From 772564e13c50e171c47dc4845bb3478624880be4 Mon Sep 17 00:00:00 2001
From: Tanner Prestegard <tanner.prestegard@ligo.org>
Date: Fri, 9 Nov 2018 14:37:29 -0600
Subject: [PATCH] Updating login views and redirect handling
---
config/settings/base.py | 11 ++++++++---
config/urls.py | 10 ++++++----
gracedb/ligoauth/views.py | 39 +++++++++++++++++++++++++++++----------
3 files changed, 43 insertions(+), 17 deletions(-)
diff --git a/config/settings/base.py b/config/settings/base.py
index e08e45202..07f8861e8 100644
--- a/config/settings/base.py
+++ b/config/settings/base.py
@@ -69,7 +69,14 @@ ALLOWED_HOSTS = ['localhost', '127.0.0.1', SERVER_FQDN,
# Sessions settings -----------------------------------------------------------
SESSION_COOKIE_AGE = 3600
SESSION_ENGINE = 'user_sessions.backends.db'
-LOGOUT_REDIRECT_URL = '/'
+
+# Login/logout settings -------------------------------------------------------
+# Login pages
+# URL of Shibboleth login page
+LOGIN_URL = 'login'
+SHIB_LOGIN_URL = '/Shibboleth.sso/Login'
+LOGIN_REDIRECT_URL = 'home'
+LOGOUT_REDIRECT_URL = 'home'
# LVAlert and LVAlert Overseer settings ---------------------------------------
# Switches which control whether alerts are sent out
@@ -457,8 +464,6 @@ GUARDIAN_RENDER_403 = True
# See http://django-guardian.readthedocs.io/en/latest/userguide/custom-user-model.html
GUARDIAN_MONKEY_PATCH = False
-# URL of Shibboleth login page
-LOGIN_URL = '/Shibboleth.sso/Login'
# Basic auth passwords for LVEM scripted access expire after 365 days.
PASSWORD_EXPIRATION_TIME = timedelta(days=365)
diff --git a/config/urls.py b/config/urls.py
index 1a1781b2f..b2cdeb30d 100644
--- a/config/urls.py
+++ b/config/urls.py
@@ -15,7 +15,7 @@ from events.feeds import EventFeed, feedview
# than just using a string
import events.reports
import events.views
-from ligoauth.views import pre_login, shib_login, shib_logout
+from ligoauth.views import pre_login, post_login, shib_logout
import search.views
# Django admin auto-discover
@@ -47,13 +47,15 @@ urlpatterns = [
url(r'^reports/cbc_report/(?P<format>(json|flex))?$',
events.reports.cbc_report, name="cbc_report"),
url(r'^latest/$', search.views.latest, name="latest"),
- url(r'^login/$', pre_login, name='login'),
- url(r'^post_login/$', shib_login, name='post-login'),
- url(r'^logout/$', shib_logout, name='logout'),
#(r'^reports/(?P<path>.+)$', 'django.views.static.serve',
# {'document_root': settings.LATENCY_REPORT_DEST_DIR}),
url(r'^search/$', search.views.search, name="mainsearch"),
+ # Authentication
+ url(r'^login/$', pre_login, name='login'),
+ url(r'^post-login/$', post_login, name='post-login'),
+ url(r'^logout/$', shib_logout, name='logout'),
+
# API URLs
url(r'^api/', include('api.urls')),
# Legacy API URLs: can we get rid of these at some point? (TODO)
diff --git a/gracedb/ligoauth/views.py b/gracedb/ligoauth/views.py
index 8a29f6e7d..5a638689d 100644
--- a/gracedb/ligoauth/views.py
+++ b/gracedb/ligoauth/views.py
@@ -1,18 +1,29 @@
+import logging
+
from django.conf import settings
from django.contrib.auth import logout
from django.http import HttpResponseRedirect
+from django.shortcuts import resolve_url
from django.urls import reverse
-import logging
+# Set up logger
logger = logging.getLogger(__name__)
ORIGINAL_PAGE_KEY = 'login_from_page'
+# Three steps in login process:
+# 1. Pre-login view where we try to cache the page that the user was just on
+# and redirect to the Shibboleth SSO page for login through an IdP
+# 2. Login through IdP, redirect to post-login view.
+# 3. Post-login view, where Apache puts the user's attributes into the
+# session. Our Django middleware and auth backends consume the attributes
+# and use them to log into a user account in the database. The user is
+# then redirected to the original page where they logged in from.
def pre_login(request):
"""
- Sends user to settings.LOGIN_URL (Shibboleth login) and sets up a
+ Sends user to settings.SHIB_LOGIN_URL (Shibboleth login) and sets up a
redirect target to the actual login page where we parse the shib session
attributes. Saves the current page (where the login button was clicked
from) in the session so that our login page can then redirect back to
@@ -21,24 +32,30 @@ def pre_login(request):
If original URL is not found, redirect to the home page
"""
- # Set target for shibboleth to redirect to
+ # Set target for SSO page to redirect to
shib_target = reverse('post-login')
- # Get original url (page where the login button was clicked)
- original_url = request.META.get('HTTP_REFERER', reverse('home'))
+ # Get original url (page where the login button was clicked).
+ # First try to get referer header. If not available, try to get the 'next
+ # query string parameter (that's how the Django login_required
+ # handles it)
+ original_url = request.META.get('HTTP_REFERER', None)
+ if original_url is None:
+ original_url = request.GET.get('next',
+ resolve_url(settings.LOGIN_REDIRECT_URL))
# Store original url in session
request.session[ORIGINAL_PAGE_KEY] = original_url
# Set up url for shibboleth login with redirect target
- full_login_url = "{base}?target={target}".format(base=settings.LOGIN_URL,
- target=shib_target)
+ full_login_url = "{base}?target={target}".format(
+ base=settings.SHIB_LOGIN_URL, target=shib_target)
# Redirect to the shibboleth login
return HttpResponseRedirect(full_login_url)
-def shib_login(request):
+def post_login(request):
"""
pre_login should redirect to the URL which corresponds to this view.
@@ -51,7 +68,8 @@ def shib_login(request):
redirect to the home page.
"""
- original_url = request.session.get(ORIGINAL_PAGE_KEY, reverse('home'))
+ original_url = request.session.get(ORIGINAL_PAGE_KEY,
+ resolve_url(settings.LOGIN_REDIRECT_URL))
# Redirect to the original url
return HttpResponseRedirect(original_url)
@@ -63,6 +81,7 @@ def shib_logout(request):
logout(request)
# Get original url where the logout button was pressed from
- original_url = request.META.get('HTTP_REFERER', reverse('home'))
+ original_url = request.META.get('HTTP_REFERER',
+ resolve_url(settings.LOGOUT_REDIRECT_URL))
return HttpResponseRedirect(original_url)
--
GitLab