utils.py 25.9 KB
Newer Older
Valentin Samir's avatar
Valentin Samir committed
1
# -*- coding: utf-8 -*-
Valentin Samir's avatar
Valentin Samir committed
2 3 4 5 6 7 8 9 10
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License version 3 for
# more details.
#
# You should have received a copy of the GNU General Public License version 3
# along with this program; if not, write to the Free Software Foundation, Inc., 51
# Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
Valentin Samir's avatar
Valentin Samir committed
11
# (c) 2015-2016 Valentin Samir
Valentin Samir's avatar
Valentin Samir committed
12
"""Some util function for the app"""
13
from .default_settings import settings
14

15 16
from django.http import HttpResponseRedirect, HttpResponse
from django.contrib import messages
17 18
from django.contrib.messages import constants as DEFAULT_MESSAGE_LEVELS
from django.core.serializers.json import DjangoJSONEncoder
19
from django.utils import timezone
20 21
from django.core.exceptions import ValidationError
from django.utils.translation import ugettext_lazy as _
22 23 24 25
try:
    from django.urls import reverse
except ImportError:
    from django.core.urlresolvers import reverse
26

27
import re
28 29
import random
import string
30
import json
31 32 33 34
import hashlib
import crypt
import base64
import six
35 36 37
import requests
import time
import logging
38
import binascii
39

40
from importlib import import_module
Valentin Samir's avatar
Valentin Samir committed
41
from datetime import datetime, timedelta
Valentin Samir's avatar
Valentin Samir committed
42
from six.moves.urllib.parse import urlparse, urlunparse, parse_qsl, urlencode
Valentin Samir's avatar
Valentin Samir committed
43

44 45 46 47 48
from . import VERSION

#: logger facility
logger = logging.getLogger(__name__)

Valentin Samir's avatar
Valentin Samir committed
49

50 51 52 53 54 55 56 57 58
def json_encode(obj):
    """Encode a python object to json"""
    try:
        return json_encode.encoder.encode(obj)
    except AttributeError:
        json_encode.encoder = DjangoJSONEncoder(default=six.text_type)
        return json_encode(obj)


59
def context(params):
60 61 62 63 64 65 66 67
    """
        Function that add somes variable to the context before template rendering

        :param dict params: The context dictionary used to render templates.
        :return: The ``params`` dictionary with the key ``settings`` set to
            :obj:`django.conf.settings`.
        :rtype: dict
    """
68
    params["settings"] = settings
69
    params["message_levels"] = DEFAULT_MESSAGE_LEVELS
70

71 72 73 74 75
    if settings.CAS_NEW_VERSION_HTML_WARNING:
        LAST_VERSION = last_version()
        params["VERSION"] = VERSION
        params["LAST_VERSION"] = LAST_VERSION
        if LAST_VERSION is not None:
Valentin Samir's avatar
Valentin Samir committed
76
            params["upgrade_available"] = decode_version(VERSION) < decode_version(LAST_VERSION)
77 78
        else:
            params["upgrade_available"] = False
79 80 81 82 83

    if settings.CAS_INFO_MESSAGES_ORDER:
        params["CAS_INFO_RENDER"] = []
        for msg_name in settings.CAS_INFO_MESSAGES_ORDER:
            if msg_name in settings.CAS_INFO_MESSAGES:
84
                if not isinstance(settings.CAS_INFO_MESSAGES[msg_name], dict):
85
                    continue
86
                msg = settings.CAS_INFO_MESSAGES[msg_name].copy()
87 88 89 90 91 92 93 94 95 96 97 98 99
                if "message" in msg:
                    msg["name"] = msg_name
                    # use info as default infox type
                    msg["type"] = msg.get("type", "info")
                    # make box discardable by default
                    msg["discardable"] = msg.get("discardable", True)
                    msg_hash = (
                        six.text_type(msg["message"]).encode("utf-8") +
                        msg["type"].encode("utf-8")
                    )
                    # hash depend of the rendering language
                    msg["hash"] = hashlib.md5(msg_hash).hexdigest()
                    params["CAS_INFO_RENDER"].append(msg)
100 101 102
    return params


Valentin Samir's avatar
Valentin Samir committed
103
def json_response(request, data):
104 105 106 107 108 109 110 111
    """
        Wrapper dumping `data` to a json and sending it to the user with an HttpResponse

