1097 lines
42 KiB
Python
1097 lines
42 KiB
Python
# -*- coding: utf-8 -*-
|
|
# This program is distributed in the hope that it will be useful, but WITHOUT
|
|
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
|
# FOR A PARTICULAR PURPOSE. See the GNU General Public License version 3 for
|
|
# more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License version 3
|
|
# along with this program; if not, write to the Free Software Foundation, Inc., 51
|
|
# Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
|
#
|
|
# (c) 2015-2016 Valentin Samir
|
|
"""models for the app"""
|
|
from .default_settings import settings, SessionStore
|
|
|
|
from django.db import models
|
|
from django.db.models import Q
|
|
from django.contrib import messages
|
|
from django.utils.translation import ugettext_lazy as _
|
|
from django.utils import timezone
|
|
from django.utils.encoding import python_2_unicode_compatible
|
|
from django.core.mail import send_mail
|
|
|
|
import re
|
|
import sys
|
|
import smtplib
|
|
import logging
|
|
from datetime import timedelta
|
|
from concurrent.futures import ThreadPoolExecutor
|
|
from requests_futures.sessions import FuturesSession
|
|
|
|
from cas_server import utils
|
|
from . import VERSION
|
|
|
|
#: logger facility
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
|
class JsonAttributes(models.Model):
|
|
"""
|
|
Bases: :class:`django.db.models.Model`
|
|
|
|
A base class for models storing attributes as a json
|
|
"""
|
|
|
|
class Meta:
|
|
abstract = True
|
|
|
|
#: The attributes json encoded
|
|
_attributs = models.TextField(default=None, null=True, blank=True)
|
|
|
|
@property
|
|
def attributs(self):
|
|
"""The attributes"""
|
|
if self._attributs is not None:
|
|
return utils.json.loads(self._attributs)
|
|
|
|
@attributs.setter
|
|
def attributs(self, value):
|
|
"""attributs property setter"""
|
|
self._attributs = utils.json_encode(value)
|
|
|
|
|
|
@python_2_unicode_compatible
|
|
class FederatedIendityProvider(models.Model):
|
|
"""
|
|
Bases: :class:`django.db.models.Model`
|
|
|
|
An identity provider for the federated mode
|
|
"""
|
|
class Meta:
|
|
verbose_name = _(u"identity provider")
|
|
verbose_name_plural = _(u"identity providers")
|
|
#: Suffix append to backend CAS returned username: ``returned_username`` @ ``suffix``.
|
|
#: it must be unique.
|
|
suffix = models.CharField(
|
|
max_length=30,
|
|
unique=True,
|
|
verbose_name=_(u"suffix"),
|
|
help_text=_(
|
|
u"Suffix append to backend CAS returned "
|
|
u"username: ``returned_username`` @ ``suffix``."
|
|
)
|
|
)
|
|
#: URL to the root of the CAS server application. If login page is
|
|
#: https://cas.example.net/cas/login then :attr:`server_url` should be
|
|
#: https://cas.example.net/cas/
|
|
server_url = models.CharField(max_length=255, verbose_name=_(u"server url"))
|
|
#: Version of the CAS protocol to use when sending requests the the backend CAS.
|
|
cas_protocol_version = models.CharField(
|
|
max_length=30,
|
|
choices=[
|
|
("1", "CAS 1.0"),
|
|
("2", "CAS 2.0"),
|
|
("3", "CAS 3.0"),
|
|
("CAS_2_SAML_1_0", "SAML 1.1")
|
|
],
|
|
verbose_name=_(u"CAS protocol version"),
|
|
help_text=_(
|
|
u"Version of the CAS protocol to use when sending requests the the backend CAS."
|
|
),
|
|
default="3"
|
|
)
|
|
#: Name for this identity provider displayed on the login page.
|
|
verbose_name = models.CharField(
|
|
max_length=255,
|
|
verbose_name=_(u"verbose name"),
|
|
help_text=_(u"Name for this identity provider displayed on the login page.")
|
|
)
|
|
#: Position of the identity provider on the login page. Identity provider are sorted using the
|
|
#: (:attr:`pos`, :attr:`verbose_name`, :attr:`suffix`) attributes.
|
|
pos = models.IntegerField(
|
|
default=100,
|
|
verbose_name=_(u"position"),
|
|
help_text=_(
|
|
(
|
|
u"Position of the identity provider on the login page. "
|
|
u"Identity provider are sorted using the "
|
|
u"(position, verbose name, suffix) attributes."
|
|
)
|
|
)
|
|
)
|
|
#: Display the provider on the login page. Beware that this do not disable the identity
|
|
#: provider, it just hide it on the login page. User will always be able to log in using this
|
|
#: provider by fetching ``/federate/suffix``.
|
|
display = models.BooleanField(
|
|
default=True,
|
|
verbose_name=_(u"display"),
|
|
help_text=_("Display the provider on the login page.")
|
|
)
|
|
|
|
def __str__(self):
|
|
return self.verbose_name
|
|
|
|
@staticmethod
|
|
def build_username_from_suffix(username, suffix):
|
|
"""
|
|
Transform backend username into federated username using ``suffix``
|
|
|
|
:param unicode username: A CAS backend returned username
|
|
:param unicode suffix: A suffix identifying the CAS backend
|
|
:return: The federated username: ``username`` @ ``suffix``.
|
|
:rtype: unicode
|
|
"""
|
|
return u'%s@%s' % (username, suffix)
|
|
|
|
def build_username(self, username):
|
|
"""
|
|
Transform backend username into federated username
|
|
|
|
:param unicode username: A CAS backend returned username
|
|
:return: The federated username: ``username`` @ :attr:`suffix`.
