Enable the new SSO certificates

72a1d409 · Enrico Zini · 6cd174cd · 72a1d409 · 72a1d409
Commit 72a1d409 authored Aug 26, 2015 by Enrico Zini
--- a/django_dacs/auth.py
+++ b/django_dacs/auth.py
@@ -6,21 +6,26 @@ from collections import namedtuple
 # Name the various bits of information DACS gives us
 DACSInfo = namedtuple('DACSInfo', ('federation', 'unknown1', "jurisdiction", "username"))

-TEST_REMOTE_USER = getattr(settings, "DACS_TEST_USERNAME", None)
+DACS_TEST_USERNAME = getattr(settings, "DACS_TEST_USERNAME", None)
+CERT_TEST_USERNAME = getattr(settings, "CERT_TEST_USERNAME", None)

 def _clean_dacs_username(username):
    """
    Map usernames from DACS to usernames in our auth database
    """
-    # Take the username out of DACS parts
-    info = DACSInfo(*username.split(":"))
-    if '@' in info.username:
-        return info.username
+    if ":" in username:
+        # Take the username out of DACS parts
+        info = DACSInfo(*username.split(":"))
+        if '@' in info.username:
+            return info.username
+        else:
+            return info.username + "@debian.org"
    else:
-        return info.username + "@debian.org"
+        return username

 class DACSRemoteUserMiddleware(django.contrib.auth.middleware.RemoteUserMiddleware):
    header = 'REMOTE_USER'
+    cert_header = "SSL_CLIENT_S_DN_CN"

    def process_request(self, request):
        from django.contrib import auth
@@ -35,31 +40,40 @@ class DACSRemoteUserMiddleware(django.contrib.auth.middleware.RemoteUserMiddlewa
                " 'django.contrib.auth.middleware.AuthenticationMiddleware'"
                " before the RemoteUserMiddleware class.")

-        # Allow to force a DACS user string during testing
-        if TEST_REMOTE_USER is not None:
-            request.META[self.header] = TEST_REMOTE_USER
+        cert_user = request.META.get(self.cert_header, CERT_TEST_USERNAME)
+        if cert_user is not None:
+            request.debsso_uses_certs = True
+            remote_user = cert_user
+            request.sso_username = cert_user
+        else:
+            request.debsso_uses_certs = False

-        try:
-            dacs_user = request.META[self.header]
-        except KeyError:
-            request.sso_username = None
-            # If specified header doesn't exist then return (leaving
-            # request.user set to AnonymousUser by the
-            # AuthenticationMiddleware).
+            # Allow to force a DACS user string during testing
+            if DACS_TEST_USERNAME is not None:
+                request.META[self.header] = DACS_TEST_USERNAME

-            # Actually, make really sure we are logged out!
-            # See django bug #17869
-            if request.user.is_authenticated():
-                auth.logout(request)
-            return
+            try:
+                dacs_user = request.META[self.header]
+            except KeyError:
+                request.sso_username = None
+                # If specified header doesn't exist then return (leaving
+                # request.user set to AnonymousUser by the
+                # AuthenticationMiddleware).
+
+                # Actually, make really sure we are logged out!
+                # See django bug #17869
+                if request.user.is_authenticated():
+                    auth.logout(request)
+                return

-        request.sso_username = _clean_dacs_username(dacs_user)
+            remote_user = dacs_user
+            request.sso_username = _clean_dacs_username(dacs_user)

        # If the user is already authenticated and that user is the user we are
        # getting passed in the headers, then the correct user is already
        # persisted in the session and we don't need to continue.
        if request.user.is_authenticated():
-            if request.user.username == self.clean_username(dacs_user, request):
+            if request.user.username == self.clean_username(remote_user, request):
                return
            else:
                # sso username does not match the current person: we may have
@@ -68,7 +82,7 @@ class DACSRemoteUserMiddleware(django.contrib.auth.middleware.RemoteUserMiddlewa

        # We are seeing this user for the first time in this session, attempt
        # to authenticate the user.
-        user = auth.authenticate(remote_user=dacs_user)
+        user = auth.authenticate(remote_user=remote_user)
        if user:
            # User is valid.  Set request.user and persist user in the session
            # by logging the user in.

--- a/nmlayout/templates/nm-base.html
+++ b/nmlayout/templates/nm-base.html
@@ -45,7 +45,7 @@
 {% endif %}
 {% endif %}
 {% if request.sso_username %}
-  <a href="https://sso.debian.org/sso/logout?url={{request.build_absolute_uri}}">logout</a>
+ {% if not request.debsso_uses_certs %}<a href="https://sso.debian.org/sso/logout?url={{request.build_absolute_uri}}">logout</a>{% endif %}
 {% endif %}
 {% comment %}
    <a href="{% url 'search_packages' %}">Search</a>