source: mauRepo/dj_security_middleware/trunk/dj_security_middleware/dj_security_middleware/middleware.py @ 8725

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg/mauRepo/dj_security_middleware/trunk/dj_security_middleware/dj_security_middleware/middleware.py@8725
Revision 8725, 7.7 KB checked in by mnagni, 6 years ago (diff)

Incomplete - # 22614: [CEDA Site Python Port] Dataset application - fix layout
 http://team.ceda.ac.uk/trac/ceda/ticket/22614

minimal update to logging

  • Property svn:mime-type set to text/plain
Line 
1'''
2BSD Licence
3Copyright (c) 2012, Science & Technology Facilities Council (STFC)
4All rights reserved.
5
6Redistribution and use in source and binary forms, with or without modification,
7are permitted provided that the following conditions are met:
8
9    * Redistributions of source code must retain the above copyright notice,
10        this list of conditions and the following disclaimer.
11    * Redistributions in binary form must reproduce the above copyright notice,
12        this list of conditions and the following disclaimer in the documentation
13        and/or other materials provided with the distribution.
14    * Neither the name of the Science & Technology Facilities Council (STFC)
15        nor the names of its contributors may be used to endorse or promote
16        products derived from this software without specific prior written permission.
17
18THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
19AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
20THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
21PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
22BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
23OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
24SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
26OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
27OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28
29Created on 2 Nov 2012
30
31@author: mnagni
32'''
33from paste.auth import auth_tkt
34from paste.auth.auth_tkt import BadTicket
35from django.conf import settings
36from dj_security_middleware.exception import DJMiddlewareException,\
37    MissingCookieException
38from django.utils.http import urlencode
39from django.http import HttpResponseRedirect
40import socket
41import logging
42import urlparse
43import re
44import base64
45
46# Get an instance of a logger
47LOGGER = logging.getLogger()
48
49LOGIN_SERVICE_ERROR = 'No LOGIN_SETTING parameter is defined in the \
50application settings.py file. Please define a proper URL to the \
51authenticating service'
52
53DJ_SECURITY_SHAREDSECRET_ERROR = 'No DJ_SECURITY_SHAREDSECRET parameter \
54is defined in the application settings.py file. \
55Please define it accordingly to the used LOGIN_SERVICE'
56
57AUTHENTICATION_COOKIE_MISSING = 'The expected cookie is missing. \
58Redirect to the authentication service'
59
60DJ_MIDDLEWARE_IP_ERROR = 'No DJ_MIDDLEWARE_IP parameter \
61is defined in the application settings.py file. \
62Please define it accordingly to the machine/proxy seen by the LOGIN_SERVICE'
63
64class DJ_Security_Middleware(object):
65    """
66        Validates if the actual user is authenticated agains a
67        given authentication service.
68        Actually the middleware intercepts all the requests submitted
69        to the underlying Django application and verifies if the presence
70        or not of a valid paste cookie in the request.
71    """   
72    def process_request(self, request):
73        url_fiters = getattr(settings, 'DJ_SECURITY_FILTER', None)
74        if url_fiters \
75            and security_url_filter(request.path, url_fiters):
76            return
77       
78        if not getattr(settings, 'DJ_SECURITY_LOGIN_SERVICE', None):
79            raise DJMiddlewareException(LOGIN_SERVICE_ERROR) 
80        if not getattr(settings, 'DJ_SECURITY_SHAREDSECRET', None):
81            raise DJMiddlewareException(DJ_SECURITY_SHAREDSECRET_ERROR)
82       
83        custom_auth = getattr(settings, 'DJ_SECURITY_AUTH_CHECK', None)
84        if custom_auth:
85            try:
86                if custom_auth(request):
87                    return
88            #Cannot specify the Exception type as don't know the
89            # exceptions type raised by custom_auth                 
