://testserver' if django.VERSION < (1, 9) else "",
provider.suffix
provider.suffix,
"?remember=on" if remember else ""
))
# let's follow the redirect
response = client.get('/federate/%s' % provider.suffix)
response = client.get(
'/federate/%s%s' % (provider.suffix, "?remember=on" if remember else "")
)
# we are redirected to the provider CAS for authentication
self.assertEqual(response.status_code, 302)
self.assertEqual(
response["Location"],
"%s/login?service=http%%3A%%2F%%2Ftestserver%%2Ffederate%%2F%s" % (
"%s/login?service=http%%3A%%2F%%2Ftestserver%%2Ffederate%%2F%s%s" % (
provider.server_url,
provider.suffix
provider.suffix,
"%3Fremember%3Don" if remember else ""
)
)
# let's generate a ticket
@ -108,7 +112,10 @@ class FederateAuthLoginLogoutTestCase(
# we lauch a dummy CAS server that only validate once for the service
# http://testserver/federate/example.com with `ticket`
tests_utils.DummyCAS.run(
("http://testserver/federate/%s" % provider.suffix).encode("ascii"),
("http://testserver/federate/%s%s" % (
provider.suffix,
"?remember=on" if remember else ""
)).encode("ascii"),
ticket.encode("ascii"),
settings.CAS_TEST_USER.encode("utf8"),
[],
@ -116,7 +123,13 @@ class FederateAuthLoginLogoutTestCase(
)
# we normally provide a good ticket and should be redirected to /login as the ticket
# get successfully validated again the dummy CAS
response = client.get('/federate/%s' % provider.suffix, {'ticket': ticket})
response = client.get(
'/federate/%s' % provider.suffix,
{'ticket': ticket, 'remember': 'on' if remember else ''}
)
if remember:
self.assertIn("_remember_provider", client.cookies)
self.assertEqual(client.cookies["_remember_provider"].value, provider.suffix)
self.assertEqual(response.status_code, 302)
self.assertEqual(response["Location"], "%s/login" % (
'http://testserver' if django.VERSION < (1, 9) else ""

View file

@ -218,8 +218,7 @@ class FederateAuth(View):
"""
return super(FederateAuth, self).dispatch(request, *args, **kwargs)
@staticmethod
def get_cas_client(request, provider):
def get_cas_client(self, request, provider):
"""
return a CAS client object matching provider
@ -231,6 +230,7 @@ class FederateAuth(View):
"""
# compute the current url, ignoring ticket dans provider GET parameters
service_url = utils.get_current_url(request, {"ticket", "provider"})
self.service_url = service_url
return CASFederateValidateUser(provider, service_url)
def post(self, request, provider=None):
@ -264,7 +264,7 @@ class FederateAuth(View):
if form.is_valid():
params = utils.copy_params(
request.POST,
ignore={"provider", "csrfmiddlewaretoken", "ticket", "lt", "remember"}
ignore={"provider", "csrfmiddlewaretoken", "ticket", "lt"}
)
if params.get("renew") == "False":
del params["renew"]
@ -273,17 +273,7 @@ class FederateAuth(View):
kwargs=dict(provider=form.cleaned_data["provider"].suffix),
params=params
)
response = HttpResponseRedirect(url)
# If the user has checked "remember my identity provider" store it in a cookie
if form.cleaned_data["remember"]:
max_age = settings.CAS_FEDERATE_REMEMBER_TIMEOUT
utils.set_cookie(
response,
"_remember_provider",
form.cleaned_data["provider"].suffix,
max_age
)
return response
return HttpResponseRedirect(url)
else:
return redirect("cas_server:login")
@ -323,7 +313,7 @@ class FederateAuth(View):
auth.provider.server_url
)
)
params = utils.copy_params(request.GET, ignore={"ticket"})
params = utils.copy_params(request.GET, ignore={"ticket", "remember"})
request.session["federate_username"] = auth.federated_username
request.session["federate_ticket"] = ticket
auth.register_slo(
@ -334,13 +324,28 @@ class FederateAuth(View):
# redirect to the the login page for the user to become authenticated
# thanks to the `federate_username` and `federate_ticket` session parameters
url = utils.reverse_params("cas_server:login", params)
return HttpResponseRedirect(url)
response = HttpResponseRedirect(url)
# If the user has checked "remember my identity provider" store it in a
# cookie
if request.GET.get("remember"):
max_age = settings.CAS_FEDERATE_REMEMBER_TIMEOUT
utils.set_cookie(
response,
"_remember_provider",
provider.suffix,
max_age
)
return response
# else redirect to the identity provider CAS login page
else:
logger.info(
"Got a invalid ticket for %s from %s. Retrying to authenticate" % (
auth.username,
auth.provider.server_url
(
"Got a invalid ticket %s from %s for service %s. "
"Retrying to authenticate"
) % (
ticket,
auth.provider.server_url,
self.service_url
)
)
return HttpResponseRedirect(auth.get_login_url())