|
|
:rtype: unicode
|
|
"""
|
|
return u'%s@%s' % (username, self.suffix)
|
|
|
|
|
|
@python_2_unicode_compatible
|
|
class FederatedUser(JsonAttributes):
|
|
"""
|
|
Bases: :class:`JsonAttributes`
|
|
|
|
A federated user as returner by a CAS provider (username and attributes)
|
|
"""
|
|
class Meta:
|
|
unique_together = ("username", "provider")
|
|
verbose_name = _("Federated user")
|
|
verbose_name_plural = _("Federated users")
|
|
#: The user username returned by the CAS backend on successful ticket validation
|
|
username = models.CharField(max_length=124)
|
|
#: A foreign key to :class:`FederatedIendityProvider`
|
|
provider = models.ForeignKey(FederatedIendityProvider, on_delete=models.CASCADE)
|
|
#: The last ticket used to authenticate :attr:`username` against :attr:`provider`
|
|
ticket = models.CharField(max_length=255)
|
|
#: Last update timespampt. Usually, the last time :attr:`ticket` has been set.
|
|
last_update = models.DateTimeField(auto_now=True)
|
|
|
|
def __str__(self):
|
|
return self.federated_username
|
|
|
|
@property
|
|
def federated_username(self):
|
|
"""The federated username with a suffix for the current :class:`FederatedUser`."""
|
|
return self.provider.build_username(self.username)
|
|
|
|
@classmethod
|
|
def get_from_federated_username(cls, username):
|
|
"""
|
|
:return: A :class:`FederatedUser` object from a federated ``username``
|
|
:rtype: :class:`FederatedUser`
|
|
"""
|
|
if username is None:
|
|
raise cls.DoesNotExist()
|
|
else:
|
|
component = username.split('@')
|
|
username = '@'.join(component[:-1])
|
|
suffix = component[-1]
|
|
try:
|
|
provider = FederatedIendityProvider.objects.get(suffix=suffix)
|
|
return cls.objects.get(username=username, provider=provider)
|
|
except FederatedIendityProvider.DoesNotExist:
|
|
raise cls.DoesNotExist()
|
|
|
|
@classmethod
|
|
def clean_old_entries(cls):
|
|
"""remove old unused :class:`FederatedUser`"""
|
|
federated_users = cls.objects.filter(
|
|
last_update__lt=(timezone.now() - timedelta(seconds=settings.CAS_TICKET_TIMEOUT))
|
|
)
|
|
known_users = {user.username for user in User.objects.all()}
|
|
for user in federated_users:
|
|
if user.federated_username not in known_users:
|
|
user.delete()
|
|
|
|
|
|
class FederateSLO(models.Model):
|
|
"""
|
|
Bases: :class:`django.db.models.Model`
|
|
|
|
An association between a CAS provider ticket and a (username, session) for processing SLO
|
|
"""
|
|
class Meta:
|
|
unique_together = ("username", "session_key", "ticket")
|
|
#: the federated username with the ``@``component
|
|
username = models.CharField(max_length=30)
|
|
#: the session key for the session :attr:`username` has been authenticated using :attr:`ticket`
|
|
session_key = models.CharField(max_length=40, blank=True, null=True)
|
|
#: The ticket used to authenticate :attr:`username`
|
|
ticket = models.CharField(max_length=255, db_index=True)
|
|
|
|
@classmethod
|
|
def clean_deleted_sessions(cls):
|
|
"""remove old :class:`FederateSLO` object for which the session do not exists anymore"""
|
|
for federate_slo in cls.objects.all():
|
|
if not SessionStore(session_key=federate_slo.session_key).get('authenticated'):
|
|
federate_slo.delete()
|
|
|
|
|
|
@python_2_unicode_compatible
|
|
class UserAttributes(JsonAttributes):
|
|
"""
|
|
Bases: :class:`JsonAttributes`
|
|
|
|
Local cache of the user attributes, used then needed
|
|
"""
|
|
class Meta:
|
|
verbose_name = _("User attributes cache")
|
|
verbose_name_plural = _("User attributes caches")
|
|
#: The username of the user for which we cache attributes
|
|
username = models.CharField(max_length=155, unique=True)
|
|
|
|
def __str__(self):
|
|
return self.username
|
|
|
|
@classmethod
|
|
def clean_old_entries(cls):
|
|
"""Remove :class:`UserAttributes` for which no more :class:`User` exists."""
|
|
for user in cls.objects.all():
|
|
if User.objects.filter(username=user.username).count() == 0:
|
|
user.delete()
|
|
|
|
|
|
@python_2_unicode_compatible
|
|
class User(models.Model):
|
|
"""
|
|
Bases: :class:`django.db.models.Model`
|
|
|
|
A user logged into the CAS
|
|
"""
|
|
class Meta:
|
|
unique_together = ("username", "session_key")
|
|
verbose_name = _("User")
|
|
verbose_name_plural = _("Users")
|
|
#: The session key of the current authenticated user
|
|
session_key = models.CharField(max_length=40, blank=True, null=True)
|
|
#: The username of the current authenticated user
|
|
username = models.CharField(max_length=250)
|
|
#: Last time the authenticated user has do something (auth, fetch ticket, etc…)
|
|
date = models.DateTimeField(auto_now=True)
|
|
#: last time the user logged
|
|
last_login = models.DateTimeField(auto_now_add=True)
|
|
|
|
def delete(self, *args, **kwargs):
|
|
"""
|
|
Remove the current :class:`User`. If ``settings.CAS_FEDERATE`` is ``True``, also delete
|
|
the corresponding :class:`FederateSLO` object.
|
|
"""
|
|
if settings.CAS_FEDERATE:
|
|
FederateSLO.objects.filter(
|
|
username=self.username,
|
|
session_key=self.session_key
|
|
).delete()
|
|
super(User, self).delete(*args, **kwargs)
|
|
|
|
@classmethod
|
|
def clean_old_entries(cls):
|
|
"""
|
|
Remove :class:`User` objects inactive since more that
|
|
:django:setting:`SESSION_COOKIE_AGE` and send corresponding SingleLogOut requests.
