2015-11-06 13:30:53 +01:00
|
|
|
import logging
|
|
|
|
|
|
2022-08-22 14:23:04 +02:00
|
|
|
import requests
|
2015-11-06 13:30:53 +01:00
|
|
|
from django.conf import settings
|
|
|
|
|
from django.contrib.auth import get_user_model
|
|
|
|
|
from django.contrib.auth.models import AnonymousUser
|
2022-04-18 16:55:24 +02:00
|
|
|
from django.core.exceptions import FieldDoesNotExist
|
2016-01-29 17:33:45 +01:00
|
|
|
from django.utils.module_loading import import_string
|
2020-03-09 12:02:55 +01:00
|
|
|
from rest_framework import authentication, exceptions, status
|
2021-05-14 18:39:27 +02:00
|
|
|
|
2015-11-06 13:30:53 +01:00
|
|
|
from hobo import signature
|
2022-08-22 14:23:04 +02:00
|
|
|
from hobo.requests_wrapper import Requests
|
2015-11-06 13:30:53 +01:00
|
|
|
|
2016-02-13 09:13:27 +01:00
|
|
|
try:
|
|
|
|
|
from mellon.models import UserSAMLIdentifier
|
|
|
|
|
except ImportError:
|
|
|
|
|
UserSAMLIdentifier = None
|
|
|
|
|
|
2016-01-29 17:33:45 +01:00
|
|
|
|
|
|
|
|
class AnonymousAuthenticServiceUser(AnonymousUser):
|
2015-11-06 13:30:53 +01:00
|
|
|
'''This virtual user hold permissions for other publik services'''
|
2021-05-14 18:39:27 +02:00
|
|
|
|
2020-04-01 19:50:06 +02:00
|
|
|
is_anonymous = True
|
|
|
|
|
is_authenticated = True
|
2022-02-25 16:21:48 +01:00
|
|
|
ou = None
|
2022-11-02 14:17:07 +01:00
|
|
|
is_publik_service = True
|
2015-11-06 13:30:53 +01:00
|
|
|
|
2021-03-16 16:52:44 +01:00
|
|
|
def has_perm(self, *args, **kwargs):
|
2016-07-15 15:49:18 +02:00
|
|
|
return True
|
|
|
|
|
|
2021-03-16 16:52:44 +01:00
|
|
|
def has_ou_perm(self, *args, **kwargs):
|
2016-07-15 15:49:18 +02:00
|
|
|
return True
|
|
|
|
|
|
2021-03-16 16:52:44 +01:00
|
|
|
def has_perm_any(self, *args, **kwargs):
|
2016-07-15 15:49:18 +02:00
|
|
|
return True
|
2015-11-06 13:30:53 +01:00
|
|
|
|
2016-07-14 11:21:43 +02:00
|
|
|
def filter_by_perm(self, perm_or_perms, qs):
|
|
|
|
|
# all objects are reachable
|
|
|
|
|
return qs
|
|
|
|
|
|
2015-11-06 13:30:53 +01:00
|
|
|
def __unicode__(self):
|
2016-01-29 17:33:45 +01:00
|
|
|
return 'Publik Service User'
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class AnonymousAdminServiceUser(AnonymousUser):
|
|
|
|
|
'''This virtual user hold permissions for other publik services'''
|
2021-05-14 18:39:27 +02:00
|
|
|
|
2016-01-29 17:33:45 +01:00
|
|
|
is_staff = True
|
2020-04-01 19:50:06 +02:00
|
|
|
is_anonymous = True
|
|
|
|
|
is_authenticated = True
|
2022-02-25 16:21:48 +01:00
|
|
|
ou = None
|
2022-11-02 14:17:07 +01:00
|
|
|
is_publik_service = True
|
2016-01-29 17:33:45 +01:00
|
|
|
|
|
|
|
|
def __unicode__(self):
|
|
|
|
|
return 'Publik Service Admin'
|
2015-11-06 13:30:53 +01:00
|
|
|
|
|
|
|
|
|
2022-08-22 14:23:04 +02:00
|
|
|
class APIClientUser:
|
|
|
|
|
is_active = True
|
|
|
|
|
is_anonymous = False
|
|
|
|
|
is_authenticated = True
|
|
|
|
|
is_superuser = False
|
|
|
|
|
roles = []
|
|
|
|
|
|
|
|
|
|
def __init__(self, is_active, is_anonymous, is_authenticated, is_superuser, roles):
|
