Merge pull request #47 from kstateome/develop

Release 1.2.0

Author: dstegelman

.travis.yml

@@ -9,6 +9,7 @@ env:
   - DJANGO_VERSION=Django==1.5
   - DJANGO_VERSION=Django==1.6
   - DJANGO_VERSION=Django==1.7
+  - DJANGO_VERSION=Django==1.8
 
 # command to install dependencies
 install:

CHANGELOG.md

@@ -1,4 +1,11 @@
+### 1.2.0
+
+- Allow opt out of time delay caused by fetching PGT tickets
+- Add support for gateway not returning a response
+- Allow forcing service URL over HTTPS (https://github.com/kstateome/django-cas/pull/48)
+- Allow user creation on first login to be optional (https://github.com/kstateome/django-cas/pull/49)
+
 ### 1.1.1
 
 - Add a few logging statements
-- Add official change log.
+- Add official change log.

CONTRIBUTORS

@@ -1,3 +1,4 @@
 epicserve
 rlmv
-bryankaplan
+bryankaplan
+cordmata

README.md

@@ -2,7 +2,7 @@
 
 CAS client for Django.  This library requires Django 1.5 or above, and Python 2.6, 2.7, 3.4
 
-Current version: 1.1.1
+Current version: 1.2.0
 
 This is [K-State's fork](https://github.com/kstateome/django-cas) of [the original](https://bitbucket.org/cpcc/django-cas/overview) and includes [several additional features](https://github.com/kstateome/django-cas/#additional-features) as well as features merged from
 
@@ -14,9 +14,9 @@ This is [K-State's fork](https://github.com/kstateome/django-cas) of [the or
 
 This project is registered on PyPi as django-cas-client.  To install::
 
-    pip install django-cas-client==1.1.1
-    
-    
+    pip install django-cas-client==1.2.0
+
+
 ### Add to URLs
 
 Add the login and logout patterns to your main URLS conf.
@@ -34,9 +34,9 @@ Set your CAS server URL
 Add cas to middleware classes
 
     'cas.middleware.CASMiddleware',
-    
 
-### Add authentication backends 
+
+### Add authentication backends
 
     AUTHENTICATION_BACKENDS = (
         'django.contrib.auth.backends.ModelBackend',
@@ -138,8 +138,21 @@ Then, add the ``gateway`` decorator to a view:
 To show a custom forbidden page, set ``CAS_CUSTOM_FORBIDDEN`` to a ``path.to.some_view``.  Otherwise,
 a generic ``HttpResponseForbidden`` will be returned.
 
+## Require SSL Login
+
+To force the service url to always target HTTPS, set ``CAS_FORCE_SSL_SERVICE_URL`` to ``True``.
+
+## Automatically Create Users on First Login
+
+By default, a stub user record will be created on the first successful CAS authentication
+using the username in the response. If this behavior is not desired set
+``CAS_AUTO_CREATE_USER`` to ``Flase``.
 
 ## Proxy Tickets
 
 This fork also includes
 [Edmund Crewe's proxy ticket patch](http://code.google.com/r/edmundcrewe-proxypatch/source/browse/django-cas-proxy.patch).
+
+You can opt out of the time delay sometimes caused by proxy ticket validation by setting:
+
+    CAS_PGT_FETCH_WAIT = False

cas/__init__.py

@@ -17,6 +17,9 @@
     'CAS_PROXY_CALLBACK': None,
     'CAS_RESPONSE_CALLBACKS': None,
     'CAS_CUSTOM_FORBIDDEN': None,
+    'CAS_PGT_FETCH_WAIT': True,
+    'CAS_FORCE_SSL_SERVICE_URL': False,
+    'CAS_AUTO_CREATE_USER': True,
 }
 
 for key, value in _DEFAULTS.items():

cas/backends.py

@@ -112,9 +112,14 @@ def _internal_verify_cas(ticket, service, suffix):
                     pgtIou.delete()
                 except Tgt.DoesNotExist:
                     Tgt.objects.create(username=username, tgt=pgtIou.tgt)
+                    logger.info('Creating TGT ticket for {user}'.format(
+                        user=username
+                    ))
                     pgtIou.delete()
-                except Exception:
-                    logger.error('Failed to do proxy authentication.')
+                except Exception as e:
+                    logger.warning('Failed to do proxy authentication. {message}'.format(
+                        message=e
+                    ))
 
         else:
             failure = document.getElementsByTagName('cas:authenticationFailure')
@@ -123,7 +128,9 @@ def _internal_verify_cas(ticket, service, suffix):
                             failure[0].firstChild.nodeValue)
 
     except Exception as e:
-        logger.error('Failed to verify CAS authentication: %s', e)
+        logger.error('Failed to verify CAS authentication: {message}'.format(
+            message=e
+        ))
 
     finally:
         page.close()
@@ -181,17 +188,28 @@ def _get_pgtiou(pgt):
     ticket is retried for up to 5 seconds. This should be handled some
     better way.
 
