From 6b3b280d316574394cf99a783e13ec7dcba6765e Mon Sep 17 00:00:00 2001
From: Valentin Samir
Date: Mon, 4 Jul 2016 22:54:15 +0200
Subject: [PATCH] Add some logging and only permit backend CAS auth if the user is not already authenticated
---
 cas_server/federate.py | 9 +++++++++
 cas_server/tests/mixin.py | 5 +++--
 cas_server/views.py | 19 +++++++++++++++++++
 3 files changed, 31 insertions(+), 2 deletions(-)
diff --git a/cas_server/federate.py b/cas_server/federate.py
index 4534cda..74528cb 100644
--- a/cas_server/federate.py
+++ b/cas_server/federate.py
@@ -16,11 +16,14 @@ from django.db import IntegrityError
 from .cas import CASClient
 from .models import FederatedUser, FederateSLO, User
+import logging
 from importlib import import_module
 from six.moves import urllib
 SessionStore = import_module(settings.SESSION_ENGINE).SessionStore
+logger = logging.getLogger(__name__)
+
 class CASFederateValidateUser(object):
 """Class CAS client used to authenticate the user again a CAS provider"""
@@ -88,6 +91,12 @@ class CASFederateValidateUser(object):
 slos = []
 for slo in slos:
 for federate_slo in FederateSLO.objects.filter(ticket=slo.text):
+ logger.info(
+ "Got an SLO requests for ticket %s, logging out user %s" % (
+ federate_slo.username,
+ federate_slo.ticket
+ )
+ )
 session = SessionStore(session_key=federate_slo.session_key)
 session.flush()
 try:
diff --git a/cas_server/tests/mixin.py b/cas_server/tests/mixin.py
index 859c3a0..e4a5c0d 100644
--- a/cas_server/tests/mixin.py
+++ b/cas_server/tests/mixin.py
@@ -228,11 +228,12 @@ class CanLogin(object):
 self.assertEqual(response.status_code, code)
 # this message is displayed to the user upon successful authentication, so it should not
 # appear
- self.assertFalse(
+ self.assertNotIn(
 (
 b"You have successfully logged into "
 b"the Central Authentication Service"
- ) in response.content
+ ),
+ response.content
 )
 # if authentication has failed, these session variables should not be set
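Review bot: `import logging` is inserted between the package-relative imports (`from .models ...`) and `from importlib import import_module`, so a stdlib import now sits inside the local-import group while other stdlib imports follow it. Moving `import logging` up to the stdlib group at the top of the import block (above the Django imports, which are outside this hunk) keeps the grouping readable and is what PEP 8 expects. This is a style point only; nothing in the hunk is functionally wrong.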
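Review bot: The arguments to the new `logger.info` call are in the wrong order for its format string: the `%s` labelled "ticket" receives `federate_slo.username` and the one labelled "user" receives `federate_slo.ticket`, so every SLO log line reports the two values swapped. Passing them as lazy logging arguments in the right order fixes it and defers formatting until the record is actually emitted: `logger.info("Got an SLO request for ticket %s, logging out user %s", federate_slo.ticket, federate_slo.username)`. The enclosing method starts and ends outside the hunk.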
diff --git a/cas_server/views.py b/cas_server/views.py
index a95a6cd..c85cc52 100644
--- a/cas_server/views.py
+++ b/cas_server/views.py
@@ -208,6 +208,7 @@ class FederateAuth(View):
 def post(self, request, provider=None):
 """method called on POST request"""
 if not settings.CAS_FEDERATE:
+ logger.warning("CAS_FEDERATE is False, set it to True to use the federated mode")
 return redirect("cas_server:login")
 # POST with a provider, this is probably an SLO request
 try:
@@ -251,15 +252,26 @@ class FederateAuth(View):
 def get(self, request, provider=None):
 """method called on GET request"""
 if not settings.CAS_FEDERATE:
+ logger.warning("CAS_FEDERATE is False, set it to True to use the federated mode")
+ return redirect("cas_server:login")
+ if self.request.session.get("authenticated"):
+ logger.warning("User already authenticated, dropping federate authentication request")
 return redirect("cas_server:login")
 try:
 provider = FederatedIendityProvider.objects.get(suffix=provider)
 auth = self.get_cas_client(request, provider)
 if 'ticket' not in request.GET:
+ logger.info("Trying to authenticate again %s" % auth.provider.server_url)
 return HttpResponseRedirect(auth.get_login_url())
 else:
 ticket = request.GET['ticket']
 if auth.verify_ticket(ticket):
+ logger.info(
+ "Got a valid ticket for %s from %s" % (
+ auth.username,
+ auth.provider.server_url
+ )
+ )
 params = utils.copy_params(request.GET, ignore={"ticket"})
 request.session["federate_username"] = auth.federated_username
 request.session["federate_ticket"] = ticket
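Review bot: The new WARNING in `post` fires on every request to the endpoint whenever `CAS_FEDERATE` is off, and the same line is repeated in the `get` hunk below; since the URL is reachable without authentication, any client can emit this warning at will and drown out warnings that matter. A disabled feature is a configuration fact, better reported once (at startup or when the URL is wired) or at DEBUG here, e.g. `logger.debug("CAS_FEDERATE is False, federated login is disabled")`. `logger` is used without being introduced in this commit, so it is presumably already defined earlier in views.py; the method body continues outside the hunk.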
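Review bot: The new "already authenticated" guard reads `self.request.session` while every other line of `get` uses the `request` parameter (`request.GET`, `request.session`); under Django's `View.dispatch` they are the same object, but the guard should be `if request.session.get("authenticated"):` so the method does not mix the two. The added info lines format eagerly with `%`; `logger.info("Trying to authenticate against %s", auth.provider.server_url)` passes the argument lazily and also fixes "again", which probably means "against" (same pattern for the valid-ticket message). The valid-ticket log records `auth.username` while the session stores `auth.federated_username`; worth confirming which identifier the log is meant to show. `get` continues in the next hunk.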
@@ -267,8 +279,15 @@ class FederateAuth(View):
 url = utils.reverse_params("cas_server:login", params)
 return HttpResponseRedirect(url)
 else:
+ logger.info(
+ "Got a invalid ticket for %s from %s. Retrying to authenticate" % (
+ auth.username,
+ auth.provider.server_url
+ )
+ )
 return HttpResponseRedirect(auth.get_login_url())
 except FederatedIendityProvider.DoesNotExist:
+ logger.warning("Identity provider suffix %s not found" % provider)
 return redirect("cas_server:login")
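Review bot: The invalid-ticket branch logs `auth.username` right after `verify_ticket` returned falsy; if the client only populates `username` on a successful validation, this line logs `None` or raises, so confirm what `verify_ticket` leaves set before relying on it (and the message should read "an invalid ticket"). In the `DoesNotExist` handler, `provider` is the suffix taken from the URL, i.e. client-controlled text written to the log at WARNING level; unless the URL pattern constrains it, `logger.warning("Identity provider suffix %r not found", provider)` both defers formatting and escapes control characters so a crafted suffix cannot forge extra log lines. `get` begins in the previous hunk, and the hunk header counts two more old lines than are visible here, so its tail may be cut off.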