keep local cache of fedict metadata (#31128)

2019-03-06 13:08:46 +01:00 · 2019-03-06 13:08:46 +01:00 · 6f94d38764
parent c0fb61b15c
commit 6f94d38764
1 changed files with 34 additions and 1 deletions
--- a/src/authentic2_auth_fedict/adapters.py
+++ b/src/authentic2_auth_fedict/adapters.py
@ -15,15 +15,20 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.

 import datetime
+import hashlib
 import logging
+import os
+
 import requests

 from django.conf import settings
 from django.contrib.auth import get_user_model
+from django.core.files.storage import default_storage

 import lasso

-from mellon.adapters import DefaultAdapter
+from mellon.adapters import DefaultAdapter, app_settings
+import mellon.utils as mellon_utils
 from authentic2.models import Attribute
 from authentic2 import utils
 from authentic2.a2_rbac.utils import get_default_ou
@ -46,6 +51,34 @@ class AuthenticAdapter(DefaultAdapter):
    def auth_login(self, request, user):
        utils.login(request, user, 'fedict')

+    def get_identity_providers_setting(self):
+        providers = app_settings.IDENTITY_PROVIDERS
+        cache_path = default_storage.path('fedict-cache')
+        if not os.path.exists(cache_path):
+            os.makedirs(cache_path)
+        for idp in providers:
+            if 'METADATA_URL' in idp and 'METADATA' not in idp:
+                url_hash = hashlib.sha1(idp['METADATA_URL']).hexdigest()
+                metadata_cache_filename = os.path.join(cache_path, url_hash)
+                if os.path.exists(metadata_cache_filename):
+                    stat_info = os.stat(metadata_cache_filename)
+                    if stat_info.st_size and stat_info.st_mtime > (time.time() - 86400):
+                        idp['METADATA'] = open(metadata_cache_filename).read().decode('utf-8')
+                        continue
+                verify_ssl_certificate = mellon_utils.get_setting(idp, 'VERIFY_SSL_CERTIFICATE')
+                try:
+                    response = requests.get(idp['METADATA_URL'], verify=verify_ssl_certificate)
+                    response.raise_for_status()
+                except requests.exceptions.RequestException as e:
+                    if os.path.exists(metadata_cache_filename):
+                        # accept older cache in case of error
+                        idp['METADATA'] = open(metadata_cache_filename).read().decode('utf-8')
+                    continue
+                idp['METADATA'] = response.text
+                with open(metadata_cache_filename, 'w') as fd:
+                    fd.write(response.text.encode('utf-8'))
+        return providers
+
    def lookup_user(self, idp, saml_attributes):
        if 'email' in saml_attributes:
            # XXX: remove email from received attributes for now, this