From: Sebastian Annies Date: Mon, 10 Oct 2011 11:14:40 +0000 (+0200) Subject: proxy chaining is now working X-Git-Tag: 22.4~32^2~10 X-Git-Url: https://git.mdrn.pl/django-cas-provider.git/commitdiff_plain/09adf9da3df6fc5807c5b1710f967b39c101ba6c?ds=inline proxy chaining is now working --- diff --git a/cas_provider/models.py b/cas_provider/models.py index cb14c35..0c21f39 100644 --- a/cas_provider/models.py +++ b/cas_provider/models.py @@ -66,6 +66,7 @@ class LoginTicket(BaseTicket): class ProxyGrantingTicket(BaseTicket): serviceTicket = models.ForeignKey(ServiceTicket, null=True) pgtiou = models.CharField(max_length=256, verbose_name=_('PGTiou')) + targetService = models.URLField(_('service'), verify_exists=False) prefix = 'PGT' def __init__(self, *args, **kwargs): diff --git a/cas_provider/tests.py b/cas_provider/tests.py index 2165fee..3dd9791 100644 --- a/cas_provider/tests.py +++ b/cas_provider/tests.py @@ -49,22 +49,106 @@ class ViewsTest(TestCase): proxyTicket = proxyTicketResponseXml.find(CAS + "proxySuccess/cas:proxyTicket", namespaces=NSMAP); #Step 3: I have the proxy ticket I can talk to some other backend service as the currently logged in user! - proxyValidateResponse = self.client.get(reverse('cas_proxy_validate'), {'ticket': proxyTicket.text, 'service': proxyTarget, 'pgtUrl': None}) + proxyValidateResponse = self.client.get(reverse('cas_proxy_validate'), {'ticket': proxyTicket.text, 'service': proxyTarget}) proxyValidateResponseXml = ElementTree.parse(StringIO.StringIO(proxyValidateResponse.content)) auth_success_2 = proxyValidateResponseXml.find(CAS + 'authenticationSuccess', namespaces=NSMAP) user_2 = auth_success.find(CAS + "user", namespaces=NSMAP) - proxies = auth_success.find(CAS + "proxies") - self.assertIsNotNone(auth_success_2) + proxies_1 = auth_success_2.find(CAS + "proxies") + self.assertIsNone(proxies_1) # there are no proxies. I am issued by a Service Ticket + self.assertEqual(user.text, user_2.text) - self.assertIsNotNone(proxies) def test_successful_proxy_chaining(self): - self.assertFalse(True) + urllib2.urlopen = dummy_urlopen # monkey patching urllib2.urlopen so that the testcase doesnt really opens a url + proxyTarget_1 = "http://my.sweet.service_1" + proxyTarget_2 = "http://my.sweet.service_2" + + response = self._login_user('root', '123') + response = self._validate_cas2(response, True, proxyTarget_1 ) + + # Test: I'm acting as the service that will call another service + # Step 1: Get the proxy granting ticket + responseXml = ElementTree.parse(StringIO.StringIO(response.content)) + auth_success_1 = responseXml.find(CAS + 'authenticationSuccess', namespaces=NSMAP) + pgt_1 = auth_success_1.find(CAS + "proxyGrantingTicket", namespaces=NSMAP) + user_1 = auth_success_1.find(CAS + "user", namespaces=NSMAP) + self.assertEqual('root', user_1.text) + self.assertIsNotNone(pgt_1.text) + self.assertTrue(pgt_1.text.startswith('PGTIOU')) + + #Step 2: Get the actual proxy ticket + proxyTicketResponse_1 = self.client.get(reverse('proxy'), {'targetService': proxyTarget_1, 'pgt': pgt_1.text}, follow=False) + proxyTicketResponseXml_1 = ElementTree.parse(StringIO.StringIO(proxyTicketResponse_1.content)) + self.assertIsNotNone(proxyTicketResponseXml_1.find(CAS + "proxySuccess", namespaces=NSMAP)) + self.assertIsNotNone(proxyTicketResponseXml_1.find(CAS + "proxySuccess/cas:proxyTicket", namespaces=NSMAP)) + proxyTicket_1 = proxyTicketResponseXml_1.find(CAS + "proxySuccess/cas:proxyTicket", namespaces=NSMAP); + + #Step 3: I'm backend service 1 - I have the proxy ticket - I want to talk to back service 2 + # + proxyValidateResponse_1 = self.client.get(reverse('cas_proxy_validate'), {'ticket': proxyTicket_1.text, 'service': proxyTarget_1, 'pgtUrl': proxyTarget_2}) + proxyValidateResponseXml_1 = ElementTree.parse(StringIO.StringIO(proxyValidateResponse_1.content)) + + auth_success_2 = proxyValidateResponseXml_1.find(CAS + 'authenticationSuccess', namespaces=NSMAP) + user_2 = auth_success_2.find(CAS + "user", namespaces=NSMAP) + + proxies_1 = auth_success_2.find(CAS + "proxies") + self.assertIsNone(proxies_1) # there are no proxies. I am issued by a Service Ticket + self.assertIsNotNone(auth_success_2) + self.assertEqual('root', user_2.text) + + pgt_2 = auth_success_2.find(CAS + "proxyGrantingTicket", namespaces=NSMAP) + user = auth_success_2.find(CAS + "user", namespaces=NSMAP) + self.assertEqual('root', user.text) + self.assertIsNotNone(pgt_2.text) + self.assertTrue(pgt_2.text.startswith('PGTIOU')) + + #Step 4: Get the second proxy ticket + proxyTicketResponse_2 = self.client.get(reverse('proxy'), {'targetService': proxyTarget_2, 'pgt': pgt_2.text}) + proxyTicketResponseXml_2 = ElementTree.parse(StringIO.StringIO(proxyTicketResponse_2.content)) + self.assertIsNotNone(proxyTicketResponseXml_2.find(CAS + "proxySuccess", namespaces=NSMAP)) + self.assertIsNotNone(proxyTicketResponseXml_2.find(CAS + "proxySuccess/cas:proxyTicket", namespaces=NSMAP)) + proxyTicket_2 = proxyTicketResponseXml_2.find(CAS + "proxySuccess/cas:proxyTicket", namespaces=NSMAP) + + proxyValidateResponse_3 = self.client.get(reverse('cas_proxy_validate'), {'ticket': proxyTicket_2.text, 'service': proxyTarget_2, 'pgtUrl': None}) + proxyValidateResponseXml_3 = ElementTree.parse(StringIO.StringIO(proxyValidateResponse_3.content)) + + auth_success_3 = proxyValidateResponseXml_3.find(CAS + 'authenticationSuccess', namespaces=NSMAP) + user_3 = auth_success_3.find(CAS + "user", namespaces=NSMAP) + + proxies_3 = auth_success_3.find(CAS + "proxies") + self.assertIsNotNone(proxies_3) # there should be a proxy. I am issued by a Proxy Ticket + proxy_3 = proxies_3.find(CAS + "proxy", namespaces=NSMAP) + self.assertEqual(proxyTarget_1, proxy_3.text ) + + self.assertIsNotNone(auth_success_2) + self.assertEqual('root', user_3.text) + + def test_successful_service_not_matching_in_request_to_proxy(self): - self.assertFalse(True) + urllib2.urlopen = dummy_urlopen # monkey patching urllib2.urlopen so that the testcase doesnt really opens a url + proxyTarget_1 = "http://my.sweet.service" + proxyTarget_2 = "http://my.malicious.service" + + response = self._login_user('root', '123') + response = self._validate_cas2(response, True, proxyTarget_1 ) + + # Test: I'm acting as the service that will call another service + # Step 1: Get the proxy granting ticket + responseXml = ElementTree.parse(StringIO.StringIO(response.content)) + auth_success = responseXml.find(CAS + 'authenticationSuccess', namespaces=NSMAP) + pgt = auth_success.find(CAS + "proxyGrantingTicket", namespaces=NSMAP) + user = auth_success.find(CAS + "user", namespaces=NSMAP) + self.assertEqual('root', user.text) + self.assertIsNotNone(pgt.text) + self.assertTrue(pgt.text.startswith('PGTIOU')) + + #Step 2: Get the actual proxy ticket + proxyTicketResponse = self.client.get(reverse('proxy'), {'targetService': proxyTarget_2, 'pgt': pgt.text}, follow=False) + proxyTicketResponseXml = ElementTree.parse(StringIO.StringIO(proxyTicketResponse.content)) + self.assertIsNotNone(proxyTicketResponseXml.find(CAS + "authenticationFailure", namespaces=NSMAP)) def test_succeessful_login(self): diff --git a/cas_provider/views.py b/cas_provider/views.py index 717aa6f..2769e52 100644 --- a/cas_provider/views.py +++ b/cas_provider/views.py @@ -90,16 +90,17 @@ def logout(request, template_name='cas/logout.html', auto_redirect=settings.CAS_AUTO_REDIRECT_AFTER_LOGOUT): url = request.GET.get('url', None) if request.user.is_authenticated(): - for ticket in ServiceTicket.objects.filter(user = request.user): + for ticket in ServiceTicket.objects.filter(user=request.user): ticket.delete() auth_logout(request) if url and auto_redirect: return HttpResponseRedirect(url) - return render_to_response(template_name, {'url': url},\ - context_instance=RequestContext(request)) + return render_to_response(template_name, {'url': url}, + context_instance=RequestContext(request)) + def proxy(request): - targetService = request.GET['targetService'] + targetService = request.GET['targetService'] pgtiou = request.GET['pgt'] try: @@ -107,7 +108,12 @@ def proxy(request): except ProxyGrantingTicket.DoesNotExist: return _cas2_error_response(INVALID_TICKET) - pt = ProxyTicket.objects.create(proxyGrantingTicket = proxyGrantingTicket, + if not proxyGrantingTicket.targetService == targetService: + return _cas2_error_response(INVALID_SERVICE, + "The PGT was issued for %(original)s but the PT was requested for %(but)s" % dict( + original=proxyGrantingTicket.targetService, but=targetService)) + + pt = ProxyTicket.objects.create(proxyGrantingTicket=proxyGrantingTicket, user=proxyGrantingTicket.serviceTicket.user, service=targetService) return _cas2_proxy_success(pt.ticket) @@ -118,14 +124,20 @@ def ticket_validate(service, ticket_string, pgtUrl): return _cas2_error_response(INVALID_REQUEST) try: - ticket = ServiceTicket.objects.get(ticket=ticket_string) + if ticket_string.startswith('ST'): + ticket = ServiceTicket.objects.get(ticket=ticket_string) + elif ticket_string.startswith('PT'): + ticket = ProxyTicket.objects.get(ticket=ticket_string) + else: + return _cas2_error_response(INVALID_TICKET, + '%(ticket)s is neither Service (ST-...) nor Proxy Ticket (PT-...)' % { + 'ticket': ticket_string}) except ServiceTicket.DoesNotExist: return _cas2_error_response(INVALID_TICKET) if ticket.service != service: return _cas2_error_response(INVALID_SERVICE) - pgtIouId = None proxies = () if pgtUrl is not None: @@ -133,10 +145,16 @@ def ticket_validate(service, ticket_string, pgtUrl): if pgt: pgtIouId = pgt.pgtiou + if hasattr(ticket, 'proxyticket'): + pgt = ticket.proxyticket.proxyGrantingTicket + # I am issued by this proxy granting ticket + if hasattr(pgt.serviceTicket, 'proxyticket'): while pgt: - proxies += (pgt.serviceTicket.service,) - pgt = pgt.serviceTicket.proxyGrantingTicket if hasattr(pgt.serviceTicket, 'proxyGrantingTicket') else None - + if hasattr(pgt.serviceTicket, 'proxyticket'): + proxies += (pgt.serviceTicket.service,) + pgt = pgt.serviceTicket.proxyticket.proxyGrantingTicket + else: + pgt = None user = ticket.user return _cas2_sucess_response(user, pgtIouId, proxies) @@ -160,12 +178,14 @@ def proxy_validate(request): pgtUrl = request.GET.get('pgtUrl', None) return ticket_validate(service, ticket_string, pgtUrl) + def generate_proxy_granting_ticket(pgt_url, ticket): proxy_callback_good_status = (200, 202, 301, 302, 304) uri = list(urlparse.urlsplit(pgt_url)) pgt = ProxyGrantingTicket() pgt.serviceTicket = ticket + pgt.targetService = pgt_url if hasattr(ticket, 'proxyGrantingTicket'): # here we got a proxy ticket! tata! @@ -178,7 +198,6 @@ def generate_proxy_granting_ticket(pgt_url, ticket): uri[4] = urlencode(query) - try: response = urllib2.urlopen(urlparse.urlunsplit(uri)) except urllib2.HTTPError, e: @@ -194,19 +213,22 @@ def generate_proxy_granting_ticket(pgt_url, ticket): def _cas2_proxy_success(pt): return HttpResponse(proxy_success(pt)) -def _cas2_sucess_response(user, pgt = None, proxies = None): + +def _cas2_sucess_response(user, pgt=None, proxies=None): return HttpResponse(auth_success_response(user, pgt, proxies), mimetype='text/xml') -def _cas2_error_response(code, message = None): - return HttpResponse(u'''' + +def _cas2_error_response(code, message=None): + return HttpResponse(u''' %(message)s ''' % { - 'code': code, - 'message': message if message else dict(ERROR_MESSAGES).get(code) + 'code': code, + 'message': message if message else dict(ERROR_MESSAGES).get(code) }, mimetype='text/xml') + def proxy_success(pt): response = etree.Element(CAS + 'serviceResponse', nsmap=NSMAP) proxySuccess = etree.SubElement(response, CAS + 'proxySuccess') @@ -214,9 +236,8 @@ def proxy_success(pt): proxyTicket.text = pt return unicode(etree.tostring(response, encoding='utf-8'), 'utf-8') -def auth_success_response(user, pgt, proxies): - +def auth_success_response(user, pgt, proxies): response = etree.Element(CAS + 'serviceResponse', nsmap=NSMAP) auth_success = etree.SubElement(response, CAS + 'authenticationSuccess') username = etree.SubElement(auth_success, CAS + 'user') @@ -229,17 +250,14 @@ def auth_success_response(user, pgt, proxies): formater = get_callable(settings.CAS_CUSTOM_ATTRIBUTES_FORMATER) formater(auth_success, attrs) - if pgt: pgtElement = etree.SubElement(auth_success, CAS + 'proxyGrantingTicket') pgtElement.text = pgt if proxies: - proxiesElement = etree.SubElement(auth_success , CAS + "proxies") + proxiesElement = etree.SubElement(auth_success, CAS + "proxies") for proxy in proxies: proxyElement = etree.SubElement(proxiesElement, CAS + "proxy") proxyElement.text = proxy - - return unicode(etree.tostring(response, encoding='utf-8'), 'utf-8')