0005-models-mind-auth-level-at-service-access-authorizati.patch
| src/authentic2/idp/saml/saml2_endpoints.py | ||
|---|---|---|
| 694 | 694 |
set_saml2_response_responder_status_code(login.response, lasso.SAML2_STATUS_CODE_NO_PASSIVE) |
| 695 | 695 |
return finish_sso(request, login) |
| 696 | 696 | |
| 697 |
service.authorize(request.user)
|
|
| 697 |
service.authorize(request) |
|
| 698 | 698 | |
| 699 | 699 |
hooks.call_hooks('event', name='sso-request', idp='saml2', service=service)
|
| 700 | 700 | |
| src/authentic2/manager/role_views.py | ||
|---|---|---|
| 30 | 30 |
from django_rbac.exceptions import InsufficientAuthLevel |
| 31 | 31 |
from django_rbac.utils import get_role_model, get_permission_model, get_ou_model |
| 32 | 32 | |
| 33 |
from authentic2.utils import redirect |
|
| 33 |
from authentic2.utils import redirect, increase_auth_level
|
|
| 34 | 34 |
from authentic2 import hooks, data_transfer |
| 35 | 35 | |
| 36 | 36 |
from . import tables, views, resources, forms, app_settings, utils |
| ... | ... | |
| 178 | 178 |
user=self.request.user, role=self.object, member=user) |
| 179 | 179 |
else: |
| 180 | 180 |
if self.could_change: |
| 181 |
return utils.increase_auth_level(self.request)
|
|
| 181 |
return increase_auth_level(self.request) |
|
| 182 | 182 |
messages.warning(self.request, _('You are not authorized'))
|
| 183 | 183 |
return super(RoleMembersView, self).form_valid(form) |
| 184 | 184 | |
| ... | ... | |
| 209 | 209 |
def post(self, request, *args, **kwargs): |
| 210 | 210 |
if not self.can_delete: |
| 211 | 211 |
if self.could_delete: |
| 212 |
return utils.increase_auth_level(self.request)
|
|
| 212 |
return increase_auth_level(self.request) |
|
| 213 | 213 |
raise PermissionDenied |
| 214 | 214 |
return super(RoleDeleteView, self).post(request, *args, **kwargs) |
| 215 | 215 | |
| ... | ... | |
| 265 | 265 |
user=self.request.user, role=self.object, permission=perm) |
| 266 | 266 |
else: |
| 267 | 267 |
if self.could_change: |
| 268 |
return utils.increase_auth_level(self.request)
|
|
| 268 |
return increase_auth_level(self.request) |
|
| 269 | 269 |
messages.warning(self.request, _('You are not authorized'))
|
| 270 | 270 |
return super(RolePermissionsView, self).form_valid(form) |
| 271 | 271 | |
| src/authentic2/manager/utils.py | ||
|---|---|---|
| 41 | 41 |
@GlobalCache(timeout=10) |
| 42 | 42 |
def get_ou_count(): |
| 43 | 43 |
return get_ou_model().objects.count() |
| 44 | ||
| 45 | ||
| 46 |
def increase_auth_level(request): |
|
| 47 |
current_auth_level = request.session.get('auth_level', 1)
|
|
| 48 |
return login_require(request, params={'auth_level': current_auth_level + 1})
|
|
| src/authentic2/manager/views.py | ||
|---|---|---|
| 43 | 43 | |
| 44 | 44 |
from authentic2.data_transfer import export_site, import_site, DataImportError, ImportContext |
| 45 | 45 |
from authentic2.forms.profile import modelform_factory |
| 46 |
from authentic2.utils import redirect, batch_queryset |
|
| 46 |
from authentic2.utils import redirect, batch_queryset, increase_auth_level
|
|
| 47 | 47 |
from authentic2.decorators import json as json_view |
| 48 | 48 |
from authentic2 import hooks |
| 49 | 49 | |
| ... | ... | |
| 150 | 150 |
try: |
| 151 | 151 |
response = self.authorize(request, *args, **kwargs) |
| 152 | 152 |
except InsufficientAuthLevel: |
| 153 |
return utils.increase_auth_level(request)
|
|
| 153 |
return increase_auth_level(request) |
|
| 154 | 154 |
if response is not None: |
| 155 | 155 |
return response |
| 156 | 156 |
return super(PermissionMixin, self).dispatch(request, *args, **kwargs) |
| src/authentic2/middleware.py | ||
|---|---|---|
| 265 | 265 |
def process_exception(self, request, exception): |
| 266 | 266 |
if not isinstance(exception, (utils.ServiceAccessDenied,)): |
| 267 | 267 |
return None |
| 268 |
if isinstance(exception, (utils.IncreaseAuthLevel,)): |
|
| 269 |
return utils.increase_auth_level(request) |
|
| 268 | 270 |
return utils.unauthorized_view(request, exception.service) |
| src/authentic2/models.py | ||
|---|---|---|
| 39 | 39 |
from . import managers |
| 40 | 40 |
# install our natural_key implementation |
| 41 | 41 |
from . import natural_key as unused_natural_key # noqa: F401 |
| 42 |
from .utils import ServiceAccessDenied |
|
| 42 |
from .utils import ServiceAccessDenied, IncreaseAuthLevel
|
|
| 43 | 43 | |
| 44 | 44 | |
| 45 | 45 |
class DeletedUser(models.Model): |
| ... | ... | |
| 369 | 369 |
def __repr__(self): |
| 370 | 370 |
return '<%s %r>' % (self.__class__.__name__, six.text_type(self)) |
| 371 | 371 | |
| 372 |
def authorize(self, user):
|
|
| 372 |
def authorize(self, request):
|
|
| 373 | 373 |
if not self.authorized_roles.exists(): |
| 374 | 374 |
return True |
| 375 |
if user.roles_and_parents().filter(allowed_services=self).exists(): |
|
| 376 |
return True |
|
| 375 |
allowed_roles = request.user.roles_and_parents() \ |
|
| 376 |
.filter(allowed_services=self) \ |
|
| 377 |
.set_needed_auth_levels(request.user) |
|
| 378 |
user_auth_level = request.session.get('auth_level', 1)
|
|
| 379 |
for role in allowed_roles: |
|
| 380 |
if role.needed_auth_level <= user_auth_level: |
|
| 381 |
return True |
|
| 382 |
if allowed_roles: |
|
| 383 |
raise IncreaseAuthLevel(service=self) |
|
| 377 | 384 |
raise ServiceAccessDenied(service=self) |
| 378 | 385 | |
| 379 | 386 |
def add_authorized_role(self, role): |
| src/authentic2/utils.py | ||
|---|---|---|
| 977 | 977 |
self.service = service |
| 978 | 978 | |
| 979 | 979 | |
| 980 |
class IncreaseAuthLevel(ServiceAccessDenied): |
|
| 981 |
pass |
|
| 982 | ||
| 983 | ||
| 980 | 984 |
def unauthorized_view(request, service): |
| 981 | 985 |
context = {'callback_url': service.unauthorized_url or reverse('auth_homepage')}
|
| 982 | 986 |
return render(request, 'authentic2/unauthorized.html', context=context) |
| ... | ... | |
| 1157 | 1161 |
if session is not None: |
| 1158 | 1162 |
return session.get(constants.AUTHENTICATION_EVENTS_SESSION_KEY, []) |
| 1159 | 1163 |
return [] |
| 1164 | ||
| 1165 | ||
| 1166 |
def increase_auth_level(request): |
|
| 1167 |
current_auth_level = request.session.get('auth_level', 1)
|
|
| 1168 |
return login_require(request, params={'auth_level': current_auth_level + 1})
|
|
| src/authentic2_idp_cas/views.py | ||
|---|---|---|
| 181 | 181 |
return self.authenticate(request, st) |
| 182 | 182 |
# if user not authorized, a ServiceAccessDenied exception |
| 183 | 183 |
# is raised and handled by ServiceAccessMiddleware |
| 184 |
st.service.authorize(request.user)
|
|
| 184 |
st.service.authorize(request) |
|
| 185 | 185 | |
| 186 | 186 |
self.validate_ticket(request, st) |
| 187 | 187 |
if st.valid(): |
| src/authentic2_idp_oidc/views.py | ||
|---|---|---|
| 202 | 202 | |
| 203 | 203 |
# if user not authorized, a ServiceAccessDenied exception |
| 204 | 204 |
# is raised and handled by ServiceAccessMiddleware |
| 205 |
client.authorize(request.user)
|
|
| 205 |
client.authorize(request) |
|
| 206 | 206 | |
| 207 | 207 |
last_auth = last_authentication_event(request=request) |
| 208 | 208 |
if max_age is not None and time.time() - last_auth['when'] >= max_age: |
| 209 |
- |
|