Revision dd5f8f4d snf-astakos-app/astakos/im/target/shibboleth.py
b/snf-astakos-app/astakos/im/target/shibboleth.py | ||
---|---|---|
45 | 45 |
|
46 | 46 |
from urlparse import urlunsplit, urlsplit |
47 | 47 |
|
48 |
from astakos.im.util import prepare_response, get_context |
|
48 |
from astakos.im.util import prepare_response, get_context, login_url
|
|
49 | 49 |
from astakos.im.views import ( |
50 | 50 |
requires_anonymous, render_response, requires_auth_provider) |
51 | 51 |
from astakos.im.settings import ENABLE_LOCAL_ACCOUNT_MIGRATION, BASEURL |
... | ... | |
54 | 54 |
from astakos.im.activation_backends import get_backend, SimpleBackend |
55 | 55 |
from astakos.im import auth_providers |
56 | 56 |
from astakos.im import settings |
57 |
from astakos.im.target import add_pending_auth_provider, get_pending_key, \ |
|
58 |
handle_third_party_signup |
|
57 | 59 |
|
58 | 60 |
import astakos.im.messages as astakos_messages |
59 |
|
|
60 | 61 |
import logging |
61 | 62 |
|
62 | 63 |
logger = logging.getLogger(__name__) |
63 | 64 |
|
65 |
|
|
64 | 66 |
class Tokens: |
65 | 67 |
# these are mapped by the Shibboleth SP software |
66 | 68 |
SHIB_EPPN = "HTTP_EPPN" # eduPersonPrincipalName |
... | ... | |
72 | 74 |
SHIB_SESSION_ID = "HTTP_SHIB_SESSION_ID" |
73 | 75 |
SHIB_MAIL = "HTTP_SHIB_MAIL" |
74 | 76 |
|
77 |
|
|
75 | 78 |
@requires_auth_provider('shibboleth', login=True) |
76 | 79 |
@require_http_methods(["GET", "POST"]) |
77 | 80 |
def login( |
... | ... | |
82 | 85 |
extra_context = extra_context or {} |
83 | 86 |
|
84 | 87 |
tokens = request.META |
88 |
third_party_key = get_pending_key(request) |
|
85 | 89 |
|
86 | 90 |
try: |
87 | 91 |
eppn = tokens.get(Tokens.SHIB_EPPN) |
... | ... | |
101 | 105 |
raise KeyError(_(astakos_messages.SHIBBOLETH_MISSING_NAME)) |
102 | 106 |
else: |
103 | 107 |
realname = '' |
108 |
|
|
104 | 109 |
except KeyError, e: |
105 | 110 |
# invalid shibboleth headers, redirect to login, display message |
106 | 111 |
messages.error(request, e.message) |
107 |
return HttpResponseRedirect(reverse('login'))
|
|
112 |
return HttpResponseRedirect(login_url(request))
|
|
108 | 113 |
|
109 | 114 |
affiliation = tokens.get(Tokens.SHIB_EP_AFFILIATION, '') |
110 | 115 |
email = tokens.get(Tokens.SHIB_MAIL, '') |
111 | 116 |
provider_info = {'eppn': eppn, 'email': email, 'name': realname} |
117 |
userid = eppn |
|
112 | 118 |
|
113 | 119 |
# an existing user accessed the view |
114 | 120 |
if request.user.is_authenticated(): |
121 |
|
|
115 | 122 |
if request.user.has_auth_provider('shibboleth', identifier=eppn): |
116 | 123 |
return HttpResponseRedirect(reverse('edit_profile')) |
117 | 124 |
|
... | ... | |
136 | 143 |
identifier=eppn |
137 | 144 |
) |
138 | 145 |
if user.is_active: |
146 |
|
|
139 | 147 |
# authenticate user |
140 | 148 |
response = prepare_response(request, |
141 | 149 |
user, |
142 | 150 |
request.GET.get('next'), |
143 | 151 |
'renew' in request.GET) |
144 | 152 |
messages.success(request, _(astakos_messages.LOGIN_SUCCESS)) |
153 |
add_pending_auth_provider(request, third_party_key) |
|
145 | 154 |
response.set_cookie('astakos_last_login_method', 'local') |
146 | 155 |
return response |
147 | 156 |
else: |
148 | 157 |
message = user.get_inactive_message() |
149 | 158 |
messages.error(request, message) |
150 |
return HttpResponseRedirect(reverse('login'))
|
|
159 |
return HttpResponseRedirect(login_url(request))
|
|
151 | 160 |
|
152 | 161 |
except AstakosUser.DoesNotExist, e: |
153 |
provider = auth_providers.get_provider('shibboleth') |
|
154 |
if not provider.is_available_for_create(): |
|
155 |
messages.error(request, |
|
156 |
_(astakos_messages.AUTH_PROVIDER_INVALID_LOGIN)) |
|
157 |
return HttpResponseRedirect(reverse('login')) |
|
158 |
|
|
159 |
# eppn not stored in astakos models, create pending profile |
|
160 |
user, created = PendingThirdPartyUser.objects.get_or_create( |
|
161 |
third_party_identifier=eppn, |
|
162 |
provider='shibboleth' |
|
163 |
) |
|
164 |
# update pending user |
|
165 |
user.realname = realname |
|
166 |
user.affiliation = affiliation |
|
167 |
user.email = email |
|
168 |
user.info = json.dumps(provider_info) |
|
169 |
user.generate_token() |
|
170 |
user.save() |
|
171 |
|
|
172 |
extra_context['provider'] = 'shibboleth' |
|
173 |
extra_context['provider_title'] = provider.get_title_display |
|
174 |
extra_context['token'] = user.token |
|
175 |
extra_context['signup_url'] = reverse('signup') + \ |
|
176 |
"?third_party_token=%s" % user.token |
|
177 |
extra_context['add_url'] = reverse('index') + \ |
|
178 |
"?key=%s#other-login-methods" % user.token |
|
179 |
extra_context['can_create'] = provider.is_available_for_create() |
|
180 |
extra_context['can_add'] = provider.is_available_for_add() |
|
181 |
|
|
182 |
|
|
183 |
return render_response( |
|
184 |
template, |
|
185 |
context_instance=get_context(request, extra_context) |
|
186 |
) |
|
162 |
user_info = {'affiliation': affiliation, 'realname': realname} |
|
163 |
return handle_third_party_signup(request, userid, 'shibboleth', |
|
164 |
third_party_key, |
|
165 |
provider_info, |
|
166 |
user_info, |
|
167 |
template, |
|
168 |
extra_context) |
|
187 | 169 |
|
Also available in: Unified diff