source: mauRepo/dj_security_middleware/tags/0_14/dj_security_middleware/middleware.py @ 8812

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/mauRepo/dj_security_middleware/tags/0_14/dj_security_middleware/middleware.py@8812
Revision 8812, 7.3 KB checked in by mnagni, 6 years ago (diff)
  • Property svn:mime-type set to text/plain
Line 
1'''
2BSD Licence
3Copyright (c) 2012, Science & Technology Facilities Council (STFC)
4All rights reserved.
5
6Redistribution and use in source and binary forms, with or without modification,
7are permitted provided that the following conditions are met:
8
9    * Redistributions of source code must retain the above copyright notice,
10        this list of conditions and the following disclaimer.
11    * Redistributions in binary form must reproduce the above copyright notice,
12        this list of conditions and the following disclaimer in the documentation
13        and/or other materials provided with the distribution.
14    * Neither the name of the Science & Technology Facilities Council (STFC)
15        nor the names of its contributors may be used to endorse or promote
16        products derived from this software without specific prior written permission.
17
18THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
19AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
20THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
21PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
22BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
23OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
26OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
27OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28
29Created on 2 Nov 2012
30
31@author: mnagni
32'''
33from paste.auth import auth_tkt
34from paste.auth.auth_tkt import BadTicket
35from django.conf import settings
36
37from django.utils.http import urlencode
38from django.http import HttpResponseRedirect
39
40from dj_security_middleware.exception import DJMiddlewareException,\
41    MissingCookieException
42from dj_security_middleware import _get_host_ip, security_filter, \
43auth_tkt_name, shared_secret, token_field_name, redirect_field_name, \
44cookie_domain, login_service
45
46import socket
47import logging
48import re
49import urllib
50
51DJ_SECURITY_SHAREDSECRET_ERROR = 'No SECURITY_SHAREDSECRET parameter \
52is defined in the application settings.py file. \
53Please define it accordingly to the used LOGIN_SERVICE'
54
55AUTHENTICATION_COOKIE_MISSING = 'The expected cookie is missing. \
56Redirect to the authentication service'
57
58DJ_MIDDLEWARE_IP_ERROR = 'No DJ_MIDDLEWARE_IP parameter \
59is defined in the application settings.py file. \
60Please define it accordingly to the machine/proxy seen by the LOGIN_SERVICE'
61
62LOGOUT = 'logout'
63
64LOGGER = logging.getLogger(__name__)
65
66def preapare_user_for_session(request, timestamp, userid, tokens, user_data):
67    request.authenticated_user = {'timestamp': timestamp, \
68                                     'userid': userid, \
69                                     'tokens': tokens, \
70                                     'user_data': user_data}
71    LOGGER.debug("stored in request - userid:%s, user_data:%s" % (userid, user_data))
72    request.session['accountid'] = userid
73
74class DJ_Security_Middleware(object):
75    """
76        Validates if the actual user is authenticated agains a
77        given authentication service.
78        Actually the middleware intercepts all the requests submitted
79        to the underlying Django application and verifies if the presence
80        or not of a valid paste cookie in the request.
81    """
82
83    def process_request(self, request):
84        login_service()
85       
86        #Has to process a reset password request?
87        if len(request.REQUEST.get(LOGOUT, '')) > 0:
88            response = HttpResponseRedirect(_build_url(request))           
89            response.delete_cookie(auth_tkt_name(), domain = cookie_domain())
90            return response
91
92        request.session['accountid'] = None
93        url_fiters = getattr(settings, 'DJ_SECURITY_FILTER', [])
94       
95        #adds a default filter for reset password request
96        reset_regexpr = '%s=[a-f0-9-]*$' % (token_field_name())
97        if reset_regexpr not in security_filter():
98            url_fiters.append(reset_regexpr)
99       
100        if url_fiters \
101            and filter(_build_url(request), url_fiters):
102            return
103       
104        custom_auth = getattr(settings, 'DJ_SECURITY_AUTH_CHECK', None)
105        if custom_auth:
106            try:
107                if custom_auth(request):
108                    return
109            #Cannot specify the Exception type as don't know the
110            # exceptions type raised by custom_auth                 
111            except Exception:
112                pass
113       
114        #if not settings.DJ_MIDDLEWARE_IP:
115        #    raise DJMiddlewareException(DJ_MIDDLEWARE_IP_ERROR)       
116         
117        try:
118            qs = {redirect_field_name():
119                  urllib.quote_plus((_build_url(request)))}             
120            url = '%s?%s' % (login_service(),
121                             urlencode(qs))
122            timestamp, userid, tokens, user_data = _is_authenticated(request)
123            preapare_user_for_session(request,
124                                      timestamp,
125                                      userid,
126                                      tokens,
127                                      user_data)
128        except MissingCookieException as ex:
129            LOGGER.info("Missing cookie '%s'. Redirecting to %s" % (auth_tkt_name(), url))
130            return HttpResponseRedirect(url)
131        except DJMiddlewareException as ex:                   
132            LOGGER.info("Error in authentication. Redirecting to %s" % (url))
133            return HttpResponseRedirect(url)           
134
135
136           
137    def process_response(self, request, response):
138        return response
139
140def _build_url(request):
141    hostname = socket.getfqdn()
142    new_get = request.GET.copy()
143    if new_get.has_key(LOGOUT):
144        new_get.pop(LOGOUT)
145    if request.META['SERVER_PORT'] != 80:
146        hostname = "%s:%s" % (hostname, request.META['SERVER_PORT'])
147    return 'http://%s%s?%s' % (hostname,
148                               request.path,
149                               urllib.urlencode(new_get))
150
151def _is_authenticated(request):
152    """
153        Verifies the presence and validity of a paste cookie.
154        If the cookie is not present the request is redirected
155        to the url specified in LOGIN_SERVICE
156        ** Return ** a tuple containing (timestamp, userid, tokens, user_data)
157        ** raise ** a DJ_SecurityException if the ticket is not valid
158    """
159    if auth_tkt_name() in request.COOKIES:
160        LOGGER.debug("Found cookie '%s': %s in cookies" \
161                     % (auth_tkt_name(), request.COOKIES.get(auth_tkt_name())))
162        try:
163           
164            return auth_tkt.parse_ticket(
165                    shared_secret(),
166                    request.COOKIES.get(auth_tkt_name(), ''),
167                    request.environ.get('REMOTE_ADDR'))
168        except BadTicket as ex:
169            raise DJMiddlewareException(ex)
170    raise MissingCookieException(AUTHENTICATION_COOKIE_MISSING)
171
172def filter(string, filters):
173    """
174        Checks a given strings against a list of strings.
175        ** string ** string a url
176        ** filters ** a list of strings
177    """
178    for ifilter in filters:
179        if re.search(ifilter, string):
180            return True
Note: See TracBrowser for help on using the repository browser.