2011-02-19 16:12:35 +03:00
|
|
|
"""The :mod:`authenticators` modules provides for pluggable authentication behaviour.
|
|
|
|
|
|
|
|
Authentication behaviour is provided by adding the mixin class :class:`AuthenticatorMixin` to a :class:`.Resource` or Django :class:`View` class.
|
|
|
|
|
|
|
|
The set of authenticators which are use is then specified by setting the :attr:`authenticators` attribute on the class, and listing a set of authenticator classes.
|
|
|
|
"""
|
2011-01-24 21:59:23 +03:00
|
|
|
from django.contrib.auth import authenticate
|
2011-02-19 13:26:27 +03:00
|
|
|
from django.middleware.csrf import CsrfViewMiddleware
|
|
|
|
from djangorestframework.utils import as_tuple
|
2011-01-24 21:59:23 +03:00
|
|
|
import base64
|
|
|
|
|
2011-02-19 13:26:27 +03:00
|
|
|
|
2011-01-24 21:59:23 +03:00
|
|
|
class BaseAuthenticator(object):
|
|
|
|
"""All authenticators should extend BaseAuthenticator."""
|
|
|
|
|
2011-04-25 04:03:23 +04:00
|
|
|
def __init__(self, view):
|
2011-02-19 13:26:27 +03:00
|
|
|
"""Initialise the authenticator with the mixin instance as state,
|
|
|
|
in case the authenticator needs to access any metadata on the mixin object."""
|
2011-04-25 04:03:23 +04:00
|
|
|
self.view = view
|
2011-01-24 21:59:23 +03:00
|
|
|
|
|
|
|
def authenticate(self, request):
|
|
|
|
"""Authenticate the request and return the authentication context or None.
|
|
|
|
|
2011-02-19 13:26:27 +03:00
|
|
|
An authentication context might be something as simple as a User object, or it might
|
|
|
|
be some more complicated token, for example authentication tokens which are signed
|
|
|
|
against a particular set of permissions for a given user, over a given timeframe.
|
|
|
|
|
2011-01-24 21:59:23 +03:00
|
|
|
The default permission checking on Resource will use the allowed_methods attribute
|
|
|
|
for permissions if the authentication context is not None, and use anon_allowed_methods otherwise.
|
|
|
|
|
2011-04-11 20:13:11 +04:00
|
|
|
The authentication context is available to the method calls eg Resource.get(request)
|
|
|
|
by accessing self.auth in order to allow them to apply any more fine grained permission
|
|
|
|
checking at the point the response is being generated.
|
2011-01-24 21:59:23 +03:00
|
|
|
|
|
|
|
This function must be overridden to be implemented."""
|
|
|
|
return None
|
|
|
|
|
|
|
|
|
|
|
|
class BasicAuthenticator(BaseAuthenticator):
|
|
|
|
"""Use HTTP Basic authentication"""
|
|
|
|
def authenticate(self, request):
|
2011-04-05 05:40:18 +04:00
|
|
|
from django.utils.encoding import smart_unicode, DjangoUnicodeDecodeError
|
|
|
|
|
2011-01-24 21:59:23 +03:00
|
|
|
if 'HTTP_AUTHORIZATION' in request.META:
|
|
|
|
auth = request.META['HTTP_AUTHORIZATION'].split()
|
|
|
|
if len(auth) == 2 and auth[0].lower() == "basic":
|
2011-04-05 05:40:18 +04:00
|
|
|
try:
|
|
|
|
auth_parts = base64.b64decode(auth[1]).partition(':')
|
|
|
|
except TypeError:
|
|
|
|
return None
|
|
|
|
|
|
|
|
try:
|
|
|
|
uname, passwd = smart_unicode(auth_parts[0]), smart_unicode(auth_parts[2])
|
|
|
|
except DjangoUnicodeDecodeError:
|
|
|
|
return None
|
|
|
|
|
2011-01-24 21:59:23 +03:00
|
|
|
user = authenticate(username=uname, password=passwd)
|
|
|
|
if user is not None and user.is_active:
|
|
|
|
return user
|
|
|
|
return None
|
|
|
|
|
|
|
|
|
|
|
|
class UserLoggedInAuthenticator(BaseAuthenticator):
|
2011-04-25 04:03:23 +04:00
|
|
|
"""Use Django's built-in request session for authentication."""
|
2011-01-24 21:59:23 +03:00
|
|
|
def authenticate(self, request):
|
2011-04-04 12:19:49 +04:00
|
|
|
if getattr(request, 'user', None) and request.user.is_active:
|
2011-04-27 00:08:36 +04:00
|
|
|
# If this is a POST request we enforce CSRF validation.
|
|
|
|
if request.method.upper() == 'POST':
|
|
|
|
# Temporarily replace request.POST with .RAW_CONTENT,
|
|
|
|
# so that we use our more generic request parsing
|
2011-04-27 21:44:21 +04:00
|
|
|
request._post = self.view.RAW_CONTENT
|
2011-04-27 00:08:36 +04:00
|
|
|
resp = CsrfViewMiddleware().process_view(request, None, (), {})
|
|
|
|
del(request._post)
|
|
|
|
if resp is not None: # csrf failed
|
|
|
|
return None
|
|
|
|
return request.user
|
2011-01-24 21:59:23 +03:00
|
|
|
return None
|
2011-04-27 21:07:28 +04:00
|
|
|
|
|
|
|
|
|
|
|
#class DigestAuthentication(BaseAuthentication):
|
|
|
|
# pass
|
|
|
|
#
|
|
|
|
#class OAuthAuthentication(BaseAuthentication):
|
|
|
|
# pass
|