2017-01-17 02:38:56 +00:00
|
|
|
from django.conf import settings
|
2014-12-17 06:29:29 +00:00
|
|
|
from django.contrib.auth.middleware import RemoteUserMiddleware
|
|
|
|
|
from django.core.exceptions import ImproperlyConfigured
|
2016-03-24 08:25:45 +00:00
|
|
|
from django.core.urlresolvers import reverse
|
|
|
|
|
from django.http import HttpResponseRedirect
|
2017-06-05 09:41:30 +00:00
|
|
|
from seaserv import seafile_api
|
2014-12-17 06:29:29 +00:00
|
|
|
|
2015-03-04 23:09:06 +00:00
|
|
|
from shibboleth.app_settings import SHIB_ATTRIBUTE_MAP, LOGOUT_SESSION_KEY, SHIB_USER_HEADER
|
2014-12-17 06:29:29 +00:00
|
|
|
|
2014-12-17 06:40:16 +00:00
|
|
|
from seahub import auth
|
2017-01-17 02:38:56 +00:00
|
|
|
from seahub.base.accounts import User
|
2015-05-05 05:42:03 +00:00
|
|
|
from seahub.base.sudo_mode import update_sudo_mode_ts
|
2016-01-27 05:21:03 +00:00
|
|
|
from seahub.profile.models import Profile
|
2017-06-05 09:41:30 +00:00
|
|
|
from seahub.utils.file_size import get_quota_from_string
|
|
|
|
|
from seahub.utils.user_permissions import get_user_role
|
|
|
|
|
|
2014-12-17 06:40:16 +00:00
|
|
|
|
2014-12-17 06:29:29 +00:00
|
|
|
class ShibbolethRemoteUserMiddleware(RemoteUserMiddleware):
|
|
|
|
|
"""
|
|
|
|
|
Authentication Middleware for use with Shibboleth. Uses the recommended pattern
|
|
|
|
|
for remote authentication from: http://code.djangoproject.com/svn/django/tags/releases/1.3/django/contrib/auth/middleware.py
|
|
|
|
|
"""
|
2014-12-17 06:42:02 +00:00
|
|
|
def __init__(self, *a, **kw):
|
|
|
|
|
super(ShibbolethRemoteUserMiddleware, self).__init__(*a, **kw)
|
|
|
|
|
|
2014-12-17 06:29:29 +00:00
|
|
|
def process_request(self, request):
|
|
|
|
|
# AuthenticationMiddleware is required so that request.user exists.
|
|
|
|
|
if not hasattr(request, 'user'):
|
|
|
|
|
raise ImproperlyConfigured(
|
|
|
|
|
"The Django remote user auth middleware requires the"
|
|
|
|
|
" authentication middleware to be installed. Edit your"
|
|
|
|
|
" MIDDLEWARE_CLASSES setting to insert"
|
|
|
|
|
" 'django.contrib.auth.middleware.AuthenticationMiddleware'"
|
|
|
|
|
" before the RemoteUserMiddleware class.")
|
|
|
|
|
|
|
|
|
|
#To support logout. If this variable is True, do not
|
|
|
|
|
#authenticate user and return now.
|
|
|
|
|
if request.session.get(LOGOUT_SESSION_KEY) == True:
|
|
|
|
|
return
|
|
|
|
|
else:
|
|
|
|
|
#Delete the shib reauth session key if present.
|
2015-05-05 05:42:03 +00:00
|
|
|
request.session.pop(LOGOUT_SESSION_KEY, None)
|
2014-12-17 06:29:29 +00:00
|
|
|
|
|
|
|
|
#Locate the remote user header.
|
2015-04-02 12:45:32 +00:00
|
|
|
# import pprint; pprint.pprint(request.META)
|
2014-12-17 06:29:29 +00:00
|
|
|
try:
|
2015-03-04 23:09:06 +00:00
|
|
|
username = request.META[SHIB_USER_HEADER]
|
2014-12-17 06:29:29 +00:00
|
|
|
except KeyError:
|
|
|
|
|
# If specified header doesn't exist then return (leaving
|
|
|
|
|
# request.user set to AnonymousUser by the
|
|
|
|
|
# AuthenticationMiddleware).
|
|
|
|
|
return
|
2016-01-27 05:21:03 +00:00
|
|
|
|
2014-12-17 06:29:29 +00:00
|
|
|
# If the user is already authenticated and that user is the user we are
|
|
|
|
|
# getting passed in the headers, then the correct user is already
|
|
|
|
|
# persisted in the session and we don't need to continue.
|
|
|
|
|
if request.user.is_authenticated():
|
2014-12-17 06:40:16 +00:00
|
|
|
if request.user.username == username:
|
2015-05-05 05:42:03 +00:00
|
|
|
if request.user.is_staff:
|
|
|
|
|
update_sudo_mode_ts(request)
|
2014-12-17 06:29:29 +00:00
|
|
|
return
|
|
|
|
|
|
|
|
|
|
# Make sure we have all required Shiboleth elements before proceeding.
|
|
|
|
|
shib_meta, error = self.parse_attributes(request)
|
|
|
|
|
# Add parsed attributes to the session.
|
|
|
|
|
request.session['shib'] = shib_meta
|
|
|
|
|
if error:
|
|
|
|
|
raise ShibbolethValidationError("All required Shibboleth elements"
|
|
|
|
|
" not found. %s" % shib_meta)
|
|
|
|
|
|
|
|
|
|
# We are seeing this user for the first time in this session, attempt
|
|
|
|
|
# to authenticate the user.
|
|
|
|
|
user = auth.authenticate(remote_user=username, shib_meta=shib_meta)
|
|
|
|
|
if user:
|
2016-03-24 08:25:45 +00:00
|
|
|
if not user.is_active:
|
2016-05-17 09:47:07 +00:00
|
|
|
return HttpResponseRedirect(reverse('shib_complete'))
|
2016-03-24 08:25:45 +00:00
|
|
|
|
2014-12-17 06:29:29 +00:00
|
|
|
# User is valid. Set request.user and persist user in the session
|
|
|
|
|
# by logging the user in.
|
|
|
|
|
request.user = user
|
|
|
|
|
auth.login(request, user)
|
|
|
|
|
user.set_unusable_password()
|
|
|
|
|
user.save()
|
|
|
|
|
# call make profile.
|
|
|
|
|
self.make_profile(user, shib_meta)
|
2017-06-05 09:41:30 +00:00
|
|
|
user_role = self.update_user_role(user, shib_meta)
|
|
|
|
|
self.update_user_quota(user, user_role)
|
2014-12-17 06:29:29 +00:00
|
|
|
#setup session.
|
|
|
|
|
self.setup_session(request)
|
2015-04-02 12:45:32 +00:00
|
|
|
request.shib_login = True
|
2014-12-17 06:42:02 +00:00
|
|
|
|
|
|
|
|
def process_response(self, request, response):
|
2015-04-02 12:45:32 +00:00
|
|
|
if getattr(request, 'shib_login', False):
|
|
|
|
|
print '%s: set shibboleth cookie!' % id(self)
|
2014-12-17 06:42:02 +00:00
|
|
|
self._set_auth_cookie(request, response)
|
|
|
|
|
return response
|
|
|
|
|
|
|
|
|
|
def _set_auth_cookie(self, request, response):
|
2015-02-26 12:44:48 +00:00
|
|
|
from seahub.api2.utils import get_token_v1, get_token_v2
|
|
|
|
|
# generate tokenv2 using information in request params
|
|
|
|
|
keys = (
|
|
|
|
|
'platform',
|
|
|
|
|
'device_id',
|
|
|
|
|
'device_name',
|
|
|
|
|
'client_version',
|
|
|
|
|
'platform_version',
|
|
|
|
|
)
|
|
|
|
|
if all(['shib_' + key in request.GET for key in keys]):
|
|
|
|
|
platform = request.GET['shib_platform']
|
|
|
|
|
device_id = request.GET['shib_device_id']
|
|
|
|
|
device_name = request.GET['shib_device_name']
|
|
|
|
|
client_version = request.GET['shib_client_version']
|
|
|
|
|
platform_version = request.GET['shib_platform_version']
|
|
|
|
|
token = get_token_v2(
|
|
|
|
|
request, request.user.username, platform, device_id,
|
|
|
|
|
device_name, client_version, platform_version)
|
|
|
|
|
elif all(['shib_' + key not in request.GET for key in keys]):
|
2015-04-07 02:25:31 +00:00
|
|
|
token = get_token_v1(request.user.username)
|
2015-02-26 12:44:48 +00:00
|
|
|
else:
|
|
|
|
|
return
|
2014-12-17 06:42:02 +00:00
|
|
|
response.set_cookie('seahub_auth', request.user.username + '@' + token.key)
|
2014-12-17 06:29:29 +00:00
|
|
|
|
|
|
|
|
def make_profile(self, user, shib_meta):
|
|
|
|
|
"""
|
2016-01-27 05:21:03 +00:00
|
|
|
Extrat nickname(givenname surname), contact_email, institution from
|
|
|
|
|
Shib attributs, and add those to user profile.