|
|
"""
|
|
filter = Q(date__lt=(timezone.now() - timedelta(seconds=settings.SESSION_COOKIE_AGE)))
|
|
if settings.CAS_TGT_VALIDITY is not None:
|
|
filter |= Q(
|
|
last_login__lt=(timezone.now() - timedelta(seconds=settings.CAS_TGT_VALIDITY))
|
|
)
|
|
users = cls.objects.filter(filter)
|
|
for user in users:
|
|
user.logout()
|
|
users.delete()
|
|
|
|
@classmethod
|
|
def clean_deleted_sessions(cls):
|
|
"""Remove :class:`User` objects where the corresponding session do not exists anymore."""
|
|
for user in cls.objects.all():
|
|
if not SessionStore(session_key=user.session_key).get('authenticated'):
|
|
user.logout()
|
|
user.delete()
|
|
|
|
@property
|
|
def attributs(self):
|
|
"""
|
|
Property.
|
|
A fresh :class:`dict` for the user attributes, using ``settings.CAS_AUTH_CLASS`` if
|
|
possible, and if not, try to fallback to cached attributes (actually only used for ldap
|
|
auth class with bind password check mthode).
|
|
"""
|
|
try:
|
|
return utils.import_attr(settings.CAS_AUTH_CLASS)(self.username).attributs()
|
|
except NotImplementedError:
|
|
try:
|
|
user = UserAttributes.objects.get(username=self.username)
|
|
attributes = user.attributs
|
|
if attributes is not None:
|
|
return attributes
|
|
else:
|
|
return {}
|
|
except UserAttributes.DoesNotExist:
|
|
return {}
|
|
|
|
def __str__(self):
|
|
return u"%s - %s" % (self.username, self.session_key)
|
|
|
|
def logout(self, request=None):
|
|
"""
|
|
Send SLO requests to all services the user is logged in.
|
|
|
|
:param request: The current django HttpRequest to display possible failure to the user.
|
|
:type request: :class:`django.http.HttpRequest` or :obj:`NoneType<types.NoneType>`
|
|
"""
|
|
ticket_classes = [ProxyGrantingTicket, ServiceTicket, ProxyTicket]
|
|
for error in Ticket.send_slos(
|
|
[ticket_class.objects.filter(user=self) for ticket_class in ticket_classes]
|
|
):
|
|
logger.warning(
|
|
"Error during SLO for user %s: %s" % (
|
|
self.username,
|
|
error
|
|
)
|
|
)
|
|
if request is not None:
|
|
error = utils.unpack_nested_exception(error)
|
|
messages.add_message(
|
|
request,
|
|
messages.WARNING,
|
|
_(u'Error during service logout %s') % error
|
|
)
|
|
|
|
def get_ticket(self, ticket_class, service, service_pattern, renew):
|
|
"""
|
|
Generate a ticket using ``ticket_class`` for the service
|
|
``service`` matching ``service_pattern`` and asking or not for
|
|
authentication renewal with ``renew``
|
|
|
|
:param type ticket_class: :class:`ServiceTicket` or :class:`ProxyTicket` or
|
|
:class:`ProxyGrantingTicket`.
|
|
:param unicode service: The service url for which we want a ticket.
|
|
:param ServicePattern service_pattern: The service pattern matching ``service``.
|
|
Beware that ``service`` must match :attr:`ServicePattern.pattern` and the current
|
|
:class:`User` must pass :meth:`ServicePattern.check_user`. These checks are not done
|
|
here and you must perform them before calling this method.
|
|
:param bool renew: Should be ``True`` if authentication has been renewed. Must be
|
|
``False`` otherwise.
|
|
:return: A :class:`Ticket` object.
|
|
:rtype: :class:`ServiceTicket` or :class:`ProxyTicket` or
|
|
:class:`ProxyGrantingTicket`.
|
|
"""
|
|
attributs = dict(
|
|
(a.name, a.replace if a.replace else a.name) for a in service_pattern.attributs.all()
|
|
)
|
|
replacements = dict(
|
|
(a.attribut, (a.pattern, a.replace)) for a in service_pattern.replacements.all()
|
|
)
|
|
service_attributs = {}
|
|
for (key, value) in self.attributs.items():
|
|
if key in attributs or '*' in attributs:
|
|
if key in replacements:
|
|
if isinstance(value, list):
|
|
for index, subval in enumerate(value):
|
|
value[index] = re.sub(
|
|
replacements[key][0],
|
|
replacements[key][1],
|
|
subval
|
|
)
|
|
else:
|
|
value = re.sub(replacements[key][0], replacements[key][1], value)
|
|
service_attributs[attributs.get(key, key)] = value
|
|
ticket = ticket_class.objects.create(
|
|
user=self,
|
|
attributs=service_attributs,
|
|
service=service,
|
|
renew=renew,
|
|
service_pattern=service_pattern,
|
|
single_log_out=service_pattern.single_log_out
|
|
)
|
|
ticket.save()
|
|
self.save()
|
|
return ticket
|
|
|
|
def get_service_url(self, service, service_pattern, renew):
|
|
"""
|
|
Return the url to which the user must be redirected to
|
|
after a Service Ticket has been generated
|
|
|
|
:param unicode service: The service url for which we want a ticket.
|
|
:param ServicePattern service_pattern: The service pattern matching ``service``.
|
|
Beware that ``service`` must match :attr:`ServicePattern.pattern` and the current
|
|
:class:`User` must pass :meth:`ServicePattern.check_user`. These checks are not done
|
|
here and you must perform them before calling this method.
|
|
:param bool renew: Should be ``True`` if authentication has been renewed. Must be
|
|
``False`` otherwise.
|
|
:return unicode: The service url with the ticket GET param added.
|
|
:rtype: unicode
|
|
"""
|
|
ticket = self.get_ticket(ServiceTicket, service, service_pattern, renew)
|
|
url = utils.update_url(service, {'ticket': ticket.value})
|
|
logger.info("Service ticket created for service %s by user %s." % (service, self.username))
|
|
return url
|
|
|
|
|
|
class ServicePatternException(Exception):
|
|
"""
|
|
Bases: :class:`exceptions.Exception`
|
|
|
|
Base exception of exceptions raised in the ServicePattern model"""
|
|
pass
|
|
|
|
|
|
class BadUsername(ServicePatternException):
|
|
"""
|
|
Bases: :class:`ServicePatternException`
|
|
|
|
Exception raised then an non allowed username try to get a ticket for a service
|
|
"""
|
|
pass
|
|
|
|
|
|
class BadFilter(ServicePatternException):
|
|
"""
|
|
Bases: :class:`ServicePatternException`
|
|
|
|
Exception raised then a user try to get a ticket for a service and do not reach a condition
|
|
"""
|
|
pass
|
|
|
|
|
|
class UserFieldNotDefined(ServicePatternException):
|
|
"""
|
|
Bases: :class:`ServicePatternException`
|
|
|
|
Exception raised then a user try to get a ticket for a service using as username
|
|
an attribut not present on this user
|
|
"""
|
|
pass
|
|
|
|
|
|
@python_2_unicode_compatible
|
|
class ServicePattern(models.Model):
|
|
"""
|
|
Bases: :class:`django.db.models.Model`
|
|
|
|
Allowed services pattern against services are tested to
|
|
"""
|
|
class Meta:
|
|
ordering = ("pos", )
|
|
verbose_name = _("Service pattern")
|
|
verbose_name_plural = _("Services patterns")
|
|
|
|
#: service patterns are sorted using the :attr:`pos` attribute
|
|
pos = models.IntegerField(
|
|
default=100,
|
|
verbose_name=_(u"position"),
|
|
help_text=_(u"service patterns are sorted using the position attribute")
|
|
)
|
|
#: A name for the service (this can bedisplayed to the user on the login page)
|
|
name = models.CharField(
|
|
max_length=255,
|
|
unique=True,
|
|
blank=True,
|
|
null=True,
|
|
verbose_name=_(u"name"),
|
|
help_text=_(u"A name for the service")
|
|
)
|
|
#: A regular expression matching services. "Will usually looks like
|
|
#: '^https://some\\.server\\.com/path/.*$'. As it is a regular expression, special character
|
|
#: must be escaped with a '\\'.
|
|
pattern = models.CharField(
|
|
max_length=255,
|
|
unique=True,
|
|
verbose_name=_(u"pattern"),
|
|
help_text=_(
|
|
"A regular expression matching services. "
|
|
"Will usually looks like '^https://some\\.server\\.com/path/.*$'."
|
|
"As it is a regular expression, special character must be escaped with a '\\'."
|
|
),
|
|
validators=[utils.regexpr_validator]
|
|
)
|
|
#: Name of the attribute to transmit as username, if empty the user login is used
|
|
user_field = models.CharField(
|
|
max_length=255,
|
|
default="",
|
|
blank=True,
|
|
verbose_name=_(u"user field"),
|
|
help_text=_("Name of the attribute to transmit as username, empty = login")
|
|
)
|
|
#: A boolean allowing to limit username allowed to connect to :attr:`usernames`.
|
|
restrict_users = models.BooleanField(
|
|
default=False,
|
|
verbose_name=_(u"restrict username"),
|
|
help_text=_("Limit username allowed to connect to the list provided bellow")
|
|
)
|
|
#: A boolean allowing to deliver :class:`ProxyTicket` to the service.
|
|
proxy = models.BooleanField(
|
|
default=False,
|
|
verbose_name=_(u"proxy"),
|
|
help_text=_("Proxy tickets can be delivered to the service")
|
|
)
|
|
#: A boolean allowing the service to be used as a proxy callback (via the pgtUrl GET param)
|
|
#: to deliver :class:`ProxyGrantingTicket`.
|
|
proxy_callback = models.BooleanField(
|
|
default=False,
|
|
verbose_name=_(u"proxy callback"),
|
|
help_text=_("can be used as a proxy callback to deliver PGT")
|
|
)
|
|
#: Enable SingleLogOut for the service. Old validaed tickets for the service will be kept
|
|
#: until ``settings.CAS_TICKET_TIMEOUT`` after what a SLO request is send to the service and
|
|
#: the ticket is purged from database. A SLO can be send earlier if the user log-out.
|
|
single_log_out = models.BooleanField(
|
|
default=False,
|
|
verbose_name=_(u"single log out"),
|
|
help_text=_("Enable SLO for the service")
|
|
)
|
|
#: An URL where the SLO request will be POST. If empty the service url will be used.
|
|
#: This is usefull for non HTTP proxied services like smtp or imap.
|
|
single_log_out_callback = models.CharField(
|
|
max_length=255,
|
|
default="",
|
|
blank=True,
|
|
verbose_name=_(u"single log out callback"),
|
|
help_text=_(u"URL where the SLO request will be POST. empty = service url\n"
|
|
u"This is usefull for non HTTP proxied services.")
|
|
)
|
|
|
|
def __str__(self):
|
|
return u"%s: %s" % (self.pos, self.pattern)
|
|
|
|
def check_user(self, user):
|
|
"""
|
|
Check if ``user`` if allowed to use theses services. If ``user`` is not allowed,
|
|
raises one of :class:`BadFilter`, :class:`UserFieldNotDefined`, :class:`BadUsername`
|
|
|
|
:param User user: a :class:`User` object
|
|
:raises BadUsername: if :attr:`restrict_users` if ``True`` and :attr:`User.username`
|
|
is not within :attr:`usernames`.
|
|
:raises BadFilter: if a :class:`FilterAttributValue` condition of :attr:`filters`
|
|
connot be verified.
|
|
:raises UserFieldNotDefined: if :attr:`user_field` is defined and its value is not
|
|
within :attr:`User.attributs`.
|
|
:return: ``True``
|
|
:rtype: bool
|
|
"""
|
|
if self.restrict_users and not self.usernames.filter(value=user.username):
|
|
logger.warning("Username %s not allowed on service %s" % (user.username, self.name))
|
|
raise BadUsername()
|
|
for filtre in self.filters.all():
|
|
if isinstance(user.attributs.get(filtre.attribut, []), list):
|
|
attrs = user.attributs.get(filtre.attribut, [])
|
|
else:
|
|
attrs = [user.attributs[filtre.attribut]]
|
|
for value in attrs:
|
|
if re.match(filtre.pattern, str(value)):
|
|
break
|
|
else:
|
|
bad_filter = (filtre.pattern, filtre.attribut, user.attributs.get(filtre.attribut))
|
|
logger.warning(
|
|
"User constraint failed for %s, service %s: %s do not match %s %s." % (
|
|
(user.username, self.name) + bad_filter
|
|
)
|
|
)
|
|
raise BadFilter('%s do not match %s %s' % bad_filter)
|
|
if self.user_field and not user.attributs.get(self.user_field):
|
|
logger.warning(
|
|
"Cannot use %s a loggin for user %s on service %s because it is absent" % (
|
|
self.user_field,
|
|
user.username,
|
|
self.name
|
|
)
|
|
)
|
|
raise UserFieldNotDefined()
|
|
return True
|
|
|
|
@classmethod
|
|
def validate(cls, service):
|
|
"""
|
|
Get a :class:`ServicePattern` intance from a service url.
|
|
|
|
:param unicode service: A service url
|
|
:return: A :class:`ServicePattern` instance matching ``service``.
|
|
:rtype: :class:`ServicePattern`
|
|
:raises ServicePattern.DoesNotExist: if no :class:`ServicePattern` is matching
|
|
``service``.
|
|
"""
|
|
for service_pattern in cls.objects.all().order_by('pos'):
|
|
if re.match(service_pattern.pattern, service):
|
|
return service_pattern
|
|
logger.warning("Service %s not allowed." % service)
|
|
raise cls.DoesNotExist()
|
|
|
|
|
|
@python_2_unicode_compatible
|
|
class Username(models.Model):
|
|
"""
|
|
Bases: :class:`django.db.models.Model`
|
|
|
|
A list of allowed usernames on a :class:`ServicePattern`
|
|
"""
|
|
#: username allowed to connect to the service
|
|
value = models.CharField(
|
|
max_length=255,
|
|
verbose_name=_(u"username"),
|
|
help_text=_(u"username allowed to connect to the service")
|
|
)
|
|
#: ForeignKey to a :class:`ServicePattern`. :class:`Username` instances for a
|
|
#: :class:`ServicePattern` are accessible thought its :attr:`ServicePattern.usernames`
|
|
#: attribute.
|
|
service_pattern = models.ForeignKey(ServicePattern, related_name="usernames")
|
|
|
|
def __str__(self):
|
|
return self.value
|
|
|
|
|
|
@python_2_unicode_compatible
|
|
class ReplaceAttributName(models.Model):
|
|
"""
|
|
Bases: :class:`django.db.models.Model`
|
|
|
|
A replacement of an attribute name for a :class:`ServicePattern`. It also tell to transmit
|
|
an attribute of :attr:`User.attributs` to the service. An empty :attr:`replace` mean
|
|
to use the original attribute name.
|
|
"""
|
|
class Meta:
|
|
unique_together = ('name', 'replace', 'service_pattern')
|
|
#: Name the attribute: a key of :attr:`User.attributs`
|
|
name = models.CharField(
|
|
max_length=255,
|
|
verbose_name=_(u"name"),
|
|
help_text=_(u"name of an attribute to send to the service, use * for all attributes")
|
|
)
|
|
#: The name of the attribute to transmit to the service. If empty, the value of :attr:`name`
|
|
#: is used.
|
|
replace = models.CharField(
|
|
max_length=255,
|
|
blank=True,
|
|
verbose_name=_(u"replace"),
|
|
help_text=_(u"name under which the attribute will be show "
|
|
u"to the service. empty = default name of the attribut")
|
|
)
|
|
#: ForeignKey to a :class:`ServicePattern`. :class:`ReplaceAttributName` instances for a
|
|
#: :class:`ServicePattern` are accessible thought its :attr:`ServicePattern.attributs`
|
|
#: attribute.
|
|
service_pattern = models.ForeignKey(ServicePattern, related_name="attributs")
|
|
|
|
def __str__(self):
|
|
if not self.replace:
|
|
return self.name
|
|
else:
|
|
return u"%s → %s" % (self.name, self.replace)
|
|
|
|
|
|
@python_2_unicode_compatible
|
|
class FilterAttributValue(models.Model):
|
|
"""
|
|
Bases: :class:`django.db.models.Model`
|
|
|
|
A filter on :attr:`User.attributs` for a :class:`ServicePattern`. If a :class:`User` do not
|
|
have an attribute :attr:`attribut` or its value do not match :attr:`pattern`, then
|
|
:meth:`ServicePattern.check_user` will raises :class:`BadFilter` if called with that user.