|
|
|
|
self.is_active = is_active
|
|
|
|
|
self.is_anonymous = is_anonymous
|
|
|
|
|
self.is_authenticated = is_authenticated
|
|
|
|
|
self.is_superuser = is_superuser
|
|
|
|
|
self.roles = roles
|
|
|
|
|
|
|
|
|
|
@classmethod
|
|
|
|
|
def from_dict(cls, data):
|
|
|
|
|
return cls(
|
|
|
|
|
is_active=data['is_active'],
|
|
|
|
|
is_anonymous=data['is_anonymous'],
|
|
|
|
|
is_authenticated=data['is_authenticated'],
|
|
|
|
|
is_superuser=data['is_superuser'],
|
|
|
|
|
roles=data['roles'],
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
2020-03-09 12:02:55 +01:00
|
|
|
class PublikAuthenticationFailed(exceptions.APIException):
|
|
|
|
|
status_code = status.HTTP_401_UNAUTHORIZED
|
|
|
|
|
default_code = 'invalid-signature'
|
|
|
|
|
|
|
|
|
|
def __init__(self, code):
|
2021-09-30 13:19:39 +02:00
|
|
|
self.detail = {'err': 1, 'err_desc': code}
|
2020-03-09 12:02:55 +01:00
|
|
|
|
|
|
|
|
|
2015-11-06 13:30:53 +01:00
|
|
|
class PublikAuthentication(authentication.BaseAuthentication):
|
|
|
|
|
def __init__(self, *args, **kwargs):
|
|
|
|
|
self.logger = logging.getLogger(__name__)
|
|
|
|
|
super().__init__(*args, **kwargs)
|
|
|
|
|
|
|
|
|
|
def resolve_user(self, request):
|
2016-04-18 23:25:58 +02:00
|
|
|
User = get_user_model()
|
2015-11-06 13:30:53 +01:00
|
|
|
if 'NameID' in request.GET:
|
|
|
|
|
name_id = request.GET['NameID']
|
2016-02-13 09:13:27 +01:00
|
|
|
is_authentic = True
|
2015-11-06 13:30:53 +01:00
|
|
|
try:
|
2018-01-11 10:48:16 +01:00
|
|
|
User._meta.get_field('uuid')
|
2016-02-13 09:13:27 +01:00
|
|
|
except FieldDoesNotExist:
|
|
|
|
|
is_authentic = False
|
|
|
|
|
|
|
|
|
|
if is_authentic:
|
|
|
|
|
try:
|
|
|
|
|
return User.objects.get(uuid=name_id)
|
|
|
|
|
except User.DoesNotExist:
|
2020-03-09 12:02:55 +01:00
|
|
|
raise PublikAuthenticationFailed('user-not-found')
|
|
|
|
|
|
2016-02-13 09:13:27 +01:00
|
|
|
elif UserSAMLIdentifier:
|
|
|
|
|
try:
|
|
|
|
|
return UserSAMLIdentifier.objects.get(name_id=name_id).user
|
|
|
|
|
except UserSAMLIdentifier.DoesNotExist:
|
2020-03-09 12:02:55 +01:00
|
|
|
raise PublikAuthenticationFailed('user-not-found')
|
2016-02-13 09:13:27 +01:00
|
|
|
else:
|
2020-03-09 12:02:55 +01:00
|
|
|
raise PublikAuthenticationFailed('no-usable-model')
|
2015-11-06 13:30:53 +01:00
|
|
|
else:
|
2016-04-18 23:25:58 +02:00
|
|
|
orig = request.GET['orig']
|
|
|
|
|
try:
|
|
|
|
|
return User.objects.get(username=orig)
|
|
|
|
|
except User.DoesNotExist:
|
|
|
|
|
pass
|
2016-01-29 17:33:45 +01:00
|
|
|
if hasattr(settings, 'HOBO_ANONYMOUS_SERVICE_USER_CLASS'):
|
|
|
|
|
klass = import_string(settings.HOBO_ANONYMOUS_SERVICE_USER_CLASS)
|
|
|
|
|
self.logger.info('anonymous signature validated')
|
|
|
|
|
return klass()
|
2020-03-09 12:02:55 +01:00
|
|
|
raise PublikAuthenticationFailed('no-user-for-orig')
|
2015-11-06 13:30:53 +01:00
|
|
|
|
|
|
|
|
def get_orig_key(self, orig):
|
|
|
|
|
if not hasattr(settings, 'KNOWN_SERVICES'):
|
|
|
|
|
self.logger.warning('no known services')
|