+    Users can opt out of this waiting period by setting CAS_PGT_FETCH_WAIT = False
+
     :param: pgt
 
     """
+
     pgtIou = None
     retries_left = 5
+
+    if not settings.CAS_PGT_FETCH_WAIT:
+        retries_left = 1
+
     while not pgtIou and retries_left:
         try:
             return PgtIOU.objects.get(tgt=pgt)
         except PgtIOU.DoesNotExist:
-            time.sleep(1)
+            if settings.CAS_PGT_FETCH_WAIT:
+                time.sleep(1)
             retries_left -= 1
+            logger.info('Did not fetch ticket, trying again.  {tries} tries left.'.format(
+                tries=retries_left
+            ))
     raise CasTicketException("Could not find pgtIou for pgt %s" % pgt)
 
 
@@ -219,8 +237,11 @@ def authenticate(self, ticket, service):
             user = User.objects.get(username__iexact=username)
         except User.DoesNotExist:
             # user will have an "unusable" password
-            user = User.objects.create_user(username, '')
-            user.save()
+            if settings.CAS_AUTO_CREATE_USER:
+                user = User.objects.create_user(username, '')
+                user.save()
+            else:
+                user = None
         return user
 
     def get_user(self, user_id):

cas/decorators.py

@@ -66,22 +66,27 @@ def wrapped_f(*args):
             request = args[0]
 
             if request.user.is_authenticated():
-                #Is Authed, fine
+                # Is Authed, fine
                 pass
             else:
                 path_with_params = request.path + '?' + urlencode(request.GET.copy())
                 if request.GET.get('ticket'):
-                    #Not Authed, but have a ticket!
-                    #Try to authenticate
-                    return login(request, path_with_params, False, True)
+                    # Not Authed, but have a ticket!
+                    # Try to authenticate
+                    response = login(request, path_with_params, False, True)
+                    if isinstance(response, HttpResponseRedirect):
+                        # For certain instances where a forbidden occurs, we need to pass instead of return a response.
+                        return response
                 else:
                     #Not Authed, but no ticket
                     gatewayed = request.GET.get('gatewayed')
                     if gatewayed == 'true':
                         pass
                     else:
-                        #Not Authed, try to authenticate
-                        return login(request, path_with_params, False, True)
+                        # Not Authed, try to authenticate
+                        response = login(request, path_with_params, False, True)
+                        if isinstance(response, HttpResponseRedirect):
+                            return response
 
             return func(*args)
         return wrapped_f

cas/tests/test_backend.py

@@ -13,4 +13,18 @@ def setUp(self):
     def test_get_user(self):
         backend = CASBackend()
 
-        self.assertEqual(backend.get_user(self.user.pk), self.user)
+        self.assertEqual(backend.get_user(self.user.pk), self.user)
+
+    @mock.patch('cas.backends._verify')
+    def test_user_auto_create(self, verify):
+        username = 'faker'
+        verify.return_value = username
+        backend = CASBackend()
+
+        with self.settings(CAS_AUTO_CREATE_USER=False):
+            user = backend.authenticate('fake', 'fake')
+            self.assertIsNone(user)
+
+        with self.settings(CAS_AUTO_CREATE_USER=True):
+            user = backend.authenticate('fake', 'fake')
+            self.assertEquals(user.username, username)

cas/tests/test_views.py

@@ -1,4 +1,5 @@
 from django.test import TestCase, RequestFactory
+from django.test.utils import override_settings
 
 from cas.views import _redirect_url, _login_url, _logout_url, _service_url
 
@@ -24,6 +25,10 @@ def setUp(self):
     def test_service_url(self):
         self.assertEqual(_service_url(self.request), 'http://signin.k-state.edu/')
 
+    @override_settings(CAS_FORCE_SSL_SERVICE_URL=True)
+    def test_service_url_forced_ssl(self):
+        self.assertEqual(_service_url(self.request), 'https://signin.k-state.edu/')
+
     def test_redirect_url(self):
         self.assertEqual(_redirect_url(self.request), '/')
 
@@ -38,4 +43,4 @@ def test_login_url(self):
                          'http://signin.cas.com/login?service=http%3A%2F%2Flocalhost%3A8000%2Faccounts%2Flogin%2F')
 
     def test_logout_url(self):
-        self.assertEqual(_logout_url(self.request), 'http://signin.cas.com/logout')
+        self.assertEqual(_logout_url(self.request), 'http://signin.cas.com/logout')

cas/views.py

@@ -35,7 +35,10 @@ def _service_url(request, redirect_to=None, gateway=False):
 
     """
 
-    protocol = ('http://', 'https://')[request.is_secure()]
+    if settings.CAS_FORCE_SSL_SERVICE_URL:
+        protocol = 'https://'
+    else:
+        protocol = ('http://', 'https://')[request.is_secure()]
     host = request.get_host()
     service = protocol + host + request.path
     if redirect_to:
@@ -188,6 +191,11 @@ def login(request, next_page=None, required=False, gateway=False):
         else:
             logger.warning('User has a valid ticket but not a valid session')
             # Has ticket, not session
+
+            if gateway:
+                # Gatewayed responses should nto redirect.
+                return False
+
             if getattr(settings, 'CAS_CUSTOM_FORBIDDEN'):
                 return HttpResponseRedirect(reverse(settings.CAS_CUSTOM_FORBIDDEN) + "?" + request.META['QUERY_STRING'])
             else:
@@ -233,13 +241,17 @@ def proxy_callback(request):
     tgt = request.GET.get('pgtId')
 
     if not (pgtIou and tgt):
+        logger.info('No pgtIou or tgt found in request.GET')
         return HttpResponse('No pgtIOO', content_type="text/plain")
 
     try:
         PgtIOU.objects.create(tgt=tgt, pgtIou=pgtIou, created=datetime.datetime.now())
-        request.session['pgt-TICKET'] = ticket
-        return HttpResponse('PGT ticket is: %s' % str(ticket, content_type="text/plain"))
-    except:
-        logger.warning('PGT storage failed.')
-        return HttpResponse('PGT storage failed for %s' % str(request.GET), content_type="text/plain")
+        request.session['pgt-TICKET'] = pgtIou
+        return HttpResponse('PGT ticket is: {ticket}'.format(ticket=pgtIou), content_type="text/plain")
+    except Exception as e:
+        logger.warning('PGT storage failed. {message}'.format(
+            message=e
+        ))
+        return HttpResponse('PGT storage failed for {request}'.format(request=str(request.GET)),
+                            content_type="text/plain")