From d49f1c192506e97590f1c253a21f6b6e95228ea5 Mon Sep 17 00:00:00 2001 From: deyk Date: Fri, 3 Feb 2012 15:00:52 -0800 Subject: [PATCH 01/16] Made logging of failed validation more explicit. --- cas_provider/views.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/cas_provider/views.py b/cas_provider/views.py index 108bc38..eed2d64 100644 --- a/cas_provider/views.py +++ b/cas_provider/views.py @@ -135,6 +135,9 @@ def validate(request): if service is not None and ticket_string is not None: try: ticket = ServiceTicket.objects.get(ticket=ticket_string) + except ServiceTicket.DoesNotExist: + logger.exception("Tried to validate with an invalid ticket: %s / %s", ticket_string, service) + else: username = ticket.user.username ticket.delete() @@ -143,9 +146,6 @@ def validate(request): return HttpResponse("yes\n%s\n%s" % (username, histories)) - except Exception as e: - logger.exception("Got an exception!: %s"% e) - return HttpResponse("no\n\n") -- 2.20.1 From 2e6b29407ab1eabe814f664663c1f3dd1b523f82 Mon Sep 17 00:00:00 2001 From: deyk Date: Fri, 3 Feb 2012 15:15:02 -0800 Subject: [PATCH 02/16] Clarified validation logging. --- cas_provider/views.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/cas_provider/views.py b/cas_provider/views.py index eed2d64..b67635d 100644 --- a/cas_provider/views.py +++ b/cas_provider/views.py @@ -130,13 +130,12 @@ def socialauth_login(request, template_name='cas/login.html', success_redirect=' def validate(request): service = request.GET.get('service', None) ticket_string = request.GET.get('ticket', None) - logger.debug("service: %s"% service) - logger.debug("ticket_string: %s"% ticket_string) + logger.info('Validating ticket %s for %s', ticket_string, service) if service is not None and ticket_string is not None: try: ticket = ServiceTicket.objects.get(ticket=ticket_string) except ServiceTicket.DoesNotExist: - logger.exception("Tried to validate with an invalid ticket: %s / %s", ticket_string, service) + logger.exception("Tried to validate with an invalid ticket %s for %s", ticket_string, service) else: username = ticket.user.username ticket.delete() -- 2.20.1 From ee96de13f0492bc9a783cb1097621b14a84e72b7 Mon Sep 17 00:00:00 2001 From: deyk Date: Fri, 3 Feb 2012 15:21:44 -0800 Subject: [PATCH 03/16] Clarified logging on validation --- cas_provider/views.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cas_provider/views.py b/cas_provider/views.py index b67635d..ea72805 100644 --- a/cas_provider/views.py +++ b/cas_provider/views.py @@ -142,7 +142,7 @@ def validate(request): results = signals.on_cas_collect_histories.send(sender=validate, for_email=ticket.user.email) histories = '\n'.join('\n'.join(rs) for rc, rs in results) - + logger.info('Validated %s %s', username, "(also %s)" % histories if histories else '') return HttpResponse("yes\n%s\n%s" % (username, histories)) return HttpResponse("no\n\n") -- 2.20.1 From 605ad870b8d8b0154b3f27e730d1b3fff02c789b Mon Sep 17 00:00:00 2001 From: dwickwire Date: Mon, 6 Feb 2012 08:54:52 -0600 Subject: [PATCH 04/16] Adding autofocus to Email field --- cas_provider/forms.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cas_provider/forms.py b/cas_provider/forms.py index df62a41..b3a4012 100644 --- a/cas_provider/forms.py +++ b/cas_provider/forms.py @@ -4,7 +4,7 @@ from django.contrib.auth import authenticate class LoginForm(forms.Form): - email = forms.CharField(max_length=255) + email = forms.CharField(widget=forms.TextInput(attrs={'autofocus':'autofocus', 'max_length':'255'})) password = forms.CharField(widget=forms.PasswordInput) service = forms.CharField(widget=forms.HiddenInput, required=False) remember_me = forms.BooleanField(required=False, label="Keep me signed in", widget=forms.CheckboxInput(attrs={'class':'remember_me'})) -- 2.20.1 From 1f20c11056173d0b46b51b43beb4a2d66327e326 Mon Sep 17 00:00:00 2001 From: deyk Date: Tue, 7 Feb 2012 11:40:31 -0800 Subject: [PATCH 05/16] Fixed faulty redirect if user is already logged in. Added some better logging. --- cas_provider/views.