Produits Entr'ouvert » Authentic 2

================================

Enable SSL Client authentication

================================

Intro

=====

Tested with Apache 2 and mod_ssl.

Django over mod_wsgi. From http://docs.djangoproject.com/en/dev/howto/deployment/modwsgi/

"Deploying Django with Apache and mod_wsgi is the recommended way to get Django into production."

Generate Keys

=============

* Create a CA (passphrase)

openssl genrsa -des3 -out ca.key 2048

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

openssl x509 -in ca.crt -text -noout

* Server key material (challenge)

openssl genrsa -des3 -out server.key 1024

openssl req -new -key server.key -out server.csr

openssl x509 -req -in server.csr -out server.crt -sha1 -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650

openssl x509 -in server.crt -text -noout

* User Key material (challenge/password)

openssl genrsa -des3 -out c.key 1024

openssl req -new -key c.key -out c.csr

openssl x509 -req -in c.csr -out c.crt -sha1 -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650

openssl pkcs12 -export -in c.crt -inkey c.key -name "Mikael Ates" -out c.p12

openssl pkcs12 -in c.p12 -clcerts -nokeys -info

Configure Apache and WSGI

=========================

Add a file django.wsgi, e.g.:

"""

import os

import sys

sys.path.append("/usr/local/lib/python2.6/site-packages/")

try:

    import lasso

except:

    print("Unable to import Lasso.", file=sys.stderr)

apache_configuration= os.path.dirname(__file__)

project = os.path.dirname(apache_configuration)

sys.path.append(project)

try:

    import authentic2.settings

    os.environ['DJANGO_SETTINGS_MODULE'] = 'authentic2.settings'

except:

    print("Unable to import settings.", file=sys.stderr)

import django.core.handlers.wsgi

application = django.core.handlers.wsgi.WSGIHandler()

"""

Activate apache2 modules:

* a2enmod wsgi

* a2enmod ssl

Add a Apache vhost for SSL.

"""

<IfModule mod_ssl.c>

<VirtualHost *:443>

LimitInternalRecursion 1000

ServerAdmin webmaster@entrouvert.org

ServerName localhost

Alias /media/admin/ /usr/local/lib/python2.6/dist-packages/django/contrib/admin/media/

WSGIScriptAlias / /Donnees/devs/authentic/apache/django.wsgi

<Directory /Donnees/devs/authentic/>

SSLVerifyClient optional_no_ca

Options Indexes MultiViews FollowSymLinks

AllowOverride None

Order deny,allow

Allow from all

</Directory>

SSLEngine on

SSLCipherSuite HIGH:MEDIUM

SSLProtocol all -SSLv2

SSLCertificateFile /Donnees/devs/authentic/apache/key_mat/server.crt

SSLCertificateKeyFile /Donnees/devs/authentic/apache/key_mat/server.key

SSLCertificateChainFile /Donnees/devs/authentic/apache/key_mat/ca.crt

SSLCACertificateFile /Donnees/devs/authentic/apache/key_mat/ca.crt

SSLOptions +StdEnvVars +ExportCertData

BrowserMatch "MSIE [2-6]" \

	nokeepalive ssl-unclean-shutdown \

	downgrade-1.0 force-response-1.0

BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>

</IfModule>

"""

Give rights to Apache on your Authentic directory.

Reload Apache.

Configure Authentic

===================

Key                        Description

-------------------------- ----------------------------------------

ACCEPT_SELF_SIGNED         accept certificate for which the validation failed,

                           default: False

STRICT_MATCH               do a binary compare to match certificate and users,

                           default: False

SUBJECT_MATCH_KEYS         SSL information to use to match recorded

                           certificates. default: ('subject_dn', 'issuer_dn'),

                           possible values: serial, subject_dn, issuer_dn, cert.

CREATE_USERNAME_CALLBACK   function receiving a SSLInfo object as first

                           parameter and returning a username, default: None

CREATE_USER                function receiving a SSLInfo object as first

                           parameter and returning a user, default: None

USE_COOKIE                 to be described

in settings.py:

Set AUTH_SSL = True

To create a user with the mail adress as identifier:

SSLAUTH_CREATE_USER = True

To use another identifier:

def myusernamegen(ssl_info):

    import re

    if(ssl_info.subject_cn):

        return return re.sub('[^a-zA-Z0-9]', '_', ssl_info.subject_cn)

    else:

        return return re.sub('[^a-zA-Z0-9]', '_', ssl_info.serial)

SSLAUTH_CREATE_USERNAME_CALLBACK = myusernamegen

Nginx configuration

===================

You must be able to retrieve SSL environment variable, for example with the

SCGI backend you must add those lines to /etc/nginx/scgi_params::

    scgi_param SSL_CLIENT_CERT $ssl_client_cert;

    scgi_param SSL_CLIENT_RAW_CERT $ssl_client_raw_cert;

    scgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;

    scgi_param SSL_CLIENT_I_DN $ssl_client_i_dn;

    scgi_param SSL_CLIENT_SERIAL $ssl_client_serial;

    scgi_param SSL_CLIENT_M_SERIAL $ssl_client_serial;

    scgi_param SSL_CLIENT_VERIFY $ssl_client_verify;

It would be the same with FCGI but using the fcgi_param directive in the

fcgi_params file. It does not currently work when using proxy_pass.

A virtualhost configuration example::

    server {

      listen 80;

      server_name authentic.localhost;

      rewrite ^ https://$server_name$request_uri? permanent;

    }

    server {

      listen 443;

      server_name authentic.localhost;

      ssl on;

      ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;

      ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

      ssl_verify_client optional_no_ca;

      location / {

      include scgi_params;

            scgi_pass localhost:8000;

      }

    }

The serveur must be run using the SCGI protocol, with this command line for

example::

    ./manage.py runfcgi protocol=scgi method=threaded daemonize=false host=localhost port=8000

    def get_before_urls(self):

        from . import app_settings

        from django.conf.urls import include, url

        from authentic2.decorators import setting_enabled, required

        return required(

            setting_enabled('ENABLE', settings=app_settings),

            [url(r'^accounts/sslauth/', include(__name__ + '.urls'))])

    def get_authentication_backends(self):

        return ['authentic2.auth2_auth.auth2_ssl.backends.SSLBackend']

    def get_authenticators(self):

        return ['authentic2.auth2_auth.auth2_ssl.authenticators.SSLAuthenticator']

# authentic2 - versatile identity manager

# Copyright (C) 2010-2019 Entr'ouvert

#

# This program is free software: you can redistribute it and/or modify it

# under the terms of the GNU Affero General Public License as published

# by the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU Affero General Public License for more details.

#

# You should have received a copy of the GNU Affero General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

from django.contrib import admin

from . import models

class ClientCertificateAdmin(admin.ModelAdmin):

    list_display = ('user', 'subject_dn', 'issuer_dn', 'serial')

admin.site.register(models.ClientCertificate, ClientCertificateAdmin)

# authentic2 - versatile identity manager

# Copyright (C) 2010-2019 Entr'ouvert

#

# This program is free software: you can redistribute it and/or modify it

# under the terms of the GNU Affero General Public License as published

# by the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU Affero General Public License for more details.

#

# You should have received a copy of the GNU Affero General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import sys

class AppSettings(object):

    '''Thanks django-allauth'''

    __DEFAULTS = dict(

        # settings for TEST only, make it easy to simulate the SSL

        # environment

        ENABLE=False,

        FORCE_ENV={},

        ACCEPT_SELF_SIGNED=False,

        STRICT_MATCH=False,

        SUBJECT_MATCH_KEYS=('subject_dn', 'issuer_dn'),

        CREATE_USERNAME_CALLBACK=None,

        USE_COOKIE=False,

        CREATE_USER=False,

    )

    def __init__(self, prefix):

        self.prefix = prefix

    def _setting(self, name, dflt):

        from django.conf import settings

        return getattr(settings, self.prefix + name, dflt)

    def __getattr__(self, name):

        if name not in self.__DEFAULTS:

            raise AttributeError(name)

        return self._setting(name, self.__DEFAULTS[name])

app_settings = AppSettings('SSLAUTH_')

app_settings.__name__ = __name__

app_settings.__file__ = __file__

sys.modules[__name__] = app_settings

<IfModule mod_ssl.c>

<VirtualHost *:443>

LimitInternalRecursion 1000

ServerAdmin webmaster@entrouvert.org

ServerName localhost

#Alias /media/ /Donnees/devs/Authentic/authentic/media/

Alias /media/admin/ /usr/local/lib/python2.6/dist-packages/django/contrib/admin/media/

