Extended validity for PGT
This commit is contained in:
Valentin Samir
parent
8fe1738183
commit
a4ff5c3d64
3 changed files with 47 additions and 38 deletions
|
|
@ -33,7 +33,8 @@ setting_default('CAS_PT_LEN', settings.CAS_TICKET_LEN)
|
||||||
setting_default('CAS_PGT_LEN', settings.CAS_TICKET_LEN)
|
setting_default('CAS_PGT_LEN', settings.CAS_TICKET_LEN)
|
||||||
setting_default('CAS_PGTIOU_LEN', settings.CAS_TICKET_LEN)
|
setting_default('CAS_PGTIOU_LEN', settings.CAS_TICKET_LEN)
|
||||||
|
|
||||||
setting_default('CAS_TICKET_VALIDITY', 300)
|
setting_default('CAS_TICKET_VALIDITY', 60)
|
||||||
|
setting_default('CAS_PGT_VALIDITY', 3600)
|
||||||
setting_default('CAS_TICKET_TIMEOUT', 24*3600)
|
setting_default('CAS_TICKET_TIMEOUT', 24*3600)
|
||||||
setting_default('CAS_PROXY_CA_CERTIFICATE_PATH', True)
|
setting_default('CAS_PROXY_CA_CERTIFICATE_PATH', True)
|
||||||
setting_default('CAS_REDIRECT_TO_LOGIN_AFTER_LOGOUT', False)
|
setting_default('CAS_REDIRECT_TO_LOGIN_AFTER_LOGOUT', False)
|
||||||
|
|
|
||||||
|
|
@ -292,6 +292,9 @@ class Ticket(models.Model):
|
||||||
renew = models.BooleanField(default=False)
|
renew = models.BooleanField(default=False)
|
||||||
single_log_out = models.BooleanField(default=False)
|
single_log_out = models.BooleanField(default=False)
|
||||||
|
|
||||||
|
VALIDITY = settings.CAS_TICKET_VALIDITY
|
||||||
|
TIMEOUT = settings.CAS_TICKET_TIMEOUT
|
||||||
|
|
||||||
def __unicode__(self):
|
def __unicode__(self):
|
||||||
return u"Ticket(%s, %s)" % (self.user, self.service)
|
return u"Ticket(%s, %s)" % (self.user, self.service)
|
||||||
|
|
||||||
|
|
@ -304,19 +307,18 @@ class Ticket(models.Model):
|
||||||
Q(single_log_out=False)&Q(validate=True)
|
Q(single_log_out=False)&Q(validate=True)
|
||||||
)|(
|
)|(
|
||||||
Q(validate=False)&\
|
Q(validate=False)&\
|
||||||
Q(creation__lt=(timezone.now() - timedelta(seconds=settings.CAS_TICKET_VALIDITY)))
|
Q(creation__lt=(timezone.now() - timedelta(seconds=cls.VALIDITY)))
|
||||||
)
|
)
|
||||||
).delete()
|
).delete()
|
||||||
|
|
||||||
# sending SLO to timed-out validated tickets
|
# sending SLO to timed-out validated tickets
|
||||||
if settings.CAS_TICKET_TIMEOUT and \
|
if cls.TIMEOUT and cls.TIMEOUT > 0:
|
||||||
settings.CAS_TICKET_TIMEOUT >= settings.CAS_TICKET_VALIDITY:
|
|
||||||
async_list = []
|
async_list = []
|
||||||
session = FuturesSession(executor=ThreadPoolExecutor(max_workers=10))
|
session = FuturesSession(executor=ThreadPoolExecutor(max_workers=10))
|
||||||
queryset = cls.objects.filter(
|
queryset = cls.objects.filter(
|
||||||
single_log_out=True,
|
single_log_out=True,
|
||||||
validate=True,
|
validate=True,
|
||||||
creation__lt=(timezone.now() - timedelta(seconds=settings.CAS_TICKET_TIMEOUT))
|
creation__lt=(timezone.now() - timedelta(seconds=cls.TIMEOUT))
|
||||||
)
|
)
|
||||||
for ticket in queryset:
|
for ticket in queryset:
|
||||||
async_list.append(ticket.logout(None, session))
|
async_list.append(ticket.logout(None, session))
|
||||||
|
|
@ -373,7 +375,10 @@ class ProxyTicket(Ticket):
|
||||||
class ProxyGrantingTicket(Ticket):
|
class ProxyGrantingTicket(Ticket):
|
||||||
"""A Proxy Granting Ticket"""
|
"""A Proxy Granting Ticket"""
|
||||||
PREFIX = settings.CAS_PROXY_GRANTING_TICKET_PREFIX
|
PREFIX = settings.CAS_PROXY_GRANTING_TICKET_PREFIX
|
||||||
|
VALIDITY = settings.CAS_PGT_VALIDITY
|
||||||
value = models.CharField(max_length=255, default=utils.gen_pgt, unique=True)
|
value = models.CharField(max_length=255, default=utils.gen_pgt, unique=True)
|
||||||
|
|
||||||
|
|
||||||
def __unicode__(self):
|
def __unicode__(self):
|
||||||
return u"ProxyGrantingTicket(%s, %s, %s)" % (self.user, self.value, self.service)
|
return u"ProxyGrantingTicket(%s, %s, %s)" % (self.user, self.value, self.service)
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -30,6 +30,9 @@ import utils
|
||||||
import forms
|
import forms
|
||||||
import models
|
import models
|
||||||
|
|
||||||
|
from .models import ServiceTicket, ProxyTicket, ProxyGrantingTicket
|
||||||
|
from .models import ServicePattern
|
||||||
|
|
||||||
class AttributesMixin(object):
|
class AttributesMixin(object):
|
||||||
"""mixin for the attributs methode"""
|
"""mixin for the attributs methode"""
|
||||||
|
|
||||||
|
|
@ -189,7 +192,7 @@ class LoginView(View, LogoutMixin):
|
||||||
"""Perform login agains a service"""
|
"""Perform login agains a service"""
|
||||||
try:
|
try:
|
||||||
# is the service allowed
|
# is the service allowed
|
||||||
service_pattern = models.ServicePattern.validate(self.service)
|
service_pattern = ServicePattern.validate(self.service)
|
||||||
# is the current user allowed on this service
|
# is the current user allowed on this service
|
||||||
service_pattern.check_user(self.user)
|
service_pattern.check_user(self.user)
|
||||||
# if the user has asked to be warned before any login to a service
|
# if the user has asked to be warned before any login to a service
|
||||||
|
|
@ -215,7 +218,7 @@ class LoginView(View, LogoutMixin):
|
||||||
return HttpResponseRedirect(
|
return HttpResponseRedirect(
|
||||||
self.user.get_service_url(self.service, service_pattern, renew=self.renew)
|
self.user.get_service_url(self.service, service_pattern, renew=self.renew)
|
||||||
)
|
)
|
||||||
except models.ServicePattern.DoesNotExist:
|
except ServicePattern.DoesNotExist:
|
||||||
messages.add_message(
|
messages.add_message(
|
||||||
self.request,
|
self.request,
|
||||||
messages.ERROR,
|
messages.ERROR,
|
||||||
|
|
@ -270,7 +273,7 @@ class LoginView(View, LogoutMixin):
|
||||||
"""Processing non authenticated users"""
|
"""Processing non authenticated users"""
|
||||||
if self.service:
|
if self.service:
|
||||||
try:
|
try:
|
||||||
service_pattern = models.ServicePattern.validate(self.service)
|
service_pattern = ServicePattern.validate(self.service)
|
||||||
if self.gateway:
|
if self.gateway:
|
||||||
list(messages.get_messages(self.request))# clean messages before leaving django
|
list(messages.get_messages(self.request))# clean messages before leaving django
|
||||||
return HttpResponseRedirect(self.service)
|
return HttpResponseRedirect(self.service)
|
||||||
|
|
@ -288,7 +291,7 @@ class LoginView(View, LogoutMixin):
|
||||||
_(u"Authentication required by service %(name)s (%(url)s).") %
|
_(u"Authentication required by service %(name)s (%(url)s).") %
|
||||||
{'name':service_pattern.name, 'url':self.service}
|
{'name':service_pattern.name, 'url':self.service}
|
||||||
)
|
)
|
||||||
except models.ServicePattern.DoesNotExist:
|
except ServicePattern.DoesNotExist:
|
||||||
messages.add_message(
|
messages.add_message(
|
||||||
self.request,
|
self.request,
|
||||||
messages.ERROR,
|
messages.ERROR,
|
||||||
|
|
@ -337,12 +340,12 @@ class Auth(View):
|
||||||
try:
|
try:
|
||||||
user = models.User.objects.get(username=form.cleaned_data['username'])
|
user = models.User.objects.get(username=form.cleaned_data['username'])
|
||||||
# is the service allowed
|
# is the service allowed
|
||||||
service_pattern = models.ServicePattern.validate(service)
|
service_pattern = ServicePattern.validate(service)
|
||||||
# is the current user allowed on this service
|
# is the current user allowed on this service
|
||||||
service_pattern.check_user(user)
|
service_pattern.check_user(user)
|
||||||
# if the user has asked to be warned before any login to a service
|
# if the user has asked to be warned before any login to a service
|
||||||
return HttpResponse("yes\n", content_type="text/plain")
|
return HttpResponse("yes\n", content_type="text/plain")
|
||||||
except (models.ServicePattern.DoesNotExist, models.ServicePatternException) as error:
|
except (ServicePattern.DoesNotExist, ServicePatternException) as error:
|
||||||
print "error: %r" % error
|
print "error: %r" % error
|
||||||
return HttpResponse("no\n", content_type="text/plain")
|
return HttpResponse("no\n", content_type="text/plain")
|
||||||
else:
|
else:
|
||||||
|
|
@ -359,17 +362,17 @@ class Validate(View):
|
||||||
renew = True if request.GET.get('renew') else False
|
renew = True if request.GET.get('renew') else False
|
||||||
if service and ticket:
|
if service and ticket:
|
||||||
try:
|
try:
|
||||||
ticket = models.ServiceTicket.objects.get(
|
ticket = ServiceTicket.objects.get(
|
||||||
value=ticket,
|
value=ticket,
|
||||||
service=service,
|
service=service,
|
||||||
validate=False,
|
validate=False,
|
||||||
renew=renew,
|
renew=renew,
|
||||||
creation__gt=(timezone.now() - timedelta(seconds=settings.CAS_TICKET_VALIDITY))
|
creation__gt=(timezone.now() - timedelta(seconds=ServiceTicket.VALIDITY))
|
||||||
)
|
)
|
||||||
ticket.validate = True
|
ticket.validate = True
|
||||||
ticket.save()
|
ticket.save()
|
||||||
return HttpResponse("yes\n", content_type="text/plain")
|
return HttpResponse("yes\n", content_type="text/plain")
|
||||||
except models.ServiceTicket.DoesNotExist:
|
except ServiceTicket.DoesNotExist:
|
||||||
return HttpResponse("no\n", content_type="text/plain")
|
return HttpResponse("no\n", content_type="text/plain")
|
||||||
else:
|
else:
|
||||||
return HttpResponse("no\n", content_type="text/plain")
|
return HttpResponse("no\n", content_type="text/plain")
|
||||||
|
|
@ -447,19 +450,19 @@ class ValidateService(View, AttributesMixin):
|
||||||
"""fetch the ticket angains the database and check its validity"""
|
"""fetch the ticket angains the database and check its validity"""
|
||||||
try:
|
try:
|
||||||
proxies = []
|
proxies = []
|
||||||
if self.ticket.startswith(models.ServiceTicket.PREFIX):
|
if self.ticket.startswith(ServiceTicket.PREFIX):
|
||||||
ticket = models.ServiceTicket.objects.get(
|
ticket = ServiceTicket.objects.get(
|
||||||
value=self.ticket,
|
value=self.ticket,
|
||||||
validate=False,
|
validate=False,
|
||||||
renew=self.renew,
|
renew=self.renew,
|
||||||
creation__gt=(timezone.now() - timedelta(seconds=settings.CAS_TICKET_VALIDITY))
|
creation__gt=(timezone.now() - timedelta(seconds=ServiceTicket.VALIDITY))
|
||||||
)
|
)
|
||||||
elif self.allow_proxy_ticket and self.ticket.startswith(models.ProxyTicket.PREFIX):
|
elif self.allow_proxy_ticket and self.ticket.startswith(ProxyTicket.PREFIX):
|
||||||
ticket = models.ProxyTicket.objects.get(
|
ticket = ProxyTicket.objects.get(
|
||||||
value=self.ticket,
|
value=self.ticket,
|
||||||
validate=False,
|
validate=False,
|
||||||
renew=self.renew,
|
renew=self.renew,
|
||||||
