Synnefo

from time import time

from django.conf import settings

from django.http import HttpResponse, HttpResponseRedirect

from synnefo.db.models import SynnefoUser

from synnefo.aai.shibboleth import Tokens, register_shibboleth_user

import time

class SynnefoAuthMiddleware(object):

    auth_token = "X-Auth-Token"

    auth_user  = "X-Auth-User"

    auth_key   = "X-Auth-Key"

    def process_request(self, request):

        if self.auth_token in request.META:

            user = None

            #Retrieve user from DB or other caching mechanism

            try:

                user = SynnefoUser.objects.get(auth_token = request.META[self.auth_token])

            except SynnefoUser.DoesNotExist:

                return HttpResponseRedirect(settings.SHIBBOLETH_HOST)

            #Check user's auth token

            if (time.time() -

                time.mktime(user.auth_token_created.timetuple()) +

                settings.AUTH_TOKEN_DURATION * 3600) > 0:

                #The user's token has expired, re-login

                return HttpResponseRedirect(settings.SHIBBOLETH_HOST)

            request.user = user

            return

        #A user authenticated by Shibboleth, must include a uniq id

        if Tokens.SIB_EDU_PERSON_PRINCIPAL_NAME in request.META:

            #We must somehow make sure that we only process

            #SIB headers when coming from a URL whitelist,

            #or a similar form of restriction

            if request.get_host() not in settings.SHIBBOLETH_WHITELIST.keys():

                return HttpResponseRedirect(settings.SHIBBOLETH_HOST)

            user = None

            try:

                user = SynnefoUser.objects.get(

                    uniq = request.META[Tokens.SIB_EDU_PERSON_PRINCIPAL_NAME])

            except SynnefoUser.DoesNotExist:

                pass

            #No user with this id could be found in the database

            if user is None:

                #Attempt to register the incoming user

                if register_shibboleth_user(request.META):

                    user = SynnefoUser.objects.get(

                        uniq = request.META[Tokens.SIB_EDU_PERSON_PRINCIPAL_NAME])

                    response = HttpResponse()

                    response[self.auth_token] = user.auth_token

                    response['Location'] = "/"

                    response.status_code = 302

                    return response

                else:

                    return HttpResponseRedirect(settings.SHIBBOLETH_HOST)

            #User and authentication token valid, user allowed to proceed

            return

        #An API authentication request

        if self.auth_user in request.META and self.auth_key in request.META and 'GET' == request.method:

            # This is here merely for compatibility with the Openstack API.

            # All normal users should authenticate through Sibbolleth. Admin

            # users or other selected users could use this as a bypass

            # mechanism

            user = SynnefoUser.objects\

                    .filter(name = request.META[self.auth_user]) \

                    .filter(uniq = request.META[self.auth_key])

            response = HttpResponse()

            if user.count() <= 0:

                response.status_code = 401

            else:

                response.status_code = 204

                response['X-Auth-Token'] = user[0].auth_token

                #TODO: set the following fields when we do have this info

                response['X-Server-Management-Url'] = ""

                response['X-Storage-Url'] = ""

                response['X-CDN-Management-Url'] = ""

            return response

        if settings.TESTING:

            if 'TEST-AAI' in request.META:

                return HttpResponseRedirect(settings.SHIBBOLETH_HOST)

        else:

            #No authentication info found in headers, redirect to Shibboleth

            return HttpResponseRedirect(settings.SHIBBOLETH_HOST)

    def process_response(self, request, response):

        #Tell proxies and other interested parties that the

        #request varies based on the auth token, to avoid

        #caching of results

        response['Vary'] = self.auth_token

        return response