[Scripts/git/.git] / django / mit / __init__.py

import os
import subprocess
import tempfile
import ldap
import ldap.filter

from django.contrib.auth.backends import RemoteUserBackend
from django.contrib.auth.middleware import RemoteUserMiddleware
from django.contrib.auth.views import login
from django.contrib.auth import REDIRECT_FIELD_NAME
from django.http import HttpResponseRedirect
from django.contrib import auth
from django.core.exceptions import ObjectDoesNotExist
from django.core.validators import URLValidator, ValidationError

from django.conf import settings

def zephyr(msg, clas='message', instance='log', rcpt='nobody',):
    proc = subprocess.Popen(
        ['zwrite', '-d', '-n', '-c', clas, '-i', instance, rcpt, ],
        stdin=subprocess.PIPE, stdout=subprocess.PIPE
    )
    proc.communicate(msg)

def UrlOrAfsValidator(value):
    if value.startswith('/mit/') or value.startswith('/afs/'):
        return
    else:
        try:
            URLValidator()(value)
        except ValidationError:
            raise ValidationError('Provide a valid URL or AFS path')

def pag_check_helper(fn, args, aklog=False, ccname=None, **kwargs):
    if 'executable' in kwargs:
        raise ValueError('"executable" not supported with pag_check_*')

    env = None
    if 'env' in kwargs:
        env = kwargs['env']
        del kwargs['env']
    if ccname:
        if env is not None:
            env = dict(env)
        else:
            env = dict(os.environ)
        env['KRB5CCNAME'] = ccname

    pagsh_cmd = 'exec "$@"'
    if aklog: pagsh_cmd = "aklog && " + pagsh_cmd
    args = ['pagsh', '-c', pagsh_cmd, 'exec', ] + args

    return fn(args, env=env, **kwargs)

def pag_check_call(args, **kwargs):
    return pag_check_helper(subprocess.check_call, args, **kwargs)
def pag_check_output(args, **kwargs):
    return pag_check_helper(subprocess.check_output, args, **kwargs)

def kinit(keytab=None, principal=None, autodelete=True, ):
    if not keytab:
        keytab = settings.KRB_KEYTAB
    if not principal:
        principal = settings.KRB_PRINCIPAL
    assert keytab and principal
    fd = tempfile.NamedTemporaryFile(mode='rb', prefix="krb5cc_djmit_", delete=autodelete, )
    env = dict(KRB5CCNAME=fd.name)
    kinit_cmd = ['kinit', '-k', '-t', keytab, principal, ]
    subprocess.check_call(kinit_cmd, env=env)
    return fd

class ScriptsRemoteUserMiddleware(RemoteUserMiddleware):
    header = 'SSL_CLIENT_S_DN_Email'

class ScriptsRemoteUserBackend(RemoteUserBackend):
    def clean_username(self, username, ):
        if '@' in username:
            name, domain = username.split('@')
            assert domain.upper() == 'MIT.EDU'
            return name
        else:
            return username
    def configure_user(self, user, ):
        username = user.username
        user.set_unusable_password()
        con = ldap.open('ldap-too.mit.edu')
        con.simple_bind_s("", "")
        dn = "dc=mit,dc=edu"
        fields = ['cn', 'sn', 'givenName', 'mail', ]
        userfilter = ldap.filter.filter_format('uid=%s', [username])
        result = con.search_s('dc=mit,dc=edu', ldap.SCOPE_SUBTREE, userfilter, fields)
        if len(result) == 1:
            user.first_name = result[0][1]['givenName'][0]
            user.last_name = result[0][1]['sn'][0]
            try:
                user.email = result[0][1]['mail'][0]
            except KeyError:
                user.email = username + '@mit.edu'
            try:
                user.groups.add(auth.models.Group.objects.get(name='mit'))
            except ObjectDoesNotExist:
                print "Failed to retrieve mit group"
        else:
            raise ValueError, ("Could not find user with username '%s' (filter '%s')"%(username, userfilter))
        try:
            user.groups.add(auth.models.Group.objects.get(name='autocreated'))
        except ObjectDoesNotExist:
            print "Failed to retrieve autocreated group"
        user.save()
        return user

