cas_server.models module

models for the app

cas_server.models.logger = <Logger cas_server.models (INFO)>: logger facility

class cas_server.models.JsonAttributes(*args, **kwargs)[source]

Bases: django.db.models.Model

A base class for models storing attributes as a json

class Meta[source]

abstract = False

property attributs: The attributes

class cas_server.models.FederatedIendityProvider(*args, **kwargs)[source]

Bases: django.db.models.Model

An identity provider for the federated mode

suffix: Suffix append to backend CAS returned username: returned_username @ suffix. it must be unique.

server_url: URL to the root of the CAS server application. If login page is https://cas.example.net/cas/login then server_url should be https://cas.example.net/cas/

cas_protocol_version: Version of the CAS protocol to use when sending requests the the backend CAS.

verbose_name: Name for this identity provider displayed on the login page.

pos: Position of the identity provider on the login page. Identity provider are sorted using the (pos, verbose_name, suffix) attributes.

display: Display the provider on the login page. Beware that this do not disable the identity provider, it just hide it on the login page. User will always be able to log in using this provider by fetching /federate/suffix.

static build_username_from_suffix(username, suffix)[source]

Transform backend username into federated username using suffix

Parameters

username (unicode) – A CAS backend returned username
suffix (unicode) – A suffix identifying the CAS backend

Returns

The federated username: username @ suffix.

Return type

unicode

build_username(username)[source]

Transform backend username into federated username

Parameters: username (unicode) – A CAS backend returned username
Returns: The federated username: username @ suffix.
Return type: unicode

exception DoesNotExist

exception MultipleObjectsReturned

federateduser_set

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

Parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

get_cas_protocol_version_display(*, field=<django.db.models.fields.CharField: cas_protocol_version>)

id: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>

class cas_server.models.FederatedUser(*args, **kwargs)[source]

Bases: JsonAttributes

A federated user as returner by a CAS provider (username and attributes)

username: The user username returned by the CAS backend on successful ticket validation

provider: A foreign key to FederatedIendityProvider

ticket: The last ticket used to authenticate username against provider

last_update: Last update timespampt. Usually, the last time ticket has been set.

property federated_username: The federated username with a suffix for the current FederatedUser.

classmethod get_from_federated_username(username)[source]

Returns: A FederatedUser object from a federated username
Return type: FederatedUser

classmethod clean_old_entries()[source]: remove old unused FederatedUser

exception DoesNotExist

exception MultipleObjectsReturned

get_next_by_last_update(*, field=<django.db.models.fields.DateTimeField: last_update>, is_next=True, **kwargs)

get_previous_by_last_update(*, field=<django.db.models.fields.DateTimeField: last_update>, is_next=False, **kwargs)

id: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>

provider_id: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

class cas_server.models.FederateSLO(*args, **kwargs)[source]

Bases: django.db.models.Model

An association between a CAS provider ticket and a (username, session) for processing SLO

username: the federated username with the @ component

session_key: the session key for the session username has been authenticated using ticket

ticket: The ticket used to authenticate username

classmethod clean_deleted_sessions()[source]: remove old FederateSLO object for which the session do not exists anymore

exception DoesNotExist

exception MultipleObjectsReturned

id: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>

class cas_server.models.UserAttributes(*args, **kwargs)[source]

Bases: JsonAttributes

Local cache of the user attributes, used then needed

username: The username of the user for which we cache attributes

classmethod clean_old_entries()[source]: Remove UserAttributes for which no more User exists.

exception DoesNotExist

exception MultipleObjectsReturned

id: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>

class cas_server.models.User(*args, **kwargs)[source]

Bases: django.db.models.Model

A user logged into the CAS

session_key: The session key of the current authenticated user

username: The username of the current authenticated user

date: Last time the authenticated user has do something (auth, fetch ticket, etc…)

last_login: last time the user logged

delete(*args, **kwargs)[source]: Remove the current User. If settings.CAS_FEDERATE is True, also delete the corresponding FederateSLO object.

classmethod clean_old_entries()[source]: Remove User objects inactive since more that SESSION_COOKIE_AGE and send corresponding SingleLogOut requests.

classmethod clean_deleted_sessions()[source]: Remove User objects where the corresponding session do not exists anymore.

property attributs: Property. A fresh dict for the user attributes, using settings.CAS_AUTH_CLASS if possible, and if not, try to fallback to cached attributes (actually only used for ldap auth class with bind password check mthode).

logout(request=None)[source]

Send SLO requests to all services the user is logged in.

Parameters: request (django.http.HttpRequest or NoneType) – The current django HttpRequest to display possible failure to the user.

get_ticket(ticket_class, service, service_pattern, renew)[source]

Generate a ticket using ticket_class for the service service matching service_pattern and asking or not for authentication renewal with renew

Parameters

ticket_class (type) – ServiceTicket or ProxyTicket or ProxyGrantingTicket.
service (unicode) – The service url for which we want a ticket.
service_pattern (ServicePattern) – The service pattern matching service. Beware that service must match ServicePattern.pattern and the current User must pass ServicePattern.check_user(). These checks are not done here and you must perform them before calling this method.
renew (bool) – Should be True if authentication has been renewed. Must be False otherwise.

Returns

A Ticket object.

Return type

ServiceTicket or ProxyTicket or ProxyGrantingTicket.

get_service_url(service, service_pattern, renew)[source]

Return the url to which the user must be redirected to after a Service Ticket has been generated

Parameters

service (unicode) – The service url for which we want a ticket.
service_pattern (ServicePattern) – The service pattern matching service. Beware that service must match ServicePattern.pattern and the current User must pass ServicePattern.check_user(). These checks are not done here and you must perform them before calling this method.
renew (bool) – Should be True if authentication has been renewed. Must be False otherwise.

Return unicode

The service url with the ticket GET param added.

Return type

unicode

exception DoesNotExist

exception MultipleObjectsReturned

get_next_by_date(*, field=<django.db.models.fields.DateTimeField: date>, is_next=True, **kwargs)

get_next_by_last_login(*, field=<django.db.models.fields.DateTimeField: last_login>, is_next=True, **kwargs)

get_previous_by_date(*, field=<django.db.models.fields.DateTimeField: date>, is_next=False, **kwargs)

get_previous_by_last_login(*, field=<django.db.models.fields.DateTimeField: last_login>, is_next=False, **kwargs)

id: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>

proxygrantingticket

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

Parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

proxyticket

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

Parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

serviceticket

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

Parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

exception cas_server.models.ServicePatternException[source]

Bases: exceptions.Exception

Base exception of exceptions raised in the ServicePattern model

exception cas_server.models.BadUsername[source]

Bases: ServicePatternException

Exception raised then an non allowed username try to get a ticket for a service

exception cas_server.models.BadFilter[source]

Bases: ServicePatternException

Exception raised then a user try to get a ticket for a service and do not reach a condition

exception cas_server.models.UserFieldNotDefined[source]

Bases: ServicePatternException

Exception raised then a user try to get a ticket for a service using as username an attribut not present on this user

class cas_server.models.ServicePattern(*args, **kwargs)[source]

Bases: django.db.models.Model

Allowed services pattern against services are tested to

pos: service patterns are sorted using the pos attribute

name: A name for the service (this can bedisplayed to the user on the login page)

pattern: A regular expression matching services. “Will usually looks like ‘^https://some\.server\.com/path/.*$’. As it is a regular expression, special character must be escaped with a ‘\’.

user_field: Name of the attribute to transmit as username, if empty the user login is used

restrict_users: A boolean allowing to limit username allowed to connect to usernames.

proxy: A boolean allowing to deliver ProxyTicket to the service.

proxy_callback: A boolean allowing the service to be used as a proxy callback (via the pgtUrl GET param) to deliver ProxyGrantingTicket.

single_log_out: Enable SingleLogOut for the service. Old validaed tickets for the service will be kept until settings.CAS_TICKET_TIMEOUT after what a SLO request is send to the service and the ticket is purged from database. A SLO can be send earlier if the user log-out.

single_log_out_callback: An URL where the SLO request will be POST. If empty the service url will be used. This is usefull for non HTTP proxied services like smtp or imap.

check_user(user)[source]

Check if user if allowed to use theses services. If user is not allowed, raises one of BadFilter, UserFieldNotDefined, BadUsername

Parameters

user (User) – a User object

Raises

BadUsername – if restrict_users if True and User.username is not within usernames.
BadFilter – if a FilterAttributValue condition of filters connot be verified.
UserFieldNotDefined – if user_field is defined and its value is not within User.attributs.

Returns

True

Return type

bool

classmethod validate(service)[source]

Get a ServicePattern intance from a service url.

Parameters: service (unicode) – A service url
Returns: A ServicePattern instance matching service.
Return type: ServicePattern
Raises: ServicePattern.DoesNotExist – if no ServicePattern is matching service.

exception DoesNotExist

exception MultipleObjectsReturned

attributs

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

Parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

filters

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

Parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

id: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>

proxygrantingticket

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

Parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

proxyticket

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

Parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

replacements

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

Parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

serviceticket

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

Parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

usernames

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

Parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

class cas_server.models.Username(*args, **kwargs)[source]

Bases: django.db.models.Model

A list of allowed usernames on a ServicePattern

value: username allowed to connect to the service

service_pattern: ForeignKey to a ServicePattern. Username instances for a ServicePattern are accessible thought its ServicePattern.usernames attribute.

exception DoesNotExist

exception MultipleObjectsReturned

id: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>

service_pattern_id: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

class cas_server.models.ReplaceAttributName(*args, **kwargs)[source]

Bases: django.db.models.Model

A replacement of an attribute name for a ServicePattern. It also tell to transmit an attribute of User.attributs to the service. An empty replace mean to use the original attribute name.

name: Name the attribute: a key of User.attributs

replace: The name of the attribute to transmit to the service. If empty, the value of name is used.

service_pattern: ForeignKey to a ServicePattern. ReplaceAttributName instances for a ServicePattern are accessible thought its ServicePattern.attributs attribute.

exception DoesNotExist

exception MultipleObjectsReturned

id: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>

service_pattern_id: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

class cas_server.models.FilterAttributValue(*args, **kwargs)[source]

Bases: django.db.models.Model

A filter on User.attributs for a ServicePattern. If a User do not have an attribute attribut or its value do not match pattern, then ServicePattern.check_user() will raises BadFilter if called with that user.

attribut: The name of a user attribute

pattern: A regular expression the attribute attribut value must verify. If attribut if a list, only one of the list values needs to match.

service_pattern: ForeignKey to a ServicePattern. FilterAttributValue instances for a ServicePattern are accessible thought its ServicePattern.filters attribute.

exception DoesNotExist

exception MultipleObjectsReturned

id: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>

service_pattern_id: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

class cas_server.models.ReplaceAttributValue(*args, **kwargs)[source]

Bases: django.db.models.Model

A replacement (using a regular expression) of an attribute value for a ServicePattern.

attribut: Name the attribute: a key of User.attributs

pattern: A regular expression matching the part of the attribute value that need to be changed

replace: The replacement to what is mached by pattern. groups are capture by \1, \2 …

service_pattern: ForeignKey to a ServicePattern. ReplaceAttributValue instances for a ServicePattern are accessible thought its ServicePattern.replacements attribute.

exception DoesNotExist

exception MultipleObjectsReturned

id: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>

service_pattern_id: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

class cas_server.models.Ticket(*args, **kwargs)[source]

Bases: JsonAttributes

Generic class for a Ticket

class Meta[source]

abstract = False

user: ForeignKey to a User.

validate: A boolean. True if the ticket has been validated

service: The service url for the ticket

service_pattern: ForeignKey to a ServicePattern. The ServicePattern corresponding to service. Use ServicePattern.validate() to find it.

creation: Date of the ticket creation

renew: A boolean. True if the user has just renew his authentication

single_log_out: A boolean. Set to service_pattern attribute ServicePattern.single_log_out value.

VALIDITY = 60: Max duration between ticket creation and its validation. Any validation attempt for the ticket after creation + VALIDITY will fail as if the ticket do not exists.

TIMEOUT = 86400: Time we keep ticket with single_log_out set to True before sending SingleLogOut requests.

exception DoesNotExist[source]: raised in Ticket.get() then ticket prefix and ticket classes mismatch

static send_slos(queryset_list)[source]

Send SLO requests to each ticket of each queryset of queryset_list

Parameters: queryset_list (list) – A list a Ticket queryset
Returns: A list of possibly encoutered Exception
Return type: list

classmethod clean_old_entries()[source]: Remove old ticket and send SLO to timed-out services

logout(session, async_list=None)[source]: Send a SLO request to the ticket service

static get_class(ticket, classes=None)[source]

Return the ticket class of ticket

Parameters

ticket (unicode) – A ticket
classes (list) – Optinal arguement. A list of possible Ticket subclasses

Returns

The class corresponding to ticket (ServiceTicket or ProxyTicket or ProxyGrantingTicket) if found among classes, ``None otherwise.

Return type

type or NoneType

username()[source]

The username to send on ticket validation

Returns: The value of the corresponding user attribute if service_pattern.user_field is set, the user username otherwise.

attributs_flat()[source]

generate attributes list for template rendering

Returns: An list of (attribute name, attribute value) of all user attributes flatened (no nested list)
Return type: list of tuple of unicode

classmethod get(ticket, renew=False, service=None)[source]

Search the database for a valid ticket with provided arguments

Parameters

ticket (unicode) – A ticket value
renew (bool) – Is authentication renewal needed
service (unicode) – Optional argument. The ticket service

Raises

Ticket.DoesNotExist – if no class is found for the ticket prefix
cls.DoesNotExist – if ticket value is not found in th database

Returns

a Ticket instance

Return type

Ticket

get_next_by_creation(*, field=<django.db.models.fields.DateTimeField: creation>, is_next=True, **kwargs)

get_previous_by_creation(*, field=<django.db.models.fields.DateTimeField: creation>, is_next=False, **kwargs)

service_pattern_id: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

user_id: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

class cas_server.models.ServiceTicket(*args, **kwargs)[source]

Bases: Ticket

A Service Ticket

PREFIX = 'ST': The ticket prefix used to differentiate it from other tickets types

value: The ticket value

exception DoesNotExist

exception MultipleObjectsReturned

get_next_by_creation(*, field=<django.db.models.fields.DateTimeField: creation>, is_next=True, **kwargs)

get_previous_by_creation(*, field=<django.db.models.fields.DateTimeField: creation>, is_next=False, **kwargs)

id: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>

service_pattern: ForeignKey to a ServicePattern. The ServicePattern corresponding to service. Use ServicePattern.validate() to find it.

user: ForeignKey to a User.

class cas_server.models.ProxyTicket(*args, **kwargs)[source]

Bases: Ticket

A Proxy Ticket

PREFIX = 'PT': The ticket prefix used to differentiate it from other tickets types

value: The ticket value

exception DoesNotExist

exception MultipleObjectsReturned

get_next_by_creation(*, field=<django.db.models.fields.DateTimeField: creation>, is_next=True, **kwargs)

get_previous_by_creation(*, field=<django.db.models.fields.DateTimeField: creation>, is_next=False, **kwargs)

id: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>

proxies

Accessor to the related objects manager on the reverse side of a many-to-one relation.

In the example:

class Child(Model):
    parent = ForeignKey(Parent, related_name='children')

Parent.children is a ReverseManyToOneDescriptor instance.

Most of the implementation is delegated to a dynamically defined manager class built by create_forward_many_to_many_manager() defined below.

service_pattern: ForeignKey to a ServicePattern. The ServicePattern corresponding to service. Use ServicePattern.validate() to find it.

user: ForeignKey to a User.

class cas_server.models.ProxyGrantingTicket(*args, **kwargs)[source]

Bases: Ticket

A Proxy Granting Ticket

PREFIX = 'PGT': The ticket prefix used to differentiate it from other tickets types

VALIDITY = 3600: ProxyGranting ticket are never validated. However, they can be used during VALIDITY to get ProxyTicket for user

value: The ticket value

exception DoesNotExist

exception MultipleObjectsReturned

get_next_by_creation(*, field=<django.db.models.fields.DateTimeField: creation>, is_next=True, **kwargs)

get_previous_by_creation(*, field=<django.db.models.fields.DateTimeField: creation>, is_next=False, **kwargs)

id: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>

service_pattern: ForeignKey to a ServicePattern. The ServicePattern corresponding to service. Use ServicePattern.validate() to find it.

user: ForeignKey to a User.

class cas_server.models.Proxy(*args, **kwargs)[source]

Bases: django.db.models.Model

A list of proxies on ProxyTicket

url: Service url of the PGT used for getting the associated ProxyTicket

proxy_ticket: ForeignKey to a ProxyTicket. Proxy instances for a ProxyTicket are accessible thought its ProxyTicket.proxies attribute.

exception DoesNotExist

exception MultipleObjectsReturned

id: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>

proxy_ticket_id: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

class cas_server.models.NewVersionWarning(*args, **kwargs)[source]

Bases: django.db.models.Model

The last new version available version sent

version: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

exception DoesNotExist

exception MultipleObjectsReturned

id: A wrapper for a deferred-loading field. When the value is read from this object the first time, the query is executed.

objects = <django.db.models.manager.Manager object>

classmethod send_mails()[source]: For each new django-cas-server version, if the current instance is not up to date send one mail to settings.ADMINS.