apache_auth.py revision e8819cdf80ca0e0602d22551a50f970aa68e108d
from django.contrib.auth.models import User, Group, check_password
from django.contrib import auth
from django import http

from frontend.afe import models, management

DEBUG_USER = 'debug_user'


class SimpleAuthBackend:
    """
    Authentication backend that accepts every login without checking the
    password.  It is meant for deployments where Apache performs the real
    authentication in front of Django.  It also makes sure the logged-in
    user has a row in the frontend.afe.models.User table.

    Security note: nothing in this class verifies `password`, so the
    username handed to authenticate() must already have been authenticated
    by something else.  A username that is not yet known is given a staff
    account in the management.BASIC_ADMIN group, which makes the source of
    that username the only access control in effect.
    """
    def authenticate(self, username=None, password=None):
        """
        Return the Django user called `username`, creating it if missing.

        `password` is accepted to match the backend interface and is never
        read.  After the Django user is resolved, the matching AFE user row
        is ensured through check_afe_user().
        """
        try:
            django_user = User.objects.get(username=username)
        except User.DoesNotExist:
            django_user = SimpleAuthBackend._create_django_user(username)

        SimpleAuthBackend.check_afe_user(username)
        return django_user

    @staticmethod
    def _create_django_user(username):
        """Create, save and return a staff Django user in BASIC_ADMIN."""
        # The password literal is a placeholder: this backend never checks
        # it.  It is passed to the model as given, not as a password hash.
        # NOTE(review): if a password-checking backend is ever enabled next
        # to this one, give these accounts an explicitly unusable password
        # instead of a fixed literal.
        account = User(username=username, password='apache authentication')
        account.is_staff = True
        # The row has to exist before group membership can be added.
        account.save()
        basic_admin = Group.objects.get(name=management.BASIC_ADMIN)
        account.groups.add(basic_admin)
        return account

    @staticmethod
    def check_afe_user(username):
        """Ensure a frontend.afe.models.User row exists for `username`."""
        afe_user, _created = models.User.objects.get_or_create(login=username)
        afe_user.save()

    def get_user(self, user_id):
        """Return the Django user with primary key `user_id`, or None."""
        try:
            found = User.objects.get(pk=user_id)
        except User.DoesNotExist:
            found = None
        return found
class ApacheAuthMiddleware(object):
    """
    Middleware for use when Apache is doing authentication.  Reads the
    username from REMOTE_USER in request.META and logs that user in.  If
    REMOTE_USER is absent, the value of HTTP_AUTHORIZATION is used as the
    username (this allows the CLI to authenticate).  If neither is present,
    DEBUG_USER is logged in.

    Security notes:
      * HTTP_AUTHORIZATION is the request's Authorization header.  Its
        value is used verbatim as the username and no credential is
        checked here, so this path is only as strong as whatever sits in
        front of Django.  Deploy it only where the front-end server
        authenticates every request before it reaches this middleware.
      * A request that carries no identity at all is logged in as
        DEBUG_USER.  Outside development, make sure Apache authentication
        covers every URL this application serves, so that the fallback is
        never reached.
    """

    def process_request(self, request):
        """
        Log in the user named by the request and attach the AFE user.

        Sets request.afe_user to the frontend.afe.models.User whose login
        equals the resolved username.  Returns None.
        """
        meta = request.META
        # Identity established by Apache.
        username = meta.get('REMOTE_USER')
        if username is None:
            # Fall back to a username taken from the request headers.  This
            # is insecure; it is a temporary solution for CLI auth.
            username = meta.get('HTTP_AUTHORIZATION')
            if username is None:
                # No user info at all - assume development mode.
                username = DEBUG_USER

        # NOTE(review): auth.authenticate() returns None when no configured
        # backend accepts the credentials, and login() is not guarded
        # against that here.  This appears to rely on SimpleAuthBackend
        # being listed in AUTHENTICATION_BACKENDS - confirm in settings.
        django_user = auth.authenticate(username=username, password='')
        auth.login(request, django_user)
        request.afe_user = models.User.objects.get(login=username)
        # None lets Django carry on with normal request processing.
        return None