|
|
"""
|
|
#: The name of a user attribute
|
|
attribut = models.CharField(
|
|
max_length=255,
|
|
verbose_name=_(u"attribute"),
|
|
help_text=_(u"Name of the attribute which must verify pattern")
|
|
)
|
|
#: A regular expression the attribute :attr:`attribut` value must verify. If :attr:`attribut`
|
|
#: if a list, only one of the list values needs to match.
|
|
pattern = models.CharField(
|
|
max_length=255,
|
|
verbose_name=_(u"pattern"),
|
|
help_text=_(u"a regular expression"),
|
|
validators=[utils.regexpr_validator]
|
|
)
|
|
#: ForeignKey to a :class:`ServicePattern`. :class:`FilterAttributValue` instances for a
|
|
#: :class:`ServicePattern` are accessible thought its :attr:`ServicePattern.filters`
|
|
#: attribute.
|
|
service_pattern = models.ForeignKey(ServicePattern, related_name="filters")
|
|
|
|
def __str__(self):
|
|
return u"%s %s" % (self.attribut, self.pattern)
|
|
|
|
|
|
@python_2_unicode_compatible
|
|
class ReplaceAttributValue(models.Model):
|
|
"""
|
|
Bases: :class:`django.db.models.Model`
|
|
|
|
A replacement (using a regular expression) of an attribute value for a
|
|
:class:`ServicePattern`.
|
|
"""
|
|
#: Name the attribute: a key of :attr:`User.attributs`
|
|
attribut = models.CharField(
|
|
max_length=255,
|
|
verbose_name=_(u"attribute"),
|
|
help_text=_(u"Name of the attribute for which the value must be replace")
|
|
)
|
|
#: A regular expression matching the part of the attribute value that need to be changed
|
|
pattern = models.CharField(
|
|
max_length=255,
|
|
verbose_name=_(u"pattern"),
|
|
help_text=_(u"An regular expression maching whats need to be replaced"),
|
|
validators=[utils.regexpr_validator]
|
|
)
|
|
#: The replacement to what is mached by :attr:`pattern`. groups are capture by \\1, \\2 …
|
|
replace = models.CharField(
|
|
max_length=255,
|
|
blank=True,
|
|
verbose_name=_(u"replace"),
|
|
help_text=_(u"replace expression, groups are capture by \\1, \\2 …")
|
|
)
|
|
#: ForeignKey to a :class:`ServicePattern`. :class:`ReplaceAttributValue` instances for a
|
|
#: :class:`ServicePattern` are accessible thought its :attr:`ServicePattern.replacements`
|
|
#: attribute.
|
|
service_pattern = models.ForeignKey(ServicePattern, related_name="replacements")
|
|
|
|
def __str__(self):
|
|
return u"%s %s %s" % (self.attribut, self.pattern, self.replace)
|
|
|
|
|
|
@python_2_unicode_compatible
|
|
class Ticket(JsonAttributes):
|
|
"""
|
|
Bases: :class:`JsonAttributes`
|
|
|
|
Generic class for a Ticket
|
|
"""
|
|
class Meta:
|
|
abstract = True
|
|
#: ForeignKey to a :class:`User`.
|
|
user = models.ForeignKey(User, related_name="%(class)s")
|
|
#: A boolean. ``True`` if the ticket has been validated
|
|
validate = models.BooleanField(default=False)
|
|
#: The service url for the ticket
|
|
service = models.TextField()
|
|
#: ForeignKey to a :class:`ServicePattern`. The :class:`ServicePattern` corresponding to
|
|
#: :attr:`service`. Use :meth:`ServicePattern.validate` to find it.
|
|
service_pattern = models.ForeignKey(ServicePattern, related_name="%(class)s")
|
|
#: Date of the ticket creation
|
|
creation = models.DateTimeField(auto_now_add=True)
|
|
#: A boolean. ``True`` if the user has just renew his authentication
|
|
renew = models.BooleanField(default=False)
|
|
#: A boolean. Set to :attr:`service_pattern` attribute
|
|
#: :attr:`ServicePattern.single_log_out` value.
|
|
single_log_out = models.BooleanField(default=False)
|
|
|
|
#: Max duration between ticket creation and its validation. Any validation attempt for the
|
|
#: ticket after :attr:`creation` + VALIDITY will fail as if the ticket do not exists.
|
|
VALIDITY = settings.CAS_TICKET_VALIDITY
|
|
#: Time we keep ticket with :attr:`single_log_out` set to ``True`` before sending SingleLogOut
|
|
#: requests.