creation__gt=(timezone.now() - timedelta(seconds=settings.CAS_TICKET_VALIDITY))
|
creation__gt=(timezone.now() - timedelta(seconds=ProxyTicket.VALIDITY))
|
||||||
)
|
)
|
||||||
for prox in ticket.proxies.all():
|
for prox in ticket.proxies.all():
|
||||||
proxies.append(prox.url)
|
proxies.append(prox.url)
|
||||||
|
|
@ -470,17 +473,17 @@ class ValidateService(View, AttributesMixin):
|
||||||
if ticket.service != self.service:
|
if ticket.service != self.service:
|
||||||
raise ValidateError('INVALID_SERVICE')
|
raise ValidateError('INVALID_SERVICE')
|
||||||
return ticket, proxies
|
return ticket, proxies
|
||||||
except (models.ServiceTicket.DoesNotExist, models.ProxyTicket.DoesNotExist):
|
except (ServiceTicket.DoesNotExist, ProxyTicket.DoesNotExist):
|
||||||
raise ValidateError('INVALID_TICKET', 'ticket not found')
|
raise ValidateError('INVALID_TICKET', 'ticket not found')
|
||||||
|
|
||||||
|
|
||||||
def process_pgturl(self, params):
|
def process_pgturl(self, params):
|
||||||
"""Handle PGT request"""
|
"""Handle PGT request"""
|
||||||
try:
|
try:
|
||||||
pattern = models.ServicePattern.validate(self.pgt_url)
|
pattern = ServicePattern.validate(self.pgt_url)
|
||||||
if pattern.proxy_callback:
|
if pattern.proxy_callback:
|
||||||
proxyid = utils.gen_pgtiou()
|
proxyid = utils.gen_pgtiou()
|
||||||
pticket = models.ProxyGrantingTicket.objects.create(
|
pticket = ProxyGrantingTicket.objects.create(
|
||||||
user=self.ticket.user,
|
user=self.ticket.user,
|
||||||
service=self.pgt_url,
|
service=self.pgt_url,
|
||||||
service_pattern=pattern,
|
service_pattern=pattern,
|
||||||
|
|
@ -507,7 +510,7 @@ class ValidateService(View, AttributesMixin):
|
||||||
'INVALID_PROXY_CALLBACK',
|
'INVALID_PROXY_CALLBACK',
|
||||||
"callback url not allowed by configuration"
|
"callback url not allowed by configuration"
|
||||||
)
|
)
|
||||||
except models.ServicePattern.DoesNotExist:
|
except ServicePattern.DoesNotExist:
|
||||||
raise ValidateError(
|
raise ValidateError(
|
||||||
'INVALID_PROXY_CALLBACK',
|
'INVALID_PROXY_CALLBACK',
|
||||||
'callback url not allowed by configuration'
|
'callback url not allowed by configuration'
|
||||||
|
|
@ -541,21 +544,21 @@ class Proxy(View):
|
||||||
"""handle PT request"""
|
"""handle PT request"""
|
||||||
try:
|
try:
|
||||||
# is the target service allowed
|
# is the target service allowed
|
||||||
pattern = models.ServicePattern.validate(self.target_service)
|
pattern = ServicePattern.validate(self.target_service)
|
||||||
if not pattern.proxy:
|
if not pattern.proxy:
|
||||||
raise ValidateError(
|
raise ValidateError(
|
||||||
'UNAUTHORIZED_SERVICE',
|
'UNAUTHORIZED_SERVICE',
|
||||||
'the service do not allow proxy ticket'
|
'the service do not allow proxy ticket'
|
||||||
)
|
)
|
||||||
# is the proxy granting ticket valid
|
# is the proxy granting ticket valid
|
||||||
ticket = models.ProxyGrantingTicket.objects.get(
|
ticket = ProxyGrantingTicket.objects.get(
|
||||||
value=self.pgt,
|
value=self.pgt,
|
||||||
creation__gt=(timezone.now() - timedelta(seconds=settings.CAS_TICKET_VALIDITY))
|
creation__gt=(timezone.now() - timedelta(seconds=ProxyGrantingTicket.VALIDITY))
|
||||||
)
|
)
|
||||||
# is the pgt user allowed on the target service
|
# is the pgt user allowed on the target service
|
||||||
pattern.check_user(ticket.user)
|
pattern.check_user(ticket.user)
|
||||||
pticket = ticket.user.get_ticket(
|
pticket = ticket.user.get_ticket(
|
||||||
models.ProxyTicket,
|
ProxyTicket,
|
