Revision 63efc637
| b/aai/middleware.py | ||
|---|---|---|
| 12 | 12 |
auth_key = "X-Auth-Key" |
| 13 | 13 |
|
| 14 | 14 |
def process_request(self, request): |
| 15 |
|
|
| 16 | 15 |
if self.auth_token in request.META: |
| 17 | 16 |
user = None |
| 18 | 17 |
#Retrieve user from DB or other caching mechanism |
| 19 | 18 |
try: |
| 20 | 19 |
user = SynnefoUser.objects.get(auth_token = request.META[self.auth_token]) |
| 21 | 20 |
except SynnefoUser.DoesNotExist: |
| 22 |
return HttpResponseRedirect(settings.LOGIN_PATH) |
|
| 21 |
return HttpResponseRedirect(settings.APP_INSTALL_URL + settings.LOGIN_PATH)
|
|
| 23 | 22 |
|
| 24 | 23 |
#Check user's auth token |
| 25 | 24 |
if (time.time() - |
| 26 | 25 |
time.mktime(user.auth_token_created.timetuple()) + |
| 27 | 26 |
settings.AUTH_TOKEN_DURATION * 3600) > 0: |
| 28 | 27 |
#The user's token has expired, re-login |
| 29 |
return HttpResponseRedirect(settings.LOGIN_PATH) |
|
| 28 |
return HttpResponseRedirect(settings.APP_INSTALL_URL + settings.LOGIN_PATH)
|
|
| 30 | 29 |
|
| 31 | 30 |
request.user = user |
| 32 | 31 |
return |
| 33 | 32 |
|
| 34 | 33 |
#A user authenticated by Shibboleth, must include a uniq id |
| 35 |
if Tokens.SIB_EDU_PERSON_PRINCIPAL_NAME in request.META:
|
|
| 34 |
if Tokens.SIB_EPPN in request.META:
|
|
| 36 | 35 |
#We must somehow make sure that we only process |
| 37 | 36 |
#SIB headers when coming from a URL whitelist, |
| 38 | 37 |
#or a similar form of restriction |
| 39 |
if request.get_host() not in settings.SHIBBOLETH_WHITELIST.keys(): |
|
| 40 |
return HttpResponseRedirect(settings.LOGIN_PATH)
|
|
| 38 |
#if request.get_host() not in settings.SHIBBOLETH_WHITELIST.keys():
|
|
| 39 |
# return HttpResponseRedirect(settings.APP_INSTALL_URL + settings.LOGIN_PATH)
|
|
| 41 | 40 |
|
| 42 | 41 |
user = None |
| 43 | 42 |
try: |
| 44 | 43 |
user = SynnefoUser.objects.get( |
| 45 |
uniq = request.META[Tokens.SIB_EDU_PERSON_PRINCIPAL_NAME])
|
|
| 44 |
uniq = request.META[Tokens.SIB_EPPN])
|
|
| 46 | 45 |
except SynnefoUser.DoesNotExist: |
| 47 | 46 |
pass |
| 48 | 47 |
|
| ... | ... | |
| 51 | 50 |
#Attempt to register the incoming user |
| 52 | 51 |
if register_shibboleth_user(request.META): |
| 53 | 52 |
user = SynnefoUser.objects.get( |
| 54 |
uniq = request.META[Tokens.SIB_EDU_PERSON_PRINCIPAL_NAME])
|
|
| 53 |
uniq = request.META[Tokens.SIB_EPPN])
|
|
| 55 | 54 |
response = HttpResponse() |
| 56 | 55 |
response[self.auth_token] = user.auth_token |
| 57 |
response['Location'] = "/"
|
|
| 56 |
response['Location'] = settings.APP_INSTALL_URL
|
|
| 58 | 57 |
response.status_code = 302 |
| 59 | 58 |
return response |
| 60 | 59 |
else: |
| 61 |
return HttpResponseRedirect(settings.LOGIN_PATH) |
|
| 60 |
return HttpResponseRedirect(settings.APP_INSTALL_URL + settings.LOGIN_PATH)
|
|
| 62 | 61 |
|
| 63 | 62 |
#User and authentication token valid, user allowed to proceed |
| 64 | 63 |
return |
| ... | ... | |
| 87 | 86 |
|
| 88 | 87 |
if settings.TEST: |
| 89 | 88 |
if 'TEST-AAI' in request.META: |
| 90 |
return HttpResponseRedirect(settings.LOGIN_PATH) |
|
| 89 |
return HttpResponseRedirect(settings.APP_INSTALL_URL + settings.LOGIN_PATH)
|
|
| 91 | 90 |
else: |
| 92 | 91 |