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/cas_provider/views.py b/cas_provider/views.py index ea72805..2979d1b 100644 --- a/cas_provider/views.py +++ b/cas_provider/views.py @@ -35,7 +35,7 @@ def login(request, template_name='cas/login.html', success_redirect='/account/', else: url = service + '&ticket=' + ticket.ticket logging.debug('Redirecting to %s', url) - return HttpResponseRedirect() + return HttpResponseRedirect(url) else: logging.debug('Redirecting to %s', success_redirect) return HttpResponseRedirect(success_redirect) @@ -136,6 +136,8 @@ def validate(request): ticket = ServiceTicket.objects.get(ticket=ticket_string) except ServiceTicket.DoesNotExist: logger.exception("Tried to validate with an invalid ticket %s for %s", ticket_string, service) + except Exception as e: + logger.exception('Got an exception: %s', e) else: username = ticket.user.username ticket.delete() @@ -145,6 +147,7 @@ def validate(request): logger.info('Validated %s %s', username, "(also %s)" % histories if histories else '') return HttpResponse("yes\n%s\n%s" % (username, histories)) + logger.info('Validation failed.') return HttpResponse("no\n\n") -- 2.20.1 From cdc7ab05f77d2866dd8c42bc16e900cb0e2908d5 Mon Sep 17 00:00:00 2001 From: deyk Date: Wed, 11 Apr 2012 10:55:26 -0700 Subject: [PATCH 06/16] Cleaned up long lines, unused imports. --- cas_provider/forms.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/cas_provider/forms.py b/cas_provider/forms.py index b3a4012..d9974a2 100644 --- a/cas_provider/forms.py +++ b/cas_provider/forms.py @@ -1,13 +1,13 @@ from django import forms -from django.contrib.auth.forms import AuthenticationForm -from django.contrib.auth import authenticate class LoginForm(forms.Form): - email = forms.CharField(widget=forms.TextInput(attrs={'autofocus':'autofocus', 'max_length':'255'})) + email = forms.CharField(widget=forms.TextInput(attrs={'autofocus': 'autofocus', + 'max_length': '255'})) password = forms.CharField(widget=forms.PasswordInput) service = forms.CharField(widget=forms.HiddenInput, required=False) - remember_me = forms.BooleanField(required=False, label="Keep me signed in", widget=forms.CheckboxInput(attrs={'class':'remember_me'})) + remember_me = forms.BooleanField(required=False, label="Keep me signed in", + widget=forms.CheckboxInput(attrs={'class': 'remember_me'})) def __init__(self, *args, **kwargs): # renew = kwargs.pop('renew', None) -- 2.20.1 From 462661051d92c19e3b4a6bd60207cebf28cc50b8 Mon Sep 17 00:00:00 2001 From: deyk Date: Wed, 11 Apr 2012 10:55:56 -0700 Subject: [PATCH 07/16] Removed duplicated service-related code branches in `views.login`. --- cas_provider/views.py | 63 +++++++++++++++++++++++-------------------- 1 file changed, 34 insertions(+), 29 deletions(-) diff --git a/cas_provider/views.py b/cas_provider/views.py index 2979d1b..a692ba5 100644 --- a/cas_provider/views.py +++ b/cas_provider/views.py @@ -22,24 +22,17 @@ __all__ = ['login', 'validate', 'logout'] def login(request, template_name='cas/login.html', success_redirect='/account/', merge=False): logging.debug('CAS Provider Login view. Method is %s, merge is %s, template is %s.', request.method, merge, template_name) + service = request.GET.get('service', None) if service is not None: + # Save the service on the session, for later use if we end up + # in one of the more complicated workflows. request.session['service'] = service - if request.user.is_authenticated(): - if service is not None: - ticket = create_service_ticket(request.user, service) - if service.find('?') == -1: - url = service + '?ticket=' + ticket.ticket - logging.debug('Redirecting to %s', url) - return HttpResponseRedirect(url) - else: - url = service + '&ticket=' + ticket.ticket - logging.debug('Redirecting to %s', url) - return HttpResponseRedirect(url) - else: - logging.debug('Redirecting to %s', success_redirect) - return HttpResponseRedirect(success_redirect) + + user = request.user + errors = [] + if request.method == 'POST': if merge: form = MergeLoginForm(request.POST, request=request) @@ -76,26 +69,38 @@ def login(request, template_name='cas/login.html', success_redirect='/account/', logging.debug('Redirecting to %s', url) return HttpResponseRedirect(url) - if user is not None: + if user is None: + errors.append('Incorrect username and/or password.') + else: if user.is_active: auth_login(request, user) - if service is not None: - ticket = create_service_ticket(user, service) - url = service + '?ticket=' + ticket.ticket - logging.debug('Redirecting to %s', url) - return HttpResponseRedirect(url) - else: - logging.debug('Redirecting to %s', success_redirect) - return HttpResponseRedirect(success_redirect) - else: - errors.append('This account is disabled.') - else: - errors.append('Incorrect username and/or