possibility to limit PT delivery by service

cas_server/locale/en/LC_MESSAGES/django.po

@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: cas_server\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2015-05-28 02:10+0200\n"
+"POT-Creation-Date: 2015-05-28 15:24+0200\n"
 "PO-Revision-Date: 2015-05-23 19:03+0100\n"
 "Last-Translator: Valentin Samir <valentin.samir@crans.org>\n"
 "Language-Team: django <LL@li.org>\n"
@@ -33,117 +33,123 @@ msgstr " Warn me before logging me into other sites."
 msgid "Bad user"
 msgstr "The credentials you provided cannot be determined to be authentic."
 
-#: models.py:89
+#: models.py:58
 #, fuzzy, python-format
 #| msgid "Error during service logout %s"
-msgid "Error during service logout %r"
+msgid "Error during service logout %s"
 msgstr "Error during service logout %s"
 
-#: models.py:147
+#: models.py:117
 msgid "position"
 msgstr ""
 
-#: models.py:154 models.py:239
+#: models.py:124 models.py:213
 msgid "name"
 msgstr ""
 
-#: models.py:155
+#: models.py:125
 #, fuzzy
 #| msgid "Connect to the service"
 msgid "A name for the service"
 msgstr "Connect to the service"
 
-#: models.py:160 models.py:266 models.py:283
+#: models.py:130 models.py:240 models.py:257
 msgid "pattern"
 msgstr ""
 
-#: models.py:166
+#: models.py:136
 msgid "user field"
 msgstr ""
 
-#: models.py:167
+#: models.py:137
 msgid "Name of the attribut to transmit as username, empty = login"
 msgstr ""
 
-#: models.py:171
+#: models.py:141
 msgid "restrict username"
 msgstr ""
 
-#: models.py:172
+#: models.py:142
 msgid "Limit username allowed to connect to the list provided bellow"
 msgstr ""
 
-#: models.py:176
+#: models.py:146
 msgid "proxy"
 msgstr ""
 
-#: models.py:177
-msgid ""
-"A ProxyGrantingTicket can be delivered to the service in order to "
-"authenticate for the user on a backend service"
+#: models.py:147
+msgid "Proxy tickets can be delivered to the service"
 msgstr ""
 
-#: models.py:182
+#: models.py:151
+msgid "proxy callback"
+msgstr ""
+
+#: models.py:152
+msgid "can be used as a proxy callback to deliver PGT"
+msgstr ""
+
+#: models.py:156
 msgid "single log out"
 msgstr ""
 
-#: models.py:183
+#: models.py:157
 #, fuzzy
 #| msgid "Connect to the service"
 msgid "Enable SLO for the service"
 msgstr "Connect to the service"
 
-#: models.py:225
+#: models.py:199
 msgid "username"
 msgstr ""
 
-#: models.py:226
+#: models.py:200
 #, fuzzy
 #| msgid "Connect to the service"
 msgid "username allowed to connect to the service"
 msgstr "Connect to the service"
 
-#: models.py:240
+#: models.py:214
 #, fuzzy
 #| msgid "The attribut %(field)s is needed to use that service"
 msgid "name of an attribut to send to the service"
 msgstr "The attribut %(field)s is needed to use that service"
 
-#: models.py:245 models.py:289
+#: models.py:219 models.py:263
 msgid "replace"
 msgstr ""
 
-#: models.py:246
+#: models.py:220
 msgid ""
 "name under which the attribut will be showto the service. empty = default "
 "name of the attribut"
 msgstr ""
 
-#: models.py:261 models.py:278
+#: models.py:235 models.py:252
 msgid "attribut"
 msgstr ""
 
-#: models.py:262
+#: models.py:236
 msgid "Name of the attribut which must verify pattern"
 msgstr ""
 
-#: models.py:267
+#: models.py:241
 msgid "a regular expression"
 msgstr ""
 
-#: models.py:279
+#: models.py:253
 msgid "Name of the attribut for which the value must be replace"
 msgstr ""
 
-#: models.py:284
+#: models.py:258
 msgid "An regular expression maching whats need to be replaced"
 msgstr ""
 
-#: models.py:290
+#: models.py:264
 msgid "replace expression, groups are capture by \\1, \\2 …"
 msgstr ""
 
