mirror of
https://github.com/YunoHost-Apps/django-for-runners_ynh.git
synced 2024-09-03 18:26:16 +02:00
remove obsolete auth script
This commit is contained in:
parent
c7c5aa877a
commit
478b7d1a6e
3 changed files with 0 additions and 187 deletions
|
@ -1,185 +0,0 @@
|
||||||
"""
|
|
||||||
* remote user authentication backend
|
|
||||||
* remote user middleware
|
|
||||||
|
|
||||||
Note: SSOwat/nginx add authentication headers:
|
|
||||||
|
|
||||||
'HTTP_AUTHORIZATION': 'Basic XXXXXXXXXXXXXXXX='
|
|
||||||
'HTTP_AUTH_USER': 'username'
|
|
||||||
'HTTP_REMOTE_USER': 'username'
|
|
||||||
|
|
||||||
Basic auth contains "{username}:{plaintext-password}"
|
|
||||||
|
|
||||||
and we get SSOwat cookies like:
|
|
||||||
|
|
||||||
'HTTP_COOKIE': 'SSOwAuthUser=username; '
|
|
||||||
'SSOwAuthHash=593876aa66...99e69f88af1e; '
|
|
||||||
'SSOwAuthExpire=1609227697.998; '
|
|
||||||
|
|
||||||
* Login a user via HTTP_REMOTE_USER header, but check also username in:
|
|
||||||
* SSOwAuthUser
|
|
||||||
* HTTP_AUTH_USER
|
|
||||||
* HTTP_AUTHORIZATION (Basic auth)
|
|
||||||
* Create new users
|
|
||||||
* Update Email, First / Last name for existing users
|
|
||||||
"""
|
|
||||||
import base64
|
|
||||||
import logging
|
|
||||||
|
|
||||||
from axes.exceptions import AxesBackendPermissionDenied
|
|
||||||
from django.contrib.auth.backends import RemoteUserBackend as OriginRemoteUserBackend
|
|
||||||
from django.contrib.auth.middleware import RemoteUserMiddleware as OriginRemoteUserMiddleware
|
|
||||||
from django.core.exceptions import ValidationError
|
|
||||||
from inventory.permissions import get_or_create_normal_user_group
|
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
|
||||||
|
|
||||||
|
|
||||||
def update_user_profile(request):
|
|
||||||
"""
|
|
||||||
Update existing user information:
|
|
||||||
* Email
|
|
||||||
* First / Last name
|
|
||||||
"""
|
|
||||||
user = request.user
|
|
||||||
assert user.is_authenticated
|
|
||||||
|
|
||||||
update_fields = []
|
|
||||||
|
|
||||||
if not user.password:
|
|
||||||
# Empty password is not valid, so we can't save the model, because of full_clean() call
|
|
||||||
logger.info('Set unusable password for user: %s', user)
|
|
||||||
user.set_unusable_password()
|
|
||||||
update_fields.append('password')
|
|
||||||
|
|
||||||
email = request.META.get('HTTP_EMAIL')
|
|
||||||
if email and user.email != email:
|
|
||||||
logger.info('Update email: %r -> %r', user.email, email)
|
|
||||||
user.email = email
|
|
||||||
update_fields.append('email')
|
|
||||||
|
|
||||||
raw_username = request.META.get('HTTP_NAME')
|
|
||||||
if raw_username:
|
|
||||||
if ' ' in raw_username:
|
|
||||||
first_name, last_name = raw_username.split(' ', 1)
|
|
||||||
else:
|
|
||||||
first_name = ''
|
|
||||||
last_name = raw_username
|
|
||||||
|
|
||||||
if user.first_name != first_name:
|
|
||||||
logger.info('Update first name: %r -> %r', user.first_name, first_name)
|
|
||||||
user.first_name = first_name
|
|
||||||
update_fields.append('first_name')
|
|
||||||
|
|
||||||
if user.last_name != last_name:
|
|
||||||
logger.info('Update last name: %r -> %r', user.last_name, last_name)
|
|
||||||
user.last_name = last_name
|
|
||||||
update_fields.append('last_name')
|
|
||||||
|
|
||||||
if update_fields:
|
|
||||||
try:
|
|
||||||
user.full_clean()
|
|
||||||
except ValidationError:
|
|
||||||
logger.exception('Can not update user: %s', user)
|
|
||||||
else:
|
|
||||||
user.save(update_fields=update_fields)
|
|
||||||
|
|
||||||
|
|
||||||
class RemoteUserMiddleware(OriginRemoteUserMiddleware):
|
|
||||||
"""
|
|
||||||
Middleware to login a user HTTP_REMOTE_USER header.
|
|
||||||
Use Django Axes if something is wrong.
|
|
||||||
Update exising user informations.
|
|
||||||
"""
|
|
||||||
header = 'HTTP_REMOTE_USER'
|
|
||||||
force_logout_if_no_header = True
|
|
||||||
|
|
||||||
def process_request(self, request):
|
|
||||||
# Keep the information if the user is already logged in
|
|
||||||
was_authenticated = request.user.is_authenticated
|
|
||||||
|
|
||||||
super().process_request(request) # login remote user
|
|
||||||
|
|
||||||
if not request.user.is_authenticated:
|
|
||||||
# Not logged in -> nothing to verify here
|
|
||||||
return
|
|
||||||
|
|
||||||
# Check SSOwat cookie informations:
|
|
||||||
try:
|
|
||||||
username = request.COOKIES['SSOwAuthUser']
|
|
||||||
except KeyError:
|
|
||||||
logger.error('SSOwAuthUser cookie missing!')