password.') - else: + + else: # Not a POST... if merge: form = MergeLoginForm(initial={'service': service, 'email': request.GET.get('email')}) else: form = LoginForm(initial={'service': service}) + + if user is not None and user.is_authenticated(): + if not user.is_active: + errors.append('This account is disabled.') + else: + if service is None: + # Normal internal success redirection. + logging.debug('Redirecting to %s', success_redirect) + return HttpResponseRedirect(success_redirect) + else: + # Create a service ticket and redirect. + ticket = create_service_ticket(request.user, service) + if service.find('?') == -1: + url = service + '?ticket=' + ticket.ticket + logging.debug('Redirecting to %s', url) + return HttpResponseRedirect(url) + else: + url = service + '&ticket=' + ticket.ticket + logging.debug('Redirecting to %s', url) + return HttpResponseRedirect(url) + logging.debug('Rendering response on %s, merge is %s', template_name, merge) return render_to_response(template_name, {'form': form, 'errors': errors}, context_instance=RequestContext(request)) @@ -123,7 +128,7 @@ def socialauth_login(request, template_name='cas/login.html', success_redirect=' else: errors.append('This account is disabled.') else: - errors.append('Incorrect username and/or password.') + errors.append('Incorrect username and/or password.') return render_to_response(template_name, {'errors': errors}, context_instance=RequestContext(request)) -- 2.20.1 From d36533f533bc0420622298afb19c61991d48eba8 Mon Sep 17 00:00:00 2001 From: deyk Date: Wed, 11 Apr 2012 11:13:19 -0700 Subject: [PATCH 08/16] Fixed: Service URL was getting built in two different ways, depending on login method. Also: - Removing 'service' from session dict upon successful login. - Switched from `has_key` to `in`. --- cas_provider/views.py | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/cas_provider/views.py b/cas_provider/views.py index a692ba5..2e5e1f5 100644 --- a/cas_provider/views.py +++ b/cas_provider/views.py @@ -19,6 +19,13 @@ from . import signals __all__ = ['login', 'validate', 'logout'] +def _build_service_url(service, ticket): + if service.find('?') == -1: + return service + '?ticket=' + ticket.ticket + else: + return service + '&ticket=' + ticket.ticket + + def login(request, template_name='cas/login.html', success_redirect='/account/', merge=False): logging.debug('CAS Provider Login view. Method is %s, merge is %s, template is %s.', request.method, merge, template_name) @@ -82,6 +89,7 @@ def login(request, template_name='cas/login.html', success_redirect='/account/', form = LoginForm(initial={'service': service}) if user is not None and user.is_authenticated(): + # We have an authenticated user. if not user.is_active: errors.append('This account is disabled.') else: @@ -90,16 +98,15 @@ def login(request, template_name='cas/login.html', success_redirect='/account/', logging.debug('Redirecting to %s', success_redirect) return HttpResponseRedirect(success_redirect) else: - # Create a service ticket and redirect. + # Create a service ticket and redirect to the service. ticket = create_service_ticket(request.user, service) - if service.find('?') == -1: - url = service + '?ticket=' + ticket.ticket - logging.debug('Redirecting to %s', url) - return HttpResponseRedirect(url) - else: - url = service + '&ticket=' + ticket.ticket - logging.debug('Redirecting to %s', url) - return HttpResponseRedirect(url) + if 'service' in request.session: + # Don't need this any more. + del request.session['service'] + + url = _build_service_url(service, ticket.ticket) + logging.debug('Redirecting to %s', url) + return HttpResponseRedirect(url) logging.debug('Rendering response on %s, merge is %s', template_name, merge) return render_to_response(template_name, {'form': form, 'errors': errors}, context_instance=RequestContext(request)) @@ -111,7 +118,7 @@ def socialauth_login(request, template_name='cas/login.html', success_redirect=' """ user = request.user user.backend = 'django.contrib.auth.backends.ModelBackend' - if request.session.has_key('service'): + if 'service' in request.session: service = request.session['service'] del request.session['service'] else: @@ -122,7 +129,7 @@ def socialauth_login(request, template_name='cas/login.html', success_redirect=' auth_login(request, user) if service is not None: ticket = create_service_ticket(user, service) - return HttpResponseRedirect(service + '?ticket=' + ticket.ticket) + return HttpResponseRedirect(_build_service_url(service, ticket.ticket)) else: return HttpResponseRedirect(success_redirect) else: -- 2.20.1 From c0233065b189d69f16d18cbdb2c4b503042bac51 Mon Sep 17 00:00:00 2001 From: deyk Date: Wed, 11 Apr 2012 11:22:38 -0700 Subject: [PATCH 09/16] Simplified getting the service off the session for social login. --- cas_provider/views.py | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/cas_provider/views.py b/cas_provider/views.py index 2e5e1f5..87e5e78 100644 --- a/cas_provider/views.py +++ b/cas_provider/views.py @@ -118,11 +118,7 @@ def socialauth_login(request, template_name='cas/login.html', success_redirect=' """ user = request.user user.backend = 'django.contrib.auth.backends.ModelBackend' - if 'service' in request.session: - service = request.session['service'] - del request.session['service'] - else: - service = '/' + service = request.session.pop('service', '/') errors = [] if user is not None: if user.is_active: -- 2.20.1 From 53c2758ebc9b3166d51e86a128729470fc1d18be Mon Sep 17 00:00:00 2001 From: deyk Date: Wed, 11 Apr 2012 13:12:49 -0700 Subject: [PATCH 10/16] Whoops. --- cas_provider/views.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cas_provider/views.py b/cas_provider/views.py index 87e5e78..5ed1c57 100644 --- a/cas_provider/views.py +++ b/cas_provider/views.py @@ -21,9 +21,9 @@ __all__ = ['login', 'validate', 'logout'] def _build_service_url(service, ticket): if service.find('?') == -1: - return service + '?ticket=' + ticket.ticket + return service + '?ticket=' + ticket else: - return service + '&ticket=' + ticket.ticket + return service + '&ticket=' + ticket def login(request, template_name='cas/login.html', success_redirect='/account/', merge=False): -- 2.20.1 From 2f16449ef5f7c06f5c1e82fdf4c64ac3be8143dc Mon Sep 17 00:00:00 2001 From: deyk Date: Wed, 11 Apr 2012 13:32:56 -0700 Subject: [PATCH 11/16] Normal login now pull the service off the session, if it doesn't exist already. --- cas_provider/views.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/cas_provider/views.py b/cas_provider/views.py index 5ed1c57..5f457bd 100644 --- a/cas_provider/views.py +++ b/cas_provider/views.py @@ -93,6 +93,10 @@ def login(request, template_name='cas/login.html', success_redirect='/account/', if not user.is_active: errors.append('This account is disabled.') else: + if service is None: + # Try and pull the service off the session + service = request.session.pop('service', service) + if service is None: # Normal internal success redirection. logging.debug('Redirecting to %s', success_redirect) -- 2.20.1 From 0b76f6154ffb5fabd7c0cd22ff3f2720cedeb48f Mon Sep 17 00:00:00 2001 From: deyk Date: Wed, 11 Apr 2012 13:33:54 -0700 Subject: [PATCH 12/16] Removed `views.socialauth_login`, as `views.login` now has feature parity. --- cas_provider/views.py | 23 ----------------------- 1 file changed, 23 deletions(-) diff --git a/cas_provider/views.py b/cas_provider/views.py index 5f457bd..fdae99f 100644 --- a/cas_provider/views.py +++ b/cas_provider/views.py @@ -116,29 +116,6 @@ def login(request, template_name='cas/login.html', success_redirect='/account/', return render_to_response(template_name, {'form': form, 'errors': errors}, context_instance=RequestContext(request)) -def socialauth_login(request, template_name='cas/login.html', success_redirect='/account/'): - """ Similiar to login but user has been authenticated already through social auth. - This step authenticates the login and generates a service ticket. - """ - user = request.user - user.backend = 'django.contrib.auth.backends.ModelBackend' - service = request.session.pop('service', '/') - errors = [] - if user is not None: - if user.is_active: - auth_login(request, user) - if service is not None: - ticket = create_service_ticket(user, service) - return HttpResponseRedirect(_build_service_url(service, ticket.ticket)) - else: - return HttpResponseRedirect(success_redirect) - else: - errors.append('This account is disabled.') - else: - errors.append('Incorrect username and/or password.') - return render_to_response(template_name, {'errors': errors}, context_instance=RequestContext(request)) - - def validate(request): service = request.GET.get('service', None) ticket_string = request.GET.get('ticket', None) -- 2.20.1 From 95d7d2c185aed481717d333e386dc0afc8465e19 Mon Sep 17 00:00:00 2001 From: deyk Date: Wed, 11 Apr 2012 14:51:54 -0700 Subject: [PATCH 13/16] Moved `merge` argument into `**kwargs`. --- cas_provider/views.