#Avoid redirect loops |
| 93 |
if 'Referer' in request.META and request.META['Referer'].endswith(settings.LOGIN_PATH):
|
|
| 94 |
return |
|
| 92 |
if request.path.endswith(settings.LOGIN_PATH):
|
|
| 93 |
return
|
|
| 95 | 94 |
else : |
| 96 | 95 |
#No authentication info found in headers, redirect to Shibboleth |
| 97 |
return HttpResponseRedirect(settings.LOGIN_PATH) |
|
| 96 |
return HttpResponseRedirect(settings.APP_INSTALL_URL + settings.LOGIN_PATH)
|
|
| 98 | 97 |
|
| 99 | 98 |
def process_response(self, request, response): |
| 100 | 99 |
#Tell proxies and other interested parties that the |
| ... | ... | |
| 102 | 101 |
#caching of results |
| 103 | 102 |
response['Vary'] = self.auth_token |
| 104 | 103 |
return response |
| 104 |
|
|
| b/aai/shibboleth.py | ||
|---|---|---|
| 7 | 7 |
from synnefo.logic import users |
| 8 | 8 |
|
| 9 | 9 |
class Tokens: |
| 10 |
SIB_GIVEN_NAME = "shib_inetorgperson_givenname"
|
|
| 11 |
SIB_SN = "shib_person_surname"
|
|
| 12 |
SIB_CN = "cn"
|
|
| 10 |
SIB_NAME = "Shib-InetOrgPerson-givenName"
|
|
| 11 |
SIB_SURNAME = "Shib-Person-surname"
|
|
| 12 |
SIB_CN = "Shib-Person-commonName"
|
|
| 13 | 13 |
SIB_DISPLAY_NAME = "displayName" |
| 14 |
SIB_EDU_PERSON_PRINCIPAL_NAME = "eppn"
|
|
| 14 |
SIB_EPPN = "eppn"
|
|
| 15 | 15 |
SIB_EDU_PERSON_AFFILIATION = "shib_ep_primaryaffiliation" |
| 16 | 16 |
SIB_SCHAC_PERSONAL_UNIQUE_CODE = "schacPersonalUniqueCode" |
| 17 | 17 |
SIB_GR_EDU_PERSON_UNDERGRADUATE_BRANCH = "grEduPersonUndergraduateBranch" |
| ... | ... | |
| 36 | 36 |
http://aai.grnet.gr/policy |
| 37 | 37 |
""" |
| 38 | 38 |
realname = None |
| 39 |
print tokens |
|
| 39 | 40 |
|
| 40 |
if Tokens.SIB_GIVEN_NAME in tokens:
|
|
| 41 |
realname = tokens[Tokens.SIB_GIVEN_NAME]
|
|
| 41 |
if Tokens.SIB_SURNAME in tokens:
|
|
| 42 |
realname = tokens[Tokens.SIB_SURNAME]
|
|
| 42 | 43 |
|
| 43 |
if Tokens.SIB_DISPLAY_NAME in tokens: |
|
| 44 |
realname = tokens[Tokens.SIB_DISPLAY_NAME] |
|
| 44 |
if Tokens.SIB_NAME in tokens: |
|
| 45 |
realname = tokens[Tokens.SIB_NAME] + ' ' + realname |
|
| 46 |
|
|
| 47 |
if Tokens.SIB_CN in tokens: |
|
| 48 |
realname = tokens[Tokens.SIB_CN] |
|
| 45 | 49 |
|
| 46 | 50 |
is_student = Tokens.SIB_SCHAC_PERSONAL_UNIQUE_CODE in tokens or \ |
| 47 | 51 |
Tokens.SIB_GR_EDU_PERSON_UNDERGRADUATE_BRANCH in tokens |
| 48 | 52 |
|
| 49 |
unq = tokens.get(Tokens.SIB_EDU_PERSON_PRINCIPAL_NAME)
|
|
| 53 |
unq = tokens.get(Tokens.SIB_EPPN)
|
|
| 50 | 54 |
|
| 51 | 55 |
if unq is None: |
| 52 | 56 |
raise NoUniqueToken("Authentication does not return a unique token")
|
| ... | ... | |
| 59 | 63 |
else: |
| 60 | 64 |
users.register_professor(realname, '' ,unq) |
| 61 | 65 |
|
| 62 |
return True |
|
| 66 |
return True |
|
| b/settings.py.dist | ||
|---|---|---|
| 167 | 167 |
# to its resources. Thus, it needs to know its public URL. |
| 168 | 168 |
API_ROOT_URL = 'http://127.0.0.1:8000/api/' |
| 169 | 169 |
|
| 170 |
LOGIN_PATH = "/okeanos/login" |
|
| 170 |
APP_INSTALL_URL = "https://login.okeanos.grnet.gr/okeanos" |
|
| 171 |
|
|
| 172 |
LOGIN_PATH = "/login" |
|
| 171 | 173 |
|
| 172 | 174 |
SHIBBOLETH_WHITELIST = {
|
| 173 | 175 |
'localhost' : '127.0.0.1', |
Also available in: Unified diff