Révision f2bfdcbb
Ajouté par Jérôme Schneider il y a plus de 9 ans
usr/local/univnautes/sp/sp/auth.py | ||
---|---|---|
1 | 1 |
# -*- encoding: utf-8 -*- |
2 | 2 |
|
3 |
import re |
|
3 | 4 |
import subprocess |
4 | 5 |
import syslog |
5 | 6 |
import xml.etree.ElementTree |
... | ... | |
8 | 9 |
from django.contrib import messages |
9 | 10 |
|
10 | 11 |
from authentic2.authsaml2 import signals |
12 |
from sp import pfconfigxml |
|
13 |
|
|
14 |
COMMENT=re.compile('^\s*($|#)') |
|
11 | 15 |
|
12 | 16 |
def user_login_cb(sender, request, attributes={}, **kwargs): |
13 | 17 |
if request and request.user.is_anonymous(): |
... | ... | |
35 | 39 |
# log needs eduPersonTargetedID + transientID + idp |
36 | 40 |
username = eduPersonTargetedID + '|' + eduPersonTargetedID_NameQualifier |
37 | 41 |
|
38 |
# TODO : blacklist |
|
39 |
|
|
40 | 42 |
ip = request.META['REMOTE_ADDR'] |
41 | 43 |
|
44 |
# user blacklist |
|
45 |
try: |
|
46 |
nameid_bl = pfconfigxml.get_blacklists('nameid') |
|
47 |
for line in nameid_bl.splitlines(True): |
|
48 |
if COMMENT.match(line): |
|
49 |
continue |
|
50 |
userbl = line.strip() |
|
51 |
# if the line starts with ~, it's a regex |
|
52 |
if userbl[0] == '~' and re.match(userbl[1::], username): |
|
53 |
request.session['pfsenseid'] = 'BLACKLISTED' |
|
54 |
messages.error(request, u"Connexion refusée (règle dans une liste noire).") |
|
55 |
syslog.openlog("logportalauth", syslog.LOG_PID) |
|
56 |
syslog.syslog(syslog.LOG_LOCAL4 | syslog.LOG_INFO , "BLACKLISTED-REGEX: %s,,%s" % (username, ip)) |
|
57 |
return False |
|
58 |
elif userbl.strip() == username: |
|
59 |
request.session['pfsenseid'] = 'BLACKLISTED' |
|
60 |
messages.error(request, u"Connexion refusée (présent dans une liste noire).") |
|
61 |
syslog.openlog("logportalauth", syslog.LOG_PID) |
|
62 |
syslog.syslog(syslog.LOG_LOCAL4 | syslog.LOG_INFO , "BLACKLISTED: %s,,%s" % (username, ip)) |
|
63 |
return False |
|
64 |
except: |
|
65 |
pass |
|
66 |
|
|
42 | 67 |
# univnautes idp returns univnautesPrivileges attribute (a list) |
43 | 68 |
multiple = 0 |
44 | 69 |
privileges = attributes.get((u'univnautesPrivileges', u'urn:oasis:names:tc:SAML:2.0:attrname-format:basic'), []) |
usr/local/univnautes/sp/sp/management/commands/configxml.py | ||
---|---|---|
18 | 18 |
|
19 | 19 |
from django.core.management.base import BaseCommand, CommandError |
20 | 20 |
import os |
21 |
import sys |
|
21 | 22 |
from sp import pfconfigxml |
22 | 23 |
|
23 |
def get(key): |
|
24 |
def get(key, args):
|
|
24 | 25 |
if key == 'cpnames': |
25 | 26 |
for n in pfconfigxml.get_saml_cps(): |
26 | 27 |
print n['name'] |
28 |
elif key == 'blacklist': |
|
29 |
if len(args) > 2: |
|
30 |
print pfconfigxml.get_blacklists(args[2]) |
|
31 |
else: |
|
32 |
print >> sys.stderr, 'you need to choose a blacklist (nameid or macadresses)' |
|
27 | 33 |
|
28 | 34 |
class Command(BaseCommand): |
29 | 35 |
help = 'get infos from config.xml' |
... | ... | |
35 | 41 |
print "syntax: configxml get|set key" |
36 | 42 |
return |
37 | 43 |
if action == 'get': |
38 |
return get(key) |
|
44 |
return get(key, args)
|
|
39 | 45 |
|
usr/local/univnautes/sp/sp/pfconfigxml.py | ||
---|---|---|
240 | 240 |
}) |
241 | 241 |
return whitelists |
242 | 242 |
|
243 |
|
|
244 |
def get_blacklists(list_type): |
|
245 |
""" |
|
246 |
<blacklists> |
|
247 |
<macaddresses>base64</macaddresses> |
|
248 |
<nameid>base64</nameid> |
|
249 |
</blacklists> |
|
250 |
""" |
|
251 |
xml_blacklist = root().find('univnautes/blacklists/%s' % list_type) |
|
252 |
if xml_blacklist is not None and xml_blacklist.text: |
|
253 |
return xml_blacklist.text.decode('base64') |
|
254 |
return '' |
|
255 |
|
Formats disponibles : Unified diff
Add support for nameIDs blacklist
Closes #5571