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cas_provider/views.py b/cas_provider/views.py index fdae99f..675150b 100644 --- a/cas_provider/views.py +++ b/cas_provider/views.py @@ -26,7 +26,8 @@ def _build_service_url(service, ticket): return service + '&ticket=' + ticket -def login(request, template_name='cas/login.html', success_redirect='/account/', merge=False): +def login(request, template_name='cas/login.html', success_redirect='/account/', **kwargs): + merge = kwargs.get('merge', False) logging.debug('CAS Provider Login view. Method is %s, merge is %s, template is %s.', request.method, merge, template_name) -- 2.20.1 From 6548c0a365b3e8f19e18e15e5051134361d254b3 Mon Sep 17 00:00:00 2001 From: deyk Date: Wed, 11 Apr 2012 15:19:32 -0700 Subject: [PATCH 14/16] Adding the `on_cas_login` signal, which is sent just before the final redirect upon successful login. --- cas_provider/signals.py | 2 ++ cas_provider/views.py | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/cas_provider/signals.py b/cas_provider/signals.py index be5e2a9..aa939a4 100644 --- a/cas_provider/signals.py +++ b/cas_provider/signals.py @@ -5,3 +5,5 @@ from django import dispatch on_cas_collect_histories = dispatch.Signal(providing_args=["for_email"]) + +on_cas_login = dispatch.Signal(providing_args=["request", "kwargs"]) diff --git a/cas_provider/views.py b/cas_provider/views.py index 675150b..4121a11 100644 --- a/cas_provider/views.py +++ b/cas_provider/views.py @@ -94,6 +94,12 @@ def login(request, template_name='cas/login.html', success_redirect='/account/', if not user.is_active: errors.append('This account is disabled.') else: + # Send the on_cas_login signal. If we get an HttpResponse, return that. + for receiver, response in signals.on_cas_login(sender=login, request=request, + kwargs=kwargs): + if isinstance(response, HttpResponse): + return response + if service is None: # Try and pull the service off the session service = request.session.pop('service', service) -- 2.20.1 From 8ace0586471d741bbe1d55dca48f524a3d385852 Mon Sep 17 00:00:00 2001 From: deyk Date: Thu, 12 Apr 2012 10:50:57 -0700 Subject: [PATCH 15/16] Changed the signature of the login hijack signal. --- cas_provider/signals.py | 2 +- cas_provider/views.py | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/cas_provider/signals.py b/cas_provider/signals.py index aa939a4..5a16f9f 100644 --- a/cas_provider/signals.py +++ b/cas_provider/signals.py @@ -6,4 +6,4 @@ from django import dispatch on_cas_collect_histories = dispatch.Signal(providing_args=["for_email"]) -on_cas_login = dispatch.Signal(providing_args=["request", "kwargs"]) +on_cas_login = dispatch.Signal(providing_args=["request"]) diff --git a/cas_provider/views.py b/cas_provider/views.py index 4121a11..5ba62e6 100644 --- a/cas_provider/views.py +++ b/cas_provider/views.py @@ -95,8 +95,7 @@ def login(request, template_name='cas/login.html', success_redirect='/account/', errors.append('This account is disabled.') else: # Send the on_cas_login signal. If we get an HttpResponse, return that. - for receiver, response in signals.on_cas_login(sender=login, request=request, - kwargs=kwargs): + for receiver, response in signals.on_cas_login.send(sender=login, request=request, **kwargs): if isinstance(response, HttpResponse): return response -- 2.20.1 From 02f583590f9e4d26747fb699940f197b296d3f09 Mon Sep 17 00:00:00 2001 From: deyk Date: Fri, 13 Apr 2012 16:03:57 -0700 Subject: [PATCH 16/16] Whoops, we really don't want to use the Authentication Form. --- cas_provider/forms.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cas_provider/forms.py b/cas_provider/forms.py index 8ec7a22..662e517 100644 --- a/cas_provider/forms.py +++ b/cas_provider/forms.py @@ -1,14 +1,13 @@ from django import forms from django.conf import settings from django.contrib.auth import authenticate -from django.contrib.auth.forms import AuthenticationForm from django.forms import ValidationError from django.utils.translation import ugettext_lazy as _ from models import LoginTicket import datetime -class LoginForm(AuthenticationForm): +class LoginForm(forms.Form): email = forms.CharField(widget=forms.TextInput(attrs={'autofocus': 'autofocus', 'max_length': '255'})) password = forms.CharField(widget=forms.PasswordInput) -- 2.20.1