90            except Exception:
91                pass
92       
93        #if not settings.DJ_MIDDLEWARE_IP:
94        #    raise DJMiddlewareException(DJ_MIDDLEWARE_IP_ERROR)       
95         
96        try:
97            timestamp, userid, tokens, user_data = _is_authenticated(request)
98            request.authenticated_user = {'timestamp': timestamp, \
99                                             'userid': userid, \
100                                             'tokens': tokens, \
101                                             'user_data': user_data}
102            LOGGER.debug("stored in request - userid:%s, user_data:%s" % (userid, user_data))
103            pass
104        except MissingCookieException as ex:
105            LOGGER.info("Missing 'auth_tkt' cookie")
106        except DJMiddlewareException as ex:       
107            LOGGER.info(ex)
108        url = '%s?%s' % (settings.DJ_SECURITY_LOGIN_SERVICE, _build_ret_url(request))
109        LOGGER.info("error in authentication. Redirecting to %s" % (url))
110        return HttpResponseRedirect(url)           
111           
112
113def _build_ret_url(request):
114    hostname = socket.getfqdn()
115    if request.META['SERVER_PORT'] != 80:
116        hostname = "%s:%s" % (hostname, request.META['SERVER_PORT'])
117    qs = {}
118    qs['r'] = base64.b64encode('http://%s%s?%s' % (hostname, request.path, request.GET.urlencode()))
119    return urlencode(qs)           
120
121def _is_authenticated(request):
122    """
123        Verifies the presence and validity of a paste cookie.
124        If the cookie is not present the request is redirected
125        to the url specified in LOGIN_SERVICE
126        ** Return ** a tuple containing (timestamp, userid, tokens, user_data)
127        ** raise ** a DJ_SecurityException if the ticket is not valid
128    """
129    if 'auth_tkt' in request.COOKIES:
130        LOGGER.debug("Found auth_tkt: %s in cookies" % (request.COOKIES.get('auth_tkt')))
131        try:
132           
133            return auth_tkt.parse_ticket(
134                    settings.DJ_SECURITY_SHAREDSECRET,
135                    request.COOKIES.get('auth_tkt', ''),
136                    _get_host_ip())
137        except BadTicket as ex:
138            raise DJMiddlewareException(ex)
139        finally:
140            request.COOKIES.pop('auth_tkt', None)
141    raise MissingCookieException(AUTHENTICATION_COOKIE_MISSING)
142   
143def _calculate_remote_ip(url_path):   
144    remote_url = urlparse.urlparse(url_path)
145    LOGGER.debug("calculating remote_ip for %s" % (str(remote_url)))
146    port = 80
147    host = None
148    if remote_url.netloc:
149        host = remote_url.netloc
150    elif remote_url.path:
151        host = remote_url.path
152       
153    if not host:
154        return None
155   
156    if ':' in host:
157        host, port = host.split(':')
158    addrinfo = socket.getaddrinfo(host, int(port))
159    LOGGER.debug("%s has remote_ip %s" % (url_path, addrinfo[0][-1][0]))
160    for remote_url in addrinfo:
161        if not remote_url[-1][0].startswith('127'):
162            return remote_url[-1][0]
163    return None
164   
165def _get_host_ip():
166    if getattr(settings, 'DJ_MIDDLEWARE_IP', None):
167        return settings.DJ_MIDDLEWARE_IP
168       
169    return _calculate_remote_ip(socket.getfqdn())
170
171def security_url_filter(string, filters):
172    """
173        Checks a given url request against a list of url filters.
174        ** string ** string a url
175        ** filters ** a list of strings
176        ** RETURN ** True if a match is found, False otherwise
177    """
178    try:       
179        result = urlparse.urlparse(string)
180        return _security_filter(result.path, filters)
181    except AttributeError:
182        return False
183
184def _security_filter(string, filters):
185    """
186        Checks a given strings against a list of strings.
187        ** string ** string a url
188        ** filters ** a list of strings
189    """   
190    if not filters or not string or len(string.strip()) == 0:
191        return False
192    if string in filters:
193        return True
194    for ifilter in filters:
195        if re.match(ifilter, string):
196            return True
Note: See TracBrowser for help on using the repository browser.