0004-to-be-fixed-up-use-a-decorator-to-indicate-views-whe.patch
src/authentic2/idp/saml/saml2_endpoints.py | ||
---|---|---|
112 | 112 |
from authentic2.utils.misc import datetime_to_xs_datetime, find_authentication_event |
113 | 113 |
from authentic2.utils.misc import get_backends as get_idp_backends |
114 | 114 |
from authentic2.utils.misc import login_require, make_url |
115 |
from authentic2.utils.view_decorators import enable_view_restriction |
|
115 | 116 | |
116 | 117 |
from . import app_settings |
117 | 118 | |
... | ... | |
494 | 495 |
return kwargs['name_id_content'] |
495 | 496 | |
496 | 497 | |
498 |
@enable_view_restriction |
|
497 | 499 |
@never_cache |
498 | 500 |
@csrf_exempt |
499 | 501 |
@log_assert |
... | ... | |
624 | 626 |
""" |
625 | 627 |
nonce = login.request.id or get_nonce() |
626 | 628 |
save_key_values(nonce, force_text(login.dump()), False, nid_format) |
627 |
next_url = make_url(continue_sso, params={NONCE_FIELD_NAME: nonce})
|
|
629 |
next_url = make_url('a2-idp-saml-continue', params={NONCE_FIELD_NAME: nonce})
|
|
628 | 630 |
logger.debug('redirect to login page with next url %s', next_url) |
629 | 631 |
return login_require( |
630 | 632 |
request, |
... | ... | |
662 | 664 |
return HttpResponseRedirect(url) |
663 | 665 | |
664 | 666 | |
667 |
@enable_view_restriction |
|
665 | 668 |
@never_cache |
666 | 669 |
def continue_sso(request): |
667 | 670 |
consent_answer = None |
... | ... | |
1025 | 1028 |
return request.user.is_superuser() |
1026 | 1029 | |
1027 | 1030 | |
1031 |
@enable_view_restriction |
|
1028 | 1032 |
@never_cache |
1029 | 1033 |
@csrf_exempt |
1030 | 1034 |
@login_required |
... | ... | |
1126 | 1130 |
return return_saml2_response(request, logout, title=_('You are being redirected to "%s"') % provider.name) |
1127 | 1131 | |
1128 | 1132 | |
1129 |
finish_slo.no_view_restriction = True |
|
1130 | ||
1131 | ||
1132 | 1133 |
def return_logout_error(request, logout, error): |
1133 | 1134 |
logout.buildResponseMsg() |
1134 | 1135 |
set_saml2_response_responder_status_code(logout.response, error) |
... | ... | |
1448 | 1449 |
return a2_views.logout(request, next_url=next_url, do_local=False, check_referer=False) |
1449 | 1450 | |
1450 | 1451 | |
1451 |
slo.no_view_restriction = True |
|
1452 | ||
1453 | ||
1454 | 1452 |
def icon_url(name): |
1455 | 1453 |
return '%s/authentic2/images/%s.png' % (settings.STATIC_URL, name) |
1456 | 1454 | |
... | ... | |
1535 | 1533 |
return HttpResponseRedirect(logout.msgUrl) |
1536 | 1534 | |
1537 | 1535 | |
1538 |
idp_slo.no_view_restriction = True |
|
1539 | ||
1540 | ||
1541 | 1536 |
def process_logout_response(request, logout, soap_response, next): |
1542 | 1537 |
logger.debug('logout response is %r', soap_response) |
1543 | 1538 |
try: |
... | ... | |
1579 | 1574 |
return process_logout_response(request, logout, get_saml2_query_request(request), next) |
1580 | 1575 | |
1581 | 1576 | |
1582 |
slo_return.no_view_restriction = True |
|
1583 | ||
1584 | ||
1585 | 1577 |
# Helpers |
1586 | 1578 | |
1587 | 1579 |
# Mapping to generate the metadata file, must be kept in sync with the url |
src/authentic2/middleware.py | ||
---|---|---|
166 | 166 | |
167 | 167 |
def process_view(self, request, view_func, view_args, view_kwargs): |
168 | 168 |
'''If current view is not the one where we should be, redirect''' |
169 |
if not getattr(view_func, 'enable_view_restriction', False): |
|
170 |
return |
|
171 | ||
169 | 172 |
view = self.check_view_restrictions(request) |
170 | 173 |
if not view: |
171 | 174 |
return |
... | ... | |
174 | 177 |
# do not block on the restricted view |
175 | 178 |
if url_name == view: |
176 | 179 |
return |
177 | ||
178 |
# prevent blocking some views, like logout views |
|
179 |
if getattr(request.resolver_match.func, 'no_view_restriction', False): |
|
180 |
return |
|
181 | 180 |
return utils_misc.redirect_and_come_back(request, view) |
182 | 181 | |
183 | 182 |
src/authentic2/utils/view_decorators.py | ||
---|---|---|
1 |
# authentic2 - versatile identity manager |
|
2 |
# Copyright (C) 2010-2021 Entr'ouvert |
|
3 |
# |
|
4 |
# This program is free software: you can redistribute it and/or modify it |
|
5 |
# under the terms of the GNU Affero General Public License as published |
|
6 |
# by the Free Software Foundation, either version 3 of the License, or |
|
7 |
# (at your option) any later version. |
|
8 |
# |
|
9 |
# This program is distributed in the hope that it will be useful, |
|
10 |
# but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
11 |
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
12 |
# GNU Affero General Public License for more details. |
|
13 |
# |
|
14 |
# You should have received a copy of the GNU Affero General Public License |
|
15 |
# along with this program. If not, see <http://www.gnu.org/licenses/>. |
|
16 | ||
17 | ||
18 |
def enable_view_restriction(view): |
|
19 |
view.enable_view_restriction = True |
|
20 |
return view |
src/authentic2/views.py | ||
---|---|---|
63 | 63 |
from .utils import switch_user as utils_switch_user |
64 | 64 |
from .utils.evaluate import HTTPHeaders |
65 | 65 |
from .utils.service import get_service_from_request, get_service_from_token, set_service_ref |
66 |
from .utils.view_decorators import enable_view_restriction |
|
66 | 67 | |
67 | 68 |
User = get_user_model() |
68 | 69 | |
... | ... | |
427 | 428 |
return ctx |
428 | 429 | |
429 | 430 | |
430 |
homepage = Homepage.as_view()
|
|
431 |
homepage = enable_view_restriction(Homepage.as_view())
|
|
431 | 432 | |
432 | 433 | |
433 | 434 |
class ProfileView(cbv.TemplateNamesMixin, TemplateView): |
... | ... | |
559 | 560 |
return context |
560 | 561 | |
561 | 562 | |
562 |
profile = login_required(ProfileView.as_view())
|
|
563 |
profile = enable_view_restriction(login_required(ProfileView.as_view()))
|
|
563 | 564 | |
564 | 565 | |
565 | 566 |
def logout_list(request): |
... | ... | |
630 | 631 |
return response |
631 | 632 | |
632 | 633 | |
633 |
logout.no_view_restriction = True |
|
634 | ||
635 | ||
636 | 634 |
def login_password_profile(request, *args, **kwargs): |
637 | 635 |
context = kwargs.pop('context', {}) |
638 | 636 |
can_change_password = utils_misc.user_can_change_password(request=request) |
src/authentic2_auth_fc/views.py | ||
---|---|---|
572 | 572 | |
573 | 573 | |
574 | 574 |
logout = LogoutReturnView.as_view() |
575 |
logout.no_view_restriction = True |
src/authentic2_idp_cas/views.py | ||
---|---|---|
36 | 36 |
normalize_attribute_values, |
37 | 37 |
redirect, |
38 | 38 |
) |
39 |
from authentic2.utils.view_decorators import enable_view_restriction |
|
39 | 40 |
from authentic2.views import logout as logout_view |
40 | 41 |
from authentic2_idp_cas.constants import ( |
41 | 42 |
ATTRIBUTES_ELT, |
... | ... | |
467 | 468 |
return redirect(request, next_url) |
468 | 469 | |
469 | 470 | |
470 |
login = LoginView.as_view()
|
|
471 |
login = enable_view_restriction(LoginView.as_view())
|
|
471 | 472 |
logout = LogoutView.as_view() |
472 |
logout.no_view_restriction = True |
|
473 |
_continue = ContinueView.as_view() |
|
473 |
_continue = enable_view_restriction(ContinueView.as_view()) |
|
474 | 474 |
validate = ValidateView.as_view() |
475 | 475 |
service_validate = ServiceValidateView.as_view() |
476 | 476 |
proxy = ProxyView.as_view() |
src/authentic2_idp_oidc/views.py | ||
---|---|---|
48 | 48 |
from authentic2.decorators import setting_enabled |
49 | 49 |
from authentic2.exponential_retry_timeout import ExponentialRetryTimeout |
50 | 50 |
from authentic2.utils.misc import last_authentication_event, login_require, make_url, redirect |
51 |
from authentic2.utils.view_decorators import enable_view_restriction |
|
51 | 52 |
from authentic2.views import logout as a2_logout |
52 | 53 |
from django_rbac.utils import get_ou_model |
53 | 54 | |
... | ... | |
228 | 229 |
return HttpResponse(utils.get_jwkset().export(private_keys=False), content_type='application/json') |
229 | 230 | |
230 | 231 | |
232 |
@enable_view_restriction |
|
231 | 233 |
@setting_enabled('ENABLE', settings=app_settings) |
232 | 234 |
def authorize(request, *args, **kwargs): |
233 | 235 |
validated_redirect_uri = None |
... | ... | |
811 | 813 |
# FIXME: do something with id_token_hint |
812 | 814 |
id_token_hint = request.GET.get('id_token_hint') |
813 | 815 |
return a2_logout(request, next_url=post_logout_redirect_uri, do_local=False, check_referer=False) |
814 | ||
815 | ||
816 |
logout.no_view_restriction = True |
tests/test_user_manager.py | ||
---|---|---|
336 | 336 |
user_count = User.objects.count() |
337 | 337 |
# queries should be batched to keep prefetching working without |
338 | 338 |
# overspending memory for the queryset cache, 4 queries by batches |
339 |
num_queries = int(4 + 4 * (user_count / DEFAULT_BATCH_SIZE + bool(user_count % DEFAULT_BATCH_SIZE)))
|
|
339 |
num_queries = int(4 * (user_count / DEFAULT_BATCH_SIZE + bool(user_count % DEFAULT_BATCH_SIZE))) |
|
340 | 340 |
# export task also perform one query to set trigram an another to get users count |
341 | 341 |
num_queries += 3 |
342 | 342 |
with django_assert_num_queries(num_queries): |
343 |
- |