Merge pull request #6 from nitmir/federate

Add a federated mode.

When the settings CAS_FEDERATE is True, django-cas-server will offer to the user to choose its CAS backend to authenticate. Hence the login page do not display anymore a username/password form but a select form with configured CASs backend.

This allow to give access to CAS supported applications to users from multiple organization seamlessly.

It was originally developped to mach the need of https://myares.fr (Federated CAS at https://cas.myares.fr, example of an application using it as https://chat.myares.fr)

.coveragerc

@@ -5,12 +5,14 @@ omit =
     cas_server/migrations*
     cas_server/management/*
     cas_server/tests/*
+    cas_server/cas.py
 
 [report]
 exclude_lines =
     pragma: no cover
     def __repr__
     def __unicode__
+    def __str__
     raise AssertionError
     raise NotImplementedError
     if six.PY3:

.gitignore

@@ -15,3 +15,5 @@ coverage.xml
 test_venv
 .coverage
 htmlcov/
+tox_logs/
+.cache/

README.rst

@@ -40,6 +40,7 @@ Features
 * Fine control on which user's attributes are passed to which service
 * Possibility to rename/rewrite attributes per service
 * Possibility to require some attribute values per service
+* Federated mode between multiple CAS
 * Supports Django 1.7, 1.8 and 1.9
 * Supports Python 2.7, 3.x
 
@@ -158,6 +159,17 @@ Authentication settings
   If more requests need to be send, there are queued. The default is ``10``.
 * ``CAS_SLO_TIMEOUT``: Timeout for a single SLO request in seconds. The default is ``5``.
 
+
+Federation settings
+-------------------
+
+* ``CAS_FEDERATE``: A boolean for activating the federated mode (see the federate section below).
+  The default is ``False``.
+* ``CAS_FEDERATE_REMEMBER_TIMEOUT``: Time after witch the cookie use for "remember my identity
+  provider" expire. The default is ``604800``, one week. The cookie is called
+  ``_remember_provider``.
+
+
 Tickets validity settings
 -------------------------
 
@@ -245,6 +257,8 @@ Authentication backend
   This is the default backend. The returned attributes are the fields available on the user model.
 * mysql backend ``cas_server.auth.MysqlAuthUser``: see the 'Mysql backend settings' section.
   The returned attributes are those return by sql query ``CAS_SQL_USER_QUERY``.
+* federated backend ``cas_server.auth.CASFederateAuth``: It is automatically used then ``CAS_FEDERATE`` is ``True``.
+  You should not set it manually without setting ``CAS_FEDERATE`` to ``True``.
 
 Logs
 ====
@@ -313,3 +327,51 @@ Or to log to a file:
             },
         },
     }
+
+
+Federation mode
+===============
+
+``django-cas-server`` comes with a federation mode. Then ``CAS_FEDERATE`` is ``True``,
+user are invited to choose an identity provider on the login page, then, they are redirected
+to the provider CAS to authenticate. This provider transmit to ``django-cas-server`` the user
+username and attributes. The user is now logged in on ``django-cas-server`` and can use
+services using ``django-cas-server`` as CAS.
+
+The list of allowed identity providers is defined using the django admin application.
+With the development server started, visit http://127.0.0.1:8000/admin/ to add identity providers.
+
+An identity provider comes with 5 fields:
+
+* `Position`: an integer used to tweak the order in which identity providers are displayed on
+  the login page. Identity providers are sorted using position first, then, on equal position,
+  using `verbose name` and then, on equal `verbose name`, using `suffix`.
+* `Suffix`: the suffix that will be append to the username returned by the identity provider.
+  It must be unique.
+* `Server url`: the url to the identity provider CAS. For instance, if you are using
+  `https://cas.example.org/login` to authenticate on the CAS, the `server url` is
+  `https://cas.example.org`
+* `CAS protocol version`: the version of the CAS protocol to use to contact the identity provider.
+  The default is version 3.
+* `Verbose name`: the name used on the login page to display the identity provider.
+* `Display`: a boolean controlling the display of the identity provider on the login page.
+  Beware that this do not disable the identity provider, it just hide it on the login page.
+  User will always be able to log in using this provider by fetching `/federate/provider_suffix`.
+
+
+In federation mode, ``django-cas-server`` build user's username as follow:
+``provider_returned_username@provider_suffix``.
+Choose the provider returned username for ``django-cas-server`` and the provider suffix
+in order to make sense, as this built username is likely to be displayed to end users in
+applications.
+
+
+Then using federate mode, you should add one command to a daily crontab: ``cas_clean_federate``.
+This command clean the local cache of federated user from old unused users.
+
+
+You could for example do as bellow :
+
+.. code-block::
+
+    10   0  * * * cas-user /path/to/project/manage.py cas_clean_federate

cas_server/admin.py

@@ -12,6 +12,7 @@
 from django.contrib import admin
 from .models import ServiceTicket, ProxyTicket, ProxyGrantingTicket, User, ServicePattern
 from .models import Username, ReplaceAttributName, ReplaceAttributValue, FilterAttributValue
+from .models import FederatedIendityProvider
 from .forms import TicketForm
 