|
|
||||||
|
|
||||||
# emits a signal indicating user login failed, which is processed by
|
|
||||||
# axes.signals.log_user_login_failed which logs and flags the failed request.
|
|
||||||
raise AxesBackendPermissionDenied('Cookie missing')
|
|
||||||
|
|
||||||
logger.info('SSOwat username from cookies: %r', username)
|
|
||||||
if username != request.user.username:
|
|
||||||
raise AxesBackendPermissionDenied('Wrong username')
|
|
||||||
|
|
||||||
# Compare with HTTP_AUTH_USER
|
|
||||||
try:
|
|
||||||
username = request.META['HTTP_AUTH_USER']
|
|
||||||
except KeyError:
|
|
||||||
logger.error('HTTP_AUTH_USER missing!')
|
|
||||||
raise AxesBackendPermissionDenied('No HTTP_AUTH_USER')
|
|
||||||
|
|
||||||
if username != request.user.username:
|
|
||||||
raise AxesBackendPermissionDenied('Wrong HTTP_AUTH_USER username')
|
|
||||||
|
|
||||||
# Also check 'HTTP_AUTHORIZATION', but only the username ;)
|
|
||||||
try:
|
|
||||||
auth = request.META['HTTP_AUTHORIZATION']
|
|
||||||
except KeyError:
|
|
||||||
logger.error('HTTP_AUTHORIZATION missing!')
|
|
||||||
raise AxesBackendPermissionDenied('No HTTP_AUTHORIZATION')
|
|
||||||
|
|
||||||
scheme, creds = auth.split(' ', 1)
|
|
||||||
if scheme.lower() != 'basic':
|
|
||||||
logger.error('HTTP_AUTHORIZATION with %r not supported', scheme)
|
|
||||||
raise AxesBackendPermissionDenied('HTTP_AUTHORIZATION scheme not supported')
|
|
||||||
|
|
||||||
creds = str(base64.b64decode(creds), encoding='utf-8')
|
|
||||||
username = creds.split(':', 1)[0]
|
|
||||||
if username != request.user.username:
|
|
||||||
raise AxesBackendPermissionDenied('Wrong HTTP_AUTHORIZATION username')
|
|
||||||
|
|
||||||
if not was_authenticated:
|
|
||||||
# First request, after login -> update user informations
|
|
||||||
logger.info('Remote used was logged in')
|
|
||||||
update_user_profile(request)
|
|
||||||
|
|
||||||
|
|
||||||
class RemoteUserBackend(OriginRemoteUserBackend):
|
|
||||||
"""
|
|
||||||
Authentication backend via SSO/nginx header
|
|
||||||
"""
|
|
||||||
create_unknown_user = True
|
|
||||||
|
|
||||||
def authenticate(self, request, remote_user):
|
|
||||||
logger.info('Remote user authenticate: %r', remote_user)
|
|
||||||
return super().authenticate(request, remote_user)
|
|
||||||
|
|
||||||
def configure_user(self, request, user):
|
|
||||||
"""
|
|
||||||
Configure a user after creation and return the updated user.
|
|
||||||
Setup a normal, non-superuser
|
|
||||||
"""
|
|
||||||
logger.warning('Configure user %s', user)
|
|
||||||
|
|
||||||
user.set_unusable_password() # Always login via SSO
|
|
||||||
user.is_staff = True
|
|
||||||
user.is_superuser = False
|
|
||||||
user.save()
|
|
||||||
|
|
||||||
pyinventory_user_group = get_or_create_normal_user_group()[0]
|
|
||||||
user.groups.set([pyinventory_user_group])
|
|
||||||
|
|
||||||
update_user_profile(request)
|
|
||||||
|
|
||||||
return user
|
|
||||||
|
|
||||||
def user_can_authenticate(self, user):
|
|
||||||
logger.warning('Remote user login: %s', user)
|
|
||||||
return True
|
|
|
@ -156,7 +156,6 @@ ynh_app_setting_set --app="$app" --key=redis_db --value="$redis_db"
|
||||||
|
|
||||||
touch "$final_path/local_settings.py"
|
touch "$final_path/local_settings.py"
|
||||||
|
|
||||||
cp "../conf/ynh_authenticate.py" "$final_path/ynh_authenticate.py"
|
|
||||||
cp "../conf/ynh_urls.py" "$final_path/ynh_urls.py"
|
cp "../conf/ynh_urls.py" "$final_path/ynh_urls.py"
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
|
@ -145,7 +145,6 @@ ynh_store_file_checksum --file="$settings"
|
||||||
|
|
||||||
touch "$final_path/local_settings.py"
|
touch "$final_path/local_settings.py"
|
||||||
|
|
||||||
cp "../conf/ynh_authenticate.py" "$final_path/ynh_authenticate.py"
|
|
||||||
cp "../conf/ynh_urls.py" "$final_path/ynh_urls.py"
|
cp "../conf/ynh_urls.py" "$final_path/ynh_urls.py"
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
Loading…
Reference in a new issue