WSGIScriptAlias / /Donnees/devs/Authentic/authentic/apache/django.wsgi

<Location />

Options Indexes MultiViews FollowSymLinks

AllowOverride None

Order deny,allow

Allow from all

</Location>

<Location /sslauth/>

SSLVerifyClient require

Options Indexes MultiViews FollowSymLinks

AllowOverride None

Order deny,allow

Allow from all

</Location>

SSLEngine on

SSLCipherSuite HIGH:MEDIUM

SSLProtocol all -SSLv2

SSLCertificateFile /Donnees/devs/Authentic/authentic/apache/key_mat/server.crt

SSLCertificateKeyFile /Donnees/devs/Authentic/authentic/apache/key_mat/server.key

SSLCertificateChainFile /Donnees/devs/Authentic/authentic/apache/key_mat/ca.crt

SSLCACertificateFile /Donnees/devs/Authentic/authentic/apache/key_mat/ca.crt

SSLOptions +StdEnvVars +ExportCertData

#SSLProtocol all

	BrowserMatch "MSIE [2-6]" \

		nokeepalive ssl-unclean-shutdown \

		downgrade-1.0 force-response-1.0

	BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>

</IfModule>

# authentic2 - versatile identity manager

# Copyright (C) 2010-2019 Entr'ouvert

#

# This program is free software: you can redistribute it and/or modify it

# under the terms of the GNU Affero General Public License as published

# by the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU Affero General Public License for more details.

#

# You should have received a copy of the GNU Affero General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

from django.utils.translation import ugettext_lazy as _

import django.forms

from . import views, app_settings

from authentic2.utils import redirect_to_login

class SSLAuthenticator(object):

    def enabled(self):

        return app_settings.ENABLE

    def id(self):

        return 'ssl'

    def name(self):

        return _('SSL with certificates')

    def form(self):

        return django.forms.Form

    def post(self, request, form, nonce, next_url):

        return redirect_to_login(request, login_url='user_signin_ssl',)

    def template(self):

        return 'auth/login_form_ssl.html'

    def profile(self, request, *args, **kwargs):

        return views.profile(request, *args, **kwargs)

# authentic2 - versatile identity manager

# Copyright (C) 2010-2019 Entr'ouvert

#

# This program is free software: you can redistribute it and/or modify it

# under the terms of the GNU Affero General Public License as published

# by the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU Affero General Public License for more details.

#

# You should have received a copy of the GNU Affero General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

from django.contrib.auth import get_user_model

from django.db.models import Q

import logging

from authentic2.backends import is_user_authenticable

from . import models, app_settings

logger = logging.getLogger(__name__)

User = get_user_model()

class AuthenticationError(Exception):

    pass

class SSLBackend:

    """

    authenticates a client certificate against the records stored

    in ClientCertificate model and looks up the corresponding django user

    In all methods, the ssl_info parameter is supposed to be an SSLInfo

    instance

    """

    supports_object_permissions = False

    supports_anonymous_user = False

    def authenticate(self, ssl_info):

        cert = self.get_certificate(ssl_info)

        if cert is None:

            return None

        else:

            if not is_user_authenticable(cert.user):

                logger.info('SSLAuth: authentication refused by user filters')

                return None

            return cert.user

    def get_user(self, user_id):

        """

        simply return the user object. That way, we only need top look-up the

        certificate once, when loggin in

        """

        try:

            return User.objects.get(id=user_id)

        except User.DoesNotExist:

            return None

    def get_certificate(self, ssl_info):

        """

        returns a ClientCertificate object for the passed

        cert data or None if not found

        """

        if app_settings.STRICT_MATCH:

            # compare complete certificate in strict match

            if not ssl_info.cert:

                logger.error('SSLAuth: strict match required but PEM encoded certificate '

                             'not found in environment. Check your server settings')

                return None

            query = Q(cert=ssl_info.cert)

        else:

            query_args = {}

            for key in app_settings.SUBJECT_MATCH_KEYS:

                if not ssl_info.get(key):

                    logger.error(u'SSLAuth: key %s is missing from ssl_info', key)

                    return None

                query_args[key] = ssl_info.get(key)

            query = Q(**query_args)

        try:

            cert = models.ClientCertificate.objects.select_related().get(query)

            return cert

        except models.ClientCertificate.DoesNotExist:

            return None

    def create_user(self, ssl_info):

        """

        This method creates a new django User and ClientCertificate record

        for the passed certificate info. It does not create an issuer record,

        just a subject for the ClientCertificate.

        """

        # auto creation only created a DN for the subject, not the issuer

        # get username and check if the user exists already

        if app_settings.CREATE_USERNAME_CALLBACK:

            build_username = app_settings.CEATE_USERNAME_CALLBACK

        else:

            build_username = self.build_username

        username = build_username(ssl_info)

        try:

            user = User.objects.get(username=username)

        except User.DoesNotExist:

            if app_settings.CREATE_USER_CALLBACK:

                build_user = app_settings.CREATE_USER_CALLBACK

            else:

                build_user = self.build_user

            user = build_user(username, ssl_info)

        # create the certificate record and save

        self.link_user(ssl_info, user)

        return user

    def link_user(self, ssl_info, user):

        """

        This method creates a new django User and ClientCertificate record

        for the passed certificate info. It does not create an issuer record,

        just a subject for the ClientCertificate.

        """

        # create the certificate record and save

        cert = models.ClientCertificate()

        cert.user = user

        cert.subject_dn = ssl_info.subject_dn

        cert.issuer_dn = ssl_info.issuer_dn

        cert.serial = ssl_info.serial

        cert.cert = ssl_info.cert

        cert.save()

        return user

    def build_user(self, username, ssl_info):

        """

        create a valid (and stored) django user to be associated with the

        newly created certificate record. This method can be "overwritten" by

        using the SSLAUTH_CREATE_USER_CALLBACK setting.

        """

        User = get_user_model()

        user = User()

        setattr(user, User.USERNAME_FIELD, username)

        if hasattr(User, 'set_unusable_password'):

            user.set_unusable_password()

        user.is_active = True

        user.save()

        return user

    @classmethod

    def get_saml2_authn_context(cls):

        from authentic2.compat_lasso import lasso

        return lasso.SAML2_AUTHN_CONTEXT_X509

# authentic2 auth ssl french l10n

# Copyright (C) 2015 Entr'ouvert

# This file is distributed under the same license as the Authentic package.

# Frederic Peters <fpeters@entrouvert.com>, 2010.

#

msgid ""

msgstr ""

"Project-Id-Version: Authentic\n"

"Report-Msgid-Bugs-To: \n"

"POT-Creation-Date: 2019-03-08 10:43+0100\n"

"PO-Revision-Date: 2013-07-23 17:41+0200\n"

"Last-Translator: Mikaël Ates <mates@entrouvert.com>\n"

"Language-Team: None\n"

"Language: fr\n"

"MIME-Version: 1.0\n"

"Content-Type: text/plain; charset=UTF-8\n"

"Content-Transfer-Encoding: 8bit\n"

"Plural-Forms: nplurals=2; plural=n>1;\n"

#: src/authentic2/auth2_auth/auth2_ssl/frontends.py:16

msgid "SSL with certificates"

msgstr "Certificats SSL"

#: src/authentic2/auth2_auth/auth2_ssl/templates/auth/account_linking_ssl.html:5

#: src/authentic2/auth2_auth/auth2_ssl/templates/auth/account_linking_ssl.html:9

msgid "Log in to link your certificate with an existing account"

msgstr "connectez-vous pour lier votre certificat avec un compte existant"

#: src/authentic2/auth2_auth/auth2_ssl/templates/auth/account_linking_ssl.html:18

#: src/authentic2/auth2_auth/auth2_ssl/templates/auth/account_linking_ssl.html:25

msgid "Username:"

msgstr "Nom d'utilisateur :"

#: src/authentic2/auth2_auth/auth2_ssl/templates/auth/account_linking_ssl.html:21

#: src/authentic2/auth2_auth/auth2_ssl/templates/auth/account_linking_ssl.html:29

msgid "Password:"

msgstr "Mot de passe :"

#: src/authentic2/auth2_auth/auth2_ssl/templates/auth/account_linking_ssl.html:34

msgid "Create me a new account"

msgstr "Me créer un nouveau compte"

#: src/authentic2/auth2_auth/auth2_ssl/templates/auth/account_linking_ssl.html:38

#: src/authentic2/auth2_auth/auth2_ssl/templates/auth/login_form_ssl.html:9

msgid "Log in"

msgstr "S'identifier"

#: src/authentic2/auth2_auth/auth2_ssl/templates/auth/login_form_ssl.html:4

msgid "Login using a certificate."

msgstr "Connexion par certificat."

#: src/authentic2/auth2_auth/auth2_ssl/templates/auth/login_form_ssl.html:11

msgid "Cancel"

msgstr "Annuler"

#: src/authentic2/auth2_auth/auth2_ssl/templates/ssl/profile.html:3

msgid "SSL Certificates"

msgstr "Certificats SSL"

#: src/authentic2/auth2_auth/auth2_ssl/templates/ssl/profile.html:21

msgid "Delete"

msgstr "Supprimer"

#: src/authentic2/auth2_auth/auth2_ssl/templates/ssl/profile.html:28

msgid "Add a certificate?"

msgstr "Ajouter un certificat ?"

#: src/authentic2/auth2_auth/auth2_ssl/templates/ssl/profile.html:30

msgid "Add"

msgstr "Ajouter"

#: src/authentic2/auth2_auth/auth2_ssl/views.py:28

msgid "SSL Client Authentication failed. No client certificate found."

msgstr "Echec de l'authentification cliente SSL. Aucun certificat trouvé."

#: src/authentic2/auth2_auth/auth2_ssl/views.py:35

msgid "SSL Client Authentication failed. Your client certificate is not valid."

msgstr ""

"Echec de l'authentification cliente SSL. Votre certificat n'est pas valide."

#: src/authentic2/auth2_auth/auth2_ssl/views.py:54

#: src/authentic2/auth2_auth/auth2_ssl/views.py:70

#: src/authentic2/auth2_auth/auth2_ssl/views.py:118

msgid "SSL Client Authentication failed. Internal server error."

msgstr "Echec de l'authentification SSL. Erreur interne du serveur."

#: src/authentic2/auth2_auth/auth2_ssl/views.py:140

msgid "Certificate deleted."

msgstr "Certificat supprimé."

# authentic2 - versatile identity manager

# Copyright (C) 2010-2019 Entr'ouvert

#

# This program is free software: you can redistribute it and/or modify it

# under the terms of the GNU Affero General Public License as published

# by the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU Affero General Public License for more details.

#

# You should have received a copy of the GNU Affero General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

from django.contrib.auth import authenticate, login

from . import util, app_settings

class SSLAuthMiddleware(object):

    """

    attempts to find a valid user based on the client certificate info

    """

    def process_request(self, request):

        if app_settings.USE_COOKIE and request.user.is_authenticated():

            return

        ssl_info = util.SSLInfo(request)

        user = authenticate(ssl_info=ssl_info)

        if user and request.user != user:

            login(request, user)

# authentic2 - versatile identity manager

# Copyright (C) 2010-2019 Entr'ouvert

#

# This program is free software: you can redistribute it and/or modify it

# under the terms of the GNU Affero General Public License as published

# by the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU Affero General Public License for more details.

#

# You should have received a copy of the GNU Affero General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

from django.db import models

from django.conf import settings

from django.utils import six

from . import util

@six.python_2_unicode_compatible

class ClientCertificate(models.Model):

    serial = models.CharField(max_length=255, blank=True)

    subject_dn = models.CharField(max_length=255)

    issuer_dn = models.CharField(max_length=255)

    cert = models.TextField()

    user = models.ForeignKey(settings.AUTH_USER_MODEL)

    def __str__(self):

        return self.subject_dn

    def explode_subject_dn(self):

        return util.explode_dn(self.subject_dn)

    def explode_issuer_dn(self):

        return util.explode_dn(self.issuer_dn)

{% extends "authentic2/base-page.html" %}

{% load i18n %}

{% block title %}

{% trans "Log in to link your certificate with an existing account" %}

{% endblock %}

{% block content %}

<p>* {% trans "Log in to link your certificate with an existing account" %}</p>

<div id="login-actions">

  <form id="login-form" method="post" action="{% url "post_account_linking" %}">

  {% csrf_token %}

  <ul class="errorlist">

    {% for error in form.non_field_errors %}

      <li>{{ error|escape }}</li>

    {% endfor %}

    {% for error in form.username.errors %}

      <li>{% trans "Username:" %} {{ error|escape }}</li>

    {% endfor %}

    {% for error in form.password.errors %}

      <li>{% trans "Password:" %} {{ error|escape }}</li>

    {% endfor %}

  </ul>

  <p>

    <label for="id_username">{% trans "Username:" %}</label>

    <input id="id_username" type="text" name="username" maxlength="30" />

  </p>

  <p>

    <label for="id_password">{% trans "Password:" %}</label>

    <input type="password" name="password" id="id_password" />

  </p>

  <p>

    <label for="id_do_creation">{% trans "Create me a new account" %}</label>

    <input type="checkbox" name="do_creation" id="id_do_creation" />

  </p>

  <button class="submit-button">{% trans 'Log in' %}</button>

  <input type="hidden" name="next" value="{{ next_url }}" />

</form>

</div>

<script type="text/javascript">

document.getElementById('id_username').focus();

</script>

{% endblock %}

{% load i18n %}

<div id="login-ssl">

<p>

{% trans "Login using a certificate." %}

</p>

<form method="post" action="">

{% csrf_token %}

{{ form.as_p }}

<button class="submit-button" name="{{ submit_name }}">{% trans "Log in" %}</button>

{% if cancel %}

<button class="cancel-button" name="cancel" formnovalidate>{% trans 'Cancel' %}"</button>

{% endif %}

</form>

</div>

{% load i18n %}

<h4 id="a2-ssl-certificate-profile" class="a2-ssl-certificate-profile-title">

  {% trans "SSL Certificates" %}

</h4>

<div class="a2-ssl-certificate-profile-body">

  <ul class="a2-ssl-certificate-list">

  {% for certificate in certificates %}

    <li class="a2-ssl-certificate-item">

      <form action="{% url "delete_certificate" certificate_pk=certificate.pk %}"

            method="post">

        {% csrf_token %}

        <p class="a2-ssl-certificate-dn">

          <dl class="a2-ssl-certificate-dn-parts">

            {% for k, v in certificate.explode_subject_dn %}

              <dt class="a2-ssl-certificate-dn-part-name">{{ k }}</dt>

              <dd class="a2-ssl-certificate-dn-part-value">{{ v }}</dd>

            {% endfor %}

          </dl>

        </p>

        <button class="submit-button a2-ssl-certificate-submit-button">{% trans "Delete" %}</button>

      </form>

    </p>

  {% endfor %}

  </ul>

  <p>

    <form action="{% url "user_signin_ssl" %}" method="get">

      <label for="id_del_cert">{% trans "Add a certificate?" %}</label>

      <input type="hidden" name="next" value="{% url "account_management" %}#a2-ssl-certificate-profile" />

      <button class="submit-button a2-ssl-certificate-submit-button">{% trans "Add" %}</button>

    </form>

  </p>

</div>

# authentic2 - versatile identity manager

# Copyright (C) 2010-2019 Entr'ouvert

#

# This program is free software: you can redistribute it and/or modify it

# under the terms of the GNU Affero General Public License as published

# by the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU Affero General Public License for more details.

#

# You should have received a copy of the GNU Affero General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

from django.conf.urls import url

from .views import (handle_request, post_account_linking, delete_certificate, error_ssl)

urlpatterns = [

    url(r'^$',

        handle_request,

        name='user_signin_ssl'),

    url(r'^post_account_linking/$',

        post_account_linking,

        name='post_account_linking'),

    url(r'^delete_certificate/(?P<certificate_pk>\d+)/$',

        delete_certificate,

        name='delete_certificate'),

    url(r'^error_ssl/$',

        error_ssl,

        name='error_ssl'),

]

# authentic2 - versatile identity manager

# Copyright (C) 2010-2019 Entr'ouvert

#

# This program is free software: you can redistribute it and/or modify it

# under the terms of the GNU Affero General Public License as published

# by the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU Affero General Public License for more details.

#

# You should have received a copy of the GNU Affero General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import base64

import six

from . import app_settings

X509_KEYS = {

    'subject_dn': 'SSL_CLIENT_S_DN',

    'issuer_dn': 'SSL_CLIENT_I_DN',

    'serial': ('SSL_CLIENT_M_SERIAL', 'SSL_CLIENT_SERIAL'),

    'cert': 'SSL_CLIENT_CERT',

    'verify': 'SSL_CLIENT_VERIFY',

}

def normalize_cert(certificate_pem):

    '''Normalize content of the certificate'''

    base64_content = ''.join(certificate_pem.splitlines()[1:-1])

    content = base64.b64decode(base64_content)

    return base64.b64encode(content)

def explode_dn(dn):

    '''Extract sub element of a DN as displayed by mod_ssl or nginx_ssl'''

    dn = dn.strip('/')

    parts = dn.split('/')

    parts = [part.split('=') for part in parts]

    parts = [(part[0], part[1].decode('string_escape').decode('utf-8')) for part in parts]

    return parts

TRANSFORM = {

    'cert': normalize_cert,

}

class SSLInfo(object):

    """

    Encapsulates the SSL environment variables in a read-only object. It

    attempts to find the ssl vars based on the type of request passed to the

    constructor. Currently only WSGIRequest and ModPythonRequest are

    supported.

    """

    def __init__(self, request):

        name = request.__class__.__name__

        if app_settings.FORCE_ENV:

            env = app_settings.FORCE_ENV

        elif name == 'WSGIRequest':

            env = request.environ

        elif name == 'ModPythonRequest':

            env = request._req.subprocess_env

        else:

            raise EnvironmentError('The SSL authentication currently only \

                works with mod_python or wsgi requests')

        self.read_env(env)

        pass

    def read_env(self, env):

        for attr, keys in X509_KEYS.items():

            if isinstance(keys, six.string_types):

                keys = [keys]

            for key in keys:

                if key in env and env[key]:

                    v = env[key]

                    if attr in TRANSFORM:

                        v = TRANSFORM[attr](v)

                    self.__dict__[attr] = v

                else:

                    self.__dict__[attr] = None

        if self.__dict__['verify'] == 'SUCCESS':

            self.__dict__['verify'] = True

        else:

            self.__dict__['verify'] = False

    def get(self, attr):

        return self.__getattr__(attr)

    def __getattr__(self, attr):

        if attr in self.__dict__:

            return self.__dict__[attr]

        else:

            raise AttributeError('SSLInfo does not contain key %s' % attr)

    def __setattr__(self, attr, value):

        raise AttributeError('SSL vars are read only!')

    def __repr__(self):

        return '<SSLInfo %s>' % self.__dict__

# authentic2 - versatile identity manager

# Copyright (C) 2010-2019 Entr'ouvert

#

# This program is free software: you can redistribute it and/or modify it

# under the terms of the GNU Affero General Public License as published

# by the Free Software Foundation, either version 3 of the License, or

# (at your option) any later version.

#

# This program is distributed in the hope that it will be useful,

# but WITHOUT ANY WARRANTY; without even the implied warranty of

# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

# GNU Affero General Public License for more details.

#

# You should have received a copy of the GNU Affero General Public License

# along with this program.  If not, see <http://www.gnu.org/licenses/>.

import logging

from django.utils.translation import ugettext as _

from django.shortcuts import render

from django.views.decorators.csrf import csrf_exempt

from django.views.generic.base import TemplateView

from django.template.loader import render_to_string

from django.contrib import messages

from django.contrib.auth.forms import AuthenticationForm

from django.contrib.auth import authenticate, login

from authentic2.utils import continue_to_next_url, record_authentication_event, redirect, redirect_to_login

from . import models, util, app_settings

logger = logging.getLogger(__name__)

def handle_request(request):

    # Check certificate validity

    ssl_info = util.SSLInfo(request)

    accept_self_signed = app_settings.ACCEPT_SELF_SIGNED

    if not ssl_info.cert:

        logger.error('SSL Client Authentication failed: SSL CGI variable CERT is missing')

        messages.add_message(request, messages.ERROR,

                             _('SSL Client Authentication failed. No client certificate found.'))

        return redirect_to_login(request)

    elif not accept_self_signed and not ssl_info.verify:

        logger.error('SSL Client Authentication failed: SSL CGI variable VERIFY is not SUCCESS')

        messages.add_message(request, messages.ERROR,

                             _('SSL Client Authentication failed. Your client certificate is not valid.'))

        return redirect_to_login(request)

    # SSL entries for this certificate?

    user = authenticate(ssl_info=ssl_info)

    # If the user is logged in, no need to create an account

    # If there is an SSL entries, no need for account creation,

    # just need to login, treated after

    if 'do_creation' in request.session and not user \

            and not request.user.is_authenticated():

        from backends import SSLBackend

        if SSLBackend().create_user(ssl_info):

            user = authenticate(ssl_info=ssl_info)

            logger.info(u'account created for %s', user)

        else:

            logger.error('account creation failure')

            messages.add_message(request, messages.ERROR,

                                 _('SSL Client Authentication failed. Internal server error.'))

            return redirect_to_login(request)

    # No SSL entries and no user session, redirect account linking page

    if not user and not request.user.is_authenticated():

        return render(request, 'auth/account_linking_ssl.html')

    # No SSL entries but active user session, perform account linking

    if not user and request.user.is_authenticated():

        from backend import SSLBackend

        if not SSLBackend().link_user(ssl_info, request.user):

            logger.error('login() failed')

            messages.add_message(request, messages.ERROR,

                                 _('SSL Client Authentication failed. Internal server error.'))

            return redirect_to_login(request)

        logger.info('Successful linking of the SSL Certificate to an account')

    # SSL Entries found for this certificate,

    # if the user is logged out, we login

    if not request.user.is_authenticated():

        login(request, user)

        record_authentication_event(request, how='ssl')

        return continue_to_next_url(request)

    # SSL Entries found for this certificate, if the user is logged in, we

    # check that the SSL entry for the certificate is this user.

    # else, we make this certificate point on that user.

    if user.username != request.user.username:

        logger.warning(u'The certificate belongs to %s, but %s is logged with, we change the association!',

                       user, request.user)

        from backends import SSLBackend

        cert = SSLBackend().get_certificate(ssl_info)

        cert.user = request.user

        cert.save()

    return continue_to_next_url(request)

@csrf_exempt

def post_account_linking(request):

    if request.method == "POST":

        if 'do_creation' in request.POST and request.POST['do_creation'] == 'on':

            request.session['do_creation'] = 'do_creation'

            return redirect_to_login(request, login_url='user_signin_ssl')

        form = AuthenticationForm(data=request.POST)

        if form.is_valid():

            user = form.get_user()

            login(request, user)

            record_authentication_event(request, how='password')

            return redirect_to_login(request, login_url='user_signin_ssl')

        else:

            return render(request, 'auth/account_linking_ssl.html')

    else:

        return render(request, 'auth/account_linking_ssl.html')

def profile(request, template_name='ssl/profile.html', *args, **kwargs):

    context = kwargs.pop('context', {})

    certificates = models.ClientCertificate.objects.filter(user=request.user)

    context.update({'certificates': certificates})

    return render_to_string(template_name, context, request=request)

def delete_certificate(request, certificate_pk):

    qs = models.ClientCertificate.objects.filter(pk=certificate_pk)

    count = qs.count()

    qs.delete()

    if count:

        logger.info('client certificate %s deleted', certificate_pk)

        messages.info(request, _('Certificate deleted.'))

    return redirect(request, 'account_management', fragment='a2-ssl-certificate-profile')

class SslErrorView(TemplateView):

    template_name = 'error_ssl.html'

error_ssl = SslErrorView.as_view()

# French translation of Authentic

# Copyright (C) 2010, 2011 Entr'ouvert

# This file is distributed under the same license as the Authentic package.

# Frederic Peters <fpeters@entrouvert.com>, 2010.

#

msgid ""

msgstr ""

"Project-Id-Version: Authentic\n"

"Report-Msgid-Bugs-To: \n"

"POT-Creation-Date: 2013-07-23 18:01+0200\n"

"PO-Revision-Date: 2013-07-23 18:01+0200\n"

"Last-Translator: Mikaël Ates <mates@entrouvert.com>\n"

"Language-Team: None\n"

"Language: fr\n"

"MIME-Version: 1.0\n"

"Content-Type: text/plain; charset=UTF-8\n"

"Content-Transfer-Encoding: 8bit\n"

"Plural-Forms: nplurals=2; plural=n>1;\n"

#: backend.py:17 templates/auth/login_password_profile.html:2

msgid "Password"

msgstr "Mot de passe"

#: models.py:23

#, python-format

msgid "Authentication of %(who)s by %(how)s at %(when)s"

msgstr "Authentification de %(who)s par la méthode %(how)s à %(when)s"

#: templates/error_ssl.html:4

msgid "Error: authentication failure"

msgstr "Erreur: Echec de l'authentification"

#: templates/error_ssl.html:8

msgid "Authentication failure"

msgstr "Échec d'authentification"

#: templates/error_ssl.html:10

msgid "The SSL authentication has failed"

msgstr "L'authentification par certificat électronique a échouée."

#: templates/auth/login.html:5 templates/auth/login_form.html:6

msgid "Log in"

msgstr "S'identifier"

#: templates/auth/login_form.html:8

msgid "Cancel"

msgstr "Annuler"

#: templates/auth/login_form.html:14

msgid "Forgot password?"

msgstr "Mot de passe oublié ?"

#: templates/auth/login_form.html:14

msgid "Reset it!"

msgstr "Le réinitialiser !"

#: templates/auth/login_form.html:15

msgid "Not a member?"

msgstr "Pas un membre ?"

#: templates/auth/login_form.html:15

msgid "Register!"

msgstr "S'inscrire !"

#: templates/auth/login_password_profile.html:6

msgid "Change password"

msgstr "Modifier votre mot de passe"

    'authentic2.auth2_auth',

-