 TICKETS_READONLY_FIELDS = ('validate', 'service', 'service_pattern',
@@ -91,5 +92,12 @@ class ServicePatternAdmin(admin.ModelAdmin):
                     'single_log_out', 'proxy_callback', 'restrict_users')
 
 
+class FederatedIendityProviderAdmin(admin.ModelAdmin):
+    """`FederatedIendityProvider` in admin interface"""
+    fields = ('pos', 'suffix', 'server_url', 'cas_protocol_version', 'verbose_name', 'display')
+    list_display = ('verbose_name', 'suffix', 'display')
+
+
 admin.site.register(User, UserAdmin)
 admin.site.register(ServicePattern, ServicePatternAdmin)
+admin.site.register(FederatedIendityProvider, FederatedIendityProviderAdmin)

cas_server/auth.py

-# ⁻*- coding: utf-8 -*-
+# -*- coding: utf-8 -*-
 # This program is distributed in the hope that it will be useful, but WITHOUT
 # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 # FOR A PARTICULAR PURPOSE. See the GNU General Public License version 3 for
@@ -12,6 +12,9 @@
 """Some authentication classes for the CAS"""
 from django.conf import settings
 from django.contrib.auth import get_user_model
+from django.utils import timezone
+
+from datetime import timedelta
 try:  # pragma: no cover
     import MySQLdb
     import MySQLdb.cursors
@@ -19,6 +22,8 @@ try:  # pragma: no cover
 except ImportError:
     MySQLdb = None
 
+from .models import FederatedUser
+
 
 class AuthUser(object):
     """Authentication base class"""
@@ -136,3 +141,35 @@ class DjangoAuthUser(AuthUser):  # pragma: no cover
             return attr
         else:
             return {}
+
+
+class CASFederateAuth(AuthUser):
+    """Authentication class used then CAS_FEDERATE is True"""
+    user = None
+
+    def __init__(self, username):
+        try:
+            self.user = FederatedUser.get_from_federated_username(username)
+            super(CASFederateAuth, self).__init__(
+                self.user.federated_username
+            )
+        except FederatedUser.DoesNotExist:
+            super(CASFederateAuth, self).__init__(username)
+
+    def test_password(self, ticket):
+        """test `password` agains the user"""
+        if not self.user or not self.user.ticket:
+            return False
+        else:
+            return (
+                ticket == self.user.ticket and
+                self.user.last_update >
+                (timezone.now() - timedelta(seconds=settings.CAS_TICKET_VALIDITY))
+            )
+
+    def attributs(self):
+        """return a dict of user attributes"""
+        if not self.user:  # pragma: no cover (should not happen)
+            return {}
+        else:
+            return self.user.attributs

