class ProxyGrantingTicket(BaseTicket):
serviceTicket = models.ForeignKey(ServiceTicket, null=True)
pgtiou = models.CharField(max_length=256, verbose_name=_('PGTiou'))
+ targetService = models.URLField(_('service'), verify_exists=False)
prefix = 'PGT'
def __init__(self, *args, **kwargs):
proxyTicket = proxyTicketResponseXml.find(CAS + "proxySuccess/cas:proxyTicket", namespaces=NSMAP);
#Step 3: I have the proxy ticket I can talk to some other backend service as the currently logged in user!
- proxyValidateResponse = self.client.get(reverse('cas_proxy_validate'), {'ticket': proxyTicket.text, 'service': proxyTarget, 'pgtUrl': None})
+ proxyValidateResponse = self.client.get(reverse('cas_proxy_validate'), {'ticket': proxyTicket.text, 'service': proxyTarget})
proxyValidateResponseXml = ElementTree.parse(StringIO.StringIO(proxyValidateResponse.content))
auth_success_2 = proxyValidateResponseXml.find(CAS + 'authenticationSuccess', namespaces=NSMAP)
user_2 = auth_success.find(CAS + "user", namespaces=NSMAP)
- proxies = auth_success.find(CAS + "proxies")
- self.assertIsNotNone(auth_success_2)
+ proxies_1 = auth_success_2.find(CAS + "proxies")
+ self.assertIsNone(proxies_1) # there are no proxies. I am issued by a Service Ticket
+
self.assertEqual(user.text, user_2.text)
- self.assertIsNotNone(proxies)
def test_successful_proxy_chaining(self):
- self.assertFalse(True)
+ urllib2.urlopen = dummy_urlopen # monkey patching urllib2.urlopen so that the testcase doesnt really opens a url
+ proxyTarget_1 = "http://my.sweet.service_1"
+ proxyTarget_2 = "http://my.sweet.service_2"
+
+ response = self._login_user('root', '123')
+ response = self._validate_cas2(response, True, proxyTarget_1 )
+
+ # Test: I'm acting as the service that will call another service
+ # Step 1: Get the proxy granting ticket
+ responseXml = ElementTree.parse(StringIO.StringIO(response.content))
+ auth_success_1 = responseXml.find(CAS + 'authenticationSuccess', namespaces=NSMAP)
+ pgt_1 = auth_success_1.find(CAS + "proxyGrantingTicket", namespaces=NSMAP)
+ user_1 = auth_success_1.find(CAS + "user", namespaces=NSMAP)
+ self.assertEqual('root', user_1.text)
+ self.assertIsNotNone(pgt_1.text)
+ self.assertTrue(pgt_1.text.startswith('PGTIOU'))
+
+ #Step 2: Get the actual proxy ticket
+ proxyTicketResponse_1 = self.client.get(reverse('proxy'), {'targetService': proxyTarget_1, 'pgt': pgt_1.text}, follow=False)
+ proxyTicketResponseXml_1 = ElementTree.parse(StringIO.StringIO(proxyTicketResponse_1.content))
+ self.assertIsNotNone(proxyTicketResponseXml_1.find(CAS + "proxySuccess", namespaces=NSMAP))
+ self.assertIsNotNone(proxyTicketResponseXml_1.find(CAS + "proxySuccess/cas:proxyTicket", namespaces=NSMAP))
+ proxyTicket_1 = proxyTicketResponseXml_1.find(CAS + "proxySuccess/cas:proxyTicket", namespaces=NSMAP);
+
+ #Step 3: I'm backend service 1 - I have the proxy ticket - I want to talk to back service 2
+ #
+ proxyValidateResponse_1 = self.client.get(reverse('cas_proxy_validate'), {'ticket': proxyTicket_1.text, 'service': proxyTarget_1, 'pgtUrl': proxyTarget_2})
+ proxyValidateResponseXml_1 = ElementTree.parse(StringIO.StringIO(proxyValidateResponse_1.content))
+
+ auth_success_2 = proxyValidateResponseXml_1.find(CAS + 'authenticationSuccess', namespaces=NSMAP)
+ user_2 = auth_success_2.find(CAS + "user", namespaces=NSMAP)
+
+ proxies_1 = auth_success_2.find(CAS + "proxies")
+ self.assertIsNone(proxies_1) # there are no proxies. I am issued by a Service Ticket
+ self.assertIsNotNone(auth_success_2)
+ self.assertEqual('root', user_2.text)
+
+ pgt_2 = auth_success_2.find(CAS + "proxyGrantingTicket", namespaces=NSMAP)
+ user = auth_success_2.find(CAS + "user", namespaces=NSMAP)
+ self.assertEqual('root', user.text)
+ self.assertIsNotNone(pgt_2.text)
+ self.assertTrue(pgt_2.text.startswith('PGTIOU'))
+
+ #Step 4: Get the second proxy ticket