        :param django.http.HttpRequest request: The request object used to generate this response.
        :param dict data: The python dictionnary to return as a json
        :return: The content of ``data`` serialized in json
        :rtype: django.http.HttpResponse
    """
112 113 114 115 116 117
    data["messages"] = []
    for msg in messages.get_messages(request):
        data["messages"].append({'message': msg.message, 'level': msg.level_tag})
    return HttpResponse(json.dumps(data), content_type="application/json")


118
def import_attr(path):
119 120 121 122
    """
        transform a python dotted path to the attr

        :param path: A dotted path to a python object or a python object
123
        :type path: :obj:`unicode` or :obj:`str` or anything
124 125
        :return: The python object pointed by the dotted path or the python object unchanged
    """
126 127 128 129 130
    # if we got a str, decode it to unicode (normally it should only contain ascii)
    if isinstance(path, six.binary_type):
        path = path.decode("utf-8")
    # if path is not an unicode, return it unchanged (may be it is already the attribute to import)
    if not isinstance(path, six.text_type):
Valentin Samir's avatar
Valentin Samir committed
131
        return path
132
    if u"." not in path:
133
        ValueError("%r should be of the form `module.attr` and we just got `attr`" % path)
134
    module, attr = path.rsplit(u'.', 1)
135 136 137 138 139 140
    try:
        return getattr(import_module(module), attr)
    except ImportError:
        raise ImportError("Module %r not found" % module)
    except AttributeError:
        raise AttributeError("Module %r has not attribut %r" % (module, attr))
141

Valentin Samir's avatar
Valentin Samir committed
142

143
def redirect_params(url_name, params=None):
144 145 146 147 148 149 150 151 152
    """
        Redirect to ``url_name`` with ``params`` as querystring

        :param unicode url_name: a URL pattern name
        :param params: Some parameter to append to the reversed URL
        :type params: :obj:`dict` or :obj:`NoneType<types.NoneType>`
        :return: A redirection to the URL with name ``url_name`` with ``params`` as querystring.
        :rtype: django.http.HttpResponseRedirect
    """
153
    url = reverse(url_name)
Valentin Samir's avatar
Valentin Samir committed
154
    params = urlencode(params if params else {})
155 156
    return HttpResponseRedirect(url + "?%s" % params)

Valentin Samir's avatar
Valentin Samir committed
157

158
def reverse_params(url_name, params=None, **kwargs):
159 160 161 162 163 164 165 166 167 168 169
    """
        compute the reverse url of ``url_name`` and add to it parameters from ``params``
        as querystring

        :param unicode url_name: a URL pattern name
        :param params: Some parameter to append to the reversed URL
        :type params: :obj:`dict` or :obj:`NoneType<types.NoneType>`
        :param **kwargs: additional parameters needed to compure the reverse URL
        :return: The computed reverse URL of ``url_name`` with possible querystring from ``params``
        :rtype: unicode
    """
170 171
    url = reverse(url_name, **kwargs)
    params = urlencode(params if params else {})
Valentin Samir's avatar
Valentin Samir committed
172
    if params:
173
        return u"%s?%s" % (url, params)
Valentin Samir's avatar
Valentin Samir committed
174 175 176 177
    else:
        return url


178
def copy_params(get_or_post_params, ignore=None):
179 180 181 182 183 184 185 186 187
    """
        copy a :class:`django.http.QueryDict` in a :obj:`dict` ignoring keys in the set ``ignore``

        :param django.http.QueryDict get_or_post_params: A GET or POST
            :class:`QueryDict<django.http.QueryDict>`
        :param set ignore: An optinal set of keys to ignore during the copy
        :return: A copy of get_or_post_params
        :rtype: dict
    """
188 189
    if ignore is None:
        ignore = set()
Valentin Samir's avatar
Valentin Samir committed
190 191 192 193 194 195 196 197
    params = {}
    for key in get_or_post_params:
        if key not in ignore and get_or_post_params[key]:
            params[key] = get_or_post_params[key]
    return params


def set_cookie(response, key, value, max_age):
198 199 200 201 202 203 204 205
    """
        Set the cookie ``key`` on ``response`` with value ``value`` valid for ``max_age`` secondes