|
2014-12-17 06:29:29 +00:00
|
|
|
"""
|
2016-02-23 06:26:10 +00:00
|
|
|
# use `display_name` as nickname in shib_meta first
|
|
|
|
|
nickname = shib_meta.get('display_name', None)
|
|
|
|
|
if nickname is None:
|
|
|
|
|
# otherwise, fallback to givenname plus surname in shib_meta
|
|
|
|
|
givenname = shib_meta.get('givenname', '')
|
|
|
|
|
surname = shib_meta.get('surname', '')
|
|
|
|
|
nickname = "%s %s" % (givenname, surname)
|
|
|
|
|
|
2016-01-27 05:21:03 +00:00
|
|
|
institution = shib_meta.get('institution', None)
|
|
|
|
|
contact_email = shib_meta.get('contact_email', None)
|
|
|
|
|
|
|
|
|
|
p = Profile.objects.get_profile_by_user(user.username)
|
|
|
|
|
if not p:
|
|
|
|
|
p = Profile(user=user.username)
|
|
|
|
|
|
2016-02-23 06:26:10 +00:00
|
|
|
if nickname.strip(): # set nickname when it's not empty
|
|
|
|
|
p.nickname = nickname
|
|
|
|
|
|
2016-01-27 05:21:03 +00:00
|
|
|
if institution:
|
|
|
|
|
p.institution = institution
|
|
|
|
|
if contact_email:
|
|
|
|
|
p.contact_email = contact_email
|
|
|
|
|
|
|
|
|
|
p.save()
|
2014-12-17 06:29:29 +00:00
|
|
|
|
2017-01-17 02:38:56 +00:00
|
|
|
def update_user_role(self, user, shib_meta):
|
|
|
|
|
affiliation = shib_meta.get('affiliation', '')
|
|
|
|
|
if not affiliation:
|
|
|
|
|
return
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
role_map = settings.SHIBBOLETH_AFFILIATION_ROLE_MAP
|
|
|
|
|
except AttributeError:
|
|
|
|
|
return
|
|
|
|
|
|
|
|
|
|
for e in affiliation.split(';'):
|
|
|
|
|
role = role_map.get(e)
|
|
|
|
|
if role:
|
|
|
|
|
User.objects.update_role(user.email, role)
|
2017-06-05 09:41:30 +00:00
|
|
|
return role
|
|
|
|
|
|
|
|
|
|
def update_user_quota(self, user, user_role):
|
|
|
|
|
if user.permissions.role_quota():
|
|
|
|
|
quota = get_quota_from_string(user.permissions.role_quota())
|
|
|
|
|
seafile_api.set_role_quota(user_role, quota)
|
|
|
|
|
else:
|
|
|
|
|
return
|
2017-01-17 02:38:56 +00:00
|
|
|
|
2014-12-17 06:29:29 +00:00
|
|
|
def setup_session(self, request):
|
|
|
|
|
"""
|
|
|
|
|
If you want to add custom code to setup user sessions, you
|
|
|
|
|
can extend this.
|
|
|
|
|
"""
|
|
|
|
|
return
|
|
|
|
|
|
|
|
|
|
def parse_attributes(self, request):
|
|
|
|
|
"""
|
|
|
|
|
Parse the incoming Shibboleth attributes.
|
|
|
|
|
From: https://github.com/russell/django-shibboleth/blob/master/django_shibboleth/utils.py
|
|
|
|
|
Pull the mapped attributes from the apache headers.
|
|
|
|
|
"""
|
|
|
|
|
shib_attrs = {}
|
|
|
|
|
error = False
|
|
|
|
|
meta = request.META
|
|
|
|
|
for header, attr in SHIB_ATTRIBUTE_MAP.items():
|
|
|
|
|
required, name = attr
|
|
|
|
|
value = meta.get(header, None)
|
|
|
|
|
shib_attrs[name] = value
|
|
|
|
|
if not value or value == '':
|
|
|
|
|
if required:
|
|
|
|
|
error = True
|
|
|
|
|
return shib_attrs, error
|
|
|
|
|
|
|
|
|
|
class ShibbolethValidationError(Exception):
|
|
|
|
|
pass
|
