"""
Provides various authentication policies.
"""
import base64
import binascii
from django.contrib.auth import authenticate, get_user_model
from django.middleware.csrf import CsrfViewMiddleware
from django.utils.translation import ugettext_lazy as _
from rest_framework import HTTP_HEADER_ENCODING, exceptions
def get_authorization_header(request):
    """
    Return the request's 'Authorization:' header, as a bytestring.

    Reads `HTTP_AUTHORIZATION` from `request.META`, defaulting to `b''`
    when the header is absent. The Django test client can supply the
    value as a unicode string; that case is normalised to bytes here so
    callers can always `.split()` and compare against byte literals.
    """
    header_value = request.META.get('HTTP_AUTHORIZATION', b'')
    if not isinstance(header_value, str):
        return header_value
    # Work around the test client handing us text rather than bytes.
    return header_value.encode(HTTP_HEADER_ENCODING)
class CSRFCheck(CsrfViewMiddleware):
    """
    `CsrfViewMiddleware` variant whose rejection path reports the failure
    reason rather than producing an HttpResponse, so the calling
    authentication class can decide how to surface the failure.
    """

    def _reject(self, request, reason):
        # Hand the reason string back instead of an HttpResponse;
        # `SessionAuthentication.enforce_csrf()` turns a truthy reason
        # into an explicit permission error.
        return reason
class BaseAuthentication:
    """
    All authentication classes should extend BaseAuthentication.
    """

    def authenticate(self, request):
        """
        Authenticate the request and return a two-tuple of (user, token).

        Subclasses must override this; the base implementation always raises
        `NotImplementedError`.
        """
        raise NotImplementedError(".authenticate() must be overridden.")

    def authenticate_header(self, request):
        """
        Return a string to be used as the value of the `WWW-Authenticate`
        header in a `401 Unauthenticated` response, or `None` if the
        authentication scheme should return `403 Permission Denied` responses.

        The base implementation returns `None`.
        """
        return None
class BasicAuthentication(BaseAuthentication):
    """
    HTTP Basic authentication against username/password.

    The credentials are taken from the `Authorization: Basic <base64>` header
    and checked through Django's `authenticate()` with the configured
    authentication backends.
    """
    # Realm advertised in the `WWW-Authenticate` challenge.
    www_authenticate_realm = 'api'

    def authenticate(self, request):
        """
        Returns a `User` if a correct username and password have been supplied
        using HTTP Basic authentication. Otherwise returns `None`.

        Raises `AuthenticationFailed` when a Basic header is present but
        malformed, or when the credentials are rejected.
        """
        parts = get_authorization_header(request).split()

        # No header, or a different scheme: let other authenticators try.
        if not parts:
            return None
        if parts[0].lower() != b'basic':
            return None

        if len(parts) == 1:
            raise exceptions.AuthenticationFailed(
                _('Invalid basic header. No credentials provided.')
            )
        if len(parts) > 2:
            raise exceptions.AuthenticationFailed(
                _('Invalid basic header. Credentials string should not contain spaces.')
            )

        try:
            decoded = base64.b64decode(parts[1]).decode(HTTP_HEADER_ENCODING)
        except (TypeError, UnicodeDecodeError, binascii.Error):
            raise exceptions.AuthenticationFailed(
                _('Invalid basic header. Credentials not correctly base64 encoded.')
            )

        # Split on the first ':' only, so passwords may themselves contain ':'.
        userid, _sep, password = decoded.partition(':')
        return self.authenticate_credentials(userid, password, request)

    def authenticate_credentials(self, userid, password, request=None):
        """
        Authenticate the userid and password against username and password
        with optional request for context.

        Returns `(user, None)`; raises `AuthenticationFailed` if the backends
        reject the credentials or the resulting user is not active.
        """
        username_field = get_user_model().USERNAME_FIELD
        user = authenticate(
            request=request,
            **{username_field: userid, 'password': password}
        )

        if user is None:
            raise exceptions.AuthenticationFailed(_('Invalid username/password.'))

        # Reject inactive accounts even if a backend handed one back.
        if not user.is_active:
            raise exceptions.AuthenticationFailed(_('User inactive or deleted.'))

        return (user, None)

    def authenticate_header(self, request):
        """Return the `WWW-Authenticate` challenge for this realm."""
        realm = self.www_authenticate_realm
        return 'Basic realm="%s"' % realm
class SessionAuthentication(BaseAuthentication):
    """
    Use Django's session framework for authentication.

    Because the browser sends the session cookie automatically, requests
    authenticated this way are also subjected to CSRF validation.
    """

    def authenticate(self, request):
        """
        Returns a `User` if the request session currently has a logged in user.
        Otherwise returns `None`.

        Raises `PermissionDenied` if the session user is present but the
        request fails the CSRF check.
        """
        # The session-based user lives on the underlying Django HttpRequest,
        # not on the REST framework Request wrapper.
        session_user = getattr(request._request, 'user', None)

        # Unauthenticated (or inactive): nothing to protect, skip CSRF.
        if not session_user:
            return None
        if not session_user.is_active:
            return None

        # Only once a logged-in user is found does the CSRF check matter.
        self.enforce_csrf(request)

        return (session_user, None)

    def enforce_csrf(self, request):
        """
        Enforce CSRF validation for session based authentication.

        Raises `PermissionDenied` carrying the middleware's failure reason.
        """
        check = CSRFCheck()
        # process_request() populates request.META['CSRF_COOKIE'], which
        # process_view() reads when validating the token.
        check.process_request(request)
        failure_reason = check.process_view(request, None, (), {})
        if not failure_reason:
            return
        # CSRFCheck._reject() hands back the reason string rather than a
        # response, so surface it as an explicit error message.
        raise exceptions.PermissionDenied('CSRF Failed: %s' % failure_reason)
class TokenAuthentication(BaseAuthentication):
    """
    Simple token based authentication.

    Clients should authenticate by passing the token key in the "Authorization"
    HTTP header, prepended with the string "Token ". For example:

        Authorization: Token 401f7ac837da42b97f613d789819ff93537bee6a

    A custom token model may be used (see `model`), but it must have the
    following properties:

    * key -- The string identifying the token
    * user -- The user to which the token belongs
    """

    # Scheme name expected at the start of the header; compared
    # case-insensitively and echoed back in the `WWW-Authenticate` header.
    keyword = 'Token'
    # Custom token model; `None` selects `rest_framework.authtoken.models.Token`.
    model = None

    def get_model(self):
        """Return the token model: `self.model` if set, else the bundled Token."""
        if self.model is not None:
            return self.model
        # Local import: the authtoken app is only touched when no custom
        # model has been configured.
        from rest_framework.authtoken.models import Token
        return Token

    def authenticate(self, request):
        """
        Returns `(user, token)` if a valid token is supplied in the
        `Authorization` header, `None` if the header uses another scheme.

        Raises `AuthenticationFailed` for a malformed header or unknown token.
        """
        parts = get_authorization_header(request).split()

        # No header, or a different scheme: let other authenticators try.
        if not parts:
            return None
        if parts[0].lower() != self.keyword.lower().encode():
            return None

        if len(parts) == 1:
            raise exceptions.AuthenticationFailed(
                _('Invalid token header. No credentials provided.')
            )
        if len(parts) > 2:
            raise exceptions.AuthenticationFailed(
                _('Invalid token header. Token string should not contain spaces.')
            )

        try:
            key = parts[1].decode()
        except UnicodeError:
            raise exceptions.AuthenticationFailed(
                _('Invalid token header. Token string should not contain invalid characters.')
            )

        return self.authenticate_credentials(key)

    def authenticate_credentials(self, key):
        """
        Look up `key` in the token model and return `(user, token)`.

        Raises `AuthenticationFailed` if no such token exists or its user is
        not active.
        """
        token_model = self.get_model()
        try:
            # select_related('user') fetches the owner in the same query.
            token = token_model.objects.select_related('user').get(key=key)
        except token_model.DoesNotExist:
            raise exceptions.AuthenticationFailed(_('Invalid token.'))

        # A valid token for a deactivated account must not grant access.
        if not token.user.is_active:
            raise exceptions.AuthenticationFailed(_('User inactive or deleted.'))

        return (token.user, token)

    def authenticate_header(self, request):
        """Return the scheme keyword as the `WWW-Authenticate` challenge."""
        return self.keyword
class RemoteUserAuthentication(BaseAuthentication):
    """
    REMOTE_USER authentication.

    To use this, set up your web server to perform authentication, which will
    set the REMOTE_USER environment variable. You will need to have
    'django.contrib.auth.backends.RemoteUserBackend' in your
    AUTHENTICATION_BACKENDS setting.

    The value is trusted as-is, so it must only ever be set by the front-end
    server. If `header` is changed to an `HTTP_`-prefixed key, the server has
    to strip that header from incoming requests, since clients can otherwise
    supply it themselves.
    """

    # Name of request header to grab username from. This will be the key as
    # used in the request.META dictionary, i.e. the normalization of headers to
    # all uppercase and the addition of "HTTP_" prefix apply.
    header = "REMOTE_USER"

    def authenticate(self, request):
        """
        Returns `(user, None)` for an active user resolved from the
        configured header via Django's `authenticate()`, else `None`.
        """
        remote_user = request.META.get(self.header)
        user = authenticate(remote_user=remote_user)
        if not user:
            return None
        if not user.is_active:
            return None
        return (user, None)