def get_or_create_mit_user(username, ):
    """
    Given an MIT username, return a Django user object for them.
    If necessary, create (and save) the Django user for them.
    If the MIT user doesn't exist, raises ValueError.
    """
    user, created = auth.models.User.objects.get_or_create(username=username, )
    if created:
        backend = ScriptsRemoteUserBackend()
        # Raises ValueError if the user doesn't exist
        try:
            return backend.configure_user(user), created
        except ValueError:
            user.delete()
            raise
    else:
        return user, created

def scripts_login(request, **kwargs):
    host = request.META['HTTP_HOST'].split(':')[0]
    if host in ('localhost', '127.0.0.1'):
        return login(request, **kwargs)
    elif request.META['SERVER_PORT'] == '444':
        if request.user.is_authenticated():
            # They're already authenticated --- go ahead and redirect
            if 'redirect_field_name' in kwargs:
                redirect_field_name = kwargs['redirect_field_names']
            else:
                from django.contrib.auth import REDIRECT_FIELD_NAME
                redirect_field_name = REDIRECT_FIELD_NAME
            redirect_to = request.REQUEST.get(redirect_field_name, '')
            if not redirect_to or '//' in redirect_to or ' ' in redirect_to:
                redirect_to = settings.LOGIN_REDIRECT_URL
            return HttpResponseRedirect(redirect_to)
        else:
            return login(request, **kwargs)
    else:
        # Move to port 444
        redirect_to = "https://%s:444%s" % (host, request.META['REQUEST_URI'], )
        return HttpResponseRedirect(redirect_to)
Commit	Line	Data
20e2c5bc	1	import os
aec307d9	2	import subprocess
be3f03e7	3	import tempfile
aec307d9 AD	4	import ldap
	5	import ldap.filter
	6
e2ce65b9	7	from django.contrib.auth.backends import RemoteUserBackend
c6b6a6b9	8	from django.contrib.auth.middleware import RemoteUserMiddleware
2e0bd8fa AD	9	from django.contrib.auth.views import login
	10	from django.contrib.auth import REDIRECT_FIELD_NAME
	11	from django.http import HttpResponseRedirect
e2ce65b9 AD	12	from django.contrib import auth
e2ce65b9 AD	13	from django.core.exceptions import ObjectDoesNotExist
6650ee78 AD	14	from django.core.validators import URLValidator, ValidationError
6650ee78 AD	15
be3f03e7	16	from django.conf import settings
e2ce65b9	17
aec307d9 AD	18	def zephyr(msg, clas='message', instance='log', rcpt='nobody',):
	19	proc = subprocess.Popen(
	20	['zwrite', '-d', '-n', '-c', clas, '-i', instance, rcpt, ],
	21	stdin=subprocess.PIPE, stdout=subprocess.PIPE
	22	)
	23	proc.communicate(msg)
e2ce65b9	24
6650ee78 AD	25	def UrlOrAfsValidator(value):
	26	if value.startswith('/mit/') or value.startswith('/afs/'):
	27	return
	28	else:
	29	try:
	30	URLValidator()(value)
	31	except ValidationError:
	32	raise ValidationError('Provide a valid URL or AFS path')
	33
20e2c5bc AD	34	def pag_check_helper(fn, args, aklog=False, ccname=None, **kwargs):
	35	if 'executable' in kwargs:
	36	raise ValueError('"executable" not supported with pag_check_*')
	37
	38	env = None
	39	if 'env' in kwargs:
	40	env = kwargs['env']
	41	del kwargs['env']
	42	if ccname:
	43	if env is not None:
	44	env = dict(env)
	45	else:
	46	env = dict(os.environ)
	47	env['KRB5CCNAME'] = ccname
	48
	49	pagsh_cmd = 'exec "$@"'
	50	if aklog: pagsh_cmd = "aklog && " + pagsh_cmd
	51	args = ['pagsh', '-c', pagsh_cmd, 'exec', ] + args
	52
	53	return fn(args, env=env, **kwargs)
	54
	55	def pag_check_call(args, **kwargs):
	56	return pag_check_helper(subprocess.check_call, args, **kwargs)
	57	def pag_check_output(args, **kwargs):
	58	return pag_check_helper(subprocess.check_output, args, **kwargs)
	59
be3f03e7 AD	60	def kinit(keytab=None, principal=None, autodelete=True, ):
	61	if not keytab:
	62	keytab = settings.KRB_KEYTAB
	63	if not principal:
	64	principal = settings.KRB_PRINCIPAL
	65	assert keytab and principal
	66	fd = tempfile.NamedTemporaryFile(mode='rb', prefix="krb5cc_djmit_", delete=autodelete, )
	67	env = dict(KRB5CCNAME=fd.name)
	68	kinit_cmd = ['kinit', '-k', '-t', keytab, principal, ]
	69	subprocess.check_call(kinit_cmd, env=env)
	70	return fd
	71
e2ce65b9 AD	72	class ScriptsRemoteUserMiddleware(RemoteUserMiddleware):
	73	header = 'SSL_CLIENT_S_DN_Email'
	74
	75	class ScriptsRemoteUserBackend(RemoteUserBackend):
	76	def clean_username(self, username, ):
	77	if '@' in username:
	78	name, domain = username.split('@')
	79	assert domain.upper() == 'MIT.EDU'
	80	return name
	81	else:
	82	return username
	83	def configure_user(self, user, ):
	84	username = user.username
fb128813	85	user.set_unusable_password()
abab96a3	86	con = ldap.open('ldap-too.mit.edu')
e2ce65b9 AD	87	con.simple_bind_s("", "")
	88	dn = "dc=mit,dc=edu"
	89	fields = ['cn', 'sn', 'givenName', 'mail', ]
aec307d9 AD	90	userfilter = ldap.filter.filter_format('uid=%s', [username])
aec307d9 AD	91	result = con.search_s('dc=mit,dc=edu', ldap.SCOPE_SUBTREE, userfilter, fields)
e2ce65b9 AD	92	if len(result) == 1:
	93	user.first_name = result[0][1]['givenName'][0]
	94	user.last_name = result[0][1]['sn'][0]
23bea0e4 GT	95	try:
	96	user.email = result[0][1]['mail'][0]
	97	except KeyError:
	98	user.email = username + '@mit.edu'
e2ce65b9 AD	99	try:
	100	user.groups.add(auth.models.Group.objects.get(name='mit'))
	101	except ObjectDoesNotExist:
	102	print "Failed to retrieve mit group"
aec307d9 AD	103	else:
aec307d9 AD	104	raise ValueError, ("Could not find user with username '%s' (filter '%s')"%(username, userfilter))
e2ce65b9 AD	105	try:
	106	user.groups.add(auth.models.Group.objects.get(name='autocreated'))
	107	except ObjectDoesNotExist:
	108	print "Failed to retrieve autocreated group"
aec307d9	109	user.save()
e2ce65b9	110	return user
2e0bd8fa	111
d4bd5af8 AD	112	def get_or_create_mit_user(username, ):
	113	"""
	114	Given an MIT username, return a Django user object for them.
	115	If necessary, create (and save) the Django user for them.
	116	If the MIT user doesn't exist, raises ValueError.
	117	"""
	118	user, created = auth.models.User.objects.get_or_create(username=username, )
	119	if created:
	120	backend = ScriptsRemoteUserBackend()
	121	# Raises ValueError if the user doesn't exist
	122	try:
	123	return backend.configure_user(user), created
	124	except ValueError:
	125	user.delete()
	126	raise
	127	else:
	128	return user, created
	129
2e0bd8fa	130	def scripts_login(request, **kwargs):
4df1aef4	131	host = request.META['HTTP_HOST'].split(':')[0]
5ba5fe8d	132	if host in ('localhost', '127.0.0.1'):
2e0bd8fa AD	133	return login(request, **kwargs)
	134	elif request.META['SERVER_PORT'] == '444':
	135	if request.user.is_authenticated():
	136	# They're already authenticated --- go ahead and redirect
	137	if 'redirect_field_name' in kwargs:
	138	redirect_field_name = kwargs['redirect_field_names']
	139	else:
	140	from django.contrib.auth import REDIRECT_FIELD_NAME
	141	redirect_field_name = REDIRECT_FIELD_NAME
	142	redirect_to = request.REQUEST.get(redirect_field_name, '')
	143	if not redirect_to or '//' in redirect_to or ' ' in redirect_to:
	144	redirect_to = settings.LOGIN_REDIRECT_URL
	145	return HttpResponseRedirect(redirect_to)
	146	else:
	147	return login(request, **kwargs)
	148	else:
	149	# Move to port 444
2e0bd8fa AD	150	redirect_to = "https://%s:444%s" % (host, request.META['REQUEST_URI'], )
2e0bd8fa AD	151	return HttpResponseRedirect(redirect_to)