X-Git-Url: https://git.mdrn.pl/django-cas-provider.git/blobdiff_plain/73d0d205328a0c7df22bae99b3733660fbdbb842..bfc8611ed146567fadac90312da6f172601908ec:/cas_provider/views.py?ds=inline diff --git a/cas_provider/views.py b/cas_provider/views.py index be6c4d4..976c271 100644 --- a/cas_provider/views.py +++ b/cas_provider/views.py @@ -2,16 +2,23 @@ import logging logger = logging.getLogger('cas_provider.views') import urllib -import logging from urllib import urlencode import urllib2 import urlparse +from functools import wraps + +from django.utils.decorators import available_attrs +from django.views.decorators.debug import sensitive_post_parameters +from django.views.decorators.cache import cache_control +from django.utils.cache import patch_cache_control +from django.views.decorators.csrf import csrf_protect from django.http import HttpResponse, HttpResponseRedirect from django.conf import settings from django.contrib.auth import login as auth_login, logout as auth_logout from django.core.urlresolvers import get_callable from django.shortcuts import render_to_response +from django.utils.translation import ugettext as _ from django.template import RequestContext from django.contrib.auth import authenticate from django.core.urlresolvers import reverse @@ -21,7 +28,6 @@ from cas_provider.attribute_formatters import NSMAP, CAS from cas_provider.models import ProxyGrantingTicket, ProxyTicket from cas_provider.models import ServiceTicket -from cas_provider.exceptions import SameEmailMismatchedPasswords from cas_provider.forms import LoginForm, MergeLoginForm from . import signals @@ -44,6 +50,27 @@ ERROR_MESSAGES = ( logger = logging.getLogger(__name__) +_never_cache = cache_control(no_cache=True, must_revalidate=True) + + +def never_cache(view_func): + """ + Decorator that adds headers to a response so that it will + never be cached. + """ + @wraps(view_func, assigned=available_attrs(view_func)) + def _wrapped_view_func(request, *args, **kwargs): + response = view_func(request, *args, **kwargs) + patch_cache_control(response, no_cache=True, + must_revalidate=True, proxy_revalidate=True) + response['Pragma'] = 'no-cache' + return response + return _wrapped_view_func + + +@sensitive_post_parameters() +@csrf_protect +@never_cache def login(request, template_name='cas/login.html', success_redirect=settings.LOGIN_REDIRECT_URL, warn_template_name='cas/warn.html', **kwargs): @@ -70,7 +97,7 @@ def login(request, template_name='cas/login.html', if form.is_valid(): service = form.cleaned_data.get('service', None) try: - auth_args = dict(username=form.cleaned_data['email'], + auth_args = dict(username=form.cleaned_data['username'], password=form.cleaned_data['password']) if merge: # We only want to send the merge argument if it's @@ -78,7 +105,7 @@ def login(request, template_name='cas/login.html', # through the auth backends properly. auth_args['merge'] = merge user = authenticate(**auth_args) - except SameEmailMismatchedPasswords: + except: # Need to merge the accounts? if merge: # We shouldn't get here... @@ -87,7 +114,7 @@ def login(request, template_name='cas/login.html', base_url = reverse('cas_provider_merge') args = dict( success_redirect=success_redirect, - email=form.cleaned_data['email'], + username=form.cleaned_data['username'], ) if service is not None: args['service'] = service @@ -96,33 +123,36 @@ def login(request, template_name='cas/login.html', url = '%s?