source: mauRepo/dj_security_middleware/tags/v_0_0_9/trunk/dj_security_middleware/middleware.py @ 8756

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/mauRepo/dj_security_middleware/tags/v_0_0_9/trunk/dj_security_middleware/middleware.py@8756
Revision 8756, 8.3 KB checked in by mnagni, 8 years ago (diff)
  • Property svn:mime-type set to text/plain
Line 
1'''
2BSD Licence
3Copyright (c) 2012, Science & Technology Facilities Council (STFC)
4All rights reserved.
5
6Redistribution and use in source and binary forms, with or without modification,
7are permitted provided that the following conditions are met:
8
9    * Redistributions of source code must retain the above copyright notice,
10        this list of conditions and the following disclaimer.
11    * Redistributions in binary form must reproduce the above copyright notice,
12        this list of conditions and the following disclaimer in the documentation
13        and/or other materials provided with the distribution.
14    * Neither the name of the Science & Technology Facilities Council (STFC)
15        nor the names of its contributors may be used to endorse or promote
16        products derived from this software without specific prior written permission.
17
18THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
19AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
20THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
21PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
22BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
23OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
26OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
27OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28
29Created on 2 Nov 2012
30
31@author: mnagni
32'''
33from paste.auth import auth_tkt
34from paste.auth.auth_tkt import BadTicket
35from django.conf import settings
36from dj_security_middleware.exception import DJMiddlewareException,\
37    MissingCookieException
38from django.utils.http import urlencode
39from django.http import HttpResponseRedirect
40import socket
41import logging
42import urlparse
43import re
44import base64
45
46# Get an instance of a logger
47LOGGER = logging.getLogger()
48
49LOGIN_SERVICE_ERROR = 'No LOGIN_SETTING parameter is defined in the \
50application settings.py file. Please define a proper URL to the \
51authenticating service'
52
53DJ_SECURITY_SHAREDSECRET_ERROR = 'No DJ_SECURITY_SHAREDSECRET parameter \
54is defined in the application settings.py file. \
55Please define it accordingly to the used LOGIN_SERVICE'
56
57AUTHENTICATION_COOKIE_MISSING = 'The expected cookie is missing. \
58Redirect to the authentication service'
59
60DJ_MIDDLEWARE_IP_ERROR = 'No DJ_MIDDLEWARE_IP parameter \
61is defined in the application settings.py file. \
62Please define it accordingly to the machine/proxy seen by the LOGIN_SERVICE'
63
64AUTH_TKT = 'auth_tkt'
65
66LOGOUT = 'logout'
67
68class DJ_Security_Middleware(object):
69    """
70        Validates if the actual user is authenticated agains a
71        given authentication service.
72        Actually the middleware intercepts all the requests submitted
73        to the underlying Django application and verifies if the presence
74        or not of a valid paste cookie in the request.
75    """   
76    def process_request(self, request):
77        if len(request.REQUEST.get(LOGOUT, '')) > 0:
78            response = HttpResponseRedirect(_build_url(request))           
79            response.delete_cookie(AUTH_TKT,
80                                   domain=getattr(settings,
81                                                  'COOKIE_DOMAIN',
82                                                  'rl.ac.uk'))
83            return response
84
85        request.session['accountid'] = None
86        url_fiters = getattr(settings, 'DJ_SECURITY_FILTER', None)
87        if url_fiters \
88            and security_url_filter(request.path, url_fiters):
89            return
90       
91        if not getattr(settings, 'DJ_SECURITY_LOGIN_SERVICE', None):
92            raise DJMiddlewareException(LOGIN_SERVICE_ERROR) 
93        if not getattr(settings, 'DJ_SECURITY_SHAREDSECRET', None):
94            raise DJMiddlewareException(DJ_SECURITY_SHAREDSECRET_ERROR)
95       
96        custom_auth = getattr(settings, 'DJ_SECURITY_AUTH_CHECK', None)
97        if custom_auth:
98            try:
99                if custom_auth(request):
100                    return
101            #Cannot specify the Exception type as don't know the