cas_server/cas.py

+# Copyright (C) 2014, Ming Chen
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is furnished
+# to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+# IN THE SOFTWARE.
+
+# This file is originated from https://github.com/python-cas/python-cas
+# at commit ec1f2d4779625229398547b9234d0e9e874a2c9a
+# some modifications have been made to be unicode coherent between python2 and python2
+
+import six
+from six.moves.urllib import parse as urllib_parse
+from six.moves.urllib import request as urllib_request
+from six.moves.urllib.request import Request
+from uuid import uuid4
+import datetime
+
+
+class CASError(ValueError):
+    pass
+
+
+class ReturnUnicode(object):
+    @staticmethod
+    def unicode(string, charset):
+        if not isinstance(string, six.text_type):
+            return string.decode(charset)
+        else:
+            return string
+
+
+class SingleLogoutMixin(object):
+    @classmethod
+    def get_saml_slos(cls, logout_request):
+        """returns saml logout ticket info"""
+        from lxml import etree
+        try:
+            root = etree.fromstring(logout_request)
+            return root.xpath(
+                "//samlp:SessionIndex",
+                namespaces={'samlp': "urn:oasis:names:tc:SAML:2.0:protocol"})
+        except etree.XMLSyntaxError:
+            pass
+
+
+class CASClient(object):
+    def __new__(self, *args, **kwargs):
+        version = kwargs.pop('version')
+        if version in (1, '1'):
+            return CASClientV1(*args, **kwargs)
+        elif version in (2, '2'):
+            return CASClientV2(*args, **kwargs)
+        elif version in (3, '3'):
+            return CASClientV3(*args, **kwargs)
+        elif version == 'CAS_2_SAML_1_0':
+            return CASClientWithSAMLV1(*args, **kwargs)
+        raise ValueError('Unsupported CAS_VERSION %r' % version)
+
+
+class CASClientBase(object):
+
+    logout_redirect_param_name = 'service'
+
+    def __init__(self, service_url=None, server_url=None,
+                 extra_login_params=None, renew=False,
+                 username_attribute=None):
+
+        self.service_url = service_url
+        self.server_url = server_url
+        self.extra_login_params = extra_login_params or {}
+        self.renew = renew
+        self.username_attribute = username_attribute
+        pass
+
+    def verify_ticket(self, ticket):
+        """must return a triple"""
+        raise NotImplementedError()
+
+    def get_login_url(self):
+        """Generates CAS login URL"""
+        params = {'service': self.service_url}
+        if self.renew:
+            params.update({'renew': 'true'})
+
+        params.update(self.extra_login_params)
+        url = urllib_parse.urljoin(self.server_url, 'login')
+        query = urllib_parse.urlencode(params)
+        return url + '?' + query
+
+    def get_logout_url(self, redirect_url=None):
+        """Generates CAS logout URL"""
+        url = urllib_parse.urljoin(self.server_url, 'logout')
+        if redirect_url:
+            params = {self.logout_redirect_param_name: redirect_url}
+            url += '?' + urllib_parse.urlencode(params)
+        return url
+
+    def get_proxy_url(self, pgt):
+        """Returns proxy url, given the proxy granting ticket"""
+        params = urllib_parse.urlencode({'pgt': pgt, 'targetService': self.service_url})
+        return "%s/proxy?%s" % (self.server_url, params)
+
+    def get_proxy_ticket(self, pgt):
+        """Returns proxy ticket given the proxy granting ticket"""
+        response = urllib_request.urlopen(self.get_proxy_url(pgt))
+        if response.code == 200:
+            from lxml import etree
+            root = etree.fromstring(response.read())
+            tickets = root.xpath(
+                "//cas:proxyTicket",
+                namespaces={"cas": "http://www.yale.edu/tp/cas"}
+            )
+            if len(tickets) == 1:
+                return tickets[0].text
+            errors = root.xpath(
+                "//cas:authenticationFailure",
+                namespaces={"cas": "http://www.yale.edu/tp/cas"}
+            )
+            if len(errors) == 1:
+                raise CASError(errors[0].attrib['code'], errors[0].text)
+        raise CASError("Bad http code %s" % response.code)
+
+
+class CASClientV1(CASClientBase, ReturnUnicode):
+    """CAS Client Version 1"""
+
+    logout_redirect_param_name = 'url'
+
+    def verify_ticket(self, ticket):
+        """Verifies CAS 1.0 authentication ticket.
+
+        Returns username on success and None on failure.
+        """
+        params = [('ticket', ticket), ('service', self.service_url)]
+        url = (urllib_parse.urljoin(self.server_url, 'validate') + '?' +
+               urllib_parse.urlencode(params))
+        page = urllib_request.urlopen(url)
+        try:
+            verified = page.readline().strip()
+            if verified == b'yes':
+                content_type = page.info().get('Content-type')
+                if "charset=" in content_type:
+                    charset = content_type.split("charset=")[-1]
+                else:
+                    charset = "ascii"