%s' % (base_url, args) logging.debug('Redirecting to %s', url) return HttpResponseRedirect(url) - + if user is None: - errors.append('Incorrect username and/or password.') + errors.append(_('Incorrect username and/or password.')) else: if user.is_active: auth_login(request, user) else: # Not a POST... if merge: - form = MergeLoginForm(initial={'service': service, 'email': request.GET.get('email')}) + form = MergeLoginForm(initial={'service': service, 'username': request.GET.get('username')}) else: form = LoginForm(initial={'service': service}) if user is not None and user.is_authenticated(): # We have an authenticated user. if not user.is_active: - errors.append('This account is disabled.') + errors.append(_('This account is disabled. Please contact us if you feel it should be enabled again.')) else: # Send the on_cas_login signal. If we get an HttpResponse, return that. for receiver, response in signals.on_cas_login.send(sender=login, request=request, **kwargs): if isinstance(response, HttpResponse): return response - + if service is None: # Try and pull the service off the session service = request.session.pop('service', service) - + + signals.on_cas_login_success.send(sender=login, request=request, + service=service, **kwargs) + if service is None: # Normal internal success redirection. logging.debug('Redirecting to %s', success_redirect) @@ -133,7 +163,7 @@ def login(request, template_name='cas/login.html', 'service': service, 'warn': False }, context_instance=RequestContext(request)) - + # Create a service ticket and redirect to the service. ticket = ServiceTicket.objects.create(service=service, user=user) if 'service' in request.session: @@ -148,6 +178,7 @@ def login(request, template_name='cas/login.html', return render_to_response(template_name, {'form': form, 'errors': errors}, context_instance=RequestContext(request)) +@never_cache def validate(request): """Validate ticket via CAS v.1 protocol """ @@ -176,8 +207,9 @@ def validate(request): logger.info('Validation failed.') return HttpResponse("no\n\n") - + +@never_cache def logout(request, template_name='cas/logout.html', auto_redirect=settings.CAS_AUTO_REDIRECT_AFTER_LOGOUT): url = request.GET.get('url', None) @@ -191,6 +223,7 @@ def logout(request, template_name='cas/logout.html', context_instance=RequestContext(request)) +@never_cache def proxy(request): targetService = request.GET['targetService'] pgt_id = request.GET['pgt'] @@ -251,6 +284,7 @@ def ticket_validate(service, ticket_string, pgtUrl): return _cas2_sucess_response(user, pgtIouId, proxies) +@never_cache def service_validate(request): """Validate ticket via CAS v.2 protocol""" service = request.GET.get('service', None) @@ -262,6 +296,7 @@ def service_validate(request): return ticket_validate(service, ticket_string, pgtUrl) +@never_cache def proxy_validate(request): """Validate ticket via CAS v.2 protocol""" service = request.GET.get('service', None) @@ -290,7 +325,7 @@ def generate_proxy_granting_ticket(pgt_url, ticket): uri[3] = urlencode(query) try: - response = urllib2.urlopen(urlparse.urlunsplit(uri)) + urllib2.urlopen(urlparse.urlunsplit(uri)) except urllib2.HTTPError as e: if not e.code in proxy_callback_good_status: logger.debug('Checking Proxy Callback URL {} returned {}. Not issuing PGT.'.format(uri, e.code)) @@ -308,7 +343,7 @@ def _cas2_proxy_success(pt): def _cas2_sucess_response(user, pgt=None, proxies=None): - return HttpResponse(auth_success_response(user, pgt, proxies), mimetype='text/xml') + return HttpResponse(auth_success_response(user, pgt, proxies), content_type='text/xml') def _cas2_error_response(code, message=None): @@ -319,7 +354,7 @@ def _cas2_error_response(code, message=None): ''' % { 'code': code, 'message': message if message else dict(ERROR_MESSAGES).get(code) - }, mimetype='text/xml') + }, content_type='text/xml') def proxy_success(pt): @@ -341,7 +376,12 @@ def auth_success_response(user, pgt, proxies): if custom: attrs.update(custom) - attrs['identifiers'] = [i for r, i in signals.on_cas_collect_histories.send(sender=validate, for_user=user)] + identifiers = [i for sr, rr in signals.on_cas_collect_histories.send(sender=validate, for_user=user) + for i in rr] + + if identifiers: + # Singular `identifier`, as that is the name of the element tag(s). + attrs['identifier'] = identifiers if attrs: formatter = get_callable(settings.CAS_CUSTOM_ATTRIBUTES_FORMATER)