2020-03-09 12:02:55 +01:00
|
|
|
raise PublikAuthenticationFailed('no-known-services-setting')
|
2015-11-06 13:30:53 +01:00
|
|
|
for service_id in settings.KNOWN_SERVICES:
|
2018-03-27 16:13:33 +02:00
|
|
|
for slug, service in settings.KNOWN_SERVICES[service_id].items():
|
2015-11-06 13:30:53 +01:00
|
|
|
if service.get('verif_orig') == orig and service.get('secret'):
|
|
|
|
|
return service['secret']
|
|
|
|
|
self.logger.warning('no secret found for origin %r', orig)
|
2020-03-09 12:02:55 +01:00
|
|
|
raise PublikAuthenticationFailed('no-secret-found-for-orig')
|
2015-11-06 13:30:53 +01:00
|
|
|
|
|
|
|
|
def authenticate(self, request):
|
|
|
|
|
full_path = request.get_full_path()
|
|
|
|
|
if not request.GET.get('orig') or not request.GET.get('signature'):
|
|
|
|
|
return None
|
|
|
|
|
key = self.get_orig_key(request.GET['orig'])
|
2021-09-30 13:19:39 +02:00
|
|
|
try:
|
|
|
|
|
assert signature.check_url(
|
|
|
|
|
full_path, key, raise_on_error=True
|
|
|
|
|
), 'signature.check_url should never return False with raise_on_error'
|
|
|
|
|
except signature.SignatureError as e:
|
|
|
|
|
self.logger.warning('publik rest-framework-authentication failed: %s', e)
|
|
|
|
|
raise PublikAuthenticationFailed(str(e))
|
2015-11-06 13:30:53 +01:00
|
|
|
user = self.resolve_user(request)
|
|
|
|
|
self.logger.info('user authenticated with signature %s', user)
|
|
|
|
|
return (user, None)
|
2022-08-22 14:23:04 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
class APIClientAuthenticationUnavailable(exceptions.APIException):
|
|
|
|
|
status_code = status.HTTP_503_SERVICE_UNAVAILABLE
|
|
|
|
|
default_code = 'IDP temporarily unavailable, try again later.'
|
|
|
|
|
|
|
|
|
|
def __init__(self):
|
|
|
|
|
self.detail = {'err': 1, 'err_desc': self.default_code}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class APIClientAuthentication(authentication.BasicAuthentication):
|
|
|
|
|
def authenticate_credentials(self, identifier, password, request=None):
|
|
|
|
|
idp_services = list(getattr(settings, 'KNOWN_SERVICES', {}).get('authentic', {}).values())
|
|
|
|
|
if not idp_services:
|
|
|
|
|
return None
|
|
|
|
|
authentic = idp_services[0]
|
|
|
|
|
url = authentic['url'] + 'api/check-api-client/'
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
response = Requests().post(url, json={'identifier': identifier, 'password': password})
|
|
|
|
|
except requests.Timeout:
|
|
|
|
|
raise APIClientAuthenticationUnavailable()
|
|
|
|
|
except requests.RequestException as err:
|
|
|
|
|
raise APIClientAuthenticationUnavailable()
|
|
|
|
|
|
|
|
|
|
try:
|
|
|
|
|
response.raise_for_status()
|
|
|
|
|
except requests.exceptions.RequestException:
|
|
|
|
|
return None
|
|
|
|
|
|
|
|
|
|
result = response.json()
|
|
|
|
|
if 'err' not in result or 'data' not in result or result['err'] == 1:
|
|
|
|
|
return None
|
|
|
|
|
try:
|
|
|
|
|
api_client = APIClientUser.from_dict(result['data'])
|
|
|
|
|
except Exception:
|
|
|
|
|
return None
|
|
|
|
|
return api_client, None
|