+                user = self.unicode(page.readline().strip(), charset)
+                return user, None, None
+            else:
+                return None, None, None
+        finally:
+            page.close()
+
+
+class CASClientV2(CASClientBase, ReturnUnicode):
+    """CAS Client Version 2"""
+
+    url_suffix = 'serviceValidate'
+    logout_redirect_param_name = 'url'
+
+    def __init__(self, proxy_callback=None, *args, **kwargs):
+        """proxy_callback is for V2 and V3 so V3 is subclass of V2"""
+        self.proxy_callback = proxy_callback
+        super(CASClientV2, self).__init__(*args, **kwargs)
+
+    def verify_ticket(self, ticket):
+        """Verifies CAS 2.0+/3.0+ XML-based authentication ticket and returns extended attributes"""
+        (response, charset) = self.get_verification_response(ticket)
+        return self.verify_response(response, charset)
+
+    def get_verification_response(self, ticket):
+        params = [('ticket', ticket), ('service', self.service_url)]
+        if self.proxy_callback:
+            params.append(('pgtUrl', self.proxy_callback))
+        base_url = urllib_parse.urljoin(self.server_url, self.url_suffix)
+        url = base_url + '?' + urllib_parse.urlencode(params)
+        page = urllib_request.urlopen(url)
+        try:
+            content_type = page.info().get('Content-type')
+            if "charset=" in content_type:
+                charset = content_type.split("charset=")[-1]
+            else:
+                charset = "ascii"
+            return (page.read(), charset)
+        finally:
+            page.close()
+
+    @classmethod
+    def parse_attributes_xml_element(cls, element, charset):
+        attributes = dict()
+        for attribute in element:
+            tag = cls.self.unicode(attribute.tag, charset).split(u"}").pop()
+            if tag in attributes:
+                if isinstance(attributes[tag], list):
+                    attributes[tag].append(cls.unicode(attribute.text, charset))
+                else:
+                    attributes[tag] = [attributes[tag]]
+                    attributes[tag].append(cls.unicode(attribute.text, charset))
+            else:
+                if tag == u'attraStyle':
+                    pass
+                else:
+                    attributes[tag] = cls.unicode(attribute.text, charset)
+        return attributes
+
+    @classmethod
+    def verify_response(cls, response, charset):
+        user, attributes, pgtiou = cls.parse_response_xml(response, charset)
+        if len(attributes) == 0:
+            attributes = None
+        return user, attributes, pgtiou
+
+    @classmethod
+    def parse_response_xml(cls, response, charset):
+        try:
+            from xml.etree import ElementTree
+        except ImportError:
+            from elementtree import ElementTree
+
+        user = None
+        attributes = {}
+        pgtiou = None
+
+        tree = ElementTree.fromstring(response)
+        if tree[0].tag.endswith('authenticationSuccess'):
+            for element in tree[0]:
+                if element.tag.endswith('user'):
+                    user = cls.unicode(element.text, charset)
+                elif element.tag.endswith('proxyGrantingTicket'):
+                    pgtiou = cls.unicode(element.text, charset)
+                elif element.tag.endswith('attributes'):
+                    attributes = cls.parse_attributes_xml_element(element, charset)
+        return user, attributes, pgtiou
+
+
+class CASClientV3(CASClientV2, SingleLogoutMixin):
+    """CAS Client Version 3"""
+    url_suffix = 'serviceValidate'
+    logout_redirect_param_name = 'service'
+
+    @classmethod
+    def parse_attributes_xml_element(cls, element, charset):
+        attributes = dict()
+        for attribute in element:
+            tag = cls.unicode(attribute.tag, charset).split(u"}").pop()
+            if tag in attributes:
+                if isinstance(attributes[tag], list):
+                    attributes[tag].append(cls.unicode(attribute.text, charset))
+                else:
+                    attributes[tag] = [attributes[tag]]
+                    attributes[tag].append(cls.unicode(attribute.text, charset))
+            else:
+                attributes[tag] = cls.unicode(attribute.text, charset)
+        return attributes
+
+    @classmethod
+    def verify_response(cls, response, charset):
+        return cls.parse_response_xml(response, charset)
+
+
+SAML_1_0_NS = 'urn:oasis:names:tc:SAML:1.0:'
+SAML_1_0_PROTOCOL_NS = '{' + SAML_1_0_NS + 'protocol' + '}'
+SAML_1_0_ASSERTION_NS = '{' + SAML_1_0_NS + 'assertion' + '}'
+SAML_ASSERTION_TEMPLATE = """<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
+<SOAP-ENV:Header/>
+<SOAP-ENV:Body>
+<samlp:Request xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"
+MajorVersion="1"
+MinorVersion="1"
+RequestID="{request_id}"
+IssueInstant="{timestamp}">
+<samlp:AssertionArtifact>{ticket}</samlp:AssertionArtifact></samlp:Request>
+</SOAP-ENV:Body>
+</SOAP-ENV:Envelope>"""
+
+
+class CASClientWithSAMLV1(CASClientV2, SingleLogoutMixin):
+    """CASClient 3.0+ with SAML"""