+ proxyTicketResponse_2 = self.client.get(reverse('proxy'), {'targetService': proxyTarget_2, 'pgt': pgt_2.text})
+ proxyTicketResponseXml_2 = ElementTree.parse(StringIO.StringIO(proxyTicketResponse_2.content))
+ self.assertIsNotNone(proxyTicketResponseXml_2.find(CAS + "proxySuccess", namespaces=NSMAP))
+ self.assertIsNotNone(proxyTicketResponseXml_2.find(CAS + "proxySuccess/cas:proxyTicket", namespaces=NSMAP))
+ proxyTicket_2 = proxyTicketResponseXml_2.find(CAS + "proxySuccess/cas:proxyTicket", namespaces=NSMAP)
+
+ proxyValidateResponse_3 = self.client.get(reverse('cas_proxy_validate'), {'ticket': proxyTicket_2.text, 'service': proxyTarget_2, 'pgtUrl': None})
+ proxyValidateResponseXml_3 = ElementTree.parse(StringIO.StringIO(proxyValidateResponse_3.content))
+
+ auth_success_3 = proxyValidateResponseXml_3.find(CAS + 'authenticationSuccess', namespaces=NSMAP)
+ user_3 = auth_success_3.find(CAS + "user", namespaces=NSMAP)
+
+ proxies_3 = auth_success_3.find(CAS + "proxies")
+ self.assertIsNotNone(proxies_3) # there should be a proxy. I am issued by a Proxy Ticket
+ proxy_3 = proxies_3.find(CAS + "proxy", namespaces=NSMAP)
+ self.assertEqual(proxyTarget_1, proxy_3.text )
+
+ self.assertIsNotNone(auth_success_2)
+ self.assertEqual('root', user_3.text)
+
+
def test_successful_service_not_matching_in_request_to_proxy(self):
- self.assertFalse(True)
+ urllib2.urlopen = dummy_urlopen # monkey patching urllib2.urlopen so that the testcase doesnt really opens a url
+ proxyTarget_1 = "http://my.sweet.service"
+ proxyTarget_2 = "http://my.malicious.service"
+
+ response = self._login_user('root', '123')
+ response = self._validate_cas2(response, True, proxyTarget_1 )
+
+ # Test: I'm acting as the service that will call another service
+ # Step 1: Get the proxy granting ticket
+ responseXml = ElementTree.parse(StringIO.StringIO(response.content))
+ auth_success = responseXml.find(CAS + 'authenticationSuccess', namespaces=NSMAP)
+ pgt = auth_success.find(CAS + "proxyGrantingTicket", namespaces=NSMAP)
+ user = auth_success.find(CAS + "user", namespaces=NSMAP)
+ self.assertEqual('root', user.text)
+ self.assertIsNotNone(pgt.text)
+ self.assertTrue(pgt.text.startswith('PGTIOU'))
+
+ #Step 2: Get the actual proxy ticket
+ proxyTicketResponse = self.client.get(reverse('proxy'), {'targetService': proxyTarget_2, 'pgt': pgt.text}, follow=False)
+ proxyTicketResponseXml = ElementTree.parse(StringIO.StringIO(proxyTicketResponse.content))
+ self.assertIsNotNone(proxyTicketResponseXml.find(CAS + "authenticationFailure", namespaces=NSMAP))
def test_succeessful_login(self):
auto_redirect=settings.CAS_AUTO_REDIRECT_AFTER_LOGOUT):
url = request.GET.get('url', None)
if request.user.is_authenticated():
- for ticket in ServiceTicket.objects.filter(user = request.user):
+ for ticket in ServiceTicket.objects.filter(user=request.user):
ticket.delete()
auth_logout(request)
if url and auto_redirect:
return HttpResponseRedirect(url)
- return render_to_response(template_name, {'url': url},\
- context_instance=RequestContext(request))
+ return render_to_response(template_name, {'url': url},
+ context_instance=RequestContext(request))
+
def proxy(request):
- targetService = request.GET['targetService']
+ targetService = request.GET['targetService']
pgtiou = request.GET['pgt']
try:
except ProxyGrantingTicket.DoesNotExist:
return _cas2_error_response(INVALID_TICKET)
- pt = ProxyTicket.objects.create(proxyGrantingTicket = proxyGrantingTicket,
+ if not proxyGrantingTicket.targetService == targetService:
+ return _cas2_error_response(INVALID_SERVICE,
+ "The PGT was issued for %(original)s but the PT was requested for %(but)s" % dict(
+ original=proxyGrantingTicket.targetService, but=targetService))
+
+ pt = ProxyTicket.objects.create(proxyGrantingTicket=proxyGrantingTicket,
