cas_server.models module¶

models for the app

cas_server.models.logger = <Logger cas_server.models (INFO)>¶: logger facility

class cas_server.models.JsonAttributes(*args, **kwargs)[source]¶

Bases: django.db.models.Model

A base class for models storing attributes as a json

class Meta[source]¶

abstract = False¶

attributs¶: The attributes

class cas_server.models.FederatedIendityProvider(*args, **kwargs)[source]¶

Bases: django.db.models.Model

An identity provider for the federated mode

suffix¶: Suffix append to backend CAS returned username: returned_username @ suffix. it must be unique.

server_url¶: URL to the root of the CAS server application. If login page is https://cas.example.net/cas/login then server_url should be https://cas.example.net/cas/

cas_protocol_version¶: Version of the CAS protocol to use when sending requests the the backend CAS.

verbose_name¶: Name for this identity provider displayed on the login page.

pos¶: Position of the identity provider on the login page. Identity provider are sorted using the (pos, verbose_name, suffix) attributes.

display¶: Display the provider on the login page. Beware that this do not disable the identity provider, it just hide it on the login page. User will always be able to log in using this provider by fetching /federate/suffix.

static build_username_from_suffix(username, suffix)[source]¶

Transform backend username into federated username using suffix

Parameters:	username (unicode) – A CAS backend returned username suffix (unicode) – A suffix identifying the CAS backend
Returns:	The federated username: `username` @ `suffix`.
Return type:	unicode

build_username(username)[source]¶

Transform backend username into federated username

Parameters:	username (unicode) – A CAS backend returned username
Returns:	The federated username: `username` @ `suffix`.
Return type:	unicode

exception DoesNotExist¶

exception MultipleObjectsReturned¶

federateduser_set¶

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

get_cas_protocol_version_display(**morekwargs)¶

id¶: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>¶

class cas_server.models.FederatedUser(*args, **kwargs)[source]¶

Bases: JsonAttributes

A federated user as returner by a CAS provider (username and attributes)

username¶: The user username returned by the CAS backend on successful ticket validation

provider¶: A foreign key to FederatedIendityProvider

ticket¶: The last ticket used to authenticate username against provider

last_update¶: Last update timespampt. Usually, the last time ticket has been set.

federated_username¶: The federated username with a suffix for the current FederatedUser.

classmethod get_from_federated_username(username)[source]¶

Returns:	A `FederatedUser` object from a federated `username`
Return type:	`FederatedUser`

classmethod clean_old_entries()[source]¶: remove old unused FederatedUser

exception DoesNotExist¶

exception MultipleObjectsReturned¶

get_next_by_last_update(**morekwargs)¶

get_previous_by_last_update(**morekwargs)¶

id¶: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>¶

provider_id¶: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

class cas_server.models.FederateSLO(*args, **kwargs)[source]¶

Bases: django.db.models.Model

An association between a CAS provider ticket and a (username, session) for processing SLO

username¶: the federated username with the ``@``component

session_key¶: the session key for the session username has been authenticated using ticket

ticket¶: The ticket used to authenticate username

classmethod clean_deleted_sessions()[source]¶: remove old FederateSLO object for which the session do not exists anymore

exception DoesNotExist¶

exception MultipleObjectsReturned¶

id¶: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>¶

class cas_server.models.UserAttributes(*args, **kwargs)[source]¶

Bases: JsonAttributes

Local cache of the user attributes, used then needed

username¶: The username of the user for which we cache attributes

classmethod clean_old_entries()[source]¶: Remove UserAttributes for which no more User exists.

exception DoesNotExist¶

exception MultipleObjectsReturned¶

id¶: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>¶

class cas_server.models.User(*args, **kwargs)[source]¶

Bases: django.db.models.Model

A user logged into the CAS

session_key¶: The session key of the current authenticated user

username¶: The username of the current authenticated user

date¶: Last time the authenticated user has do something (auth, fetch ticket, etc…)

last_login¶: last time the user logged

delete(*args, **kwargs)[source]¶: Remove the current User. If settings.CAS_FEDERATE is True, also delete the corresponding FederateSLO object.

classmethod clean_old_entries()[source]¶: Remove User objects inactive since more that SESSION_COOKIE_AGE and send corresponding SingleLogOut requests.

classmethod clean_deleted_sessions()[source]¶: Remove User objects where the corresponding session do not exists anymore.

attributs¶: Property. A fresh dict for the user attributes, using settings.CAS_AUTH_CLASS if possible, and if not, try to fallback to cached attributes (actually only used for ldap auth class with bind password check mthode).

logout(request=None)[source]¶

Send SLO requests to all services the user is logged in.