-#: models.py:337
+#: models.py:313
 #, python-format
 msgid ""
 "Error during service logout %(service)s:\n"

cas_server/locale/fr/LC_MESSAGES/django.po

@@ -7,8 +7,8 @@ msgid ""
 msgstr ""
 "Project-Id-Version: cas_server\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2015-05-28 02:10+0200\n"
-"PO-Revision-Date: 2015-05-28 02:15+0100\n"
+"POT-Creation-Date: 2015-05-28 15:24+0200\n"
+"PO-Revision-Date: 2015-05-28 15:25+0100\n"
 "Last-Translator: Valentin Samir <valentin.samir@crans.org>\n"
 "Language-Team: django <LL@li.org>\n"
 "Language: fr\n"
@@ -34,115 +34,119 @@ msgstr "Prévenez-moi avant d'accéder à d'autres services."
 msgid "Bad user"
 msgstr "Les informations transmises n'ont pas permis de vous authentifier."
 
-#: models.py:89
+#: models.py:58
 #, python-format
-msgid "Error during service logout %r"
-msgstr "Une erreur est survenue durant la déconnexion du service %r"
+msgid "Error during service logout %s"
+msgstr "Une erreur est survenue durant la déconnexion du service %s"
 
-#: models.py:147
+#: models.py:117
 msgid "position"
 msgstr "position"
 
-#: models.py:154 models.py:239
+#: models.py:124 models.py:213
 msgid "name"
 msgstr "nom"
 
-#: models.py:155
+#: models.py:125
 msgid "A name for the service"
 msgstr "Un nom pour le service"
 
-#: models.py:160 models.py:266 models.py:283
+#: models.py:130 models.py:240 models.py:257
 msgid "pattern"
 msgstr "motif"
 
-#: models.py:166
+#: models.py:136
 msgid "user field"
 msgstr "champ utilisateur"
 
-#: models.py:167
+#: models.py:137
 msgid "Name of the attribut to transmit as username, empty = login"
 msgstr ""
 "Nom de l'attribut devant être transmis comme nom d'utilisateur au service. "
 "vide = nom de connection"
 
-#: models.py:171
+#: models.py:141
 msgid "restrict username"
 msgstr "limiter les noms d'utilisateurs"
 
-#: models.py:172
+#: models.py:142
 msgid "Limit username allowed to connect to the list provided bellow"
 msgstr ""
 "Limiter les noms d'utilisateurs autorisé à se connecter à la liste fournie "
 "ci-dessous"
 
-#: models.py:176
+#: models.py:146
 msgid "proxy"
 msgstr "proxy"
 
-#: models.py:177
-msgid ""
-"A ProxyGrantingTicket can be delivered to the service in order to "
-"authenticate for the user on a backend service"
-msgstr ""
-"Un ProxyGrantingTicket peut être délivré au service pour lui permettre de "
-"s'authentifier en temps l'utilisateur à un autre service"
+#: models.py:147
+msgid "Proxy tickets can be delivered to the service"
+msgstr "des proxy tickets peuvent être délivrés au service"
 
-#: models.py:182
+#: models.py:151
+msgid "proxy callback"
+msgstr ""
+
+#: models.py:152
+msgid "can be used as a proxy callback to deliver PGT"
+msgstr "peut être utilisé comme un callback pour recevoir un PGT"
+
+#: models.py:156
 msgid "single log out"
 msgstr ""
 
-#: models.py:183
+#: models.py:157
 msgid "Enable SLO for the service"
 msgstr "Active le SLO pour le service"
 
-#: models.py:225
+#: models.py:199
 msgid "username"
 msgstr "nom d'utilisateur"
 
-#: models.py:226
+#: models.py:200
 msgid "username allowed to connect to the service"
 msgstr "noms d'utilisateurs autorisé à se connecter au service"
 
-#: models.py:240
+#: models.py:214
 msgid "name of an attribut to send to the service"
 msgstr "nom d'un attribut a envoyer au service"
 
-#: models.py:245 models.py:289
+#: models.py:219 models.py:263
 msgid "replace"
 msgstr "remplacement"
 
-#: models.py:246
+#: models.py:220
 msgid ""
 "name under which the attribut will be showto the service. empty = default "
 "name of the attribut"
 msgstr ""
 "nom sous lequel l'attribut sera rendu visible au service. vide = inchangé"
 