102            # exceptions type raised by custom_auth                 
103            except Exception:
104                pass
105       
106        #if not settings.DJ_MIDDLEWARE_IP:
107        #    raise DJMiddlewareException(DJ_MIDDLEWARE_IP_ERROR)       
108         
109        try:
110            timestamp, userid, tokens, user_data = _is_authenticated(request)
111            request.authenticated_user = {'timestamp': timestamp, \
112                                             'userid': userid, \
113                                             'tokens': tokens, \
114                                             'user_data': user_data}
115            LOGGER.debug("stored in request - userid:%s, user_data:%s" % (userid, user_data))
116            request.session['accountid'] = userid
117        except MissingCookieException as ex:
118            LOGGER.info("Missing 'auth_tkt' cookie")
119        except DJMiddlewareException as ex:       
120            LOGGER.info(ex)
121            url = '%s?%s' % (settings.DJ_SECURITY_LOGIN_SERVICE, _build_login_url(request))
122            LOGGER.info("error in authentication. Redirecting to %s" % (url))
123            return HttpResponseRedirect(url)           
124           
125    def process_response(self, request, response):
126        return response
127
128def _build_url(request):
129    hostname = socket.getfqdn()
130    if request.META['SERVER_PORT'] != 80:
131        hostname = "%s:%s" % (hostname, request.META['SERVER_PORT'])
132    return 'http://%s%s?%s' % (hostname, request.path, request.GET.urlencode())
133
134def _build_login_url(request):
135    qs = {}
136    qs['r'] = base64.b64encode(_build_url(request))
137    return urlencode(qs)           
138
139def _is_authenticated(request):
140    """
141        Verifies the presence and validity of a paste cookie.
142        If the cookie is not present the request is redirected
143        to the url specified in LOGIN_SERVICE
144        ** Return ** a tuple containing (timestamp, userid, tokens, user_data)
145        ** raise ** a DJ_SecurityException if the ticket is not valid
146    """
147    if AUTH_TKT in request.COOKIES:
148        LOGGER.debug("Found auth_tkt: %s in cookies" % (request.COOKIES.get('auth_tkt')))
149        try:
150           
151            return auth_tkt.parse_ticket(
152                    settings.DJ_SECURITY_SHAREDSECRET,
153                    request.COOKIES.get(AUTH_TKT, ''),
154                    _get_host_ip())
155        except BadTicket as ex:
156            raise DJMiddlewareException(ex)
157    raise MissingCookieException(AUTHENTICATION_COOKIE_MISSING)
158   
159def _calculate_remote_ip(url_path):   
160    remote_url = urlparse.urlparse(url_path)
161    LOGGER.debug("calculating remote_ip for %s" % (str(remote_url)))
162    port = 80
163    host = None
164    if remote_url.netloc:
165        host = remote_url.netloc
166    elif remote_url.path:
167        host = remote_url.path
168       
169    if not host:
170        return None
171   
172    if ':' in host:
173        host, port = host.split(':')
174    addrinfo = socket.getaddrinfo(host, int(port))
175    LOGGER.debug("%s has remote_ip %s" % (url_path, addrinfo[0][-1][0]))
176    for remote_url in addrinfo:
177        if not remote_url[-1][0].startswith('127'):
178            return remote_url[-1][0]
179    return None
180   
181def _get_host_ip():
182    if getattr(settings, 'DJ_MIDDLEWARE_IP', None):
183        return settings.DJ_MIDDLEWARE_IP
184       
185    return _calculate_remote_ip(socket.getfqdn())
186
187def security_url_filter(string, filters):
188    """
189        Checks a given url request against a list of url filters.
190        ** string ** string a url
191        ** filters ** a list of strings
192        ** RETURN ** True if a match is found, False otherwise
193    """
194    try:       
195        result = urlparse.urlparse(string)
196        return _security_filter(result.path, filters)
197    except AttributeError:
198        return False
199
200def _security_filter(string, filters):
201    """
202        Checks a given strings against a list of strings.
203        ** string ** string a url
204        ** filters ** a list of strings
205    """   
206    if not filters or not string or len(string.strip()) == 0:
207        return False
208    if string in filters:
209        return True
210    for ifilter in filters:
211        if re.match(ifilter, string):
212            return True
Note: See TracBrowser for help on using the repository browser.