2023-02-26 21:24:07 +01:00
|
|
|
# -*- coding: UTF-8 -*
|
|
|
|
|
"""
|
|
|
|
|
auth.cas.py
|
|
|
|
|
"""
|
|
|
|
|
import datetime
|
|
|
|
|
|
|
|
|
|
import flask
|
|
|
|
|
from flask import current_app, flash, url_for
|
|
|
|
|
from flask_login import login_user
|
|
|
|
|
|
|
|
|
|
from app.auth import bp
|
|
|
|
|
from app.auth.models import User
|
|
|
|
|
from app.models.config import ScoDocSiteConfig
|
2023-02-27 09:46:15 +01:00
|
|
|
from app.scodoc.sco_exceptions import ScoValueError
|
2023-02-26 21:24:07 +01:00
|
|
|
|
|
|
|
|
# after_cas_login/after_cas_logout : routes appelées par redirect depuis le serveur CAS.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@bp.route("/after_cas_login")
|
|
|
|
|
def after_cas_login():
|
|
|
|
|
"Called by CAS after CAS authentication"
|
|
|
|
|
# Ici on a les infos dans flask.session["CAS_ATTRIBUTES"]
|
|
|
|
|
if ScoDocSiteConfig.is_cas_enabled() and ("CAS_ATTRIBUTES" in flask.session):
|
|
|
|
|
# Lookup user:
|
|
|
|
|
cas_id = flask.session["CAS_ATTRIBUTES"].get(
|
|
|
|
|
"cas:" + ScoDocSiteConfig.get("cas_attribute_id")
|
|
|
|
|
)
|
|
|
|
|
if cas_id is not None:
|
|
|
|
|
user = User.query.filter_by(cas_id=cas_id).first()
|
|
|
|
|
if user and user.active:
|
|
|
|
|
if user.cas_allow_login:
|
|
|
|
|
current_app.logger.info(f"CAS: login {user.user_name}")
|
|
|
|
|
if login_user(user):
|
|
|
|
|
flask.session[
|
|
|
|
|
"scodoc_cas_login_date"
|
|
|
|
|
] = datetime.datetime.now().isoformat()
|
|
|
|
|
return flask.redirect(url_for("scodoc.index"))
|
|
|
|
|
else:
|
|
|
|
|
current_app.logger.info(
|
|
|
|
|
f"CAS login denied for {user.user_name} (not allowed to use CAS)"
|
|
|
|
|
)
|
|
|
|
|
else:
|
|
|
|
|
current_app.logger.info(
|
|
|
|
|
f"""CAS login denied for {user.user_name if user else ""} cas_id={cas_id} (unknown or inactive)"""
|
|
|
|
|
)
|
2023-02-26 21:40:15 +01:00
|
|
|
else:
|
|
|
|
|
current_app.logger.info(
|
|
|
|
|
f"""CAS attribute '{ScoDocSiteConfig.get("cas_attribute_id")}' not found !
|
|
|
|
|
(check your ScoDoc config)"""
|
|
|
|
|
)
|
2023-02-26 21:24:07 +01:00
|
|
|
|
|
|
|
|
# Echec:
|
|
|
|
|
flash("échec de l'authentification")
|
|
|
|
|
return flask.redirect(url_for("auth.login"))
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@bp.route("/after_cas_logout")
|
|
|
|
|
def after_cas_logout():
|
|
|
|
|
"Called by CAS after CAS logout"
|
|
|
|
|
flash("Vous êtes déconnecté")
|
|
|
|
|
current_app.logger.info("after_cas_logout")
|
|
|
|
|
return flask.redirect(url_for("scodoc.index"))
|
|
|
|
|
|
|
|
|
|
|
2023-02-27 09:46:15 +01:00
|
|
|
def cas_error_callback(message):
|
|
|
|
|
"Called by CAS when an error occurs, with a message"
|
|
|
|
|
raise ScoValueError(f"Erreur authentification CAS: {message}")
|
|
|
|
|
|
|
|
|
|
|
2023-02-26 21:36:25 +01:00
|
|
|
def set_cas_configuration(app: flask.app.Flask = None):
|
2023-02-26 21:24:07 +01:00
|
|
|
"""Force la configuration du module flask_cas à partir des paramètres de
|
|
|
|
|
la config de ScoDoc.
|
|
|
|
|
Appelé au démarrage et à chaque modif des paramètres.
|
|
|
|
|
"""
|
2023-02-26 21:36:25 +01:00
|
|
|
app = app or current_app
|
2023-02-26 21:24:07 +01:00
|
|
|
if ScoDocSiteConfig.is_cas_enabled():
|
|
|
|
|
app.config["CAS_SERVER"] = ScoDocSiteConfig.get("cas_server")
|
|
|
|
|
app.config["CAS_AFTER_LOGIN"] = "auth.after_cas_login"
|
|
|
|
|
app.config["CAS_AFTER_LOGOUT"] = "auth.after_cas_logout"
|
2023-02-27 09:46:15 +01:00
|
|
|
app.config["CAS_ERROR_CALLBACK"] = cas_error_callback
|
2023-02-26 23:27:40 +01:00
|
|
|
app.config["CAS_SSL_VERIFY"] = ScoDocSiteConfig.get("cas_ssl_verify")
|
|
|
|
|
app.config["CAS_SSL_CERTIFICATE"] = ScoDocSiteConfig.get("cas_ssl_certificate")
|
2023-02-26 21:24:07 +01:00
|
|
|
else:
|
|
|
|
|
app.config.pop("CAS_SERVER", None)
|
|
|
|
|
app.config.pop("CAS_AFTER_LOGIN", None)
|
|
|
|
|
app.config.pop("CAS_AFTER_LOGOUT", None)
|
2023-02-26 23:27:40 +01:00
|
|
|
app.config.pop("CAS_SSL_VERIFY", None)
|
|
|
|
|
app.config.pop("CAS_SSL_CERTIFICATE", None)
|
