Remove SSL Certifcate auth reliance on internal password

082f20db · Carson Gee · 29857036 · 082f20db · 082f20db
Commit 082f20db authored Feb 21, 2014 by Carson Gee
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 11 deletions

common/djangoapps/external_auth/tests/test_ssl.py
+10 -11

common/djangoapps/external_auth/views.py
+6 -0

No files found.
--- a/common/djangoapps/external_auth/tests/test_ssl.py
+++ b/common/djangoapps/external_auth/tests/test_ssl.py
@@ -235,23 +235,22 @@ class SSLClientTest(TestCase):
        This tests the response when a user exists but their eamap
        password doesn't match their internal password.

-        This should start failing and can be removed when the
-        eamap.internal_password dependency is removed.
+        The internal password use for certificates has been removed
+        and this should not fail.
        """
+        # Create account, break internal password, and activate account
        external_auth.views.ssl_login(self._create_ssl_request('/'))
        user = User.objects.get(email=self.USER_EMAIL)
        user.set_password('not autogenerated')
+        user.is_active = True
        user.save()

-        # Validate user failed by checking log
-        output = StringIO.StringIO()
-        audit_log_handler = logging.StreamHandler(output)
-        audit_log = logging.getLogger("audit")
-        audit_log.addHandler(audit_log_handler)
-
-        request = self._create_ssl_request('/')
-        external_auth.views.ssl_login(request)
-        self.assertIn('External Auth Login failed for', output.getvalue())
+        # Make sure we can still login
+        response = self.client.get(
+            reverse('signin_user'), follow=True,
+            SSL_CLIENT_S_DN=self.AUTH_DN.format(self.USER_NAME, self.USER_EMAIL))
+        print(response)
+        self.assertIn('_auth_user_id', self.client.session)

    @unittest.skipUnless(settings.ROOT_URLCONF == 'lms.urls', 'Test only valid in lms')
    @override_settings(FEATURES=FEATURES_WITHOUT_SSL_AUTH)

--- a/common/djangoapps/external_auth/views.py
+++ b/common/djangoapps/external_auth/views.py
@@ -151,6 +151,7 @@ def _external_login_or_signup(request,

    log.info(u"External_Auth login_or_signup for %s : %s : %s : %s", external_domain, external_id, email, fullname)
    uses_shibboleth = settings.FEATURES.get('AUTH_USE_SHIB') and external_domain.startswith(SHIBBOLETH_DOMAIN_PREFIX)
+    uses_certs = settings.FEATURES.get('AUTH_USE_CERTIFICATES')
    internal_user = eamap.user
    if internal_user is None:
        if uses_shibboleth:
@@ -193,6 +194,11 @@ def _external_login_or_signup(request,
            auth_backend = 'django.contrib.auth.backends.ModelBackend'
        user.backend = auth_backend
        AUDIT_LOG.info('Linked user "%s" logged in via Shibboleth', user.email)
+    elif uses_certs:
+        # Certificates are trusted, so just link the user and log the action
+        user = internal_user
+        user.backend = 'django.contrib.auth.backens.ModelBackend'
+        AUDIT_LOG.info('Linked user "%s" logged in via SSL certificate', user.email)
    else:
        user = authenticate(username=uname, password=eamap.internal_password, request=request)
    if user is None: