|
1 |
from time import time
|
| 1 |
2 |
from django.conf import settings
|
| 2 |
3 |
from django.http import HttpResponse, HttpResponseRedirect
|
| 3 |
4 |
from synnefo.db.models import SynnefoUser
|
|
5 |
from synnefo.logic.shibboleth import Tokens, register_shibboleth_user
|
| 4 |
6 |
|
| 5 |
7 |
class SynnefoAuthMiddleware(object):
|
| 6 |
8 |
|
| ... | ... | |
| 14 |
16 |
#Retrieve user from DB or other caching mechanism
|
| 15 |
17 |
user = SynnefoUser.objects.filter(auth_token = request.META[self.auth_token])
|
| 16 |
18 |
if user is None :
|
| 17 |
|
return HttpResponseRedirect(settings.SIBBOLLETH_HOST)
|
|
19 |
return HttpResponseRedirect(settings.SHIBBOLETH_HOST)
|
| 18 |
20 |
request.user = user
|
| 19 |
21 |
return
|
| 20 |
22 |
|
| 21 |
|
#An authentication request
|
|
23 |
#A user authenticated by Shibboleth
|
|
24 |
if Tokens.SIB_EDU_PERSON_PRINCIPAL_NAME in request.META:
|
|
25 |
#TODO: We must somehow make sure that we only process
|
|
26 |
# SIB headers when coming from a URL whitelist,
|
|
27 |
# or a similar for of restriction
|
|
28 |
if request.get_host() not in settings.SHIBBOLETH_HOST:
|
|
29 |
return HttpResponseRedirect(settings.SHIBBOLETH_HOST)
|
|
30 |
|
|
31 |
user = SynnefoUser.objects.filter(
|
|
32 |
uniq = request.META[Tokens.SIB_EDU_PERSON_PRINCIPAL_NAME])
|
|
33 |
|
|
34 |
#No user with this id could be found in the database
|
|
35 |
if user is None:
|
|
36 |
#Try to register incoming user
|
|
37 |
if register_shibboleth_user(request.META):
|
|
38 |
#Registration succeded, user allowed to proceed
|
|
39 |
return
|
|
40 |
#Registration failed, redirect to Shibboleth
|
|
41 |
return HttpResponseRedirect(settings.SHIBBOLETH_HOST)
|
|
42 |
|
|
43 |
#At this point, the user has been identified in our database
|
|
44 |
#Check user's auth token
|
|
45 |
if time() - user.auth_token_created > settings.AUTH_TOKEN_DURATION * 3600:
|
|
46 |
#The user's token has expired, re-login
|
|
47 |
return HttpResponseRedirect(settings.SHIBBOLETH_HOST)
|
|
48 |
|
|
49 |
#User and authentication token valid, user allowed to proceed
|
|
50 |
return
|
|
51 |
|
|
52 |
#An API authentication request
|
| 22 |
53 |
if self.auth_user in request.META and 'X-Auth-Key' in request.META \
|
| 23 |
|
and '/v1.0' == request.path and 'GET' == request.method:
|
|
54 |
and '/v1.1' == request.path and 'GET' == request.method:
|
| 24 |
55 |
# This is here merely for compatibility with the Openstack API.
|
| 25 |
56 |
# All normal users should authenticate through Sibbolleth. Admin
|
| 26 |
57 |
# users or other selected users could use this as a bypass
|
| 27 |
58 |
# mechanism
|
| 28 |
59 |
user = SynnefoUser.objects.filter(username = request.META[self.auth_user])
|
|
60 |
|
|
61 |
return HttpResponseRedirect(settings.SHIBBOLETH_HOST)
|
| 29 |
62 |
|
| 30 |
|
return HttpResponseRedirect(settings.SIBBOLLETH_HOST)
|
| 31 |
|
|
| 32 |
|
return HttpResponseRedirect(settings.SIBBOLLETH_HOST)
|
|
63 |
#No authentication info found in headers, redirect to Shibboleth
|
|
64 |
return HttpResponseRedirect(settings.SHIBBOLETH_HOST)
|
| 33 |
65 |
|
| 34 |
66 |
def process_response(self, request, response):
|
|
67 |
#Tell proxies and other interested parties that the
|
|
68 |
#request varies based on the auth token, to avoid
|
|
69 |
#caching of results
|
| 35 |
70 |
response['Vary'] = self.auth_key
|
| 36 |
71 |
return response
|
| 37 |
72 |
|