|
|
TIMEOUT = settings.CAS_TICKET_TIMEOUT
|
|
|
|
class DoesNotExist(Exception):
|
|
"""raised in :meth:`Ticket.get` then ticket prefix and ticket classes mismatch"""
|
|
pass
|
|
|
|
def __str__(self):
|
|
return u"Ticket-%s" % self.pk
|
|
|
|
@staticmethod
|
|
def send_slos(queryset_list):
|
|
"""
|
|
Send SLO requests to each ticket of each queryset of ``queryset_list``
|
|
|
|
:param list queryset_list: A list a :class:`Ticket` queryset
|
|
:return: A list of possibly encoutered :class:`Exception`
|
|
:rtype: list
|
|
"""
|
|
# sending SLO to timed-out validated tickets
|
|
async_list = []
|
|
session = FuturesSession(
|
|
executor=ThreadPoolExecutor(max_workers=settings.CAS_SLO_MAX_PARALLEL_REQUESTS)
|
|
)
|
|
errors = []
|
|
for queryset in queryset_list:
|
|
for ticket in queryset:
|
|
ticket.logout(session, async_list)
|
|
queryset.delete()
|
|
for future in async_list:
|
|
if future: # pragma: no branch (should always be true)
|
|
try:
|
|
future.result()
|
|
except Exception as error:
|
|
errors.append(error)
|
|
return errors
|
|
|
|
@classmethod
|
|
def clean_old_entries(cls):
|
|
"""Remove old ticket and send SLO to timed-out services"""
|
|
# removing old validated ticket and non validated expired tickets
|
|
cls.objects.filter(
|
|
(
|
|
Q(single_log_out=False) & Q(validate=True)
|
|
) | (
|
|
Q(validate=False) &
|
|
Q(creation__lt=(timezone.now() - timedelta(seconds=cls.VALIDITY)))
|
|
)
|
|
).delete()
|
|
queryset = cls.objects.filter(
|
|
creation__lt=(timezone.now() - timedelta(seconds=cls.TIMEOUT))
|
|
)
|
|
for error in cls.send_slos([queryset]):
|
|
logger.warning("Error durring SLO %s" % error)
|
|
sys.stderr.write("%r\n" % error)
|
|
|
|
def logout(self, session, async_list=None):
|
|
"""Send a SLO request to the ticket service"""
|
|
# On logout invalidate the Ticket
|
|
self.validate = True
|
|
self.save()
|
|
if self.validate and self.single_log_out: # pragma: no branch (should always be true)
|
|
logger.info(
|
|
"Sending SLO requests to service %s for user %s" % (
|
|
self.service,
|
|
self.user.username
|
|
)
|
|
)
|
|
xml = utils.logout_request(self.value)
|
|
if self.service_pattern.single_log_out_callback:
|
|
url = self.service_pattern.single_log_out_callback
|
|
else:
|
|
url = self.service
|
|
async_list.append(
|
|
session.post(
|
|
url.encode('utf-8'),
|
|
data={'logoutRequest': xml.encode('utf-8')},
|
|
timeout=settings.CAS_SLO_TIMEOUT
|
|
)
|
|
)
|
|
|
|
@staticmethod
|
|
def get_class(ticket, classes=None):
|
|
"""
|
|
Return the ticket class of ``ticket``
|
|
|
|
:param unicode ticket: A ticket
|
|
:param list classes: Optinal arguement. A list of possible :class:`Ticket` subclasses
|
|
:return: The class corresponding to ``ticket`` (:class:`ServiceTicket` or
|
|
:class:`ProxyTicket` or :class:`ProxyGrantingTicket`) if found among ``classes,
|
|
``None`` otherwise.
|
|
:rtype: :obj:`type` or :obj:`NoneType<types.NoneType>`
|
|
"""
|
|
if classes is None: # pragma: no cover (not used)
|
|
classes = [ServiceTicket, ProxyTicket, ProxyGrantingTicket]
|
|
for ticket_class in classes:
|
|
if ticket.startswith(ticket_class.PREFIX):
|
|
return ticket_class
|
|
|
|
def username(self):
|
|
"""
|
|
The username to send on ticket validation
|
|
|
|
:return: The value of the corresponding user attribute if
|
|
:attr:`service_pattern`.user_field is set, the user username otherwise.
|
|
"""
|
|
if self.service_pattern.user_field and self.user.attributs.get(
|
|
self.service_pattern.user_field
|
|
):
|
|
username = self.user.attributs[self.service_pattern.user_field]
|
|
if isinstance(username, list):
|
|
# the list is not empty because we wont generate a ticket with a user_field
|
|
# that evaluate to False
|
|
username = username[0]
|
|
else:
|
|
username = self.user.username
|
|
return username
|
|
|
|
def attributs_flat(self):
|
|
"""
|
|
generate attributes list for template rendering
|
|
|
|
:return: An list of (attribute name, attribute value) of all user attributes flatened
|
|
(no nested list)
|
|
:rtype: :obj:`list` of :obj:`tuple` of :obj:`unicode`
|
|
"""
|
|
attributes = []
|
|
for key, value in self.attributs.items():
|
|
if isinstance(value, list):
|
|
for elt in value:
|
|
attributes.append((key, elt))
|
|
else:
|
|
attributes.append((key, value))
|
|
return attributes
|
|
|
|
@classmethod
|
|
def get(cls, ticket, renew=False, service=None):
|
|
"""
|
|
Search the database for a valid ticket with provided arguments
|
|
|
|
:param unicode ticket: A ticket value
|
|
:param bool renew: Is authentication renewal needed
|
|
:param unicode service: Optional argument. The ticket service
|
|
:raises Ticket.DoesNotExist: if no class is found for the ticket prefix
|
|
:raises cls.DoesNotExist: if ``ticket`` value is not found in th database
|
|
:return: a :class:`Ticket` instance
|
|
:rtype: Ticket
|
|
"""
|
|
# If the method class is the ticket abstract class, search for the submited ticket
|
|
# class using its prefix. Assuming ticket is a ProxyTicket or a ServiceTicket
|
|
if cls == Ticket:
|
|
ticket_class = cls.get_class(ticket, classes=[ServiceTicket, ProxyTicket])
|
|
# else use the method class
|
|
else:
|
|
ticket_class = cls
|
|
# If ticket prefix is wrong, raise DoesNotExist
|
|
if cls != Ticket and not ticket.startswith(cls.PREFIX):
|
|
raise Ticket.DoesNotExist()
|
|
if ticket_class:
|
|
# search for the ticket that is not yet validated and is still valid
|
|
ticket_queryset = ticket_class.objects.filter(
|
|
value=ticket,
|
|
validate=False,
|
|
creation__gt=(timezone.now() - timedelta(seconds=ticket_class.VALIDITY))
|
|
)
|
|
# if service is specified, add it the the queryset
|
|
if service is not None:
|
|
ticket_queryset = ticket_queryset.filter(service=service)
