import logging
from django.shortcuts import redirect
from django.core.urlresolvers import reverse
from django.utils.translation import ugettext_lazy as _

from .utils import ldap_contains_user, saml_collect_data, \
        ldap_get_affectations, render_message

from .views import MSG_USERNONE

logger = logging.getLogger('django')

# User-facing messages rendered by the decorators below.  They are lazily
# translated so that the active language is resolved at render time.
MSG_USER_REGISTERED = _("Your account is already registered to the Campus.")
MSG_STRUCT_NOT_IN_CAMPUS = _("You are not allowed to register to the Campus.")
MSG_USER_NOT_REGISTERED = _(
    "Please register to the campus before sending invites."
)

def user_not_in_ldap(function):
    """
    Restrict a view to users whose eduPersonPrincipalName attribute value
    does not appear in a ``ou=people`` sub-entry of the Campus LDAP.

    The check is only performed when the wrapped view is called with the
    keyword argument ``type='mellon'``; any other ``type`` value (or none at
    all) goes straight through to the view without consulting the LDAP.
    Users already present in the LDAP get the MSG_USERNONE page instead.
    """
    def wrapped(request, *args, **kwargs):
        if kwargs.get('type') != 'mellon':
            return function(request, *args, **kwargs)
        user_data = saml_collect_data(request)
        if ldap_contains_user(user_data):
            # NOTE(review): str(request) may include request headers or
            # cookies depending on the Django version -- confirm nothing
            # sensitive ends up in the log line.
            logger.info(u'usernone error for request %s' % request)
            return render_message(request, MSG_USERNONE)
        return function(request, *args, **kwargs)
    return wrapped

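def user_in_ldap(function):
    """
    Restrict a view to users whose eduPersonPrincipalName attribute value
    appears in a ``ou=people...`` sub-entry of the Campus LDAP.

    Requests whose session has no ``mellon_session`` key are redirected to
    the ``auth_login`` view; the ``next`` target is the fixed ``/invite/``
    path, so the redirect destination is never taken from user input.
    Authenticated users unknown to the LDAP get the MSG_USER_NOT_REGISTERED
    page instead of the view.
    """
    def wrapped(request, *args, **kwargs):
        if 'mellon_session' not in request.session:
            return redirect(reverse('auth_login') + "?next=/invite/")
        user_data = saml_collect_data(request)
        if not ldap_contains_user(user_data):
            # Lazy %-args: the message is only formatted if INFO is enabled.
            # NOTE(review): str(request) may include request headers or
            # cookies depending on the Django version -- confirm nothing
            # sensitive ends up in the log line.
            logger.info(u'user not registered error for request %s', request)
            return render_message(request, MSG_USER_NOT_REGISTERED)
        return function(request, *args, **kwargs)
    return wrapped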

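def user_can_declare(function):
    """
    Ensure that all conditions are met for a user to self-subscribe to the
    Campus. At the moment, these two conditions are:
    - the user's eduPersonPrincipalName attribute value mustn't appear in the
      Campus LDAP base
    - the user's institution or research unit must appear as a registered
      structure in the Campus LDAP base

    Requests without a truthy ``mellon_session`` in the session are redirected
    to the ``auth_login`` view with the fixed ``next=/declare/`` target.
    Users already in the LDAP get MSG_USER_REGISTERED; users whose structures
    are not registered get MSG_STRUCT_NOT_IN_CAMPUS.
    """
    def wrapped(request, *args, **kwargs):
        if not request.session.get('mellon_session'):
            return redirect(reverse('auth_login') + '?next=/declare/')
        user_data = saml_collect_data(request)

        if ldap_contains_user(user_data):
            return render_message(request, MSG_USER_REGISTERED)

        # Registered structure codes.  ldap_get_affectations() yields
        # (code, label) pairs that may contain null codes; every None is
        # dropped here -- not just the first one, as list.remove() would --
        # so that a user whose own affectation attributes are missing can
        # never match a null entry and be let through.  The loop variable is
        # named _label rather than _ to avoid shadowing the translation
        # function.
        registered = set(
            code for code, _label in ldap_get_affectations()
            if code is not None
        )
        user_affectations = set([
            user_data.get('s_etablissement'),
            user_data.get('s_entite_affectation'),
        ])
        # A missing attribute must not count as a structure on its own.
        user_affectations.discard(None)
        if user_affectations & registered:
            return function(request, *args, **kwargs)
        return render_message(request, MSG_STRUCT_NOT_IN_CAMPUS)
    return wrapped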