        :param django.http.HttpResponse response: a django response where to set the cookie
        :param unicode key: the cookie key
        :param unicode value: the cookie value
        :param int max_age: the maximum validity age of the cookie
    """
Valentin Samir's avatar
Valentin Samir committed
206 207 208 209 210 211 212 213 214 215 216 217 218 219
    expires = datetime.strftime(
        datetime.utcnow() + timedelta(seconds=max_age),
        "%a, %d-%b-%Y %H:%M:%S GMT"
    )
    response.set_cookie(
        key,
        value,
        max_age=max_age,
        expires=expires,
        domain=settings.SESSION_COOKIE_DOMAIN,
        secure=settings.SESSION_COOKIE_SECURE or None
    )


220
def get_current_url(request, ignore_params=None):
221 222 223 224 225 226 227 228 229
    """
        Giving a django request, return the current http url, possibly ignoring some GET parameters

        :param django.http.HttpRequest request: The current request object.
        :param set ignore_params: An optional set of GET parameters to ignore
        :return: The URL of the current page, possibly omitting some parameters from
            ``ignore_params`` in the querystring.
        :rtype: unicode
    """
230 231
    if ignore_params is None:
        ignore_params = set()
232 233
    protocol = u'https' if request.is_secure() else u"http"
    service_url = u"%s://%s%s" % (protocol, request.get_host(), request.path)
Valentin Samir's avatar
Valentin Samir committed
234 235 236
    if request.GET:
        params = copy_params(request.GET, ignore_params)
        if params:
237
            service_url += u"?%s" % urlencode(params)
Valentin Samir's avatar
Valentin Samir committed
238
    return service_url
239 240


Valentin Samir's avatar
Valentin Samir committed
241
def update_url(url, params):
242 243 244 245 246 247 248 249 250
    """
        update parameters using ``params`` in the ``url`` query string

        :param url: An URL possibily with a querystring
        :type url: :obj:`unicode` or :obj:`str`
        :param dict params: A dictionary of parameters for updating the url querystring
        :return: The URL with an updated querystring
        :rtype: unicode
    """
Valentin Samir's avatar
Valentin Samir committed
251
    if not isinstance(url, bytes):
Valentin Samir's avatar
Valentin Samir committed
252
        url = url.encode('utf-8')
Valentin Samir's avatar
Valentin Samir committed
253 254
    for key, value in list(params.items()):
        if not isinstance(key, bytes):
Valentin Samir's avatar
Valentin Samir committed
255 256
            del params[key]
            key = key.encode('utf-8')
Valentin Samir's avatar
Valentin Samir committed
257
        if not isinstance(value, bytes):
Valentin Samir's avatar
Valentin Samir committed
258 259
            value = value.encode('utf-8')
        params[key] = value
Valentin Samir's avatar
Valentin Samir committed
260 261
    url_parts = list(urlparse(url))
    query = dict(parse_qsl(url_parts[4]))
Valentin Samir's avatar
Valentin Samir committed
262
    query.update(params)
263 264 265 266
    # make the params order deterministic
    query = list(query.items())
    query.sort()
    url_query = urlencode(query)
267
    if not isinstance(url_query, bytes):  # pragma: no cover in python3 urlencode return an unicode
268 269
        url_query = url_query.encode("utf-8")
    url_parts[4] = url_query
Valentin Samir's avatar
Valentin Samir committed
270
    return urlunparse(url_parts).decode('utf-8')
271

Valentin Samir's avatar
Valentin Samir committed
272

273
def unpack_nested_exception(error):
274 275 276 277 278 279
    """
        If exception are stacked, return the first one

        :param error: A python exception with possible exception embeded within
        :return: A python exception with no exception embeded within
    """
280 281 282 283 284 285 286 287 288 289 290 291 292
    i = 0
    while True:
        if error.args[i:]:
            if isinstance(error.args[i], Exception):
                error = error.args[i]
                i = 0
            else:
                i += 1
        else:
            break
    return error


293 294 295 296 297 298 299 300 301 302 303 304 305
def _gen_ticket(prefix=None, lg=settings.CAS_TICKET_LEN):
    """
        Generate a ticket with prefix ``prefix`` and length ``lg``

        :param unicode prefix: An optional prefix (probably ST, PT, PGT or PGTIOU)
        :param int lg: The length of the generated ticket (with the prefix)
        :return: A randomlly generated ticket of length ``lg``
        :rtype: unicode
    """
    random_part = u''.join(
        random.choice(
            string.ascii_letters + string.digits
        ) for _ in range(lg - len(prefix or "") - 1)
306
    )
307 308 309 310
    if prefix is not None:
        return u'%s-%s' % (prefix, random_part)
    else:
        return random_part
311

Valentin Samir's avatar
Valentin Samir committed
312

313
def gen_lt():
314 315 316 317 318 319 320
    """
        Generate a Login Ticket

        :return: A ticket with prefix ``settings.CAS_LOGIN_TICKET_PREFIX`` and length
            ``settings.CAS_LT_LEN``
        :rtype: unicode
    """
321 322
    return _gen_ticket(settings.CAS_LOGIN_TICKET_PREFIX, settings.CAS_LT_LEN)

Valentin Samir's avatar
Valentin Samir committed
323

324
def gen_st():
325 326 327 328 329 330 331
    """
        Generate a Service Ticket

        :return: A ticket with prefix ``settings.CAS_SERVICE_TICKET_PREFIX`` and length
            ``settings.CAS_ST_LEN``
        :rtype: unicode
    """
332
    return _gen_ticket(settings.CAS_SERVICE_TICKET_PREFIX, settings.CAS_ST_LEN)
333

Valentin Samir's avatar
Valentin Samir committed
334

335
def gen_pt():
336 337 338 339 340 341 342
    """
        Generate a Proxy Ticket

        :return: A ticket with prefix ``settings.CAS_PROXY_TICKET_PREFIX`` and length
            ``settings.CAS_PT_LEN``
        :rtype: unicode
    """
343
    return _gen_ticket(settings.CAS_PROXY_TICKET_PREFIX, settings.CAS_PT_LEN)
344

Valentin Samir's avatar
Valentin Samir committed
345

346
def gen_pgt():
347 348 349 350 351 352 353
    """
        Generate a Proxy Granting Ticket

        :return: A ticket with prefix ``settings.CAS_PROXY_GRANTING_TICKET_PREFIX`` and length
            ``settings.CAS_PGT_LEN``
        :rtype: unicode
    """
354
    return _gen_ticket(settings.CAS_PROXY_GRANTING_TICKET_PREFIX, settings.CAS_PGT_LEN)
355

Valentin Samir's avatar
Valentin Samir committed
356

357
def gen_pgtiou():
358 359 360 361 362 363 364
    """
        Generate a Proxy Granting Ticket IOU

        :return: A ticket with prefix ``settings.CAS_PROXY_GRANTING_TICKET_IOU_PREFIX`` and length
            ``settings.CAS_PGTIOU_LEN``
        :rtype: unicode
    """
365
    return _gen_ticket(settings.CAS_PROXY_GRANTING_TICKET_IOU_PREFIX, settings.CAS_PGTIOU_LEN)
366

367 368

def gen_saml_id():
369 370 371 372 373 374 375
    """
        Generate an saml id

        :return: A random id of length ``settings.CAS_TICKET_LEN``
        :rtype: unicode
    """
    return _gen_ticket()
376 377


378
def get_tuple(nuplet, index, default=None):
Valentin Samir's avatar
Valentin Samir committed
379
    """
380 381 382 383
        :param tuple nuplet: A tuple
        :param int index: An index
        :param default: An optional default value
        :return: ``nuplet[index]`` if defined, else ``default`` (possibly ``None``)
Valentin Samir's avatar
Valentin Samir committed
384
    """
385
    if nuplet is None:
386
        return default
387
    try:
388
        return nuplet[index]
389 390
    except IndexError:
        return default
391

392

393
def crypt_salt_is_valid(salt):
394 395 396 397 398 399 400
    """
        Validate a salt as crypt salt

        :param str salt: a password salt
        :return: ``True`` if ``salt`` is a valid crypt salt on this system, ``False`` otherwise
        :rtype: bool
    """
401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417
    if len(salt) < 2:
        return False
    else:
        if salt[0] == '$':
            if salt[1] == '$':
                return False
            else:
                if '$' not in salt[1:]:
                    return False
                else:
                    hashed = crypt.crypt("", salt)
                    if not hashed or '$' not in hashed[1:]:
                        return False
                    else:
                        return True
        else:
            return True
418

419

420
class LdapHashUserPassword(object):
421 422 423 424
    """
        Class to deal with hashed password as defined at
        https://tools.ietf.org/id/draft-stroeder-hashed-userpassword-values-01.html
    """
425

426
    #: valide schemes that require a salt
427
    schemes_salt = {b"{SMD5}", b"{SSHA}", b"{SSHA256}", b"{SSHA384}", b"{SSHA512}", b"{CRYPT}"}
428
    #: valide sschemes that require no slat
429 430
    schemes_nosalt = {b"{MD5}", b"{SHA}", b"{SHA256}", b"{SHA384}", b"{SHA512}"}

431
    #: map beetween scheme and hash function
432 433 434 435 436 437 438 439 440 441 442 443 444
    _schemes_to_hash = {
        b"{SMD5}": hashlib.md5,
        b"{MD5}": hashlib.md5,
        b"{SSHA}": hashlib.sha1,
        b"{SHA}": hashlib.sha1,
        b"{SSHA256}": hashlib.sha256,
        b"{SHA256}": hashlib.sha256,
        b"{SSHA384}": hashlib.sha384,
        b"{SHA384}": hashlib.sha384,
        b"{SSHA512}": hashlib.sha512,
        b"{SHA512}": hashlib.sha512
    }

445
    #: map between scheme and hash length
446 447 448 449 450 451 452 453 454
    _schemes_to_len = {
        b"{SMD5}": 16,
        b"{SSHA}": 20,
        b"{SSHA256}": 32,
        b"{SSHA384}": 48,
        b"{SSHA512}": 64,
    }

    class BadScheme(ValueError):
455 456 457 458
        """
            Error raised then the hash scheme is not in
            :attr:`LdapHashUserPassword.schemes_salt` + :attr:`LdapHashUserPassword.schemes_nosalt`
        """
459 460 461
        pass

    class BadHash(ValueError):
Valentin Samir's avatar
Valentin Samir committed
462
        """Error raised then the hash is too short"""
463 464 465
        pass

    class BadSalt(ValueError):
466
        """Error raised then, with the scheme ``{CRYPT}``, the salt is invalid"""
467 468 469 470
        pass

    @classmethod
    def _raise_bad_scheme(cls, scheme, valid, msg):
Valentin Samir's avatar
Valentin Samir committed
471
        """
472 473 474 475 476 477 478
            Raise :attr:`BadScheme` error for ``scheme``, possible valid scheme are
            in ``valid``, the error message is ``msg``

            :param bytes scheme: A bad scheme
            :param list valid: A list a valid scheme
            :param str msg: The error template message
            :raises LdapHashUserPassword.BadScheme: always
Valentin Samir's avatar
Valentin Samir committed
479
        """
480
        valid_schemes = [s.decode() for s in valid]
481
        valid_schemes.sort()
482
        raise cls.BadScheme(msg % (scheme, u", ".join(valid_schemes)))
483 484 485

    @classmethod
    def _test_scheme(cls, scheme):
486 487 488 489 490 491
        """
            Test if a scheme is valide or raise BadScheme

            :param bytes scheme: A scheme
            :raises BadScheme: if ``scheme`` is not a valid scheme
        """
492 493 494 495 496 497 498 499 500
        if scheme not in cls.schemes_salt and scheme not in cls.schemes_nosalt:
            cls._raise_bad_scheme(
                scheme,
                cls.schemes_salt | cls.schemes_nosalt,
                "The scheme %r is not valid. Valide schemes are %s."
            )

    @classmethod
    def _test_scheme_salt(cls, scheme):
501 502 503 504 505 506
        """
            Test if the scheme need a salt or raise BadScheme

            :param bytes scheme: A scheme
            :raises BadScheme: if ``scheme` require no salt
        """
507 508 509 510 511 512 513 514 515
        if scheme not in cls.schemes_salt:
            cls._raise_bad_scheme(
                scheme,
                cls.schemes_salt,
                "The scheme %r is only valid without a salt. Valide schemes with salt are %s."
            )

    @classmethod
    def _test_scheme_nosalt(cls, scheme):
516 517 518 519 520 521
        """
            Test if the scheme need no salt or raise BadScheme

            :param bytes scheme: A scheme
            :raises BadScheme: if ``scheme` require a salt
        """
522 523 524 525 526 527 528 529 530
        if scheme not in cls.schemes_nosalt:
            cls._raise_bad_scheme(
                scheme,
                cls.schemes_nosalt,
                "The scheme %r is only valid with a salt. Valide schemes without salt are %s."
            )

    @classmethod
    def hash(cls, scheme, password, salt=None, charset="utf8"):
Valentin Samir's avatar
Valentin Samir committed
531
        """
532 533 534 535 536 537 538 539 540
           Hash ``password`` with ``scheme`` using ``salt``.
           This three variable beeing encoded in ``charset``.

