Synnefo

[

    {

        "model": "db.SynnefoUser",

        "pk": 1,

        "fields": {

            "name": "testdbuser",

            "realname" :"test db user",

            "uniq" :"test@synnefo.gr",

            "credit": 10,

            "auth_token": "46e427d657b20defe352804f0eb6f8a2",

            "auth_token_created": "2009-04-07 09:17:14",

            "type": "STUDENT",

            "created": "2011-02-06"

   	    }

    }

]

from time import time

from django.conf import settings

from django.http import HttpResponse, HttpResponseRedirect

from synnefo.db.models import SynnefoUser

from synnefo.logic.shibboleth import Tokens, register_shibboleth_user

import time

class SynnefoAuthMiddleware(object):

    auth_token = "X-Auth-Token"

    auth_user  = "X-Auth-User"

    auth_key   = "X-Auth-Key"

    def process_request(self, request):

        if self.auth_token in request.META:

            user = None

            #Retrieve user from DB or other caching mechanism

            try:

                user = SynnefoUser.objects.get(auth_token = request.META[self.auth_token])

            except SynnefoUser.DoesNotExist:

                return HttpResponseRedirect(settings.SHIBBOLETH_HOST)

            #Check user's auth token

            if (time.time() -

                time.mktime(user.auth_token_created.timetuple()) +

                settings.AUTH_TOKEN_DURATION * 3600) > 0:

                #The user's token has expired, re-login

                return HttpResponseRedirect(settings.SHIBBOLETH_HOST)

            request.user = user

            return

        #A user authenticated by Shibboleth, must include a uniq id

        if Tokens.SIB_EDU_PERSON_PRINCIPAL_NAME in request.META:

            #We must somehow make sure that we only process

            #SIB headers when coming from a URL whitelist,

            #or a similar form of restriction

            if request.get_host() not in settings.SHIBBOLETH_WHITELIST.keys():

                return HttpResponseRedirect(settings.SHIBBOLETH_HOST)

            user = None

            try:

                user = SynnefoUser.objects.get(

                    uniq = request.META[Tokens.SIB_EDU_PERSON_PRINCIPAL_NAME])

            except SynnefoUser.DoesNotExist:

                pass

            #No user with this id could be found in the database

            if user is None:

                #Attempt to register the incoming user

                if register_shibboleth_user(request.META):

                    user = SynnefoUser.objects.get(

                        uniq = request.META[Tokens.SIB_EDU_PERSON_PRINCIPAL_NAME])

                    response = HttpResponse()

                    response[self.auth_token] = user.auth_token

                    response['Location'] = "/"

                    response.status_code = 302

                    return response

                else:

                    return HttpResponseRedirect(settings.SHIBBOLETH_HOST)

            #User and authentication token valid, user allowed to proceed

            return

        #An API authentication request

        if self.auth_user in request.META and 'X-Auth-Key' in request.META \

           and '/v1.1' == request.path and 'GET' == request.method:

            # This is here merely for compatibility with the Openstack API.

            # All normal users should authenticate through Sibbolleth. Admin

            # users or other selected users could use this as a bypass

            # mechanism

            user = SynnefoUser.objects.filter(username = request.META[self.auth_user])

            return HttpResponseRedirect(settings.SHIBBOLETH_HOST)

        #No authentication info found in headers, redirect to Shibboleth

        return HttpResponseRedirect(settings.SHIBBOLETH_HOST)

    def process_response(self, request, response):

        #Tell proxies and other interested parties that the

        #request varies based on the auth token, to avoid

        #caching of results

        response['Vary'] = self.auth_token

        return response

from synnefo.api.tests_auth import AuthTestCase

#

# Unit Tests for api

#

# Provides automated tests for api module

#

# Copyright 2011 Greek Research and Technology Network

#

from django.test import TestCase

from django.test.client import Client

from django.conf import settings

from synnefo.logic.shibboleth import Tokens, NoUniqueToken

from synnefo.db.models import SynnefoUser

from datetime import datetime, timedelta

class AuthTestCase(TestCase):

    fixtures = ['api_test_data', 'auth_test_data']

    apibase = '/api/v1.1'

    def setUp(self):

        self.client = Client()

    def test_shibboleth_correct_request(self):

        """test request that should succeed and register a user

        """

        response = self.client.get(self.apibase + '/servers', {},

                                   **{Tokens.SIB_GIVEN_NAME: 'Jimmy',

                                      Tokens.SIB_EDU_PERSON_PRINCIPAL_NAME: 'jh@gmail.com',

                                      Tokens.SIB_DISPLAY_NAME: 'Jimmy Hendrix'})

        user = None

        try:

            user = SynnefoUser.objects.get(uniq = "jh@gmail.com")

        except SynnefoUser.DoesNotExist:

            self.assertNotEqual(user, None)

        self.assertNotEqual(user, None)

        self.assertEquals(response.status_code, 302)

        self.assertEquals(response['Location'], "http://testserver/")

        self.assertTrue('X-Auth-Token' in response)

        self.assertEquals(response['X-Auth-Token'], user.auth_token)

    def test_shibboleth_no_uniq_request(self):

