Skip to content

E
edx-platform
Commit 082f20db by Carson Gee
Options

Remove SSL Certifcate auth reliance on internal password

parent 29857036
Showing with 16 additions and 11 deletions
common/djangoapps/external_auth/tests/test_ssl.py
...@@ -235,23 +235,22 @@ class SSLClientTest(TestCase): ...@@ -235,23 +235,22 @@ class SSLClientTest(TestCase):
This tests the response when a user exists but their eamap This tests the response when a user exists but their eamap
password doesn't match their internal password. password doesn't match their internal password.
This should start failing and can be removed when the The internal password use for certificates has been removed
eamap.internal_password dependency is removed. and this should not fail.
""" """
# Create account, break internal password, and activate account
external_auth.views.ssl_login(self._create_ssl_request('/')) external_auth.views.ssl_login(self._create_ssl_request('/'))
user = User.objects.get(email=self.USER_EMAIL) user = User.objects.get(email=self.USER_EMAIL)
user.set_password('not autogenerated') user.set_password('not autogenerated')
user.is_active = True
user.save() user.save()
# Validate user failed by checking log # Make sure we can still login
output = StringIO.StringIO() response = self.client.get(
audit_log_handler = logging.StreamHandler(output) reverse('signin_user'), follow=True,
audit_log = logging.getLogger("audit") SSL_CLIENT_S_DN=self.AUTH_DN.format(self.USER_NAME, self.USER_EMAIL))
audit_log.addHandler(audit_log_handler) print(response)
self.assertIn('_auth_user_id', self.client.session)
request = self._create_ssl_request('/')
external_auth.views.ssl_login(request)
self.assertIn('External Auth Login failed for', output.getvalue())
@unittest.skipUnless(settings.ROOT_URLCONF == 'lms.urls', 'Test only valid in lms') @unittest.skipUnless(settings.ROOT_URLCONF == 'lms.urls', 'Test only valid in lms')
@override_settings(FEATURES=FEATURES_WITHOUT_SSL_AUTH) @override_settings(FEATURES=FEATURES_WITHOUT_SSL_AUTH)
......
common/djangoapps/external_auth/views.py
...@@ -151,6 +151,7 @@ def _external_login_or_signup(request, ...@@ -151,6 +151,7 @@ def _external_login_or_signup(request,
log.info(u"External_Auth login_or_signup for %s : %s : %s : %s", external_domain, external_id, email, fullname) log.info(u"External_Auth login_or_signup for %s : %s : %s : %s", external_domain, external_id, email, fullname)
uses_shibboleth = settings.FEATURES.get('AUTH_USE_SHIB') and external_domain.startswith(SHIBBOLETH_DOMAIN_PREFIX) uses_shibboleth = settings.FEATURES.get('AUTH_USE_SHIB') and external_domain.startswith(SHIBBOLETH_DOMAIN_PREFIX)
uses_certs = settings.FEATURES.get('AUTH_USE_CERTIFICATES')
internal_user = eamap.user internal_user = eamap.user
if internal_user is None: if internal_user is None:
if uses_shibboleth: if uses_shibboleth:
...@@ -193,6 +194,11 @@ def _external_login_or_signup(request, ...@@ -193,6 +194,11 @@ def _external_login_or_signup(request,
auth_backend = 'django.contrib.auth.backends.ModelBackend' auth_backend = 'django.contrib.auth.backends.ModelBackend'
user.backend = auth_backend user.backend = auth_backend
AUDIT_LOG.info('Linked user "%s" logged in via Shibboleth', user.email) AUDIT_LOG.info('Linked user "%s" logged in via Shibboleth', user.email)
elif uses_certs:
# Certificates are trusted, so just link the user and log the action
user = internal_user
user.backend = 'django.contrib.auth.backens.ModelBackend'
AUDIT_LOG.info('Linked user "%s" logged in via SSL certificate', user.email)
else: else:
user = authenticate(username=uname, password=eamap.internal_password, request=request) user = authenticate(username=uname, password=eamap.internal_password, request=request)
if user is None: if user is None:
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment