Merge pull request #330 from MITx/ExternalAuth

External auth

Merge pull request #330 from MITx/ExternalAuth
External auth
b1494da0 · Calen Pennington · 3b6f33f5 · dff380e8 · b1494da0 · b1494da0
Commit b1494da0 authored Aug 03, 2012 by Calen Pennington
14 changed files
--- a/lms/djangoapps/ssl_auth/__init__.py
+++ b/lms/djangoapps/ssl_auth/__init__.py
--- a/common/djangoapps/external_auth/admin.py
+++ b/common/djangoapps/external_auth/admin.py
+'''
+django admin pages for courseware model
+'''
+
+from external_auth.models import *
+from django.contrib import admin
+
+admin.site.register(ExternalAuthMap)
--- a/common/djangoapps/external_auth/models.py
+++ b/common/djangoapps/external_auth/models.py
+"""
+WE'RE USING MIGRATIONS!
+
+If you make changes to this model, be sure to create an appropriate migration
+file and check it in at the same time as your model changes. To do that,
+
+1. Go to the mitx dir
+2. django-admin.py schemamigration student --auto --settings=lms.envs.dev --pythonpath=. description_of_your_change
+3. Add the migration file created in mitx/common/djangoapps/external_auth/migrations/
+"""
+
+from django.db import models
+from django.contrib.auth.models import User
+
+class ExternalAuthMap(models.Model):
+    class Meta:
+        unique_together = (('external_id', 'external_domain'), )
+    external_id = models.CharField(max_length=255, db_index=True)
+    external_domain = models.CharField(max_length=255, db_index=True)
+    external_credentials = models.TextField(blank=True)  # JSON dictionary 
+    external_email = models.CharField(max_length=255, db_index=True)
+    external_name = models.CharField(blank=True,max_length=255, db_index=True)
+    user = models.OneToOneField(User, unique=True, db_index=True, null=True)
+    internal_password = models.CharField(blank=True, max_length=31)	# randomly generated
+    dtcreated = models.DateTimeField('creation date',auto_now_add=True)
+    dtsignup = models.DateTimeField('signup date',null=True)		# set after signup
+    
+    def __unicode__(self):
+        s = "[%s] = (%s / %s)" % (self.external_id, self.external_name, self.external_email)
+        return s
+    
--- a/common/djangoapps/external_auth/views.py
+++ b/common/djangoapps/external_auth/views.py
+import json
+import logging
+import random
+import re
+import string
+
+from external_auth.models import ExternalAuthMap
+
+from django.conf import settings
+from django.contrib.auth import REDIRECT_FIELD_NAME, authenticate, login
+from django.contrib.auth.models import Group
+from django.contrib.auth.models import User
+
+from django.core.urlresolvers import reverse
+from django.http import HttpResponse, HttpResponseRedirect
+from django.shortcuts import render_to_response
+from django.shortcuts import redirect
+from django.template import RequestContext
+from mitxmako.shortcuts import render_to_response, render_to_string
+try:
+    from django.views.decorators.csrf import csrf_exempt
+except ImportError:
+    from django.contrib.csrf.middleware import csrf_exempt
+from django_future.csrf import ensure_csrf_cookie
+from util.cache import cache_if_anonymous
+    
+from django_openid_auth import auth as openid_auth
+from openid.consumer.consumer import (Consumer, SUCCESS, CANCEL, FAILURE)
+import django_openid_auth.views as openid_views
+
+import student.views as student_views
+
+log = logging.getLogger("mitx.external_auth")
+
+@csrf_exempt
+def default_render_failure(request, message, status=403, template_name='extauth_failure.html', exception=None):
+    """Render an Openid error page to the user."""
+    message = "In openid_failure " + message
+    log.debug(message)
+    data = render_to_string( template_name, dict(message=message, exception=exception))
+    return HttpResponse(data, status=status)
+
+#-----------------------------------------------------------------------------
+# Openid
+
+def edXauth_generate_password(length=12, chars=string.letters + string.digits):
+    """Generate internal password for externally authenticated user"""
+    return ''.join([random.choice(chars) for i in range(length)])
+
+@csrf_exempt
+def edXauth_openid_login_complete(request,  redirect_field_name=REDIRECT_FIELD_NAME, render_failure=None):
+    """Complete the openid login process"""
+
+    redirect_to = request.REQUEST.get(redirect_field_name, '')
+    render_failure = render_failure or \
+                     getattr(settings, 'OPENID_RENDER_FAILURE', None) or \
+                     default_render_failure
+                                                   
+    openid_response = openid_views.parse_openid_response(request)
+    if not openid_response:
+        return render_failure(request, 'This is an OpenID relying party endpoint.')
+
+    if openid_response.status == SUCCESS:
+        external_id = openid_response.identity_url
+        oid_backend =  openid_auth.OpenIDBackend()
+        details = oid_backend._extract_user_details(openid_response)
+
+        log.debug('openid success, details=%s' % details)
+
+        return edXauth_external_login_or_signup(request,
+                                                external_id, 
+                                                "openid:%s" % settings.OPENID_SSO_SERVER_URL,
+                                                details,
+                                                details.get('email',''),
+                                                '%s %s' % (details.get('first_name',''),details.get('last_name',''))
+                                                )
+                                 
+    return render_failure(request, 'Openid failure')
+
+#-----------------------------------------------------------------------------
+# generic external auth login or signup
+
+def edXauth_external_login_or_signup(request, external_id, external_domain, credentials, email, fullname,
+                                     retfun=None):
+    # see if we have a map from this external_id to an edX username
+    try:
+        eamap = ExternalAuthMap.objects.get(external_id = external_id,
+                                            external_domain = external_domain,
+                                            )
+        log.debug('Found eamap=%s' % eamap)
+    except ExternalAuthMap.DoesNotExist:
+        # go render form for creating edX user
+        eamap = ExternalAuthMap(external_id = external_id,
+                                external_domain = external_domain,
+                                external_credentials = json.dumps(credentials),
+                                )
+        eamap.external_email = email
+        eamap.external_name = fullname
+        eamap.internal_password = edXauth_generate_password()
+        log.debug('created eamap=%s' % eamap)
+
+        eamap.save()
+
+    internal_user = eamap.user
+    if internal_user is None:
+        log.debug('ExtAuth: no user for %s yet, doing signup' % eamap.external_email)
+        return edXauth_signup(request, eamap)
+    
+    uname = internal_user.username
+    user = authenticate(username=uname, password=eamap.internal_password)
+    if user is None:
+        log.warning("External Auth Login failed for %s / %s" % (uname,eamap.internal_password))
+        return edXauth_signup(request, eamap)
+
+    if not user.is_active:
+        log.warning("External Auth: user %s is not active" % (uname))
+        # TODO: improve error page
+        return render_failure(request, 'Account not yet activated: please look for link in your email')
+     
+    login(request, user)
+    request.session.set_expiry(0)
+    student_views.try_change_enrollment(request)
+    log.info("Login success - {0} ({1})".format(user.username, user.email))
+    if retfun is None:
+        return redirect('/')
+    return retfun()
