Revision 63efc637
b/aai/middleware.py | ||
12 | 12 |
auth_key = "X-Auth-Key" |
13 | 13 |
|
14 | 14 |
def process_request(self, request): |
15 |
|
|
16 | 15 |
if self.auth_token in request.META: |
17 | 16 |
user = None |
18 | 17 |
#Retrieve user from DB or other caching mechanism |
19 | 18 |
try: |
20 | 19 |
user = SynnefoUser.objects.get(auth_token = request.META[self.auth_token]) |
21 | 20 |
except SynnefoUser.DoesNotExist: |
22 |
return HttpResponseRedirect(settings.LOGIN_PATH) |
|
21 |
return HttpResponseRedirect(settings.APP_INSTALL_URL + settings.LOGIN_PATH)
|
|
23 | 22 |
|
24 | 23 |
#Check user's auth token |
25 | 24 |
if (time.time() - |
26 | 25 |
time.mktime(user.auth_token_created.timetuple()) + |
27 | 26 |
settings.AUTH_TOKEN_DURATION * 3600) > 0: |
28 | 27 |
#The user's token has expired, re-login |
29 |
return HttpResponseRedirect(settings.LOGIN_PATH) |
|
28 |
return HttpResponseRedirect(settings.APP_INSTALL_URL + settings.LOGIN_PATH)
|
|
30 | 29 |
|
31 | 30 |
request.user = user |
32 | 31 |
return |
33 | 32 |
|
34 | 33 |
#A user authenticated by Shibboleth, must include a uniq id |
35 |
if Tokens.SIB_EDU_PERSON_PRINCIPAL_NAME in request.META:
|
|
34 |
if Tokens.SIB_EPPN in request.META:
|
|
36 | 35 |
#We must somehow make sure that we only process |
37 | 36 |
#SIB headers when coming from a URL whitelist, |
38 | 37 |
#or a similar form of restriction |
39 |
if request.get_host() not in settings.SHIBBOLETH_WHITELIST.keys(): |
|
40 |
return HttpResponseRedirect(settings.LOGIN_PATH)
|
|
38 |
#if request.get_host() not in settings.SHIBBOLETH_WHITELIST.keys():
|
|
39 |
# return HttpResponseRedirect(settings.APP_INSTALL_URL + settings.LOGIN_PATH)
|
|
41 | 40 |
|
42 | 41 |
user = None |
43 | 42 |
try: |
44 | 43 |
user = SynnefoUser.objects.get( |
45 |
uniq = request.META[Tokens.SIB_EDU_PERSON_PRINCIPAL_NAME])
|
|
44 |
uniq = request.META[Tokens.SIB_EPPN])
|
|
46 | 45 |
except SynnefoUser.DoesNotExist: |
47 | 46 |
pass |
48 | 47 |
|
... | ... | |
51 | 50 |
#Attempt to register the incoming user |
52 | 51 |
if register_shibboleth_user(request.META): |
53 | 52 |
user = SynnefoUser.objects.get( |
54 |
uniq = request.META[Tokens.SIB_EDU_PERSON_PRINCIPAL_NAME])
|
|
53 |
uniq = request.META[Tokens.SIB_EPPN])
|
|
55 | 54 |
response = HttpResponse() |
56 | 55 |
response[self.auth_token] = user.auth_token |
57 |
response['Location'] = "/"
|
|
56 |
response['Location'] = settings.APP_INSTALL_URL
|
|
58 | 57 |
response.status_code = 302 |
59 | 58 |
return response |
60 | 59 |
else: |
61 |
return HttpResponseRedirect(settings.LOGIN_PATH) |
|
60 |
return HttpResponseRedirect(settings.APP_INSTALL_URL + settings.LOGIN_PATH)
|
|
62 | 61 |
|
63 | 62 |
#User and authentication token valid, user allowed to proceed |
64 | 63 |
return |
... | ... | |
87 | 86 |
|
88 | 87 |
if settings.TEST: |
89 | 88 |
if 'TEST-AAI' in request.META: |
90 |
return HttpResponseRedirect(settings.LOGIN_PATH) |
|
89 |
return HttpResponseRedirect(settings.APP_INSTALL_URL + settings.LOGIN_PATH)
|
|
91 | 90 |
else: |
92 | 91 |
#Avoid redirect loops |
93 |
if 'Referer' in request.META and request.META['Referer'].endswith(settings.LOGIN_PATH):
|
|
94 |
return |
|
92 |
if request.path.endswith(settings.LOGIN_PATH):
|
|
93 |
return
|
|
95 | 94 |
else : |
96 | 95 |
#No authentication info found in headers, redirect to Shibboleth |
97 |
return HttpResponseRedirect(settings.LOGIN_PATH) |
|
96 |
return HttpResponseRedirect(settings.APP_INSTALL_URL + settings.LOGIN_PATH)
|
|
98 | 97 |
|
99 | 98 |
def process_response(self, request, response): |
100 | 99 |
#Tell proxies and other interested parties that the |
... | ... | |
102 | 101 |
#caching of results |
103 | 102 |
response['Vary'] = self.auth_token |
104 | 103 |
return response |
104 |
|
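Review bot: The host whitelist guard on the Shibboleth branch is commented out on the new side (new lines 38–39) while the comment directly above it still says SIB headers must only be processed from a whitelist, so after this commit any request whose META carries `eppn` reaches `register_shibboleth_user(request.META)` and is handed an auth token. Whether a client can plant that key depends on how the SP populates the WSGI environ (client headers arrive as `HTTP_*`), which cannot be confirmed from here; if the check is dropped on purpose the stale comment should go with it, otherwise replace the two dead lines with an explicit guard instead of leaving the branch unprotected. Separately, the expiry test on new lines 24–26 adds `settings.AUTH_TOKEN_DURATION * 3600` rather than subtracting it, so for any non-negative duration the condition is always true and every token-bearing request is bounced to login; the intended form is `if time.time() - time.mktime(user.auth_token_created.timetuple()) > settings.AUTH_TOKEN_DURATION * 3600:`. process_request continues through the elided stretches of this section, and process_response's body is cut off at the end.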
b/aai/shibboleth.py | ||
7 | 7 |
from synnefo.logic import users |
8 | 8 |
|
9 | 9 |
class Tokens: |
10 |
SIB_GIVEN_NAME = "shib_inetorgperson_givenname"
|
|
11 |
SIB_SN = "shib_person_surname"
|
|
12 |
SIB_CN = "cn"
|
|
10 |
SIB_NAME = "Shib-InetOrgPerson-givenName"
|
|
11 |
SIB_SURNAME = "Shib-Person-surname"
|
|
12 |
SIB_CN = "Shib-Person-commonName"
|
|
13 | 13 |
SIB_DISPLAY_NAME = "displayName" |
14 |
SIB_EDU_PERSON_PRINCIPAL_NAME = "eppn"
|
|
14 |
SIB_EPPN = "eppn"
|
|
15 | 15 |
SIB_EDU_PERSON_AFFILIATION = "shib_ep_primaryaffiliation" |
16 | 16 |
SIB_SCHAC_PERSONAL_UNIQUE_CODE = "schacPersonalUniqueCode" |
17 | 17 |
SIB_GR_EDU_PERSON_UNDERGRADUATE_BRANCH = "grEduPersonUndergraduateBranch" |
... | ... | |
36 | 36 |
http://aai.grnet.gr/policy |
37 | 37 |
""" |
38 | 38 |
realname = None |
39 |
print tokens |
|
39 | 40 |
|
40 |
if Tokens.SIB_GIVEN_NAME in tokens:
|
|
41 |
realname = tokens[Tokens.SIB_GIVEN_NAME]
|
|
41 |
if Tokens.SIB_SURNAME in tokens:
|
|
42 |
realname = tokens[Tokens.SIB_SURNAME]
|
|
42 | 43 |
|
43 |
if Tokens.SIB_DISPLAY_NAME in tokens: |
|
44 |
realname = tokens[Tokens.SIB_DISPLAY_NAME] |
|
44 |
if Tokens.SIB_NAME in tokens: |
|
45 |
realname = tokens[Tokens.SIB_NAME] + ' ' + realname |
|
46 |
|
|
47 |
if Tokens.SIB_CN in tokens: |
|
48 |
realname = tokens[Tokens.SIB_CN] |
|
45 | 49 |
|
46 | 50 |
is_student = Tokens.SIB_SCHAC_PERSONAL_UNIQUE_CODE in tokens or \ |
47 | 51 |
Tokens.SIB_GR_EDU_PERSON_UNDERGRADUATE_BRANCH in tokens |
48 | 52 |
|
49 |
unq = tokens.get(Tokens.SIB_EDU_PERSON_PRINCIPAL_NAME)
|
|
53 |
unq = tokens.get(Tokens.SIB_EPPN)
|
|
50 | 54 |
|
51 | 55 |
if unq is None: |
52 | 56 |
raise NoUniqueToken("Authentication does not return a unique token") |
... | ... | |
59 | 63 |
else: |
60 | 64 |
users.register_professor(realname, '' ,unq) |
61 | 65 |
|
62 |
return True |
|
66 |
return True |
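Review bot: The `print tokens` added at new line 39 writes the whole mapping to stdout on every registration; the middleware passes `request.META`, so if that is the only caller this is the entire WSGI environ — every released Shibboleth attribute plus `HTTP_COOKIE` — landing in the server log. Drop it, or replace it with a `logging` call at debug level that records only the attribute keys present. The rewritten name assembly at new lines 41–45 also breaks when the surname attribute is absent: `realname` is still `None` and `tokens[Tokens.SIB_NAME] + ' ' + realname` raises TypeError, so guard it, e.g. `realname = tokens[Tokens.SIB_NAME] + ' ' + (realname or '')`, or collect the present parts and `' '.join` them. The function these lines belong to begins above this section, so its signature is not visible here.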
b/settings.py.dist | ||
167 | 167 |
# to its resources. Thus, it needs to know its public URL. |
168 | 168 |
API_ROOT_URL = 'http://127.0.0.1:8000/api/' |
169 | 169 |
|
170 |
LOGIN_PATH = "/okeanos/login" |
|
170 |
APP_INSTALL_URL = "https://login.okeanos.grnet.gr/okeanos" |
|
171 |
|
|
172 |
LOGIN_PATH = "/login" |
|
171 | 173 |
|
172 | 174 |
SHIBBOLETH_WHITELIST = { |
173 | 175 |
'localhost' : '127.0.0.1', |
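Review bot: `APP_INSTALL_URL` in this distributed template defaults to the production host `https://login.okeanos.grnet.gr/okeanos`, so any deployment that forgets to override it will redirect unauthenticated users, and the auth-token response from the middleware, to the live service; a local placeholder consistent with `API_ROOT_URL` above (e.g. `http://127.0.0.1:8000/okeanos`) is the safer default. It also deserves a comment such as `# Public base URL of this installation; LOGIN_PATH is appended to it for redirects, so it must not end with a slash.` Since the middleware in this commit no longer consults `SHIBBOLETH_WHITELIST`, a note marking that setting as currently unused would stop deployers from relying on it as a protection.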