           :param bytes scheme: A valid scheme
           :param bytes password: A byte string to hash using ``scheme``
           :param bytes salt: An optional salt to use if ``scheme`` requires any
           :param str charset: The encoding of ``scheme``, ``password`` and ``salt``
           :return: The hashed password encoded with ``charset``
           :rtype: bytes
Valentin Samir's avatar
Valentin Samir committed
541
        """
542 543 544 545 546
        scheme = scheme.upper()
        cls._test_scheme(scheme)
        if salt is None or salt == b"":
            salt = b""
            cls._test_scheme_nosalt(scheme)
Valentin Samir's avatar
Valentin Samir committed
547
        else:
548 549
            cls._test_scheme_salt(scheme)
        try:
550 551 552
            return scheme + base64.b64encode(
                cls._schemes_to_hash[scheme](password + salt).digest() + salt
            )
553 554 555 556
        except KeyError:
            if six.PY3:
                password = password.decode(charset)
                salt = salt.decode(charset)
557
            if not crypt_salt_is_valid(salt):
558
                raise cls.BadSalt("System crypt implementation do not support the salt %r" % salt)
559
            hashed_password = crypt.crypt(password, salt)
560 561 562 563 564 565
            if six.PY3:
                hashed_password = hashed_password.encode(charset)
            return scheme + hashed_password

    @classmethod
    def get_scheme(cls, hashed_passord):
566 567 568 569 570 571 572 573
        """
            Return the scheme of ``hashed_passord`` or raise :attr:`BadHash`

            :param bytes hashed_passord: A hashed password
            :return: The scheme used by the hashed password
            :rtype: bytes
            :raises BadHash: if no valid scheme is found within ``hashed_passord``
        """
574
        if not hashed_passord[0] == b'{'[0] or b'}' not in hashed_passord:
575 576 577 578 579 580 581
            raise cls.BadHash("%r should start with the scheme enclosed with { }" % hashed_passord)
        scheme = hashed_passord.split(b'}', 1)[0]
        scheme = scheme.upper() + b"}"
        return scheme

    @classmethod
    def get_salt(cls, hashed_passord):
582 583 584 585 586 587 588 589 590
        """
            Return the salt of ``hashed_passord`` possibly empty

            :param bytes hashed_passord: A hashed password
            :return: The salt used by the hashed password (empty if no salt is used)
            :rtype: bytes
            :raises BadHash: if no valid scheme is found within ``hashed_passord`` or if the
                hashed password is too short for the scheme found.
        """
591 592 593 594 595
        scheme = cls.get_scheme(hashed_passord)
        cls._test_scheme(scheme)
        if scheme in cls.schemes_nosalt:
            return b""
        elif scheme == b'{CRYPT}':
Valentin Samir's avatar
Valentin Samir committed
596
            return b'$'.join(hashed_passord.split(b'$', 3)[:-1])[len(scheme):]
597
        else:
598 599
            try:
                hashed_passord = base64.b64decode(hashed_passord[len(scheme):])
600
            except (TypeError, binascii.Error) as error:
601
                raise cls.BadHash("Bad base64: %s" % error)
602 603 604 605 606 607
            if len(hashed_passord) < cls._schemes_to_len[scheme]:
                raise cls.BadHash("Hash too short for the scheme %s" % scheme)
            return hashed_passord[cls._schemes_to_len[scheme]:]


def check_password(method, password, hashed_password, charset):
Valentin Samir's avatar
Valentin Samir committed
608
    """
609 610 611 612 613 614 615 616 617 618
        Check that ``password`` match `hashed_password` using ``method``,
        assuming the encoding is ``charset``.

