cas_server.models module¶
models for the app
-
cas_server.models.
logger
= <logging.Logger object>¶ logger facility
-
class
cas_server.models.
JsonAttributes
(*args, **kwargs)[source]¶ Bases:
django.db.models.Model
A base class for models storing attributes as JSON
-
attributs
¶ The attributes
-
-
class
cas_server.models.
FederatedIendityProvider
(*args, **kwargs)[source]¶ Bases:
django.db.models.Model
An identity provider for the federated mode
-
suffix
¶ Suffix appended to the username returned by the backend CAS: returned_username@suffix. It must be unique.
-
server_url
¶ URL to the root of the CAS server application. If login page is https://cas.example.net/cas/login then
server_url
should be https://cas.example.net/cas/
-
cas_protocol_version
¶ Version of the CAS protocol to use when sending requests to the backend CAS.
-
verbose_name
¶ Name for this identity provider displayed on the login page.
-
pos
¶ Position of the identity provider on the login page. Identity providers are sorted using the (pos, verbose_name, suffix) attributes.
-
display
¶ Display the provider on the login page. Beware that this does not disable the identity provider; it only hides it on the login page. Users will always be able to log in using this provider by fetching /federate/suffix.
-
static
build_username_from_suffix
(username, suffix)[source]¶ Transform backend username into federated username using suffix
Parameters:
Returns: The federated username: username@suffix.
Return type:
-
build_username
(username)[source]¶ Transform backend username into federated username
Parameters: username (unicode) – A CAS backend returned username
Returns: The federated username: username@suffix.
Return type: unicode
-
exception
DoesNotExist
¶
-
exception
MultipleObjectsReturned
¶
-
federateduser_set
¶ Accessor to the related objects manager on the reverse side of a many-to-one relation.
In the example:
class Child(Model): parent = ForeignKey(Parent, related_name='children')
parent.children
is a ReverseManyToOneDescriptor
instance. Most of the implementation is delegated to a dynamically defined manager class built by
create_forward_many_to_many_manager()
defined below.
-
get_cas_protocol_version_display
(*moreargs, **morekwargs)¶
-
id
¶ A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
-
objects
= <django.db.models.manager.Manager object>¶
-
-
class
cas_server.models.
FederatedUser
(*args, **kwargs)[source]¶ Bases:
JsonAttributes
A federated user as returned by a CAS provider (username and attributes)
-
username
¶ The user username returned by the CAS backend on successful ticket validation
-
provider
¶ A foreign key to
FederatedIendityProvider
-
federated_username
¶ The federated username with a suffix for the current
FederatedUser
.
-
classmethod
get_from_federated_username
(username)[source]¶ Returns: A FederatedUser object from a federated username
Return type: FederatedUser
-
classmethod
clean_old_entries
()[source]¶ remove old unused
FederatedUser
-
exception
DoesNotExist
¶
-
exception
MultipleObjectsReturned
¶
-
get_next_by_last_update
(*moreargs, **morekwargs)¶
-
get_previous_by_last_update
(*moreargs, **morekwargs)¶
-
id
¶ A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
-
objects
= <django.db.models.manager.Manager object>¶
-
provider_id
¶ A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
-
-
class
cas_server.models.
FederateSLO
(*args, **kwargs)[source]¶ Bases:
django.db.models.Model
An association between a CAS provider ticket and a (username, session) for processing SLO
-
classmethod
clean_deleted_sessions
()[source]¶ remove old FederateSLO objects for which the session does not exist anymore
-
exception
DoesNotExist
¶
-
exception
MultipleObjectsReturned
¶
-
id
¶ A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
-
objects
= <django.db.models.manager.Manager object>¶
-
classmethod
-
class
cas_server.models.
UserAttributes
(*args, **kwargs)[source]¶ Bases:
JsonAttributes
Local cache of the user attributes, used when needed
-
username
¶ The username of the user for which we cache attributes
-
classmethod
clean_old_entries
()[source]¶ Remove UserAttributes for which no more User exists.
-
exception
DoesNotExist
¶
-
exception
MultipleObjectsReturned
¶
-
id
¶ A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
-
objects
= <django.db.models.manager.Manager object>¶
-
-
class
cas_server.models.
User
(*args, **kwargs)[source]¶ Bases:
django.db.models.Model
A user logged into the CAS
-
session_key
¶ The session key of the current authenticated user
-
username
¶ The username of the current authenticated user
-
date
¶ Last time the authenticated user did something (auth, fetch ticket, etc…)
-
last_login
¶ Last time the user logged in
-
delete
(*args, **kwargs)[source]¶ Remove the current User. If settings.CAS_FEDERATE is True, also delete the corresponding FederateSLO object.
-
classmethod
clean_old_entries
()[source]¶ Remove User objects inactive for more than SESSION_COOKIE_AGE and send corresponding SingleLogOut requests.
-
classmethod
clean_deleted_sessions
()[source]¶ Remove User objects where the corresponding session does not exist anymore.
-
attributs
¶ Property. A fresh dict for the user attributes, using settings.CAS_AUTH_CLASS if possible, and if not, try to fall back to cached attributes (actually only used for ldap auth class with bind password check method).
-
logout
(request=None)[source]¶ Send SLO requests to all services the user is logged in.
Parameters: request (django.http.HttpRequest or NoneType) – The current django HttpRequest to display possible failure to the user.
-
get_ticket
(ticket_class, service, service_pattern, renew)[source]¶ Generate a ticket using ticket_class for the service service matching service_pattern and asking or not for authentication renewal with renew
Parameters:
- ticket_class (type) – ServiceTicket or ProxyTicket or ProxyGrantingTicket.
- service (unicode) – The service url for which we want a ticket.
- service_pattern (ServicePattern) – The service pattern matching service. Beware that service must match ServicePattern.pattern and the current User must pass ServicePattern.check_user(). These checks are not done here and you must perform them before calling this method.
- renew (bool) – Should be True if authentication has been renewed. Must be False otherwise.
Returns: A Ticket object.
Return type:
-
get_service_url
(service, service_pattern, renew)[source]¶ Return the url to which the user must be redirected after a Service Ticket has been generated
Parameters:
- service (unicode) – The service url for which we want a ticket.
- service_pattern (ServicePattern) – The service pattern matching service. Beware that service must match ServicePattern.pattern and the current User must pass ServicePattern.check_user(). These checks are not done here and you must perform them before calling this method.
- renew (bool) – Should be True if authentication has been renewed. Must be False otherwise.
Return unicode: The service url with the ticket GET param added.
Return type:
-
exception
DoesNotExist
¶
-
exception
MultipleObjectsReturned
¶
-
get_next_by_date
(*moreargs, **morekwargs)¶
-
get_next_by_last_login
(*moreargs, **morekwargs)¶
-
get_previous_by_date
(*moreargs, **morekwargs)¶
-
get_previous_by_last_login
(*moreargs, **morekwargs)¶
-
id
¶ A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
-
objects
= <django.db.models.manager.Manager object>¶
-
proxygrantingticket
¶ Accessor to the related objects manager on the reverse side of a many-to-one relation.
In the example:
class Child(Model): parent = ForeignKey(Parent, related_name='children')
parent.children
is a ReverseManyToOneDescriptor
instance. Most of the implementation is delegated to a dynamically defined manager class built by
create_forward_many_to_many_manager()
defined below.
-
proxyticket
¶ Accessor to the related objects manager on the reverse side of a many-to-one relation.
In the example:
class Child(Model): parent = ForeignKey(Parent, related_name='children')
parent.children
is a ReverseManyToOneDescriptor
instance. Most of the implementation is delegated to a dynamically defined manager class built by
create_forward_many_to_many_manager()
defined below.
-
serviceticket
¶ Accessor to the related objects manager on the reverse side of a many-to-one relation.
In the example:
class Child(Model): parent = ForeignKey(Parent, related_name='children')
parent.children
is a ReverseManyToOneDescriptor
instance. Most of the implementation is delegated to a dynamically defined manager class built by
create_forward_many_to_many_manager()
defined below.
-
-
exception
cas_server.models.
ServicePatternException
[source]¶ Bases:
exceptions.Exception
Base exception of exceptions raised in the ServicePattern model
-
exception
cas_server.models.
BadUsername
[source]¶ Bases:
ServicePatternException
Exception raised when a non-allowed username tries to get a ticket for a service
-
exception
cas_server.models.
BadFilter
[source]¶ Bases:
ServicePatternException
Exception raised when a user tries to get a ticket for a service and does not meet a condition
-
exception
cas_server.models.
UserFieldNotDefined
[source]¶ Bases:
ServicePatternException
Exception raised when a user tries to get a ticket for a service using as username an attribute not present on this user
-
class
cas_server.models.
ServicePattern
(*args, **kwargs)[source]¶ Bases:
django.db.models.Model
Allowed service patterns against which services are tested
-
name
¶ A name for the service (this can be displayed to the user on the login page)
-
pattern
¶ A regular expression matching services. It will usually look like ‘^https://some\.server\.com/path/.*$’. As it is a regular expression, special characters must be escaped with a ‘\’.
-
user_field
¶ Name of the attribute to transmit as username, if empty the user login is used
-
proxy
¶ A boolean allowing to deliver
ProxyTicket
to the service.
-
proxy_callback
¶ A boolean allowing the service to be used as a proxy callback (via the pgtUrl GET param) to deliver
ProxyGrantingTicket
.
-
single_log_out
¶ Enable SingleLogOut for the service. Old validated tickets for the service will be kept until settings.CAS_TICKET_TIMEOUT, after which an SLO request is sent to the service and the ticket is purged from the database. An SLO can be sent earlier if the user logs out.
-
single_log_out_callback
¶ A URL where the SLO request will be POSTed. If empty, the service url will be used. This is useful for non-HTTP proxied services like smtp or imap.
-
check_user
(user)[source]¶ Check if user is allowed to use these services. If user is not allowed, raises one of BadFilter, UserFieldNotDefined, BadUsername
Parameters:
Raises:
- BadUsername – if restrict_users is True and User.username is not within usernames.
- BadFilter – if a FilterAttributValue condition of filters cannot be verified.
- UserFieldNotDefined – if user_field is defined and its value is not within User.attributs.
Returns: True
Return type:
-
classmethod
validate
(service)[source]¶ Get a ServicePattern instance from a service url.
Parameters: service (unicode) – A service url
Returns: A ServicePattern instance matching service.
Return type: ServicePattern
Raises: ServicePattern.DoesNotExist – if no ServicePattern is matching service.
-
exception
DoesNotExist
¶
-
exception
MultipleObjectsReturned
¶
-
attributs
¶ Accessor to the related objects manager on the reverse side of a many-to-one relation.
In the example:
class Child(Model): parent = ForeignKey(Parent, related_name='children')
parent.children
is a ReverseManyToOneDescriptor
instance. Most of the implementation is delegated to a dynamically defined manager class built by
create_forward_many_to_many_manager()
defined below.
-
filters
¶ Accessor to the related objects manager on the reverse side of a many-to-one relation.
In the example:
class Child(Model): parent = ForeignKey(Parent, related_name='children')
parent.children
is a ReverseManyToOneDescriptor
instance. Most of the implementation is delegated to a dynamically defined manager class built by
create_forward_many_to_many_manager()
defined below.
-
id
¶ A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
-
objects
= <django.db.models.manager.Manager object>¶
-
proxygrantingticket
¶ Accessor to the related objects manager on the reverse side of a many-to-one relation.
In the example:
class Child(Model): parent = ForeignKey(Parent, related_name='children')
parent.children
is a ReverseManyToOneDescriptor
instance. Most of the implementation is delegated to a dynamically defined manager class built by
create_forward_many_to_many_manager()
defined below.
-
proxyticket
¶ Accessor to the related objects manager on the reverse side of a many-to-one relation.
In the example:
class Child(Model): parent = ForeignKey(Parent, related_name='children')
parent.children
is a ReverseManyToOneDescriptor
instance. Most of the implementation is delegated to a dynamically defined manager class built by
create_forward_many_to_many_manager()
defined below.
-
replacements
¶ Accessor to the related objects manager on the reverse side of a many-to-one relation.
In the example:
class Child(Model): parent = ForeignKey(Parent, related_name='children')
parent.children
is a ReverseManyToOneDescriptor
instance. Most of the implementation is delegated to a dynamically defined manager class built by
create_forward_many_to_many_manager()
defined below.
-
serviceticket
¶ Accessor to the related objects manager on the reverse side of a many-to-one relation.
In the example:
class Child(Model): parent = ForeignKey(Parent, related_name='children')
parent.children
is a ReverseManyToOneDescriptor
instance. Most of the implementation is delegated to a dynamically defined manager class built by
create_forward_many_to_many_manager()
defined below.
-
usernames
¶ Accessor to the related objects manager on the reverse side of a many-to-one relation.
In the example:
class Child(Model): parent = ForeignKey(Parent, related_name='children')
parent.children
is a ReverseManyToOneDescriptor
instance. Most of the implementation is delegated to a dynamically defined manager class built by
create_forward_many_to_many_manager()
defined below.
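A check of ServicePattern.pattern values for the escaping problem described in the pattern attribute above, as an added Python example (not part of cas_server). audit_service_pattern() and accepts() are hypothetical helpers, the URLs are constructed, and accepts() assumes patterns are applied to the service URL with re.match.

```python
import re

# Splits a pattern into scheme, host part and everything from the first "/" on.
_SPLIT = re.compile(r"^\^?(?P<scheme>.*?)://(?P<host>[^/]*)(?P<rest>.*)$", re.S)


def _unescaped_dots(fragment):
    """Count '.' metacharacters: not backslash-escaped and not inside [...]."""
    count, i, in_class = 0, 0, False
    while i < len(fragment):
        ch = fragment[i]
        if ch == "\\":
            i += 2  # skip the backslash and the character it escapes
            continue
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        elif ch == "." and not in_class:
            count += 1
        i += 1
    return count


def audit_service_pattern(pattern):
    """Return a list of finding codes for one service pattern (empty = clean)."""
    try:
        re.compile(pattern)
    except re.error:
        return ["invalid-regex"]
    parts = _SPLIT.match(pattern)
    if parts is None:
        return ["no-scheme-and-host"]
    host, rest = parts.group("host"), parts.group("rest")
    findings = []
    if _unescaped_dots(host):
        # '.' matches any character, so look-alike hosts are accepted too.
        findings.append("unescaped-dot-in-host")
    if not rest.startswith("/") and not host.endswith("$"):
        # Nothing ends the host name, so longer host names also match.
        findings.append("open-ended-host")
    return findings


def accepts(pattern, service_url):
    """Assumption: a pattern is applied to the service URL with re.match."""
    return re.match(pattern, service_url) is not None


# Constructed sample data for the demonstration.
PATTERNS = [
    r"^https://some\.server\.com/path/.*$",  # the form shown in the docs
    r"^https://some.server.com/path/.*$",    # dots left unescaped
    r"^https://some\.server\.com",           # host never terminated
]
URLS = [
    "https://some.server.com/path/login",
    "https://some-server.com/path/login",
    "https://some.server.com.other.example/path/login",
]

if __name__ == "__main__":
    for pattern in PATTERNS:
        print(pattern, audit_service_pattern(pattern) or "ok")
        for url in URLS:
            print("   ", "accept" if accepts(pattern, url) else "reject", url)
```

Running the audit over every stored pattern before deployment catches entries that would issue tickets to hosts other than the intended one.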
-
-
class
cas_server.models.
Username
(*args, **kwargs)[source]¶ Bases:
django.db.models.Model
A list of allowed usernames on a
ServicePattern
-
value
¶ username allowed to connect to the service
-
service_pattern
¶ ForeignKey to a ServicePattern. Username instances for a ServicePattern are accessible through its ServicePattern.usernames attribute.
-
exception
DoesNotExist
¶
-
exception
MultipleObjectsReturned
¶
-
id
¶ A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
-
objects
= <django.db.models.manager.Manager object>¶
-
service_pattern_id
¶ A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
-
-
class
cas_server.models.
ReplaceAttributName
(*args, **kwargs)[source]¶ Bases:
django.db.models.Model
A replacement of an attribute name for a ServicePattern. It also tells to transmit an attribute of User.attributs to the service. An empty replace means to use the original attribute name.
-
name
¶ Name of the attribute: a key of User.attributs
-
service_pattern
¶ ForeignKey to a ServicePattern. ReplaceAttributName instances for a ServicePattern are accessible through its ServicePattern.attributs attribute.
-
exception
DoesNotExist
¶
-
exception
MultipleObjectsReturned
¶
-
id
¶ A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
-
objects
= <django.db.models.manager.Manager object>¶
-
service_pattern_id
¶ A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
-
-
class
cas_server.models.
FilterAttributValue
(*args, **kwargs)[source]¶ Bases:
django.db.models.Model
A filter on User.attributs for a ServicePattern. If a User does not have an attribute attribut or its value does not match pattern, then ServicePattern.check_user() will raise BadFilter if called with that user.
-
attribut
¶ The name of a user attribute
-
pattern
¶ A regular expression the attribute attribut value must verify. If attribut is a list, only one of the list values needs to match.
-
service_pattern
¶ ForeignKey to a ServicePattern. FilterAttributValue instances for a ServicePattern are accessible through its ServicePattern.filters attribute.
-
exception
DoesNotExist
¶
-
exception
MultipleObjectsReturned
¶
-
id
¶ A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
-
objects
= <django.db.models.manager.Manager object>¶
-
service_pattern_id
¶ A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
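The checks that ServicePattern.check_user() is documented to make, including the FilterAttributValue rule for list-valued attributes, as an added stand-alone Python model (not cas_server's code). The exception classes are local stand-ins, outcome() and the sample users are hypothetical, and applying filter patterns with re.match is an assumption.

```python
import re


class ServicePatternException(Exception):
    """Local stand-in mirroring the documented exception hierarchy."""


class BadUsername(ServicePatternException):
    pass


class BadFilter(ServicePatternException):
    pass


class UserFieldNotDefined(ServicePatternException):
    pass


def check_user(username, attributs, restrict_users=False, usernames=(),
               filters=(), user_field=""):
    """Model of the documented checks: returns True or raises.

    filters is a sequence of (attribut, pattern) pairs.
    Assumption: patterns are applied with re.match (start-anchored only).
    """
    if restrict_users and username not in usernames:
        raise BadUsername(username)
    for attribut, pattern in filters:
        if attribut not in attributs:
            raise BadFilter("%s is missing" % attribut)
        values = attributs[attribut]
        if not isinstance(values, (list, tuple)):
            values = [values]
        # For a list-valued attribute, one matching value is enough.
        if not any(re.match(pattern, str(value)) for value in values):
            raise BadFilter("%s does not match %s" % (attribut, pattern))
    if user_field and user_field not in attributs:
        raise UserFieldNotDefined(user_field)
    return True


def outcome(user, **policy):
    """Return 'allowed' or the name of the exception check_user raised."""
    try:
        check_user(user["username"], user["attributs"], **policy)
    except ServicePatternException as exc:
        return type(exc).__name__
    return "allowed"


# Constructed sample users (not taken from the page).
USERS = {
    "alice": {"username": "alice",
              "attributs": {"mail": "alice@example.net", "groups": ["vpn", "staff"]}},
    "bob": {"username": "bob",
            "attributs": {"mail": "bob@example.net", "groups": ["students"]}},
    "carol": {"username": "carol",
              "attributs": {"mail": "carol@example.net", "groups": ["staff-external"]}},
    "dave": {"username": "dave", "attributs": {"groups": "staff"}},
}

if __name__ == "__main__":
    for label, pattern in (("loose", "staff"), ("exact", "^staff$")):
        for name, user in USERS.items():
            result = outcome(user, filters=[("groups", pattern)], user_field="mail")
            print(label, name, result)
```

Under the re.match assumption an unanchored filter such as staff also accepts the value staff-external; writing it as ^staff$ restricts the match to the exact value.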
-
-
class
cas_server.models.
ReplaceAttributValue
(*args, **kwargs)[source]¶ Bases:
django.db.models.Model
A replacement (using a regular expression) of an attribute value for a ServicePattern.
-
attribut
¶ Name of the attribute: a key of User.attributs
-
pattern
¶ A regular expression matching the part of the attribute value that needs to be changed
-
service_pattern
¶ ForeignKey to a ServicePattern. ReplaceAttributValue instances for a ServicePattern are accessible through its ServicePattern.replacements attribute.
-
exception
DoesNotExist
¶
-
exception
MultipleObjectsReturned
¶
-
id
¶ A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
-
objects
= <django.db.models.manager.Manager object>¶
-
service_pattern_id
¶ A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
-
-
class
cas_server.models.
Ticket
(*args, **kwargs)[source]¶ Bases:
JsonAttributes
Generic class for a Ticket
-
validate
¶ A boolean.
True
if the ticket has been validated
-
service
¶ The service url for the ticket
-
service_pattern
¶ ForeignKey to a ServicePattern. The ServicePattern corresponding to service. Use ServicePattern.validate() to find it.
-
creation
¶ Date of the ticket creation
-
renew
¶ A boolean. True if the user has just renewed his authentication
-
single_log_out
¶ A boolean. Set to service_pattern attribute ServicePattern.single_log_out value.
-
VALIDITY
= 60¶ Max duration between ticket creation and its validation. Any validation attempt for the ticket after creation + VALIDITY will fail as if the ticket does not exist.
-
TIMEOUT
= 86400¶ Time we keep ticket with single_log_out set to True before sending SingleLogOut requests.
-
exception
DoesNotExist
[source]¶ raised in Ticket.get() when ticket prefix and ticket classes mismatch
-
static
send_slos
(queryset_list)[source]¶ Send SLO requests to each ticket of each queryset of queryset_list
Parameters: queryset_list (list) – A list of Ticket queryset
Returns: A list of possibly encountered Exception
Return type: list
-
static
get_class
(ticket, classes=None)[source]¶ Return the ticket class of ticket
Parameters:
Returns: The class corresponding to ticket (ServiceTicket or ProxyTicket or ProxyGrantingTicket) if found among classes, None otherwise.
Return type:
-
username
()[source]¶ The username to send on ticket validation
Returns: The value of the corresponding user attribute if service_pattern.user_field is set, the user username otherwise.
-
attributs_flat
()[source]¶ generate attributes list for template rendering
Returns: A list of (attribute name, attribute value) of all user attributes flattened (no nested list)
Return type: list of tuple of unicode
-
classmethod
get
(ticket, renew=False, service=None)[source]¶ Search the database for a valid ticket with provided arguments
Parameters:
Raises:
- Ticket.DoesNotExist – if no class is found for the ticket prefix
- cls.DoesNotExist – if ticket value is not found in the database
Returns: a Ticket instance
Return type:
-
get_next_by_creation
(*moreargs, **morekwargs)¶
-
get_previous_by_creation
(*moreargs, **morekwargs)¶
-
service_pattern_id
¶ A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
-
user_id
¶ A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
-
-
class
cas_server.models.
ServiceTicket
(*args, **kwargs)[source]¶ Bases:
Ticket
A Service Ticket
-
PREFIX
= u'ST'¶ The ticket prefix used to differentiate it from other ticket types
-
value
¶ The ticket value
-
exception
DoesNotExist
¶
-
exception
MultipleObjectsReturned
¶
-
get_next_by_creation
(*moreargs, **morekwargs)¶
-
get_previous_by_creation
(*moreargs, **morekwargs)¶
-
id
¶ A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
-
objects
= <django.db.models.manager.Manager object>¶
-
service_pattern
¶ Accessor to the related object on the forward side of a many-to-one or one-to-one relation.
In the example:
class Child(Model): parent = ForeignKey(Parent, related_name='children')
child.parent
is a ForwardManyToOneDescriptor
instance.
-
user
¶ Accessor to the related object on the forward side of a many-to-one or one-to-one relation.
In the example:
class Child(Model): parent = ForeignKey(Parent, related_name='children')
child.parent
is a ForwardManyToOneDescriptor
instance.
-
-
class
cas_server.models.
ProxyTicket
(*args, **kwargs)[source]¶ Bases:
Ticket
A Proxy Ticket
-
PREFIX
= u'PT'¶ The ticket prefix used to differentiate it from other ticket types
-
value
¶ The ticket value
-
exception
DoesNotExist
¶
-
exception
MultipleObjectsReturned
¶
-
get_next_by_creation
(*moreargs, **morekwargs)¶
-
get_previous_by_creation
(*moreargs, **morekwargs)¶
-
id
¶ A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
-
objects
= <django.db.models.manager.Manager object>¶
-
proxies
¶ Accessor to the related objects manager on the reverse side of a many-to-one relation.
In the example:
class Child(Model): parent = ForeignKey(Parent, related_name='children')
parent.children
is a ReverseManyToOneDescriptor
instance. Most of the implementation is delegated to a dynamically defined manager class built by
create_forward_many_to_many_manager()
defined below.
-
service_pattern
¶ Accessor to the related object on the forward side of a many-to-one or one-to-one relation.
In the example:
class Child(Model): parent = ForeignKey(Parent, related_name='children')
child.parent
is a ForwardManyToOneDescriptor
instance.
-
user
¶ Accessor to the related object on the forward side of a many-to-one or one-to-one relation.
In the example:
class Child(Model): parent = ForeignKey(Parent, related_name='children')
child.parent
is a ForwardManyToOneDescriptor
instance.
-
-
class
cas_server.models.
ProxyGrantingTicket
(*args, **kwargs)[source]¶ Bases:
Ticket
A Proxy Granting Ticket
-
PREFIX
= u'PGT'¶ The ticket prefix used to differentiate it from other ticket types
-
VALIDITY
= 3600¶ ProxyGranting tickets are never validated. However, they can be used during VALIDITY to get ProxyTicket for user
-
value
¶ The ticket value
-
exception
DoesNotExist
¶
-
exception
MultipleObjectsReturned
¶
-
get_next_by_creation
(*moreargs, **morekwargs)¶
-
get_previous_by_creation
(*moreargs, **morekwargs)¶
-
id
¶ A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
-
objects
= <django.db.models.manager.Manager object>¶
-
service_pattern
¶ Accessor to the related object on the forward side of a many-to-one or one-to-one relation.
In the example:
class Child(Model): parent = ForeignKey(Parent, related_name='children')
child.parent
is a ForwardManyToOneDescriptor
instance.
-
user
¶ Accessor to the related object on the forward side of a many-to-one or one-to-one relation.
In the example:
class Child(Model): parent = ForeignKey(Parent, related_name='children')
child.parent
is a ForwardManyToOneDescriptor
instance.
-
-
class
cas_server.models.
Proxy
(*args, **kwargs)[source]¶ Bases:
django.db.models.Model
A list of proxies on
ProxyTicket
-
url
¶ Service url of the PGT used for getting the associated
ProxyTicket
-
proxy_ticket
¶ ForeignKey to a ProxyTicket. Proxy instances for a ProxyTicket are accessible through its ProxyTicket.proxies attribute.
-
exception
DoesNotExist
¶
-
exception
MultipleObjectsReturned
¶
-
id
¶ A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
-
objects
= <django.db.models.manager.Manager object>¶
-
proxy_ticket_id
¶ A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
-
-
class
cas_server.models.
NewVersionWarning
(*args, **kwargs)[source]¶ Bases:
django.db.models.Model
The last new version available version sent
-
version
¶ A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
-
exception
DoesNotExist
¶
-
exception
MultipleObjectsReturned
¶
-
id
¶ A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.
-
objects
= <django.db.models.manager.Manager object>¶
-