-#: models.py:261 models.py:278
+#: models.py:235 models.py:252
 msgid "attribut"
 msgstr "attribut"
 
-#: models.py:262
+#: models.py:236
 msgid "Name of the attribut which must verify pattern"
 msgstr "Nom de l'attribut devant vérifier un motif"
 
-#: models.py:267
+#: models.py:241
 msgid "a regular expression"
 msgstr "une expression régulière"
 
-#: models.py:279
+#: models.py:253
 msgid "Name of the attribut for which the value must be replace"
 msgstr "nom de l'attribue pour lequel la valeur doit être remplacé"
 
-#: models.py:284
+#: models.py:258
 msgid "An regular expression maching whats need to be replaced"
 msgstr "une expression régulière reconnaissant ce qui doit être remplacé"
 
-#: models.py:290
+#: models.py:264
 msgid "replace expression, groups are capture by \\1, \\2 …"
 msgstr "expression de remplacement, les groupe sont capturé par \\1, \\2"
 
-#: models.py:337
+#: models.py:313
 #, python-format
 msgid ""
 "Error during service logout %(service)s:\n"
@@ -222,6 +226,13 @@ msgstr ""
 "Vous vous êtes déconnecté(e) du Service Central d'Authentification.<br/>Pour "
 "des raisons de sécurité, veuillez fermer votre navigateur."
 
+#~ msgid ""
+#~ "A ProxyGrantingTicket can be delivered to the service in order to "
+#~ "authenticate for the user on a backend service"
+#~ msgstr ""
+#~ "Un ProxyGrantingTicket peut être délivré au service pour lui permettre de "
+#~ "s'authentifier en temps l'utilisateur à un autre service"
+
 #~ msgid ""
 #~ "Une demande d'authentification a été émise pour le service %(name)s "
 #~ "(%(url)s)"

cas_server/migrations/0016_auto_20150528_1326.py

@@ -0,0 +1,26 @@
+# -*- coding: utf-8 -*-
+from __future__ import unicode_literals
+
+from django.db import models, migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('cas_server', '0015_auto_20150528_1202'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='servicepattern',
+            name='proxy_callback',
+            field=models.BooleanField(default=False, help_text='can be used as a proxy callback to deliver PGT', verbose_name='proxy callback'),
+            preserve_default=True,
+        ),
+        migrations.AlterField(
+            model_name='servicepattern',
+            name='proxy',
+            field=models.BooleanField(default=False, help_text='Proxy tickets can be delivered to the service', verbose_name='proxy'),
+            preserve_default=True,
+        ),
+    ]

cas_server/models.py

@@ -144,8 +144,12 @@ class ServicePattern(models.Model):
     proxy = models.BooleanField(
         default=False,
         verbose_name=_(u"proxy"),
-        help_text=_("A ProxyGrantingTicket can be delivered to the service " \
-        "in order to authenticate for the user on a backend service")
+        help_text=_("Proxy tickets can be delivered to the service")
+    )
+    proxy_callback = models.BooleanField(
+        default=False,
+        verbose_name=_(u"proxy callback"),
+        help_text=_("can be used as a proxy callback to deliver PGT")
     )
     single_log_out = models.BooleanField(
         default=False,

cas_server/views.py

@@ -291,7 +291,7 @@ def ps_validate(request, ticket_type=None):
                 params['username'] = ticket.user.attributs.get(ticket.service_pattern.user_field)
             if pgt_url and pgt_url.startswith("https://"):
                 pattern = models.ServicePattern.validate(pgt_url)
-                if pattern.proxy:
+                if pattern.proxy_callback:
                     proxyid = utils.gen_pgtiou()
                     pticket = models.ProxyGrantingTicket.objects.create(
                         user=ticket.user,
@@ -358,6 +358,12 @@ def proxy(request):
         try:
             # is the target service allowed
             pattern = models.ServicePattern.validate(target_service)
+            if not pattern.proxy:
+                return _validate_error(
+                    request,
+                    'UNAUTHORIZED_SERVICE',
+                    'the service do not allow proxy ticket'
+                )
             # is the proxy granting ticket valid
             ticket = models.ProxyGrantingTicket.objects.get(
                 value=pgt,