        :param str method: on of ``"crypt"``, ``"ldap"``, ``"hex_md5"``, ``"hex_sha1"``,
            ``"hex_sha224"``, ``"hex_sha256"``, ``"hex_sha384"``, ``"hex_sha512"``, ``"plain"``
        :param password: The user inputed password
        :type password: :obj:`str` or :obj:`unicode`
        :param hashed_password: The hashed password as stored in the database
        :type hashed_password: :obj:`str` or :obj:`unicode`
        :param str charset: The used char encoding (also used internally, so it must be valid for
619
            the charset used by ``password`` when it was initially )
620 621 622
        :return: True if ``password`` match ``hashed_password`` using ``method``,
            ``False`` otherwise
        :rtype: bool
Valentin Samir's avatar
Valentin Samir committed
623
    """
624 625 626 627 628 629 630 631 632
    if not isinstance(password, six.binary_type):
        password = password.encode(charset)
    if not isinstance(hashed_password, six.binary_type):
        hashed_password = hashed_password.encode(charset)
    if method == "plain":
        return password == hashed_password
    elif method == "crypt":
        if hashed_password.startswith(b'$'):
            salt = b'$'.join(hashed_password.split(b'$', 3)[:-1])
Valentin Samir's avatar
Valentin Samir committed
633
        elif hashed_password.startswith(b'_'):  # pragma: no cover old BSD format not supported
634 635 636 637 638 639 640
            salt = hashed_password[:9]
        else:
            salt = hashed_password[:2]
        if six.PY3:
            password = password.decode(charset)
            salt = salt.decode(charset)
            hashed_password = hashed_password.decode(charset)
641
        if not crypt_salt_is_valid(salt):
642
            raise ValueError("System crypt implementation do not support the salt %r" % salt)
643
        crypted_password = crypt.crypt(password, salt)
644 645 646 647 648 649 650 651 652
        return crypted_password == hashed_password
    elif method == "ldap":
        scheme = LdapHashUserPassword.get_scheme(hashed_password)
        salt = LdapHashUserPassword.get_salt(hashed_password)
        return LdapHashUserPassword.hash(scheme, password, salt, charset=charset) == hashed_password
    elif (
       method.startswith("hex_") and
       method[4:] in {"md5", "sha1", "sha224", "sha256", "sha384", "sha512"}
    ):
653 654 655 656
        return getattr(
            hashlib,
            method[4:]
        )(password).hexdigest().encode("ascii") == hashed_password.lower()
657 658
    else:
        raise ValueError("Unknown password method check %r" % method)
659 660 661 662


def decode_version(version):
    """
663 664
        decode a version string following version semantic http://semver.org/ input a tuple of int.
        It will work as long as we do not use pre release versions.
665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692

        :param unicode version: A dotted version
        :return: A tuple a int
        :rtype: tuple
    """
    return tuple(int(sub_version) for sub_version in version.split('.'))


def last_version():
    """
        Fetch the last version from pypi and return it. On successful fetch from pypi, the response
        is cached 24h, on error, it is cached 10 min.

        :return: the last django-cas-server version
        :rtype: unicode
    """
    try:
        last_update, version, success = last_version._cache
    except AttributeError:
        last_update = 0
        version = None
        success = False
    cache_delta = 24 * 3600 if success else 600
    if (time.time() - last_update) < cache_delta:
        return version
    else:
        try:
            req = requests.get(settings.CAS_NEW_VERSION_JSON_URL)
693
            data = json.loads(req.text)
694
            version = data["info"]["version"]
695 696 697 698 699 700
            last_version._cache = (time.time(), version, True)
            return version
        except (
            KeyError,
            ValueError,
            requests.exceptions.RequestException
701
        ) as error:  # pragma: no cover (should not happen unless pypi is not available)
702 703 704 705
            logger.error(
                "Unable to fetch %s: %s" % (settings.CAS_NEW_VERSION_JSON_URL, error)
            )
            last_version._cache = (time.time(), version, False)
706 707 708 709 710 711 712 713 714


def dictfetchall(cursor):
    "Return all rows from a django cursor as a dict"
    columns = [col[0] for col in cursor.description]
    return [
        dict(zip(columns, row))
        for row in cursor.fetchall()
    ]
715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733


def logout_request(ticket):
    """
        Forge a SLO logout request

        :param unicode ticket: A ticket value
        :return: A SLO XML body request
        :rtype: unicode
    """
    return u"""<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 ID="%(id)s" Version="2.0" IssueInstant="%(datetime)s">
<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"></saml:NameID>
<samlp:SessionIndex>%(ticket)s</samlp:SessionIndex>
</samlp:LogoutRequest>""" % {
        'id': gen_saml_id(),
        'datetime': timezone.now().isoformat(),
        'ticket':  ticket
    }
734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749


def regexpr_validator(value):
    """
        Test that ``value`` is a valid regular expression

        :param unicode value: A regular expression to test
        :raises ValidationError: if ``value`` is not a valid regular expression
    """
    try:
        re.compile(value)
    except re.error:
        raise ValidationError(
            _('"%(value)s" is not a valid regular expression'),
            params={'value': value}
        )