cas_server.models module

models for the app

cas_server.models.logger = <logging.Logger object>

logger facility

class cas_server.models.JsonAttributes(*args, **kwargs)[source]

Bases: django.db.models.Model

A base class for models storing attributes as JSON

class Meta[source]
abstract = False
JsonAttributes.attributs

The attributes

class cas_server.models.FederatedIendityProvider(*args, **kwargs)[source]

Bases: django.db.models.Model

An identity provider for the federated mode

suffix = None

Suffix appended to the username returned by the backend CAS: returned_username @ suffix. It must be unique.

server_url = None

URL to the root of the CAS server application. If login page is https://cas.example.net/cas/login then server_url should be https://cas.example.net/cas/

cas_protocol_version = None

Version of the CAS protocol to use when sending requests to the backend CAS.

verbose_name = None

Name for this identity provider displayed on the login page.

pos = None

Position of the identity provider on the login page. Identity providers are sorted using the (pos, verbose_name, suffix) attributes.

display = None

Display the provider on the login page. Beware that this does not disable the identity provider, it just hides it on the login page. Users will always be able to log in using this provider by fetching /federate/suffix.

static build_username_from_suffix(username, suffix)[source]

Transform backend username into federated username using suffix

Parameters:
  • username (unicode) – A CAS backend returned username
  • suffix (unicode) – A suffix identifying the CAS backend
Returns:

The federated username: username @ suffix.

Return type:

unicode

build_username(username)[source]

Transform backend username into federated username

Parameters: username (unicode) – A CAS backend returned username
Returns: The federated username: username @ suffix.
Return type: unicode
exception DoesNotExist
exception FederatedIendityProvider.MultipleObjectsReturned
FederatedIendityProvider.federateduser_set

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

FederatedIendityProvider.get_cas_protocol_version_display(*moreargs, **morekwargs)
FederatedIendityProvider.objects = <django.db.models.manager.Manager object>
class cas_server.models.FederatedUser(*args, **kwargs)[source]

Bases: JsonAttributes

A federated user as returned by a CAS provider (username and attributes)

username = None

The user username returned by the CAS backend on successful ticket validation

provider

A foreign key to FederatedIendityProvider

ticket = None

The last ticket used to authenticate username against provider

last_update = None

Last update timestamp. Usually, the last time ticket has been set.

federated_username

The federated username with a suffix for the current FederatedUser.

classmethod get_from_federated_username(username)[source]
Returns: A FederatedUser object from a federated username
Return type: FederatedUser
classmethod clean_old_entries()[source]

Remove old unused FederatedUser objects

exception DoesNotExist
exception FederatedUser.MultipleObjectsReturned
FederatedUser.get_next_by_last_update(*moreargs, **morekwargs)
FederatedUser.get_previous_by_last_update(*moreargs, **morekwargs)
FederatedUser.objects = <django.db.models.manager.Manager object>
class cas_server.models.FederateSLO(*args, **kwargs)[source]

Bases: django.db.models.Model

An association between a CAS provider ticket and a (username, session) for processing SLO

username = None

The federated username with the @ component

session_key = None

The session key of the session in which username has been authenticated using ticket

ticket = None

The ticket used to authenticate username

classmethod clean_deleted_sessions()[source]

Remove old FederateSLO objects for which the session no longer exists

exception DoesNotExist
exception FederateSLO.MultipleObjectsReturned
FederateSLO.objects = <django.db.models.manager.Manager object>
class cas_server.models.User(*args, **kwargs)[source]

Bases: django.db.models.Model

A user logged into the CAS

session_key = None

The session key of the current authenticated user

username = None

The username of the current authenticated user

date = None

Last time the authenticated user has done something (auth, fetch ticket, etc…)

delete(*args, **kwargs)[source]

Remove the current User. If settings.CAS_FEDERATE is True, also delete the corresponding FederateSLO object.

classmethod clean_old_entries()[source]

Remove User objects inactive for more than SESSION_COOKIE_AGE and send corresponding SingleLogOut requests.

classmethod clean_deleted_sessions()[source]

Remove User objects where the corresponding session no longer exists.

attributs

Property. A fresh dict for the user attributes, using settings.CAS_AUTH_CLASS

logout(request=None)[source]

Send SLO requests to all services the user is logged in to.

Parameters: request (django.http.HttpRequest or NoneType) – The current django HttpRequest to display possible failure to the user.
get_ticket(ticket_class, service, service_pattern, renew)[source]

Generate a ticket using ticket_class for the service service matching service_pattern and asking or not for authentication renewal with renew

Parameters:
Returns:

A Ticket object.

Return type:

ServiceTicket or ProxyTicket or ProxyGrantingTicket.

get_service_url(service, service_pattern, renew)[source]

Return the url to which the user must be redirected after a Service Ticket has been generated

Parameters:
  • service (unicode) – The service url for which we want a ticket.
  • service_pattern (ServicePattern) – The service pattern matching service. Beware that service must match ServicePattern.pattern and the current User must pass ServicePattern.check_user(). These checks are not done here and you must perform them before calling this method.
  • renew (bool) – Should be True if authentication has been renewed. Must be False otherwise.
Return unicode:

The service url with the ticket GET param added.

Return type:

unicode

exception DoesNotExist
exception User.MultipleObjectsReturned
User.get_next_by_date(*moreargs, **morekwargs)
User.get_previous_by_date(*moreargs, **morekwargs)
User.objects = <django.db.models.manager.Manager object>
User.proxygrantingticket

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

User.proxyticket

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

User.serviceticket

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

exception cas_server.models.ServicePatternException[source]

Bases: exceptions.Exception

Base exception of exceptions raised in the ServicePattern model

exception cas_server.models.BadUsername[source]

Bases: ServicePatternException

Exception raised when a non-allowed username tries to get a ticket for a service

exception cas_server.models.BadFilter[source]

Bases: ServicePatternException

Exception raised when a user tries to get a ticket for a service and does not meet a condition

exception cas_server.models.UserFieldNotDefined[source]

Bases: ServicePatternException

Exception raised when a user tries to get a ticket for a service using as username an attribute not present on this user

class cas_server.models.ServicePattern(*args, **kwargs)[source]

Bases: django.db.models.Model

Allowed service patterns against which services are tested

pos = None

Service patterns are sorted using the pos attribute

name = None

A name for the service (this can be displayed to the user on the login page)

pattern = None

A regular expression matching services. It will usually look like ‘^https://some\.server\.com/path/.*$’. As it is a regular expression, special characters must be escaped with a ‘\’.
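
Why the escaping and anchoring of pattern matter, as an added example that is not part of django-cas-server: it compares the documented pattern with two loosened variants against constructed service URLs. It assumes the pattern is applied with Python's re.match(); the patterns, URLs and function names are all illustrative.

```python
import re

# Constructed patterns for one service (sample values, not from the project).
STRICT = r"^https://some\.server\.com/path/.*$"   # the form shown in the docs
WEAK = r"^https://some.server.com/path/.*$"       # dots left unescaped
OPEN = r"^https://some\.server\.com"              # nothing after the host

# Constructed service URLs that the administrator does NOT mean to allow.
UNINTENDED = [
    "https://someXserver.com/path/app",                 # different host
    "https://some.server.com.other.example/path/app",   # host is a prefix only
    "http://some.server.com/path/app",                  # plain HTTP
]
INTENDED = "https://some.server.com/path/app"


def accepted(pattern, urls):
    """Return the URLs that `pattern` accepts.

    Assumption: the pattern is applied with re.match(), i.e. anchored at the
    start of the service URL only.
    """
    regex = re.compile(pattern)
    return [url for url in urls if regex.match(url)]


def lint_pattern(pattern):
    """Static checks for the anchoring and escaping of a service pattern."""
    findings = []
    if not pattern.startswith("^"):
        findings.append("no leading ^ anchor")
    if not pattern.endswith("$"):
        findings.append("no trailing $ anchor")
    # Host part of the pattern: the text between '://' and the next '/'.
    host = re.search(r"://([^/]*)", pattern)
    if host and re.search(r"(?<!\\)\.", host.group(1)):
        findings.append("unescaped '.' in host")
    return findings


if __name__ == "__main__":
    for name, pattern in (("STRICT", STRICT), ("WEAK", WEAK), ("OPEN", OPEN)):
        print(name, lint_pattern(pattern), accepted(pattern, UNINTENDED))
```

A ticket issued for a service URL is delivered to that URL, so every unintended match is a host that could receive tickets for this service.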

user_field = None

Name of the attribute to transmit as username. If empty, the user login is used.

restrict_users = None

A boolean restricting the usernames allowed to connect to those listed in usernames.

proxy = None

A boolean allowing to deliver ProxyTicket to the service.

proxy_callback = None

A boolean allowing the service to be used as a proxy callback (via the pgtUrl GET param) to deliver ProxyGrantingTicket.

single_log_out = None

Enable SingleLogOut for the service. Old validated tickets for the service will be kept until settings.CAS_TICKET_TIMEOUT, after which an SLO request is sent to the service and the ticket is purged from the database. An SLO request can be sent earlier if the user logs out.

single_log_out_callback = None

A URL to which the SLO request will be POSTed. If empty, the service url will be used. This is useful for non-HTTP proxied services like smtp or imap.

check_user(user)[source]

Check if user is allowed to use these services. If user is not allowed, raises one of BadFilter, UserFieldNotDefined, BadUsername.

Parameters:

user (User) – a User object

Raises:
Returns:

True

Return type:

bool

classmethod validate(service)[source]

Get a ServicePattern instance from a service url.

Parameters: service (unicode) – A service url
Returns: A ServicePattern instance matching service.
Return type: ServicePattern
Raises: ServicePattern.DoesNotExist – if no ServicePattern is matching service.
exception DoesNotExist
exception ServicePattern.MultipleObjectsReturned
ServicePattern.attributs

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

ServicePattern.filters

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

ServicePattern.objects = <django.db.models.manager.Manager object>
ServicePattern.proxygrantingticket

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

ServicePattern.proxyticket

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

ServicePattern.replacements

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

ServicePattern.serviceticket

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

ServicePattern.usernames

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

class cas_server.models.Username(*args, **kwargs)[source]

Bases: django.db.models.Model

A list of allowed usernames on a ServicePattern

value = None

username allowed to connect to the service

service_pattern

ForeignKey to a ServicePattern. Username instances for a ServicePattern are accessible through its ServicePattern.usernames attribute.

exception DoesNotExist
exception Username.MultipleObjectsReturned
Username.objects = <django.db.models.manager.Manager object>
class cas_server.models.ReplaceAttributName(*args, **kwargs)[source]

Bases: django.db.models.Model

A replacement of an attribute name for a ServicePattern. It also tells the server to transmit an attribute of User.attributs to the service. An empty replace means the original attribute name is used.

name = None

Name of the attribute: a key of User.attributs

replace = None

The name of the attribute to transmit to the service. If empty, the value of name is used.

service_pattern

ForeignKey to a ServicePattern. ReplaceAttributName instances for a ServicePattern are accessible through its ServicePattern.attributs attribute.

exception DoesNotExist
exception ReplaceAttributName.MultipleObjectsReturned
ReplaceAttributName.objects = <django.db.models.manager.Manager object>
class cas_server.models.FilterAttributValue(*args, **kwargs)[source]

Bases: django.db.models.Model

A filter on User.attributs for a ServicePattern. If a User does not have an attribute attribut or its value does not match pattern, then ServicePattern.check_user() will raise BadFilter if called with that user.

attribut = None

The name of a user attribute

pattern = None

A regular expression the attribute attribut value must match. If attribut is a list, only one of the list values needs to match.

service_pattern

ForeignKey to a ServicePattern. FilterAttributValue instances for a ServicePattern are accessible through its ServicePattern.filters attribute.

exception DoesNotExist
exception FilterAttributValue.MultipleObjectsReturned
FilterAttributValue.objects = <django.db.models.manager.Manager object>
class cas_server.models.ReplaceAttributValue(*args, **kwargs)[source]

Bases: django.db.models.Model

A replacement (using a regular expression) of an attribute value for a ServicePattern.

attribut = None

Name of the attribute: a key of User.attributs

pattern = None

A regular expression matching the part of the attribute value that needs to be changed

replace = None

The replacement for what is matched by pattern. Groups are captured by \1, \2 …

service_pattern

ForeignKey to a ServicePattern. ReplaceAttributValue instances for a ServicePattern are accessible through its ServicePattern.replacements attribute.

exception DoesNotExist
exception ReplaceAttributValue.MultipleObjectsReturned
ReplaceAttributValue.objects = <django.db.models.manager.Manager object>
class cas_server.models.Ticket(*args, **kwargs)[source]

Bases: JsonAttributes

Generic class for a Ticket

class Meta[source]
abstract = False
Ticket.user

ForeignKey to a User.

Ticket.validate = None

A boolean. True if the ticket has been validated

Ticket.service = None

The service url for the ticket

Ticket.service_pattern

ForeignKey to a ServicePattern. The ServicePattern corresponding to service. Use ServicePattern.validate() to find it.

Ticket.creation = None

Date of the ticket creation

Ticket.renew = None

A boolean. True if the user has just renewed their authentication

Ticket.single_log_out = None

A boolean. Set to the value of ServicePattern.single_log_out for service_pattern.

Ticket.VALIDITY = 60

Max duration between ticket creation and its validation. Any validation attempt for the ticket after creation + VALIDITY will fail as if the ticket does not exist.

Ticket.TIMEOUT = 86400

Time we keep tickets with single_log_out set to True before sending SingleLogOut requests.

exception Ticket.DoesNotExist[source]

Raised in Ticket.get() when ticket prefix and ticket classes mismatch

static Ticket.send_slos(queryset_list)[source]

Send SLO requests to each ticket of each queryset of queryset_list

Parameters: queryset_list (list) – A list of Ticket querysets
Returns: A list of possibly encountered Exception
Return type: list
classmethod Ticket.clean_old_entries()[source]

Remove old tickets and send SLO to timed-out services

Ticket.logout(session, async_list=None)[source]

Send a SLO request to the ticket service

static Ticket.get_class(ticket, classes=None)[source]

Return the ticket class of ticket

Parameters:
  • ticket (unicode) – A ticket
  • classes (list) – Optional argument. A list of possible Ticket subclasses
Returns:

The class corresponding to ticket (ServiceTicket or ProxyTicket or ProxyGrantingTicket) if found among classes, None otherwise.

Return type:

type or NoneType

Ticket.username()[source]

The username to send on ticket validation

Returns: The value of the corresponding user attribute if service_pattern.user_field is set, the user username otherwise.
Ticket.attributs_flat()[source]

Generate attributes list for template rendering

Returns: A list of (attribute name, attribute value) of all user attributes flattened (no nested list)
Return type: list of tuple of unicode
classmethod Ticket.get(ticket, renew=False, service=None)[source]
Search the database for a valid ticket with provided arguments
Parameters:
  • ticket (unicode) – A ticket value
  • renew (bool) – Is authentication renewal needed
  • service (unicode) – Optional argument. The ticket service
Raises:
  • Ticket.DoesNotExist – if no class is found for the ticket prefix
  • cls.DoesNotExist – if ticket value is not found in the database
Returns:

a Ticket instance

Return type:

Ticket

Ticket.get_next_by_creation(*moreargs, **morekwargs)
Ticket.get_previous_by_creation(*moreargs, **morekwargs)
class cas_server.models.ServiceTicket(*args, **kwargs)[source]

Bases: Ticket

A Service Ticket

PREFIX = u'ST'

The ticket prefix used to differentiate it from other ticket types

value = None

The ticket value

exception DoesNotExist
exception ServiceTicket.MultipleObjectsReturned
ServiceTicket.get_next_by_creation(*moreargs, **morekwargs)
ServiceTicket.get_previous_by_creation(*moreargs, **morekwargs)
ServiceTicket.objects = <django.db.models.manager.Manager object>
ServiceTicket.service_pattern

Accessor to the related object on the forward side of a many-to-one or one-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

child.parent is a ForwardManyToOneDescriptor instance.

ServiceTicket.user

Accessor to the related object on the forward side of a many-to-one or one-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

child.parent is a ForwardManyToOneDescriptor instance.

class cas_server.models.ProxyTicket(*args, **kwargs)[source]

Bases: Ticket

A Proxy Ticket

PREFIX = u'PT'

The ticket prefix used to differentiate it from other ticket types

value = None

The ticket value

exception DoesNotExist
exception ProxyTicket.MultipleObjectsReturned
ProxyTicket.get_next_by_creation(*moreargs, **morekwargs)
ProxyTicket.get_previous_by_creation(*moreargs, **morekwargs)
ProxyTicket.objects = <django.db.models.manager.Manager object>
ProxyTicket.proxies

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

ProxyTicket.service_pattern

Accessor to the related object on the forward side of a many-to-one or one-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

child.parent is a ForwardManyToOneDescriptor instance.

ProxyTicket.user

Accessor to the related object on the forward side of a many-to-one or one-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

child.parent is a ForwardManyToOneDescriptor instance.

class cas_server.models.ProxyGrantingTicket(*args, **kwargs)[source]

Bases: Ticket

A Proxy Granting Ticket

PREFIX = u'PGT'

The ticket prefix used to differentiate it from other ticket types

VALIDITY = 3600

ProxyGranting tickets are never validated. However, they can be used during VALIDITY to get ProxyTicket for user

value = None

The ticket value

exception DoesNotExist
exception ProxyGrantingTicket.MultipleObjectsReturned
ProxyGrantingTicket.get_next_by_creation(*moreargs, **morekwargs)
ProxyGrantingTicket.get_previous_by_creation(*moreargs, **morekwargs)
ProxyGrantingTicket.objects = <django.db.models.manager.Manager object>
ProxyGrantingTicket.service_pattern

Accessor to the related object on the forward side of a many-to-one or one-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

child.parent is a ForwardManyToOneDescriptor instance.

ProxyGrantingTicket.user

Accessor to the related object on the forward side of a many-to-one or one-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

child.parent is a ForwardManyToOneDescriptor instance.

class cas_server.models.Proxy(*args, **kwargs)[source]

Bases: django.db.models.Model

A list of proxies on ProxyTicket

url = None

Service url of the PGT used for getting the associated ProxyTicket

proxy_ticket

ForeignKey to a ProxyTicket. Proxy instances for a ProxyTicket are accessible through its ProxyTicket.proxies attribute.

exception DoesNotExist
exception Proxy.MultipleObjectsReturned
Proxy.objects = <django.db.models.manager.Manager object>
class cas_server.models.NewVersionWarning(*args, **kwargs)[source]

Bases: django.db.models.Model

The last available new version for which a warning was sent

exception DoesNotExist
exception NewVersionWarning.MultipleObjectsReturned
NewVersionWarning.objects = <django.db.models.manager.Manager object>
classmethod NewVersionWarning.send_mails()[source]

For each new django-cas-server version, if the current instance is not up to date, send one mail to settings.ADMINS.