+        
+    
+#-----------------------------------------------------------------------------
+# generic external auth signup
+
+@ensure_csrf_cookie
+@cache_if_anonymous
+def edXauth_signup(request, eamap=None):
+    """
+    Present form to complete for signup via external authentication.
+    Even though the user has external credentials, he/she still needs
+    to create an account on the edX system, and fill in the user
+    registration form.
+
+    eamap is an ExteralAuthMap object, specifying the external user
+    for which to complete the signup.
+    """
+    
+    if eamap is None:
+        pass
+
+    request.session['ExternalAuthMap'] = eamap	# save this for use by student.views.create_account
+    
+    context = {'has_extauth_info': True,
+               'show_signup_immediately' : True,
+               'extauth_email': eamap.external_email,
+               'extauth_username' : eamap.external_name.split(' ')[0],
+               'extauth_name': eamap.external_name,
+               }
+    
+    log.debug('ExtAuth: doing signup for %s' % eamap.external_email)
+
+    return student_views.main_index(extra_context=context)
+
+#-----------------------------------------------------------------------------
+# MIT SSL
+
+def ssl_dn_extract_info(dn):
+    '''
+    Extract username, email address (may be anyuser@anydomain.com) and full name
+    from the SSL DN string.  Return (user,email,fullname) if successful, and None
+    otherwise.
+    '''
+    ss = re.search('/emailAddress=(.*)@([^/]+)', dn)
+    if ss:
+        user = ss.group(1)
+        email = "%s@%s" % (user, ss.group(2))
+    else:
+        return None
+    ss = re.search('/CN=([^/]+)/', dn)
+    if ss:
+        fullname = ss.group(1)
+    else:
+        return None
+    return (user, email, fullname)
+
+@csrf_exempt
+def edXauth_ssl_login(request):
+    """
+    This is called by student.views.index when MITX_FEATURES['AUTH_USE_MIT_CERTIFICATES'] = True
+
+    Used for MIT user authentication.  This presumes the web server (nginx) has been configured 
+    to require specific client certificates.
+
+    If the incoming protocol is HTTPS (SSL) then authenticate via client certificate.  
+    The certificate provides user email and fullname; this populates the ExternalAuthMap.
+    The user is nevertheless still asked to complete the edX signup.  
+
+    Else continues on with student.views.main_index, and no authentication.
+    """
+    certkey = "SSL_CLIENT_S_DN"	 # specify the request.META field to use
+    
+    cert = request.META.get(certkey,'')
+    if not cert:
+        cert = request.META.get('HTTP_'+certkey,'')
+    if not cert:
+        try:
+            cert = request._req.subprocess_env.get(certkey,'')	 # try the direct apache2 SSL key
+        except Exception as err:
+            pass
+    if not cert:
+        # no certificate information - go onward to main index
+        return student_views.main_index()
+
+    (user, email, fullname) = ssl_dn_extract_info(cert)
+    
+    return edXauth_external_login_or_signup(request, 
+                                            external_id=email, 
+                                            external_domain="ssl:MIT", 
+                                            credentials=cert, 
+                                            email=email,
+                                            fullname=fullname,
+                                            retfun = student_views.main_index)
--- a/common/djangoapps/student/views.py
+++ b/common/djangoapps/student/views.py
@@ -23,7 +23,6 @@ from django.http import HttpResponse, Http404
 from django.shortcuts import redirect
 from mitxmako.shortcuts import render_to_response, render_to_string
 from django.core.urlresolvers import reverse
-#from BeautifulSoup import BeautifulSoup
 from bs4 import BeautifulSoup
 from django.core.cache import cache

@@ -61,6 +60,19 @@ def index(request):
    if settings.COURSEWARE_ENABLED and request.user.is_authenticated():
        return redirect(reverse('dashboard'))

+    if settings.MITX_FEATURES.get('AUTH_USE_MIT_CERTIFICATES'):
+        from external_auth.views import edXauth_ssl_login
+        return edXauth_ssl_login(request)
+
+    return main_index()
+
+def main_index(extra_context = {}):
+    '''
+    Render the edX main page.
+
+    extra_context is used to allow immediate display of certain modal windows, eg signup,
+    as used by external_auth.
+    '''
    feed_data = cache.get("students_index_rss_feed_data")
    if feed_data == None:
        if hasattr(settings, 'RSS_URL'):
@@ -81,8 +93,9 @@ def index(request):
    for course in courses:
        universities[course.org].append(course)

-    return render_to_response('index.html', {'universities': universities, 'entries': entries})
-
+    context = {'universities': universities, 'entries': entries}
+    context.update(extra_context)
+    return render_to_response('index.html', context)

 def course_from_id(id):
    course_loc = CourseDescriptor.id_to_location(id)
@@ -257,11 +270,26 @@ def change_setting(request):

 @ensure_csrf_cookie
 def create_account(request, post_override=None):
-    ''' JSON call to enroll in the course. '''
+    '''
+    JSON call to create new edX account.
+    Used by form in signup_modal.html, which is included into navigation.html
+    '''
    js = {'success': False}

    post_vars = post_override if post_override else request.POST

+    # if doing signup for an external authorization, then get email, password, name from the eamap
+    # don't use the ones from the form, since the user could have hacked those
+    DoExternalAuth = 'ExternalAuthMap' in request.session
+    if DoExternalAuth:
+        eamap = request.session['ExternalAuthMap']
+        email = eamap.external_email
+        name = eamap.external_name
+        password = eamap.internal_password
+        post_vars = dict(post_vars.items())
+        post_vars.update(dict(email=email, name=name, password=password))
+        log.debug('extauth test: post_vars = %s' % post_vars)
+
    # Confirm we have a properly formed request
    for a in ['username', 'email', 'password', 'name']:
        if a not in post_vars:
@@ -356,8 +384,9 @@ def create_account(request, post_override=None):
         'key': r.activation_key,
         }

+    # composes activation email
    subject = render_to_string('emails/activation_email_subject.txt', d)
-        # Email subject *must not* contain newlines
+    # Email subject *must not* contain newlines
    subject = ''.join(subject.splitlines())
    message = render_to_string('emails/activation_email.txt', d)

@@ -382,6 +411,17 @@ def create_account(request, post_override=None):

    try_change_enrollment(request)

+    if DoExternalAuth:
+        eamap.user = login_user
+        eamap.dtsignup = datetime.datetime.now()
+        eamap.save()
+        log.debug('Updated ExternalAuthMap for %s to be %s' % (post_vars['username'],eamap))
+
+        if settings.MITX_FEATURES.get('BYPASS_ACTIVATION_EMAIL_FOR_EXTAUTH'):
+            log.debug('bypassing activation email')
+            login_user.is_active = True
+            login_user.save()
+
    js = {'success': True}
    return HttpResponse(json.dumps(js), mimetype="application/json")


--- a/lms/djangoapps/ssl_auth/ssl_auth.py
+++ b/lms/djangoapps/ssl_auth/ssl_auth.py
--- a/lms/envs/dev.py
+++ b/lms/envs/dev.py
@@ -58,6 +58,21 @@ CACHE_TIMEOUT = 0
 # Dummy secret key for dev
 SECRET_KEY = '85920908f28904ed733fe576320db18cabd7b6cd'

+################################ OpenID Auth #################################
+MITX_FEATURES['AUTH_USE_OPENID'] = True
+MITX_FEATURES['BYPASS_ACTIVATION_EMAIL_FOR_EXTAUTH'] = True
+
+INSTALLED_APPS += ('external_auth',) 
+INSTALLED_APPS += ('django_openid_auth',)
+
+OPENID_CREATE_USERS = False
+OPENID_UPDATE_DETAILS_FROM_SREG = True
+OPENID_SSO_SERVER_URL = 'https://www.google.com/accounts/o8/id'	# TODO: accept more endpoints
+OPENID_USE_AS_ADMIN_LOGIN = False
+
+################################ MIT Certificates SSL Auth #################################
+MITX_FEATURES['AUTH_USE_MIT_CERTIFICATES'] = True
+
 ################################ DEBUG TOOLBAR #################################
 INSTALLED_APPS += ('debug_toolbar',)
 MIDDLEWARE_CLASSES += ('debug_toolbar.middleware.DebugToolbarMiddleware',)

--- a/lms/envs/dev_ike.py
+++ b/lms/envs/dev_ike.py
--- a/lms/templates/extauth_failure.html
+++ b/lms/templates/extauth_failure.html
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
+  "http://www.w3.org/TR/html4/strict.dtd">
+<html>
+<head>
+    <title>OpenID failed</title>
+</head>
+<body>
+    <h1>OpenID failed</h1>
+    <p>${message}</p>
+</body>
+</html>
--- a/lms/templates/index.html
+++ b/lms/templates/index.html
@@ -144,3 +144,31 @@
    <iframe width="640" height="360" src="http://www.youtube.com/embed/C2OQ51tu7W4?showinfo=0" frameborder="0" allowfullscreen></iframe>
  </div>
 </section>
+
+% if show_signup_immediately is not UNDEFINED:
+<script type="text/javascript">
+function dosignup(){
+    comp = document.getElementById('signup');
+try { //in firefox
+    comp.click();
+    return;
+} catch(ex) {}
+try { // in old chrome
+    if(document.createEvent) {
+        var e = document.createEvent('MouseEvents');
+        e.initEvent( 'click', true, true );
+        comp.dispatchEvent(e);
+        return;
+    }
+} catch(ex) {}
+try { // in IE, safari
+    if(document.createEventObject) {
+         var evObj = document.createEventObject();
+         comp.fireEvent("onclick", evObj);
+         return;
+    }
+} catch(ex) {}
+}
+$(window).load(dosignup);
+</script>
+% endif
--- a/lms/templates/login_modal.html
+++ b/lms/templates/login_modal.html
@@ -27,6 +27,9 @@
        <span>Not enrolled? <a href="#signup-modal" class="close-login" rel="leanModal">Sign up.</a></span>
        <a href="#forgot-password-modal" rel="leanModal" class="pwd-reset">Forgot password?</a>
      </p>
+      <p>
+      <a href="${MITX_ROOT_URL}/openid/login/">login via openid</a>
+      </p>
    </section>

    <div class="close-modal">

--- a/lms/templates/signup_modal.html
+++ b/lms/templates/signup_modal.html
@@ -19,6 +19,7 @@
        <div id="register_error" name="register_error"></div>

        <div class="input-group">
+	  % if has_extauth_info is UNDEFINED:
          <label data-field="email">E-mail*</label>
          <input name="email" type="email" placeholder="E-mail*">
          <label data-field="password">Password*</label>
@@ -27,6 +28,12 @@
          <input name="username" type="text" placeholder="Public Username*">
          <label data-field="name">Full Name</label>
          <input name="name" type="text" placeholder="Full Name*">
+	  % else:
+	  <p><i>Welcome</i> ${extauth_email}</p><br/>
+	  <p><i>Enter a public username:</i></p>
+          <label data-field="username">Public Username*</label>
+          <input name="username" type="text" value="${extauth_username}" placeholder="Public Username*">
+	  % endif
        </div>

        <div class="input-group">
@@ -93,11 +100,13 @@
        </div>
      </form>

+      % if has_extauth_info is UNDEFINED:
      <section class="login-extra">
        <p>
          <span>Already have an account? <a href="#login-modal" class="close-signup" rel="leanModal">Login.</a></span>
        </p>
      </section>
+      % endif

    </div>


--- a/lms/urls.py
+++ b/lms/urls.py
@@ -162,12 +162,18 @@ if settings.DEBUG:
    ## Jasmine
    urlpatterns=urlpatterns + (url(r'^_jasmine/', include('django_jasmine.urls')),)

+if settings.MITX_FEATURES.get('AUTH_USE_OPENID'):
+    urlpatterns += (
+        url(r'^openid/login/$', 'django_openid_auth.views.login_begin', name='openid-login'),
+        url(r'^openid/complete/$', 'external_auth.views.edXauth_openid_login_complete', name='openid-complete'),
+        url(r'^openid/logo.gif$', 'django_openid_auth.views.logo', name='openid-logo'),
+        )
+
 urlpatterns = patterns(*urlpatterns)

 if settings.DEBUG:
    urlpatterns += static(settings.STATIC_URL, document_root=settings.STATIC_ROOT)

-
 #Custom error pages
 handler404 = 'static_template_view.views.render_404'
 handler500 = 'static_template_view.views.render_500'

--- a/requirements.txt
+++ b/requirements.txt
@@ -8,6 +8,7 @@ lxml
 boto
 mako
 python-memcached
+python-openid 
 path.py
 django_debug_toolbar
 -e git://github.com/MITx/django-pipeline.git#egg=django-pipeline
@@ -37,6 +38,7 @@ django-jasmine
 django-keyedcache
 django-mako
 django-masquerade
+django-openid-auth 
 django-robots
 django-ses
 django-storages