|
|
# only require renew if renew is True, otherwise it do not matter if renew is True
|
|
# or False.
|
|
if renew:
|
|
ticket_queryset = ticket_queryset.filter(renew=True)
|
|
# fetch the ticket ``MultipleObjectsReturned`` is never raised as the ticket value
|
|
# is unique across the database
|
|
ticket = ticket_queryset.get()
|
|
# For ServiceTicket and Proxyticket, mark it as validated before returning
|
|
if ticket_class != ProxyGrantingTicket:
|
|
ticket.validate = True
|
|
ticket.save()
|
|
return ticket
|
|
# If no class found for the ticket, raise DoesNotExist
|
|
else:
|
|
raise Ticket.DoesNotExist()
|
|
|
|
|
|
@python_2_unicode_compatible
|
|
class ServiceTicket(Ticket):
|
|
"""
|
|
Bases: :class:`Ticket`
|
|
|
|
A Service Ticket
|
|
"""
|
|
#: The ticket prefix used to differentiate it from other tickets types
|
|
PREFIX = settings.CAS_SERVICE_TICKET_PREFIX
|
|
#: The ticket value
|
|
value = models.CharField(max_length=255, default=utils.gen_st, unique=True)
|
|
|
|
def __str__(self):
|
|
return u"ServiceTicket-%s" % self.pk
|
|
|
|
|
|
@python_2_unicode_compatible
|
|
class ProxyTicket(Ticket):
|
|
"""
|
|
Bases: :class:`Ticket`
|
|
|
|
A Proxy Ticket
|
|
"""
|
|
#: The ticket prefix used to differentiate it from other tickets types
|
|
PREFIX = settings.CAS_PROXY_TICKET_PREFIX
|
|
#: The ticket value
|
|
value = models.CharField(max_length=255, default=utils.gen_pt, unique=True)
|
|
|
|
def __str__(self):
|
|
return u"ProxyTicket-%s" % self.pk
|
|
|
|
|
|
@python_2_unicode_compatible
|
|
class ProxyGrantingTicket(Ticket):
|
|
"""
|
|
Bases: :class:`Ticket`
|
|
|
|
A Proxy Granting Ticket
|
|
"""
|
|
#: The ticket prefix used to differentiate it from other tickets types
|
|
PREFIX = settings.CAS_PROXY_GRANTING_TICKET_PREFIX
|
|
#: ProxyGranting ticket are never validated. However, they can be used during :attr:`VALIDITY`
|
|
#: to get :class:`ProxyTicket` for :attr:`user`
|
|
VALIDITY = settings.CAS_PGT_VALIDITY
|
|
#: The ticket value
|
|
value = models.CharField(max_length=255, default=utils.gen_pgt, unique=True)
|
|
|
|
def __str__(self):
|
|
return u"ProxyGrantingTicket-%s" % self.pk
|
|
|
|
|
|
@python_2_unicode_compatible
|
|
class Proxy(models.Model):
|
|
"""
|
|
Bases: :class:`django.db.models.Model`
|
|
|
|
A list of proxies on :class:`ProxyTicket`
|
|
"""
|
|
class Meta:
|
|
ordering = ("-pk", )
|
|
#: Service url of the PGT used for getting the associated :class:`ProxyTicket`
|
|
url = models.CharField(max_length=255)
|
|
#: ForeignKey to a :class:`ProxyTicket`. :class:`Proxy` instances for a
|
|
#: :class:`ProxyTicket` are accessible thought its :attr:`ProxyTicket.proxies`
|
|
#: attribute.
|
|
proxy_ticket = models.ForeignKey(ProxyTicket, related_name="proxies")
|
|
|
|
def __str__(self):
|
|
return self.url
|
|
|
|
|
|
class NewVersionWarning(models.Model):
|
|
"""
|
|
Bases: :class:`django.db.models.Model`
|
|
|
|
The last new version available version sent
|
|
"""
|
|
version = models.CharField(max_length=255)
|
|
|
|
@classmethod
|
|
def send_mails(cls):
|
|
"""
|
|
For each new django-cas-server version, if the current instance is not up to date
|
|
send one mail to ``settings.ADMINS``.
|
|
"""
|
|
if settings.CAS_NEW_VERSION_EMAIL_WARNING and settings.ADMINS:
|
|
try:
|
|
obj = cls.objects.get()
|
|
except cls.DoesNotExist:
|
|
obj = NewVersionWarning.objects.create(version=VERSION)
|
|
LAST_VERSION = utils.last_version()
|
|
if LAST_VERSION is not None and LAST_VERSION != obj.version:
|
|
if utils.decode_version(VERSION) < utils.decode_version(LAST_VERSION):
|
|
try:
|
|
send_mail(
|
|
(
|
|
'%sA new version of django-cas-server is available'
|
|
) % settings.EMAIL_SUBJECT_PREFIX,
|
|
u'''
|
|
A new version of the django-cas-server is available.
|
|
|
|
Your version: %s
|
|
New version: %s
|
|
|
|
Upgrade using:
|
|
* pip install -U django-cas-server
|
|
* fetching the last release on
|
|
https://github.com/nitmir/django-cas-server/ or on
|
|
https://pypi.python.org/pypi/django-cas-server
|
|
|
|
After upgrade, do not forget to run:
|
|
* ./manage.py migrate
|
|
* ./manage.py collectstatic
|
|
and to reload your wsgi server (apache2, uwsgi, gunicord, etc…)
|
|
|
|
--\u0020
|
|
django-cas-server
|
|
'''.strip() % (VERSION, LAST_VERSION),
|
|
settings.SERVER_EMAIL,
|
|
["%s <%s>" % admin for admin in settings.ADMINS],
|
|
fail_silently=False,
|
|
)
|
|
obj.version = LAST_VERSION
|
|
obj.save()
|
|
except smtplib.SMTPException as error: # pragma: no cover (should not happen)
|
|
logger.error("Unable to send new version mail: %s" % error)
|