+
+    def verify_ticket(self, ticket, **kwargs):
+        """Verifies CAS 3.0+ XML-based authentication ticket and returns extended attributes.
+
+        @date: 2011-11-30
+        @author: Carlos Gonzalez Vila <carlewis@gmail.com>
+
+        Returns username and attributes on success and None,None on failure.
+        """
+
+        try:
+            from xml.etree import ElementTree
+        except ImportError:
+            from elementtree import ElementTree
+
+        page = self.fetch_saml_validation(ticket)
+        content_type = page.info().get('Content-type')
+        if "charset=" in content_type:
+            charset = content_type.split("charset=")[-1]
+        else:
+            charset = "ascii"
+
+        try:
+            user = None
+            attributes = {}
+            response = page.read()
+            tree = ElementTree.fromstring(response)
+            # Find the authentication status
+            success = tree.find('.//' + SAML_1_0_PROTOCOL_NS + 'StatusCode')
+            if success is not None and success.attrib['Value'].endswith(':Success'):
+                # User is validated
+                name_identifier = tree.find('.//' + SAML_1_0_ASSERTION_NS + 'NameIdentifier')
+                if name_identifier is not None:
+                    user = self.unicode(name_identifier.text, charset)
+                attrs = tree.findall('.//' + SAML_1_0_ASSERTION_NS + 'Attribute')
+                for at in attrs:
+                    if self.username_attribute in list(at.attrib.values()):
+                        user = self.unicode(
+                            at.find(SAML_1_0_ASSERTION_NS + 'AttributeValue').text,
+                            charset
+                        )
+                        attributes[u'uid'] = user
+
+                    values = at.findall(SAML_1_0_ASSERTION_NS + 'AttributeValue')
+                    key = self.unicode(at.attrib['AttributeName'], charset)
+                    if len(values) > 1:
+                        values_array = []
+                        for v in values:
+                            values_array.append(self.unicode(v.text, charset))
+                            attributes[key] = values_array
+                    else:
+                        attributes[key] = self.unicode(values[0].text, charset)
+            return user, attributes, None
+        finally:
+            page.close()
+
+    def fetch_saml_validation(self, ticket):
+        # We do the SAML validation
+        headers = {
+            'soapaction': 'http://www.oasis-open.org/committees/security',
+            'cache-control': 'no-cache',
+            'pragma': 'no-cache',
+            'accept': 'text/xml',
+            'connection': 'keep-alive',
+            'content-type': 'text/xml; charset=utf-8',
+        }
+        params = [('TARGET', self.service_url)]
+        saml_validate_url = urllib_parse.urljoin(
+            self.server_url, 'samlValidate',
+        )
+        request = Request(
+            saml_validate_url + '?' + urllib_parse.urlencode(params),
+            self.get_saml_assertion(ticket),
+            headers,
+        )
+        return urllib_request.urlopen(request)
+
+    @classmethod
+    def get_saml_assertion(cls, ticket):
+        """
+        http://www.jasig.org/cas/protocol#samlvalidate-cas-3.0
+
+        SAML request values:
+
+        RequestID [REQUIRED]:
+            unique identifier for the request
+        IssueInstant [REQUIRED]:
+            timestamp of the request
+        samlp:AssertionArtifact [REQUIRED]:
+            the valid CAS Service Ticket obtained as a response parameter at login.
+        """
+        # RequestID [REQUIRED] - unique identifier for the request
+        request_id = uuid4()
+
+        # e.g. 2014-06-02T09:21:03.071189
+        timestamp = datetime.datetime.now().isoformat()
+
+        return SAML_ASSERTION_TEMPLATE.format(
+            request_id=request_id,
+            timestamp=timestamp,
+            ticket=ticket,
+        ).encode('utf8')

cas_server/default_settings.py

+# -*- coding: utf-8 -*-
 # This program is distributed in the hope that it will be useful, but WITHOUT
 # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 # FOR A PARTICULAR PURPOSE. See the GNU General Public License version 3 for
@@ -7,7 +8,7 @@
 # along with this program; if not, write to the Free Software Foundation, Inc., 51
 # Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# (c) 2015 Valentin Samir
+# (c) 2015-2016 Valentin Samir
 """Default values for the app's settings"""
 from django.conf import settings
 from django.contrib.staticfiles.templatetags.staticfiles import static
@@ -87,3 +88,9 @@ setting_default(
 )
 
 setting_default('CAS_ENABLE_AJAX_AUTH', False)
+
+setting_default('CAS_FEDERATE', False)
+setting_default('CAS_FEDERATE_REMEMBER_TIMEOUT', 604800)  # one week
+
+if settings.CAS_FEDERATE:
+    settings.CAS_AUTH_CLASS = "cas_server.auth.CASFederateAuth"

cas_server/federate.py

+# -*- coding: utf-8 -*-
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
+# FOR A PARTICULAR PURPOSE. See the GNU General Public License version 3 for