2011-02-19 16:12:35 +03:00
|
|
|
"""The :mod:`authenticators` modules provides for pluggable authentication behaviour.
|
|
|
|
|
|
|
|
Authentication behaviour is provided by adding the mixin class :class:`AuthenticatorMixin` to a :class:`.Resource` or Django :class:`View` class.
|
|
|
|
|
|
|
|
The set of authenticators which are use is then specified by setting the :attr:`authenticators` attribute on the class, and listing a set of authenticator classes.
|
|
|
|
"""
|
2011-01-24 21:59:23 +03:00
|
|
|
from django.contrib.auth import authenticate
|
2011-02-19 13:26:27 +03:00
|
|
|
from django.middleware.csrf import CsrfViewMiddleware
|
|
|
|
from djangorestframework.utils import as_tuple
|
2011-01-24 21:59:23 +03:00
|
|
|
import base64
|
|
|
|
|
2011-02-19 13:26:27 +03:00
|
|
|
|
|
|
|
class AuthenticatorMixin(object):
|
2011-02-19 16:12:35 +03:00
|
|
|
"""Adds pluggable authentication behaviour."""
|
|
|
|
|
|
|
|
"""The set of authenticators to use."""
|
2011-02-19 13:26:27 +03:00
|
|
|
authenticators = None
|
|
|
|
|
|
|
|
def authenticate(self, request):
|
|
|
|
"""Attempt to authenticate the request, returning an authentication context or None.
|
2011-02-19 16:12:35 +03:00
|
|
|
An authentication context may be any object, although in many cases it will simply be a :class:`User` instance."""
|
2011-02-19 13:26:27 +03:00
|
|
|
|
|
|
|
# Attempt authentication against each authenticator in turn,
|
|
|
|
# and return None if no authenticators succeed in authenticating the request.
|
|
|
|
for authenticator in as_tuple(self.authenticators):
|
|
|
|
auth_context = authenticator(self).authenticate(request)
|
|
|
|
if auth_context:
|
|
|
|
return auth_context
|
|
|
|
|
|
|
|
return None
|
|
|
|
|
|
|
|
|
2011-01-24 21:59:23 +03:00
|
|
|
class BaseAuthenticator(object):
|
|
|
|
"""All authenticators should extend BaseAuthenticator."""
|
|
|
|
|
2011-02-19 13:26:27 +03:00
|
|
|
def __init__(self, mixin):
|
|
|
|
"""Initialise the authenticator with the mixin instance as state,
|
|
|
|
in case the authenticator needs to access any metadata on the mixin object."""
|
|
|
|
self.mixin = mixin
|
2011-01-24 21:59:23 +03:00
|
|
|
|
|
|
|
def authenticate(self, request):
|
|
|
|
"""Authenticate the request and return the authentication context or None.
|
|
|
|
|
2011-02-19 13:26:27 +03:00
|
|
|
An authentication context might be something as simple as a User object, or it might
|
|
|
|
be some more complicated token, for example authentication tokens which are signed
|
|
|
|
against a particular set of permissions for a given user, over a given timeframe.
|
|
|
|
|
2011-01-24 21:59:23 +03:00
|
|
|
The default permission checking on Resource will use the allowed_methods attribute
|
|
|
|
for permissions if the authentication context is not None, and use anon_allowed_methods otherwise.
|
|
|
|
|
|
|
|
The authentication context is passed to the method calls eg Resource.get(request, auth) in order to
|
|
|
|
allow them to apply any more fine grained permission checking at the point the response is being generated.
|
|
|
|
|
|
|
|
This function must be overridden to be implemented."""
|
|
|
|
return None
|
|
|
|
|
|
|
|
|
|
|
|
class BasicAuthenticator(BaseAuthenticator):
|
|
|
|
"""Use HTTP Basic authentication"""
|
|
|
|
def authenticate(self, request):
|
2011-04-05 05:40:18 +04:00
|
|
|
from django.utils.encoding import smart_unicode, DjangoUnicodeDecodeError
|
|
|
|
|
2011-01-24 21:59:23 +03:00
|
|
|
if 'HTTP_AUTHORIZATION' in request.META:
|
|
|
|
auth = request.META['HTTP_AUTHORIZATION'].split()
|
|
|
|
if len(auth) == 2 and auth[0].lower() == "basic":
|
2011-04-05 05:40:18 +04:00
|
|
|
try:
|
|
|
|
auth_parts = base64.b64decode(auth[1]).partition(':')
|
|
|
|
except TypeError:
|
|
|
|
return None
|
|
|
|
|
|
|
|
try:
|
|
|
|
uname, passwd = smart_unicode(auth_parts[0]), smart_unicode(auth_parts[2])
|
|
|
|
except DjangoUnicodeDecodeError:
|
|
|
|
return None
|
|
|
|
|
2011-01-24 21:59:23 +03:00
|
|
|
user = authenticate(username=uname, password=passwd)
|
|
|
|
if user is not None and user.is_active:
|
|
|
|
return user
|
|
|
|
return None
|
|
|
|
|
|
|
|
|
|
|
|
class UserLoggedInAuthenticator(BaseAuthenticator):
|
2011-04-27 00:08:36 +04:00
|
|
|
"""Use Django's built-in request session for authentication."""
|
2011-01-24 21:59:23 +03:00
|
|
|
def authenticate(self, request):
|
2011-04-04 12:19:49 +04:00
|
|
|
if getattr(request, 'user', None) and request.user.is_active:
|
2011-04-27 00:08:36 +04:00
|
|
|
# If this is a POST request we enforce CSRF validation.
|
|
|
|
if request.method.upper() == 'POST':
|
|
|
|
# Temporarily replace request.POST with .RAW_CONTENT,
|
|
|
|
# so that we use our more generic request parsing
|
|
|
|
request._post = self.mixin.RAW_CONTENT
|
|
|
|
resp = CsrfViewMiddleware().process_view(request, None, (), {})
|
|
|
|
del(request._post)
|
|
|
|
if resp is not None: # csrf failed
|
|
|
|
return None
|
|
|
|
return request.user
|
2011-01-24 21:59:23 +03:00
|
|
|
return None
|
|
|
|
|