Revision 60de282a
b/aai/middleware.py | ||
---|---|---|
19 | 19 |
try: |
20 | 20 |
user = SynnefoUser.objects.get(auth_token = request.META[self.auth_token]) |
21 | 21 |
except SynnefoUser.DoesNotExist: |
22 |
return HttpResponseRedirect(settings.SHIBBOLETH_HOST)
|
|
22 |
return HttpResponseRedirect(settings.LOGIN_PATH)
|
|
23 | 23 |
|
24 | 24 |
#Check user's auth token |
25 | 25 |
if (time.time() - |
26 | 26 |
time.mktime(user.auth_token_created.timetuple()) + |
27 | 27 |
settings.AUTH_TOKEN_DURATION * 3600) > 0: |
28 | 28 |
#The user's token has expired, re-login |
29 |
return HttpResponseRedirect(settings.SHIBBOLETH_HOST)
|
|
29 |
return HttpResponseRedirect(settings.LOGIN_PATH)
|
|
30 | 30 |
|
31 | 31 |
request.user = user |
32 | 32 |
return |
... | ... | |
37 | 37 |
#SIB headers when coming from a URL whitelist, |
38 | 38 |
#or a similar form of restriction |
39 | 39 |
if request.get_host() not in settings.SHIBBOLETH_WHITELIST.keys(): |
40 |
return HttpResponseRedirect(settings.SHIBBOLETH_HOST)
|
|
40 |
return HttpResponseRedirect(settings.LOGIN_PATH)
|
|
41 | 41 |
|
42 | 42 |
user = None |
43 | 43 |
try: |
... | ... | |
58 | 58 |
response.status_code = 302 |
59 | 59 |
return response |
60 | 60 |
else: |
61 |
return HttpResponseRedirect(settings.SHIBBOLETH_HOST)
|
|
61 |
return HttpResponseRedirect(settings.LOGIN_PATH)
|
|
62 | 62 |
|
63 | 63 |
#User and authentication token valid, user allowed to proceed |
64 | 64 |
return |
... | ... | |
87 | 87 |
|
88 | 88 |
if settings.TEST: |
89 | 89 |
if 'TEST-AAI' in request.META: |
90 |
return HttpResponseRedirect(settings.SHIBBOLETH_HOST)
|
|
90 |
return HttpResponseRedirect(settings.LOGIN_PATH)
|
|
91 | 91 |
else: |
92 |
#No authentication info found in headers, redirect to Shibboleth |
|
93 |
return HttpResponseRedirect(settings.SHIBBOLETH_HOST) |
|
92 |
#Avoid redirect loops |
|
93 |
if 'Referer' in request.META and request.META['Referer'].endswith(settings.LOGIN_PATH): |
|
94 |
return |
|
95 |
else : |
|
96 |
#No authentication info found in headers, redirect to Shibboleth |
|
97 |
return HttpResponseRedirect(settings.LOGIN_PATH) |
|
94 | 98 |
|
95 | 99 |
def process_response(self, request, response): |
96 | 100 |
#Tell proxies and other interested parties that the |
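Review bot: The loop guard on new line 93, `if 'Referer' in request.META and request.META['Referer'].endswith(settings.LOGIN_PATH):`, returns None — letting the request continue with `request.user` never set — based only on a header the client supplies, so a request carrying that Referer is no longer authenticated at all; the new test in aai/tests.py (a 200 for `/servers` with no auth token) pins exactly that behaviour. Key the exemption on the request itself instead, e.g. `if request.path == settings.LOGIN_PATH:`, or keep the login view outside this middleware so the redirect target is never itself guarded. Note also that Django exposes the Referer header as `request.META['HTTP_REFERER']`, so the `'Referer'` key as written appears to be satisfied only by the test client's extra kwargs rather than a real browser request; the `'TEST-AAI'` check on line 89 seems to share that property. The enclosing method (presumably process_request) starts outside this section.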
b/aai/tests.py | ||
---|---|---|
90 | 90 |
self.assertTrue('Vary' in response) |
91 | 91 |
self.assertTrue('X-Auth-Token' in response['Vary']) |
92 | 92 |
|
93 |
|
|
94 |
def test_shibboleth_redirect_loop(self): |
|
95 |
""" |
|
96 |
""" |
|
97 |
response = self.client.get(self.apibase + '/servers', {}, |
|
98 |
**{'Referer' : settings.LOGIN_PATH, |
|
99 |
'TEST-AAI' : 'true'}) |
|
100 |
self.assertEquals(response.status_code, 200) |
|
101 |
|
|
102 |
|
|
93 | 103 |
def test_fail_oapi_auth(self): |
94 | 104 |
""" test authentication from not registered user using OpenAPI |
95 | 105 |
""" |
... | ... | |
115 | 125 |
def _test_redirect(self, response): |
116 | 126 |
self.assertEquals(response.status_code, 302) |
117 | 127 |
self.assertTrue('Location' in response) |
118 |
self.assertEquals(response['Location'], settings.SHIBBOLETH_HOST)
|
|
128 |
self.assertTrue(response['Location'].endswith(settings.LOGIN_PATH))
|
|
119 | 129 |
|
120 | 130 |
def _update_user_ts(self, user): |
121 | 131 |
user.auth_token_created = (datetime.now() - |
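Review bot: test_shibboleth_redirect_loop (new lines 94–100) has an empty docstring, and what it asserts is that an unauthenticated GET to `/servers` returns 200 merely because a Referer ending in LOGIN_PATH was supplied — it documents an authentication bypass rather than a loop guard. State the intent in the docstring, e.g. `"""A request for the login path itself must not be redirected back to it."""`, request `settings.LOGIN_PATH` rather than `self.apibase + '/servers'`, and add a companion case that the API path still redirects (via `_test_redirect`) regardless of Referer. `assertEquals` is a deprecated alias; `assertEqual` is the current name.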
b/settings.py.dist | ||
---|---|---|
167 | 167 |
# to its resources. Thus, it needs to know its public URL. |
168 | 168 |
API_ROOT_URL = 'http://127.0.0.1:8000/api/' |
169 | 169 |
|
170 |
SHIBBOLETH_HOST = "http://wayf.grnet.gr/"
|
|
170 |
LOGIN_PATH = "/okeanos/login"
|
|
171 | 171 |
|
172 | 172 |
SHIBBOLETH_WHITELIST = { |
173 | 173 |
'localhost' : '127.0.0.1', |
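Review bot: LOGIN_PATH (new line 170) is introduced without a comment, whereas the neighbouring API_ROOT_URL is explained above it; because the middleware both redirects unauthenticated requests to this value and compares it with `endswith`, the setting's form (a path relative to the application host, replacing the former absolute SHIBBOLETH_HOST URL) is worth stating. Suggest `# Path of the login view; the AAI middleware redirects unauthenticated requests here` above it.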