        """test a request with no unique field

        """

        response = self.client.get(self.apibase + '/servers', {},

                                    **{Tokens.SIB_GIVEN_NAME: 'Jimmy',

                                    Tokens.SIB_DISPLAY_NAME: 'Jimmy Hendrix'})

        self._test_redirect(response)

    def test_shibboleth_wrong_from_request(self):

        """ test request from wrong host

        """

        response = self.client.get(self.apibase + '/servers', {},

                                   **{Tokens.SIB_GIVEN_NAME: 'Jimmy',

                                      Tokens.SIB_EDU_PERSON_PRINCIPAL_NAME: 'jh@gmail.com',

                                      Tokens.SIB_DISPLAY_NAME: 'Jimmy Hendrix',

                                      'REMOTE_ADDR': '1.2.3.4',

                                      'SERVER_NAME': 'nohost.nodomain'})

        self._test_redirect(response)

    def test_shibboleth_expired_token(self):

        """ test request from expired token

        """

        user = SynnefoUser.objects.get(uniq = "test@synnefo.gr")

        self.assertNotEqual(user.auth_token_created, None)

        user.auth_token_created = (datetime.now() -

                                   timedelta(hours = settings.AUTH_TOKEN_DURATION))

        user.save()

        response = self.client.get(self.apibase + '/servers', {},

                                   **{'X-Auth-Token': user.auth_token})

        self._test_redirect(response)

    def test_shibboleth_redirect(self):

        """ test redirect to Sibboleth page

        """

        response = self.client.get(self.apibase + '/servers')

        self._test_redirect(response)

    def test_shibboleth_auth(self):

        """ test authentication with X-Auth-Token

        """

        user = SynnefoUser.objects.get(uniq = "test@synnefo.gr")

        response = self.client.get(self.apibase + '/servers', {},

                                   **{'X-Auth-Token': user.auth_token})

        self.assertTrue(response.status_code, 200)

        self.assertTrue('Vary' in response)

        self.assertTrue('X-Auth-Token' in response['Vary'])

    def test_fail_oapi_auth(self):

        """ test authentication from not registered user using OpenAPI

        """

        response = self.client.get(self.apibase + '/servers', {},

                                   **{'X-Auth-User': 'notme',

                                      'X-Auth-Key': '0xdeadbabe'})

        self.assertEquals(response.status_code, 401)

    def test_oapi_auth(self):

        """authentication with user registration

        """

        response = self.client.get(self.apibase + '/', {},

                                   **{'X-Auth-User': 'testuser',

                                      'X-Auth-Key': 'testuserpasswd'})

        self.assertEquals(response.status_code, 204)

        self.assertNotEqual(response['X-Auth-Token'], None)

        self.assertEquals(response['X-Server-Management-Url'], '')

        self.assertEquals(response['X-Storage-Url'], '')

        self.assertEquals(response['X-CDN-Management-Url'], '')

        #Check access now that we do have an auth token

        token = response['X-Auth-Token']

        response = self.client.get(self.apibase + '/servers/detail', {},

                                   **{'X-Auth-Token': token})

        self.assertEquals(response.status_code, 200)

    def _test_redirect(self, response):

        self.assertEquals(response.status_code, 302)

        self.assertTrue('Location' in response)

        self.assertEquals(response['Location'], settings.SHIBBOLETH_HOST)

# vim: ts=4 sts=4 et ai sw=4 fileencoding=utf-8

#

# Copyright © 2010 Greek Research and Technology Network

#

from piston.handler import AnonymousBaseHandler

from django.http import HttpResponse

from django.core.urlresolvers import reverse

CURRENT_SERVER_VERSION = 'v1.0'

class AuthHandler(AnonymousBaseHandler):

    allowed_methods = ('GET',)

    def read(self, request):

        user = request.META.get('HTTP_X_AUTH_USER', None)

        key = request.META.get('HTTP_X_AUTH_KEY', None)

        if user is None or key is None:

            return HttpResponse(status=401)

        response = HttpResponse(status=204)

        # dummy auth

        response['X-Auth-Token'] = 'dummy-token'

        # return X-Server-Management's URL

        url = reverse('synnefo.api.urls.version_handler',

                kwargs={'number': CURRENT_SERVER_VERSION})

        url = request.build_absolute_uri(url)

        response['X-Server-Management-Url'] = url

        return response

# vim: ts=4 sts=4 et ai sw=4 fileencoding=utf-8

#

# Copyright © 2010 Greek Research and Technology Network

#

from django.conf.urls.defaults import *

from piston.resource import Resource

from synnefo.auth.handlers import *

auth_handler = Resource(AuthHandler)

urlpatterns = patterns('',

    (r'^v1.0', auth_handler),

)

    #'django.contrib.auth.middleware.AuthenticationMiddleware',

    'synnefo.auth',

    'localhost' : '127.0.0.1'