Parameters:	request (`django.http.HttpRequest` or `NoneType`) – The current django HttpRequest to display possible failure to the user.

get_ticket(ticket_class, service, service_pattern, renew)[source]¶

Generate a ticket using ticket_class for the service service matching service_pattern and asking or not for authentication renewal with renew

Parameters:	ticket_class (type) – `ServiceTicket` or `ProxyTicket` or `ProxyGrantingTicket`. service (unicode) – The service url for which we want a ticket. service_pattern (ServicePattern) – The service pattern matching `service`. Beware that `service` must match `ServicePattern.pattern` and the current `User` must pass `ServicePattern.check_user()`. These checks are not done here and you must perform them before calling this method. renew (bool) – Should be `True` if authentication has been renewed. Must be `False` otherwise.
Returns:	A `Ticket` object.
Return type:	`ServiceTicket` or `ProxyTicket` or `ProxyGrantingTicket`.

get_service_url(service, service_pattern, renew)[source]¶

Return the url to which the user must be redirected to after a Service Ticket has been generated

Parameters:	service (unicode) – The service url for which we want a ticket. service_pattern (ServicePattern) – The service pattern matching `service`. Beware that `service` must match `ServicePattern.pattern` and the current `User` must pass `ServicePattern.check_user()`. These checks are not done here and you must perform them before calling this method. renew (bool) – Should be `True` if authentication has been renewed. Must be `False` otherwise.
Return unicode:	The service url with the ticket GET param added.
Return type:	unicode

exception DoesNotExist¶

exception MultipleObjectsReturned¶

get_next_by_date(**morekwargs)¶

get_next_by_last_login(**morekwargs)¶

get_previous_by_date(**morekwargs)¶

get_previous_by_last_login(**morekwargs)¶

id¶: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>¶

proxygrantingticket¶

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

proxyticket¶

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

serviceticket¶

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

exception cas_server.models.ServicePatternException[source]¶

Bases: exceptions.Exception

Base exception of exceptions raised in the ServicePattern model

exception cas_server.models.BadUsername[source]¶

Bases: ServicePatternException

Exception raised then an non allowed username try to get a ticket for a service

exception cas_server.models.BadFilter[source]¶

Bases: ServicePatternException

Exception raised then a user try to get a ticket for a service and do not reach a condition

exception cas_server.models.UserFieldNotDefined[source]¶

Bases: ServicePatternException

Exception raised then a user try to get a ticket for a service using as username an attribut not present on this user

class cas_server.models.ServicePattern(*args, **kwargs)[source]¶

Bases: django.db.models.Model

Allowed services pattern against services are tested to

pos¶: service patterns are sorted using the pos attribute

name¶: A name for the service (this can bedisplayed to the user on the login page)

pattern¶: A regular expression matching services. “Will usually looks like ‘^https://some.server.com/path/.*$’. As it is a regular expression, special character must be escaped with a ‘'.

user_field¶: Name of the attribute to transmit as username, if empty the user login is used

restrict_users¶: A boolean allowing to limit username allowed to connect to usernames.

proxy¶: A boolean allowing to deliver ProxyTicket to the service.

proxy_callback¶: A boolean allowing the service to be used as a proxy callback (via the pgtUrl GET param) to deliver ProxyGrantingTicket.

single_log_out¶: Enable SingleLogOut for the service. Old validaed tickets for the service will be kept until settings.CAS_TICKET_TIMEOUT after what a SLO request is send to the service and the ticket is purged from database. A SLO can be send earlier if the user log-out.

single_log_out_callback¶: An URL where the SLO request will be POST. If empty the service url will be used. This is usefull for non HTTP proxied services like smtp or imap.

check_user(user)[source]¶

Check if user if allowed to use theses services. If user is not allowed, raises one of BadFilter, UserFieldNotDefined, BadUsername

Parameters:	user (User) – a `User` object
Raises:	BadUsername – if `restrict_users` if `True` and `User.username` is not within `usernames`. BadFilter – if a `FilterAttributValue` condition of `filters` connot be verified. UserFieldNotDefined – if `user_field` is defined and its value is not within `User.attributs`.
Returns:	`True`
Return type:	bool

classmethod validate(service)[source]¶

Get a ServicePattern intance from a service url.