||||||
self.target_service,
|
self.target_service,
|
||||||
pattern,
|
pattern,
|
||||||
renew=False)
|
renew=False)
|
||||||
|
|
@ -566,9 +569,9 @@ class Proxy(View):
|
||||||
{'ticket':pticket.value},
|
{'ticket':pticket.value},
|
||||||
content_type="text/xml; charset=utf-8"
|
content_type="text/xml; charset=utf-8"
|
||||||
)
|
)
|
||||||
except models.ProxyGrantingTicket.DoesNotExist:
|
except ProxyGrantingTicket.DoesNotExist:
|
||||||
raise ValidateError('INVALID_TICKET', 'PGT not found')
|
raise ValidateError('INVALID_TICKET', 'PGT not found')
|
||||||
except models.ServicePattern.DoesNotExist:
|
except ServicePattern.DoesNotExist:
|
||||||
raise ValidateError('UNAUTHORIZED_SERVICE')
|
raise ValidateError('UNAUTHORIZED_SERVICE')
|
||||||
except (models.BadUsername, models.BadFilter, models.UserFieldNotDefined):
|
except (models.BadUsername, models.BadFilter, models.UserFieldNotDefined):
|
||||||
raise ValidateError(
|
raise ValidateError(
|
||||||
|
|
@ -636,7 +639,7 @@ class SamlValidate(View, AttributesMixin):
|
||||||
try:
|
try:
|
||||||
self.ticket = self.process_ticket()
|
self.ticket = self.process_ticket()
|
||||||
expire_instant = (self.ticket.creation + \
|
expire_instant = (self.ticket.creation + \
|
||||||
timedelta(seconds=settings.CAS_TICKET_VALIDITY)).isoformat()
|
timedelta(seconds=self.ticket.VALIDITY)).isoformat()
|
||||||
attributes = self.attributes()
|
attributes = self.attributes()
|
||||||
params = {
|
params = {
|
||||||
'IssueInstant':timezone.now().isoformat(),
|
'IssueInstant':timezone.now().isoformat(),
|
||||||
|
|
@ -665,17 +668,17 @@ class SamlValidate(View, AttributesMixin):
|
||||||
try:
|
try:
|
||||||
auth_req = self.root.getchildren()[1].getchildren()[0]
|
auth_req = self.root.getchildren()[1].getchildren()[0]
|
||||||
ticket = auth_req.getchildren()[0].text
|
ticket = auth_req.getchildren()[0].text
|
||||||
if ticket.startswith(models.ServiceTicket.PREFIX):
|
if ticket.startswith(ServiceTicket.PREFIX):
|
||||||
ticket = models.ServiceTicket.objects.get(
|
ticket = ServiceTicket.objects.get(
|
||||||
value=ticket,
|
value=ticket,
|
||||||
validate=False,
|
validate=False,
|
||||||
creation__gt=(timezone.now() - timedelta(seconds=settings.CAS_TICKET_VALIDITY))
|
creation__gt=(timezone.now() - timedelta(seconds=ServiceTicket.VALIDITY))
|
||||||
)
|
)
|
||||||
elif ticket.startswith(models.ProxyTicket.PREFIX):
|
elif ticket.startswith(ProxyTicket.PREFIX):
|
||||||
ticket = models.ProxyTicket.objects.get(
|
ticket = ProxyTicket.objects.get(
|
||||||
value=ticket,
|
value=ticket,
|
||||||
validate=False,
|
validate=False,
|
||||||
creation__gt=(timezone.now() - timedelta(seconds=settings.CAS_TICKET_VALIDITY))
|
creation__gt=(timezone.now() - timedelta(seconds=ProxyTicket.VALIDITY))
|
||||||
)
|
)
|
||||||
else:
|
else:
|
||||||
raise SamlValidateError(
|
raise SamlValidateError(
|
||||||
|
|
@ -692,5 +695,5 @@ class SamlValidate(View, AttributesMixin):
|
||||||
return ticket
|
return ticket
|
||||||
except (IndexError, KeyError):
|
except (IndexError, KeyError):
|
||||||
raise SamlValidateError('VersionMismatch')
|
raise SamlValidateError('VersionMismatch')
|
||||||
except (models.ServiceTicket.DoesNotExist, models.ProxyTicket.DoesNotExist):
|
except (ServiceTicket.DoesNotExist, ProxyTicket.DoesNotExist):
|
||||||
raise SamlValidateError('AuthnFailed', 'ticket not found')
|
raise SamlValidateError('AuthnFailed', 'ticket not found')
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue