
django-cas's Issues

Django 1.11 user.has_perm doesn't work with CAS.

Hello,

I have a problem using django-cas when I try to use the Django has_perm method to authorize some access with user permissions in code. When I use the has_perm method with the Middleware and Auth Backend from CAS, the method does not work as it should; it always returns False unless the user is a superuser. Could you please help me with this? I tried the same action with CAS auth deactivated, using local auth, and the method works properly.
Thanks in advance.

Django Version 1.11.4 and 1.11.5

Pdb without CAS client active (Local Auth).

(Pdb) user
<User: baseproject>
(Pdb) perm
'auth.pruebaapi'
(Pdb) user.user_permissions.all()[0]
<Permission: auth | permiso | pruebaapi>
(Pdb) user.user_permissions.all()[0].codename
'pruebaapi'
(Pdb) user.has_perm(perm)
True
(Pdb)

Pdb with Cas client active

(Pdb) user
<User: baseproject>
(Pdb) perm
'auth.pruebaapi'
(Pdb) user.user_permissions.all()[0]
<Permission: auth | permiso | pruebaapi>
(Pdb) user.user_permissions.all()[0].codename
'pruebaapi'
(Pdb) user.has_perm(perm)
False
(Pdb) Why ?

Django 1.5 get_host issue

ient 10.99.6.24] raise exceptions.ImproperlyConfigured('Error importing middleware %s: "%s"' % (mw_module, e))
[Thu Feb 28 18:48:51 2013] [error] [client 10.99.6.24] ImproperlyConfigured: Error importing middleware cas.middleware: "cannot import name get_host"

How to use in Django2.0

In main urls.py, I write

    url(r'^accounts/login/$', 'cas.views.login', name='login'),
    url(r'^accounts/logout/$', 'cas.views.logout', name='logout'),

I added everything mentioned in the README.md to settings.py.

When I run the command to start the server, an error is thrown:

  File "/home/hexin/Work/项目管理/06-程序代码/website/website/urls.py", line 22, in <module>
    url(r'^accounts/login/$', 'cas.views.login', name='login'),
  File "/usr/local/lib/python3.5/dist-packages/django/conf/urls/__init__.py", line 13, in url
    return re_path(regex, view, kwargs, name)
  File "/usr/local/lib/python3.5/dist-packages/django/urls/conf.py", line 73, in _path
    raise TypeError('view must be a callable or a list/tuple in the case of include().')
TypeError: view must be a callable or a list/tuple in the case of include().

Support CAS protocol v3: new user attributes

Hi,

Since CAS server version 4.0.0, which implements the CAS protocol v3, there are new endpoints: /p3/serviceValidate and /p3/proxyValidate, which return user attributes in addition to the user name (XML format). Example:

<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
    <cas:authenticationSuccess>
        <cas:user>jleleu</cas:user>
        <cas:attributes>
            <cas:firstname>Jerome</cas:firstname>
            <cas:lastname>LELEU</cas:lastname>
        </cas:attributes>
    </cas:authenticationSuccess>
</cas:serviceResponse>

It doesn't seem to be supported by this CAS client.
I tried using the following settings to get the new XML response:

LOGIN_URL = "https://myserver/cas/login"
CAS_SERVER_URL = "https://myserver/cas/p3/"

but it doesn't work: I'm stuck on my login page with: https://myserver/cas/login?next=http%3A//localhost%3A8000/protected/index instead of https://myserver/cas/login?service=http%3A//localhost%3A8000/protected/index.

Am I missing something on this problem?

Do you plan to support CAS protocol v3?

Thanks.
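
A parser for the /p3/serviceValidate response quoted in this issue, as an added example (not django-cas code and not part of the original post). The function and exception names are hypothetical, the failure response is constructed, and attribute values are returned as lists so a repeated element is not lost.

```python
import xml.etree.ElementTree as ET

CAS_NS = "{http://www.yale.edu/tp/cas}"

# The success response quoted in the issue above.
SAMPLE_SUCCESS = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
    <cas:authenticationSuccess>
        <cas:user>jleleu</cas:user>
        <cas:attributes>
            <cas:firstname>Jerome</cas:firstname>
            <cas:lastname>LELEU</cas:lastname>
        </cas:attributes>
    </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed failure response (the ticket value is made up).
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
    <cas:authenticationFailure code="INVALID_TICKET">
        Ticket ST-constructed-example not recognized
    </cas:authenticationFailure>
</cas:serviceResponse>"""


class CASValidationError(Exception):
    """Raised when the response must not be treated as a login."""


def parse_p3_response(xml_text):
    """Return (username, attributes) for a success response, else raise."""
    # A CAS response never needs a DTD; refusing one avoids entity expansion.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise CASValidationError("DTD/entity declarations are not accepted")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise CASValidationError("malformed XML: %s" % exc) from exc
    if root.tag != CAS_NS + "serviceResponse":
        raise CASValidationError("unexpected root element %r" % root.tag)

    failure = root.find(CAS_NS + "authenticationFailure")
    if failure is not None:
        reason = (failure.text or "").strip()
        raise CASValidationError("%s: %s" % (failure.get("code"), reason))

    success = root.find(CAS_NS + "authenticationSuccess")
    username = success.findtext(CAS_NS + "user") if success is not None else None
    if not username or not username.strip():
        # Fail closed: no user element means no authenticated identity.
        raise CASValidationError("no cas:user in response")

    attributes = {}
    attr_node = success.find(CAS_NS + "attributes")
    if attr_node is not None:
        for child in attr_node:
            name = child.tag.replace(CAS_NS, "", 1)
            # Keep every occurrence so a repeated element is not overwritten.
            attributes.setdefault(name, []).append((child.text or "").strip())
    return username.strip(), attributes
```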

How can I get the object:request to do some initialization for the login user

I want to put some permissions in the session after the user has finished the CAS authentication,
so that I can show the permissions in the page:index.html.
I found 'CAS_RESPONSE_CALLBACKS' to define a callback function, but it seems not to be enough for me.
I don't know how to get the 'request' so that I can do... request.session["modules"] = utils.get_user_modules(user)

Add get_proxy_ticket

Should this be a part of django-cas?

def get_proxy_ticket(username):
    from cas.models import Tgt
    from django.conf import settings  # needed for the TICKET_SERVICE_URL lookup below
    from django.core.exceptions import ObjectDoesNotExist

    try:
        tgt = Tgt.objects.get(username=username)
        proxy_ticket = tgt.get_proxy_ticket_for(getattr(settings, 'TICKET_SERVICE_URL', None))

        return proxy_ticket
    except ObjectDoesNotExist:
        return None

Allow opt out of waiting time for PGT Tickets

Allow user to opt out of this wait loop

    pgtIou = None
    retries_left = 5
    while not pgtIou and retries_left:
        try:
            p = PgtIOU.objects.get(tgt=pgt)
            logger.warning('PgtIOU retrieved.')
            return p
        except PgtIOU.DoesNotExist:
            time.sleep(1)
            retries_left -= 1

Hashes in the URL are not passed as part of the service URL

Description:
It appears that part of the URL is lost when logging in from a page with a hash in the URL. This is an issue for front-end dynamic page navigation, causing the user to return to a different page.

Steps to reproduce:
If one is on a page with a hash in the url, http://localhost/some/path/#hash for example, the hash is dropped when redirecting to the CAS_URL resulting in http://cas_url/?service=http://localhost/some/path/.

Using version: 1.5.3
Django version: 3.0

[EDIT]
CLOSING as not fixable

It appears no servers can see past the #hash portion of the URL without some effort and custom config to pass them in via headers or other workarounds.

One possible front end workaround: generate the SSO login URL using JS and encode the landing page path similar to:

[unencoded for the sake of readability]
http://cas_sso_server/cas/login/?service=http://localhost/login?next=/path/to/#hash-here

Note: the ?next param will tell Django to redirect to the given path after login.

How to get CAS_RESPONSE_CALLBACKS tree value

Hi

I'm working on the installation of this git project: https://github.com/EsupPortail/Esup-Pod
This project uses django-cas-client 1.5.2.
I encounter some problems with CAS Auth configuration.

In order to debug I'm looking for a way to get the CAS_RESPONSE_CALLBACKS tree value.

What is the best way to get the tree value returned by my CAS server?

If I understand correctly, in this project's settings.py I have:

CAS_RESPONSE_CALLBACKS = (
        'pod.authentication.populatedCASbackend.populateUser',
        # function call to add some information to user login by CAS
    )

This calls the function populateUser in pod/authentication/populatedCASbackend.py:

def populateUser(tree):
    username_element = tree.find(
        './/{http://www.yale.edu/tp/cas}%s' % AUTH_CAS_USER_SEARCH)
    username = username_element.text
    user, user_created = User.objects.get_or_create(username=username)
    owner, owner_created = Owner.objects.get_or_create(user=user)
    owner.auth_type = 'CAS'
    owner.save()

    if POPULATE_USER == 'CAS':
        #raise Exception(tree)
        populate_user_from_tree(user, owner, tree)
    if POPULATE_USER == 'LDAP' and LDAP_SERVER['url'] != '':
        list_value = []
        for val in USER_LDAP_MAPPING_ATTRIBUTES.values():
            list_value.append(str(val))
        conn = get_ldap_conn()
        if conn is not None:
            entry = get_entry(conn, username, list_value)
            if entry is not None:
                populate_user_from_entry(user, owner, entry)

I tried putting raise Exception(tree) in order to force Django to show me the tree value in the browser, but it doesn't seem to work.

What is the best way to get the value of the CAS_RESPONSE_CALLBACKS tree?

Cordially,

Multiple CAS endpoints in a single project.

This doesn't seem to support having multiple CAS endpoints for a single project.

For example, if I have a Django project that has to support multiple institutions, all of which have a different CAS endpoint, there isn't a way to set it up so that:

institution1views = cas.views.Institution(server_url='https://cas.institution1.edu/cas/')
institution2views = cas.views.Institution(server_url='https://cas.institution2.edu/cas/')
urlpatterns = [
    url(r'^institution1/login/$', institution1views.login, name='inst1-login'),
    url(r'^institution1/logout/$', institution1views.logout, name='inst1-logout'),
    url(r'^institution2/login/$', institution2views.login, name='inst2-login'),
    url(r'^institution2/logout/$', institution2views.logout, name='inst2-logout'),
]

This is just an example of how it might be set up. But essentially, I'm finding that it would be helpful to configure a "different" backend for different institutions within the same Django project.

django-cas with Django Rest Framework

I'm attempting to add CAS authentication to an existing Django/DRF app using django-cas. I've been successful so far except for redirecting to the CAS login page via the "Login" link in the DRF API page. If I explicitly navigate to the CAS login page and again explicitly to the DRF API page I'm properly authenticated; it's just redirecting within the app that seems to be giving me a problem. This perhaps has more to do with my unfamiliarity with Django, but I'm hoping I might at least get some confirmation on my setup.

More specifically, I'm seeing this error:

Environment:


Request Method: GET
Request URL: http://localhost:8000/api-auth/login/?next=/api/

Django Version: 1.8.2
Python Version: 3.4.4
Installed Applications:
('django.contrib.admin',
 'django.contrib.contenttypes',
 'django.contrib.auth',
 'django.contrib.sessions',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'rest_framework',
 'django_extensions',
 'rest_framework_swagger',
 'corsheaders',
 'cas')
Installed Middleware:
('django.contrib.sessions.middleware.SessionMiddleware',
 'corsheaders.middleware.CorsMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
 'django.middleware.security.SecurityMiddleware',
 'cas.middleware.CASMiddleware')


Traceback:
File "C:\Users\chazzlabs\Envs\backend-project\lib\site-packages\django\core\handlers\base.py" in get_response
  125.                     response = middleware_method(request, callback, callback_args, callback_kwargs)
File "C:\Users\chazzlabs\Envs\backend-project\lib\site-packages\cas\middleware.py" in process_view
  49.             return cas_login(request, *view_args, **view_kwargs)

Exception Type: TypeError at /api-auth/login/
Exception Value: login() got an unexpected keyword argument 'template_name'

It seems my issue is that, since the app is using the default DRF rest_framework.urls login view, it's sending a template_name keyword arg to the login() function of django-cas, which doesn't support the argument. I've configured django-cas according to the README, setting CAS_SERVER_URL, adding cas.middleware.CASMiddleware, adding the CAS login/logout URLs, and adding the AUTHENTICATION_BACKENDS. I've also configured DRF to use rest_framework.authentication.SessionAuthentication.

Is it possible to have the default DRF login views redirect to CAS, or is there perhaps another way I should go about this?

Strip usernames when creating them

I ran into a situation today where duplicate user accounts were being created. After some digging around I noticed that if a user typed in a leading or trailing space while typing their username, then it would treat these accounts as unique and create a new record in auth_user. This can lead to confusing results for the end user, as anything associated with an account they might have had previously looks to them as if it disappeared.

Would you be willing to accept a patch for backends.py[1] with something to the effect of:

username = _verify(ticket, service)

if not username:
    return None

username = username.strip()

[1] https://github.com/kstateome/django-cas/blob/develop/cas/backends.py#L231

Django 1.10 Middleware problem

There are a lot of middlewares affected by an update in Django 1.10. The error thrown is:
........... /site-packages/django/core/handlers/base.py", line 82, in load_middleware
mw_instance = middleware(handler)
TypeError: object() takes no parameters

Are there plans on fixing this soon?

HTTPS Logout Bug

It seems like when using HTTPS it doesn't display the correct url to click on the CAS site to log back in. For example if the site is https://example.com/ and you sign out the CAS site will display http://example.com/http://example.com/ for the link to click to log back in. Using https://ngrok.com/ so I could debug https locally, I was able to trace down where the bug happens. It seems like it happens in the _redirect_url function found in cas/views.py. I was able to get around the bug by adding the following settings:

CAS_IGNORE_REFERER = True
CAS_REDIRECT_URL = '/'

Issue with Django 2.1

Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/django/utils/autoreload.py", line 225, in wrapper
fn(*args, **kwargs)
File "/usr/lib/python3.6/site-packages/django/core/management/commands/runserver.py", line 137, in inner_run
handler = self.get_handler(*args, **options)
File "/usr/lib/python3.6/site-packages/django/contrib/staticfiles/management/commands/runserver.py", line 27, in get_handler
handler = super().get_handler(*args, **options)
File "/usr/lib/python3.6/site-packages/django/core/management/commands/runserver.py", line 64, in get_handler
return get_internal_wsgi_application()
File "/usr/lib/python3.6/site-packages/django/core/servers/basehttp.py", line 49, in get_internal_wsgi_application
) from err
django.core.exceptions.ImproperlyConfigured: WSGI application 'catalog_db.wsgi.application' could not be loaded; Error importing module.

Current error message when attempting to run the server. Reverted back to Django 2.0.6 and the CAS backend works properly again.

Django 1.9 warning

RemovedInDjango19Warning: Model class cas.models.PgtIOU doesn't declare an explicit app_label and either isn't in an application in INSTALLED_APPS or else was imported before its application was loaded. This will no longer be supported in Django 1.9.

RemovedInDjango19Warning: Model class cas.models.Tgt doesn't declare an explicit app_label and either isn't in an application in INSTALLED_APPS or else was imported before its application was loaded. This will no longer be supported in Django 1.9.

CAS Group membership and permissions?

I need the ability to restrict people in certain groups from using parts of my app. I'm using mama-cas talking to LDAP as my provider and have enabled mama_cas.callbacks.user_model_attributes callbacks. Is there a way to get group membership from CAS?

Keeping CAS and Django sessions in sync

Is there any way to keep the CAS session and Django sessions in sync?

It seems like if I log into a Django project using CAS and I continue using the site (keeping the Django session active, not expiring), eventually I notice that the CAS session has expired.

This might be from my not understanding what CAS is doing or how the django-cas-client app is working, but it seems like I should be able to more closely link up or connect (sync) the single sign-on feature of CAS with Django. I guess this might also mean that if I log out of CAS somewhere else, I should be logged out of my Django app too.

It seems it does not support Django 2.0

When I run the app, I get:

File "<frozen importlib._bootstrap>", line 978, in _gcd_import
  File "<frozen importlib._bootstrap>", line 961, in _find_and_load
  File "<frozen importlib._bootstrap>", line 936, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 205, in _call_with_frames_removed
  File "<frozen importlib._bootstrap>", line 978, in _gcd_import
  File "<frozen importlib._bootstrap>", line 961, in _find_and_load
  File "<frozen importlib._bootstrap>", line 950, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 655, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 678, in exec_module
  File "<frozen importlib._bootstrap>", line 205, in _call_with_frames_removed
  File "/Users/tony/env/kunlun/lib/python3.6/site-packages/cas/views.py", line 19, in <module>
    from django.core.urlresolvers import reverse
ModuleNotFoundError: No module named 'django.core.urlresolvers'

django.core.urlresolvers does not exist in Django 2.0.

Not redirecting to CAS

Hello,

I am running on Django 1.9. Instead of redirecting to the CAS url, I just get the error page. I am attempting to access https://localhost:8000/accounts/login as defined in my urls.py:

Here is my urls.py:

urlpatterns = [
    url(r'^proctors/admin/', admin.site.urls),
    url(r'^coaches/login/$', 'django.contrib.auth.views.login', {'template_name':'loginform.html'}, name='login'),
    url(r'^coaches/', include('registration.urls')),
    url(r'^proctors/', include('grading.urls')),
    url(r'^proctors/progress/$', 'grading.views.progress', name='progress'),
    url(r'^accounts/login/$', 'cas.views.login', name='proctor_login'),
    url(r'^accounts/logout/$', 'cas.views.logout', name='proctor_logout'),
]

"Forbidden

You do not have staff privileges."

Here is my settings.py:

CAS_SERVER_URL = 'https://fed.princeton.edu/cas/'

CAS_RETRY_LOGIN = True

CAS_REDIRECT_URL = '/proctors/'

Callback does not work when only one method is defined

I'm starting work on #28, and for that I only defined one callback:

CAS_RESPONSE_CALLBACKS = (
    'webapp.cas.callbackresponse'
)

In that case, I get a 500 error and the callback method is never called.

After a successful CAS authentication, from: https://github.com/kstateome/django-cas/blob/develop/cas/backends.py#L70, the cas_response_callbacks method is called: https://github.com/kstateome/django-cas/blob/develop/cas/utils.py#L6.
With only one callback method defined (like above), the callbacks property is strangely an array of all characters: ['w', 'e', 'b', 'a', 'p', 'p', '.', 'c', 'a', 's', '.', 'c', 'a', 'l', 'l', 'b', 'a', 'c', 'k', 'r', 'e', 's', 'p', 'o', 'n', 's', 'e'] and thus, the callback is never properly called.
With two callback methods defined or more, it works.
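
The behaviour reported in this issue, with a loader that tolerates it, as an added example (not django-cas code and not part of the original post). The function names are hypothetical, and `xml.etree.ElementTree.tostring` stands in for a real callback so that the parsed tree handed to callbacks can be inspected.

```python
import importlib
import xml.etree.ElementTree as ET

# Setting exactly as written in the issue: parentheses without a trailing
# comma do not make a tuple, so this is a plain str.
BROKEN = (
    'webapp.cas.callbackresponse'
)
# One-element tuple: the trailing comma is what makes it a tuple.
FIXED = (
    'webapp.cas.callbackresponse',
)


def normalize_callbacks(value):
    """Return the setting as a list of dotted paths, whatever its shape."""
    if value is None:
        return []
    if isinstance(value, str):
        # Iterating a str yields characters ('w', 'e', 'b', ...); wrap it.
        return [value]
    paths = list(value)
    for path in paths:
        if not isinstance(path, str) or "." not in path:
            raise ValueError("not a dotted callback path: %r" % (path,))
    return paths


def load_callback(path):
    """Import 'package.module.function' and return the callable."""
    module_name, func_name = path.rsplit(".", 1)
    func = getattr(importlib.import_module(module_name), func_name)
    if not callable(func):
        raise TypeError("%s is not callable" % path)
    return func


def run_callbacks(setting, tree):
    """Call every configured callback with the parsed response tree."""
    return [load_callback(p)(tree) for p in normalize_callbacks(setting)]


def demo():
    # Constructed response tree; ElementTree.tostring stands in for a real
    # callback and returns the serialized tree so it can be inspected.
    tree = ET.fromstring("<serviceResponse><user>alice</user></serviceResponse>")
    return run_callbacks('xml.etree.ElementTree.tostring', tree)
```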