Parameters:	service (unicode) – A service url
Returns:	A `ServicePattern` instance matching `service`.
Return type:	`ServicePattern`
Raises:	ServicePattern.DoesNotExist – if no `ServicePattern` is matching `service`.

exception DoesNotExist¶

exception MultipleObjectsReturned¶

attributs¶

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

filters¶

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

id¶: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>¶

proxygrantingticket¶

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

proxyticket¶

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

replacements¶

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

serviceticket¶

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

usernames¶

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

class cas_server.models.Username(*args, **kwargs)[source]¶

Bases: django.db.models.Model

A list of allowed usernames on a ServicePattern

value¶: username allowed to connect to the service

service_pattern¶: ForeignKey to a ServicePattern. Username instances for a ServicePattern are accessible thought its ServicePattern.usernames attribute.

exception DoesNotExist¶

exception MultipleObjectsReturned¶

id¶: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>¶

service_pattern_id¶: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

class cas_server.models.ReplaceAttributName(*args, **kwargs)[source]¶

Bases: django.db.models.Model

A replacement of an attribute name for a ServicePattern. It also tell to transmit an attribute of User.attributs to the service. An empty replace mean to use the original attribute name.

name¶: Name the attribute: a key of User.attributs

replace¶: The name of the attribute to transmit to the service. If empty, the value of name is used.

service_pattern¶: ForeignKey to a ServicePattern. ReplaceAttributName instances for a ServicePattern are accessible thought its ServicePattern.attributs attribute.

exception DoesNotExist¶

exception MultipleObjectsReturned¶

id¶: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>¶

service_pattern_id¶: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

class cas_server.models.FilterAttributValue(*args, **kwargs)[source]¶

Bases: django.db.models.Model

A filter on User.attributs for a ServicePattern. If a User do not have an attribute attribut or its value do not match pattern, then ServicePattern.check_user() will raises BadFilter if called with that user.

attribut¶: The name of a user attribute

pattern¶: A regular expression the attribute attribut value must verify. If attribut if a list, only one of the list values needs to match.

service_pattern¶: ForeignKey to a ServicePattern. FilterAttributValue instances for a ServicePattern are accessible thought its ServicePattern.filters attribute.

exception DoesNotExist¶

exception MultipleObjectsReturned¶

id¶: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>¶

service_pattern_id¶: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

class cas_server.models.ReplaceAttributValue(*args, **kwargs)[source]¶

Bases: django.db.models.Model

A replacement (using a regular expression) of an attribute value for a ServicePattern.

attribut¶: Name the attribute: a key of User.attributs

pattern¶: A regular expression matching the part of the attribute value that need to be changed

replace¶: The replacement to what is mached by pattern. groups are capture by \1, \2 …

service_pattern¶: ForeignKey to a ServicePattern. ReplaceAttributValue instances for a ServicePattern are accessible thought its ServicePattern.replacements attribute.

exception DoesNotExist¶

exception MultipleObjectsReturned¶

id¶: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>¶

service_pattern_id¶: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

class cas_server.models.Ticket(*args, **kwargs)[source]¶

Bases: JsonAttributes

Generic class for a Ticket

class Meta[source]¶

abstract = False¶

user¶: ForeignKey to a User.

validate¶: A boolean. True if the ticket has been validated

service¶: The service url for the ticket

service_pattern¶: ForeignKey to a ServicePattern. The ServicePattern corresponding to service. Use ServicePattern.validate() to find it.

creation¶: Date of the ticket creation

renew¶: A boolean. True if the user has just renew his authentication

single_log_out¶: A boolean. Set to service_pattern attribute ServicePattern.single_log_out value.

VALIDITY = 60¶: Max duration between ticket creation and its validation. Any validation attempt for the ticket after creation + VALIDITY will fail as if the ticket do not exists.

TIMEOUT = 86400¶: Time we keep ticket with single_log_out set to True before sending SingleLogOut requests.

exception DoesNotExist[source]¶: raised in Ticket.get() then ticket prefix and ticket classes mismatch

static send_slos(queryset_list)[source]¶

Send SLO requests to each ticket of each queryset of queryset_list

Parameters:	queryset_list (list) – A list a `Ticket` queryset
Returns:	A list of possibly encoutered `Exception`
Return type:	list

classmethod clean_old_entries()[source]¶: Remove old ticket and send SLO to timed-out services

logout(session, async_list=None)[source]¶: Send a SLO request to the ticket service

static get_class(ticket, classes=None)[source]¶

Return the ticket class of ticket

Parameters:	ticket (unicode) – A ticket classes (list) – Optinal arguement. A list of possible `Ticket` subclasses
Returns:	The class corresponding to `ticket` (`ServiceTicket` or `ProxyTicket` or `ProxyGrantingTicket`) if found among classes, ``None otherwise.
Return type:	`type` or `NoneType`

username()[source]¶

The username to send on ticket validation

Returns:	The value of the corresponding user attribute if `service_pattern`.user_field is set, the user username otherwise.

attributs_flat()[source]¶

generate attributes list for template rendering

Returns:	An list of (attribute name, attribute value) of all user attributes flatened (no nested list)
Return type:	`list` of `tuple` of `unicode`

classmethod get(ticket, renew=False, service=None)[source]¶

Search the database for a valid ticket with provided arguments

Parameters:	ticket (unicode) – A ticket value renew (bool) – Is authentication renewal needed service (unicode) – Optional argument. The ticket service
Raises:	Ticket.DoesNotExist – if no class is found for the ticket prefix cls.DoesNotExist – if `ticket` value is not found in th database
Returns:	a `Ticket` instance
Return type:	Ticket

get_next_by_creation(**morekwargs)¶

get_previous_by_creation(**morekwargs)¶

service_pattern_id¶: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

user_id¶: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

class cas_server.models.ServiceTicket(*args, **kwargs)[source]¶

Bases: Ticket

A Service Ticket

PREFIX = 'ST'¶: The ticket prefix used to differentiate it from other tickets types

value¶: The ticket value

exception DoesNotExist¶

exception MultipleObjectsReturned¶

get_next_by_creation(**morekwargs)¶

get_previous_by_creation(**morekwargs)¶

id¶: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>¶

service_pattern¶

Accessor to the related object on the forward side of a many-to-one or one-to-one (via ForwardOneToOneDescriptor subclass) relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

child.parent is a ForwardManyToOneDescriptor instance.

user¶

Accessor to the related object on the forward side of a many-to-one or one-to-one (via ForwardOneToOneDescriptor subclass) relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

child.parent is a ForwardManyToOneDescriptor instance.

class cas_server.models.ProxyTicket(*args, **kwargs)[source]¶

Bases: Ticket

A Proxy Ticket

PREFIX = 'PT'¶: The ticket prefix used to differentiate it from other tickets types

value¶: The ticket value

exception DoesNotExist¶

exception MultipleObjectsReturned¶

get_next_by_creation(**morekwargs)¶

get_previous_by_creation(**morekwargs)¶

id¶: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>¶

proxies¶

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

service_pattern¶

Accessor to the related object on the forward side of a many-to-one or one-to-one (via ForwardOneToOneDescriptor subclass) relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

child.parent is a ForwardManyToOneDescriptor instance.

user¶

Accessor to the related object on the forward side of a many-to-one or one-to-one (via ForwardOneToOneDescriptor subclass) relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

child.parent is a ForwardManyToOneDescriptor instance.

class cas_server.models.ProxyGrantingTicket(*args, **kwargs)[source]¶

Bases: Ticket

A Proxy Granting Ticket

PREFIX = 'PGT'¶: The ticket prefix used to differentiate it from other tickets types

VALIDITY = 3600¶: ProxyGranting ticket are never validated. However, they can be used during VALIDITY to get ProxyTicket for user

value¶: The ticket value

exception DoesNotExist¶

exception MultipleObjectsReturned¶

get_next_by_creation(**morekwargs)¶

get_previous_by_creation(**morekwargs)¶

id¶: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>¶

service_pattern¶

Accessor to the related object on the forward side of a many-to-one or one-to-one (via ForwardOneToOneDescriptor subclass) relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

child.parent is a ForwardManyToOneDescriptor instance.

user¶

Accessor to the related object on the forward side of a many-to-one or one-to-one (via ForwardOneToOneDescriptor subclass) relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

child.parent is a ForwardManyToOneDescriptor instance.

class cas_server.models.Proxy(*args, **kwargs)[source]¶

Bases: django.db.models.Model

A list of proxies on ProxyTicket

url¶: Service url of the PGT used for getting the associated ProxyTicket

proxy_ticket¶: ForeignKey to a ProxyTicket. Proxy instances for a ProxyTicket are accessible thought its ProxyTicket.proxies attribute.

exception DoesNotExist¶

exception MultipleObjectsReturned¶

id¶: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>¶

proxy_ticket_id¶: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

class cas_server.models.NewVersionWarning(*args, **kwargs)[source]¶

Bases: django.db.models.Model

The last new version available version sent

version¶: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

exception DoesNotExist¶

exception MultipleObjectsReturned¶

id¶: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>¶

classmethod send_mails()[source]¶: For each new django-cas-server version, if the current instance is not up to date send one mail to settings.ADMINS.