Shibboleth login function.
authorAntony Chazapis <chazapis@gmail.com>
Sun, 7 Aug 2011 23:38:41 +0000 (02:38 +0300)
committerAntony Chazapis <chazapis@gmail.com>
Sun, 7 Aug 2011 23:38:41 +0000 (02:38 +0300)
README
docs/source/adminguide.rst
pithos/aai/functions.py
pithos/aai/shibboleth.py
pithos/aai/util.py

diff --git a/README b/README
index f54c1d2..655bd24 100644 (file)
--- a/README
+++ b/README
@@ -18,6 +18,8 @@ Running the server
 ------------------
 
 Enter the pithos dir and run:
+    python manage.py syncdb
+    python manage.py loaddata aai/fixtures/auth_test_data.json (to load sample users)
     python manage.py runserver
 
 This server is useful during development, but should not be used for deployment.
index b4d4cf5..1e5b037 100644 (file)
@@ -20,6 +20,7 @@ Setup the files (choose where to store data in ``settings.py``)::
 
   cd /pithos/pithos
   cp settings.py.dist settings.py
+  python manage.py syncdb
   cd /pithos
   python setup.py build_sphinx
 
@@ -50,6 +51,7 @@ Edit ``/etc/apache2/sites-available/pithos`` (change the ``ServerName`` directiv
        RewriteEngine On
        RewriteRule ^/v(.*) /api/v$1 [PT]
        RewriteRule ^/public(.*) /api/public$1 [PT]
+       RewriteRule ^/login(.*) /api/login$1 [PT]
 
        <Directory /pithos/pithos/wsgi/>
                Order allow,deny
@@ -70,7 +72,7 @@ Edit ``/etc/apache2/sites-available/pithos`` (change the ``ServerName`` directiv
 
   </VirtualHost>
 
-Edit ``/etc/apache2/sites-available/pithos-ssl`` (assuming files in ``/etc/ssl/private/pithos.dev.key`` and ``/etc/ssl/certs/pithos.dev.crt`` - change the ``ServerName`` directive)::
+Edit ``/etc/apache2/sites-available/pithos-ssl`` (assuming files in ``/etc/ssl/private/pithos.dev.grnet.gr.key`` and ``/etc/ssl/certs/pithos.dev.grnet.gr.crt`` - change the ``ServerName`` directive)::
 
   <IfModule mod_ssl.c>
   <VirtualHost _default_:443>
@@ -98,6 +100,7 @@ Edit ``/etc/apache2/sites-available/pithos-ssl`` (assuming files in ``/etc/ssl/p
        RewriteEngine On
        RewriteRule ^/v(.*) /api/v$1 [PT]
        RewriteRule ^/public(.*) /api/public$1 [PT]
+       RewriteRule ^/login(.*) /api/login$1 [PT]
 
         <Directory /pithos/pithos/wsgi/>
                 Order allow,deny
@@ -122,8 +125,8 @@ Edit ``/etc/apache2/sites-available/pithos-ssl`` (assuming files in ``/etc/ssl/p
        #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
-       SSLCertificateFile    /etc/ssl/certs/pithos.dev.crt
-       SSLCertificateKeyFile /etc/ssl/private/pithos.dev.key
+       SSLCertificateFile    /etc/ssl/certs/pithos.dev.grnet.gr.crt
+       SSLCertificateKeyFile /etc/ssl/private/pithos.dev.grnet.gr.key
 
        #   Server Certificate Chain:
        #   Point SSLCertificateChainFile at a file containing the
index 21e9b1a..260ca70 100644 (file)
@@ -35,83 +35,54 @@ from time import time, mktime
 
 from django.conf import settings
 from django.http import HttpResponse, HttpResponseRedirect
+from django.utils.http import urlencode
 from django.utils.cache import patch_vary_headers
 
 from models import PithosUser
 from shibboleth import Tokens, register_shibboleth_user
+from util import create_auth_token
 
 
 def login(request):
-    return HttpResponse('login')
-
-#     # Special case for testing purposes, delivers the cookie for the
-#     # test user on first access
-#     if settings.BYPASS_AUTHENTICATION and \
-#        request.GET.get('test') is not None:
-#         u = PithosUser.objects.get(
-#             auth_token='46e427d657b20defe352804f0eb6f8a2')
-#         return _redirect_shib_auth_user(user = u)
-# 
-#     token = None
-# 
-#     # Try to find token in a cookie
-#     token = request.COOKIES.get('X-Auth-Token', None)
-# 
-#     # Try to find token in request header
-#     if not token:
-#         token = request.META.get('HTTP_X_AUTH_TOKEN', None)
-# 
-#     if token:
-#         # token was found, retrieve user from backing store
-#         try:
-#             user = PithosUser.objects.get(auth_token=token)
-# 
-#         except PithosUser.DoesNotExist:
-#             return HttpResponseRedirect(settings.LOGIN_URL)
-#         # check user's auth token validity
-#         if (time() - mktime(user.auth_token_expires.timetuple())) > 0:
-#             # the user's token has expired, prompt to re-login
-#             return HttpResponseRedirect(settings.LOGIN_URL)
-# 
-#         request.user = user
-#         return
-# 
-#     # token was not found but user authenticated by Shibboleth
-#     if Tokens.SHIB_EPPN in request.META and \
-#        Tokens.SHIB_SESSION_ID in request.META:
-#         try:
-#             user = PithosUser.objects.get(uniq=request.META[Tokens.SHIB_EPPN])
-#             return _redirect_shib_auth_user(user)
-#         except PithosUser.DoesNotExist:
-#             if register_shibboleth_user(request.META):
-#                 user = PithosUser.objects.get(uniq=request.META[Tokens.SHIB_EPPN])
-#                 return _redirect_shib_auth_user(user)
-#             else:
-#                 return HttpResponseRedirect(settings.LOGIN_URL)
-# 
-#     if settings.TEST and 'TEST-AAI' in request.META:
-#         return HttpResponseRedirect(settings.LOGIN_URL)
-# 
-#     if request.path.endswith(settings.LOGIN_URL):
-#         # avoid redirect loops
-#         return
-#     else:
-#         # no authentication info found in headers, redirect back
-#         return HttpResponseRedirect(settings.LOGIN_URL)
-# 
-# def process_response(request, response):
-#     # Tell proxies and other interested parties that the request varies
-#     # based on X-Auth-Token, to avoid caching of results
-#     patch_vary_headers(response, ('X-Auth-Token',))
-#     return response
-# 
-# def _redirect_shib_auth_user(user):
-#     expire_fmt = user.auth_token_expires.strftime('%a, %d-%b-%Y %H:%M:%S %Z')
-# 
-#     response = HttpResponse()
-#     response.set_cookie('X-Auth-Token', value=user.auth_token,
-#                         expires=expire_fmt, path='/')
-#     response['X-Auth-Token'] = user.auth_token
-#     response['Location'] = settings.APP_INSTALL_URL
-#     response.status_code = 302
-#     return response
+    """Register a user into the internal database
+       and issue a token for subsequent requests.
+       Users are authenticated by Shibboleth.
+       
+       Return the unique username and the token
+       as 'X-Auth-User' and 'X-Auth-Token' headers,
+       or redirect to the URL provided in 'next'
+       with the 'user' and 'token' as parameters.
+       
+       Reissue the token even if it has not yet
+       expired, if the 'reissue' parameter is present.
+    """
+    
+    try:
+        user = PithosUser.objects.get(uniq=request.META[Tokens.SHIB_EPPN])
+    except:
+        user = None
+    if user is None:
+        try:
+            user = register_shibboleth_user(request.META)
+        except:
+            return HttpResponseBadRequest('Missing necessary Shibboleth headers')
+    
+    if 'reissue' in request.GET:
+        create_auth_token(user)
+    next = request.GET.get('next')
+    if next is not None:
+        # TODO: Avoid redirect loops.
+        if '?' in next:
+            next = next[:next.find('?')]
+        next += '?user=' + urlencode(user.uniq)
+        next += '&' + urlencode(user.auth_token)
+    
+    response = HttpResponse()
+    if not next:
+        response['X-Auth-User'] = user.uniq
+        response['X-Auth-Token'] = user.auth_token
+        response.status_code = 204
+    else:
+        response['Location'] = next
+        response.status_code = 302
+    return response
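Review bot: The `next` parameter is used as the redirect target without any validation, so a victim with a live Shibboleth session who follows `/login?next=https://attacker.example/` has their `X-Auth-Token` bearer credential delivered to a third-party host in the query string — `next` must be restricted to a relative path (or an allow-listed host) before the token is attached, and the existing `# TODO: Avoid redirect loops.` does not cover this. The query construction is also broken: `django.utils.http.urlencode` takes a mapping or a sequence of pairs, not a bare string, and the token is appended with no `token=` key even though the docstring promises `user` and `token` parameters; `urlencode({'user': user.uniq, 'token': user.auth_token})` fixes both. `HttpResponseBadRequest` is raised on the "Missing necessary Shibboleth headers" path but is not imported — the import line needs to become `from django.http import HttpResponse, HttpResponseBadRequest, HttpResponseRedirect`. The two bare `except:` clauses turn any database error into a 400 that blames the client; catching `KeyError` and `PithosUser.DoesNotExist` respectively keeps real failures visible. Note that the new code trusts `request.META[Tokens.SHIB_EPPN]` completely, which is only safe if the `/login` path is protected by the Shibboleth SP and the front-end strips a client-supplied header of the same name — worth confirming in the Apache configuration.
```python
    next = request.GET.get('next')
    if next is not None:
        # Never hand the token to another origin: accept only a relative
        # path here (a stricter allow-list on urlparse(next).netloc is
        # preferable if cross-host redirects are ever needed).
        if '://' in next or next.startswith('//'):
            return HttpResponseBadRequest('Invalid next URL')
        # TODO: Avoid redirect loops.
        if '?' in next:
            next = next[:next.find('?')]
        next += '?' + urlencode({'user': user.uniq, 'token': user.auth_token})
    # … unchanged: response construction …
```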
index e09ea37..1075086 100644 (file)
@@ -74,7 +74,4 @@ def register_shibboleth_user(tokens):
 
     affiliation = tokens.get(Tokens.SHIB_EP_AFFILIATION, '')
 
-    register_user(eppn, realname, affiliation)
-
-    return True
-
+    return register_user(eppn, realname, affiliation)
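Review bot: `register_shibboleth_user` now returns whatever `register_user` returns instead of `True`, and the new caller in `login` treats any non-exception return as a usable user object (it reads `user.uniq` and `user.auth_token` right away); if `register_user` can signal failure by returning `None` rather than raising, `login` will fail with an `AttributeError` instead of the intended 400. Either document that `register_user` raises on failure, or guard the result here: `user = register_user(eppn, realname, affiliation)` / `if user is None: raise ValueError('could not register %s' % eppn)` / `return user`. The function's signature and the eppn/realname extraction lie outside this hunk, so its docstring should also be updated to state that it returns the registered user (presumably the created `PithosUser`) rather than a boolean.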
index 845cb19..8d31bc7 100644 (file)
@@ -70,4 +70,3 @@ def create_auth_token(user):
     user.auth_token_expires = user.auth_token_created + \
                               timedelta(hours=settings.AUTH_TOKEN_DURATION)
     user.save()
-