user=proxyGrantingTicket.serviceTicket.user,
service=targetService)
return _cas2_proxy_success(pt.ticket)
return _cas2_error_response(INVALID_REQUEST)
try:
- ticket = ServiceTicket.objects.get(ticket=ticket_string)
+ if ticket_string.startswith('ST'):
+ ticket = ServiceTicket.objects.get(ticket=ticket_string)
+ elif ticket_string.startswith('PT'):
+ ticket = ProxyTicket.objects.get(ticket=ticket_string)
+ else:
+ return _cas2_error_response(INVALID_TICKET,
+ '%(ticket)s is neither Service (ST-...) nor Proxy Ticket (PT-...)' % {
+ 'ticket': ticket_string})
except ServiceTicket.DoesNotExist:
return _cas2_error_response(INVALID_TICKET)
if ticket.service != service:
return _cas2_error_response(INVALID_SERVICE)
-
pgtIouId = None
proxies = ()
if pgtUrl is not None:
if pgt:
pgtIouId = pgt.pgtiou
+ if hasattr(ticket, 'proxyticket'):
+ pgt = ticket.proxyticket.proxyGrantingTicket
+ # I am issued by this proxy granting ticket
+ if hasattr(pgt.serviceTicket, 'proxyticket'):
while pgt:
- proxies += (pgt.serviceTicket.service,)
- pgt = pgt.serviceTicket.proxyGrantingTicket if hasattr(pgt.serviceTicket, 'proxyGrantingTicket') else None
-
+ if hasattr(pgt.serviceTicket, 'proxyticket'):
+ proxies += (pgt.serviceTicket.service,)
+ pgt = pgt.serviceTicket.proxyticket.proxyGrantingTicket
+ else:
+ pgt = None
user = ticket.user
return _cas2_sucess_response(user, pgtIouId, proxies)
pgtUrl = request.GET.get('pgtUrl', None)
return ticket_validate(service, ticket_string, pgtUrl)
+
def generate_proxy_granting_ticket(pgt_url, ticket):
proxy_callback_good_status = (200, 202, 301, 302, 304)
uri = list(urlparse.urlsplit(pgt_url))
pgt = ProxyGrantingTicket()
pgt.serviceTicket = ticket
+ pgt.targetService = pgt_url
if hasattr(ticket, 'proxyGrantingTicket'):
# here we got a proxy ticket! tata!
uri[4] = urlencode(query)
-
try:
response = urllib2.urlopen(urlparse.urlunsplit(uri))
except urllib2.HTTPError, e:
def _cas2_proxy_success(pt):
return HttpResponse(proxy_success(pt))
-def _cas2_sucess_response(user, pgt = None, proxies = None):
+
+def _cas2_sucess_response(user, pgt=None, proxies=None):
return HttpResponse(auth_success_response(user, pgt, proxies), mimetype='text/xml')
-def _cas2_error_response(code, message = None):
- return HttpResponse(u''''<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
+
+def _cas2_error_response(code, message=None):
+ return HttpResponse(u'''<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
<cas:authenticationFailure code="%(code)s">
%(message)s
</cas:authenticationFailure>
</cas:serviceResponse>''' % {
- 'code': code,
- 'message': message if message else dict(ERROR_MESSAGES).get(code)
+ 'code': code,
+ 'message': message if message else dict(ERROR_MESSAGES).get(code)
}, mimetype='text/xml')
+
def proxy_success(pt):
response = etree.Element(CAS + 'serviceResponse', nsmap=NSMAP)
proxySuccess = etree.SubElement(response, CAS + 'proxySuccess')
proxyTicket.text = pt
return unicode(etree.tostring(response, encoding='utf-8'), 'utf-8')
-def auth_success_response(user, pgt, proxies):
-
+def auth_success_response(user, pgt, proxies):
response = etree.Element(CAS + 'serviceResponse', nsmap=NSMAP)
auth_success = etree.SubElement(response, CAS + 'authenticationSuccess')
username = etree.SubElement(auth_success, CAS + 'user')
formater = get_callable(settings.CAS_CUSTOM_ATTRIBUTES_FORMATER)
formater(auth_success, attrs)
-
if pgt:
pgtElement = etree.SubElement(auth_success, CAS + 'proxyGrantingTicket')
pgtElement.text = pgt
if proxies:
- proxiesElement = etree.SubElement(auth_success , CAS + "proxies")
+ proxiesElement = etree.SubElement(auth_success, CAS + "proxies")
for proxy in proxies:
proxyElement = etree.SubElement(proxiesElement, CAS + "proxy")
proxyElement.text = proxy
-
-
return unicode(etree.tostring(response, encoding='utf-8'), 'utf-8')
fnp / django-cas-provider.git / commitdiff