Statistics
| Branch: | Tag: | Revision:

root / api / middleware.py @ faa26af8

History | View | Annotate | Download (3.3 kB)

1
from time import time
2
from django.conf import settings
3
from django.http import HttpResponse, HttpResponseRedirect
4
from synnefo.db.models import SynnefoUser
5
from synnefo.logic.shibboleth import Tokens, register_shibboleth_user
6
import time
7

    
8
class SynnefoAuthMiddleware(object):
9

    
10
    auth_token = "X-Auth-Token"
11
    auth_user  = "X-Auth-User"
12
    auth_key   = "X-Auth-Key"
13

    
14
    def process_request(self, request):
15

    
16
        if self.auth_token in request.META:
17
            user = None
18
            #Retrieve user from DB or other caching mechanism
19
            try:
20
                user = SynnefoUser.objects.get(auth_token = request.META[self.auth_token])
21
            except SynnefoUser.DoesNotExist:
22
                return HttpResponseRedirect(settings.SHIBBOLETH_HOST)
23

    
24
            #Check user's auth token
25
            if (time.time() -
26
                time.mktime(user.auth_token_created.timetuple()) +
27
                settings.AUTH_TOKEN_DURATION * 3600) > 0:
28
                #The user's token has expired, re-login
29
                return HttpResponseRedirect(settings.SHIBBOLETH_HOST)
30

    
31
            request.user = user
32
            return
33

    
34
        #A user authenticated by Shibboleth, must include a uniq id
35
        if Tokens.SIB_EDU_PERSON_PRINCIPAL_NAME in request.META:
36
            #TODO: We must somehow make sure that we only process
37
            #      SIB headers when coming from a URL whitelist,
38
            #      or a similar form of restriction
39
            if request.get_host() not in settings.SHIBBOLETH_WHITELIST.keys():
40
                return HttpResponseRedirect(settings.SHIBBOLETH_HOST)
41

    
42
            user = None
43
            try:
44
                user = SynnefoUser.objects.get(
45
                    uniq = request.META[Tokens.SIB_EDU_PERSON_PRINCIPAL_NAME])
46
            except SynnefoUser.DoesNotExist:
47
                pass
48

    
49
            #No user with this id could be found in the database
50
            if user is None:
51
                #Try to register incoming user
52
                if register_shibboleth_user(request.META):
53
                    #Registration succeded, user allowed to proceed
54
                    return
55
                #Registration failed, redirect to Shibboleth
56
                return HttpResponseRedirect(settings.SHIBBOLETH_HOST)
57

    
58
            #User and authentication token valid, user allowed to proceed
59
            return
60
            
61
        #An API authentication request
62
        if self.auth_user in request.META and 'X-Auth-Key' in request.META \
63
           and '/v1.1' == request.path and 'GET' == request.method:
64
            # This is here merely for compatibility with the Openstack API.
65
            # All normal users should authenticate through Sibbolleth. Admin
66
            # users or other selected users could use this as a bypass
67
            # mechanism
68
            user = SynnefoUser.objects.filter(username = request.META[self.auth_user])
69
            
70
            return HttpResponseRedirect(settings.SHIBBOLETH_HOST)
71

    
72
        #No authentication info found in headers, redirect to Shibboleth
73
        return HttpResponseRedirect(settings.SHIBBOLETH_HOST)
74

    
75
    def process_response(self, request, response):
76
        #Tell proxies and other interested parties that the
77
        #request varies based on the auth token, to avoid
78
        #caching of results
79
        response['Vary'] = self.auth_key
80
        return response