okupy/common/auth.py


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49

# vim:fileencoding=utf8:et:ts=4:sts=4:sw=4:ft=python

from django.contrib.auth import get_user_model
from django.contrib.auth.backends import ModelBackend
from django.db import IntegrityError

from ..accounts.models import LDAPUser

from OpenSSL.crypto import load_certificate, FILETYPE_PEM


class SSLCertAuthBackend(ModelBackend):
    """
    Authentication backend taht uses client certificate information.
    It requires one of owner e-mails to match in LDAP.
    """

    def authenticate(self, request):
        # it can be: SUCCESS, NONE and likely some string for failure ;)
        cert_verify = request.META.get('SSL_CLIENT_VERIFY', None)
        if cert_verify != 'SUCCESS':
            return None

        # curious enough, it's easier to parse the whole certificate
        # than DN obtained from it by nginx...
        cert = load_certificate(FILETYPE_PEM,
                                request.META['SSL_CLIENT_RAW_CERT'])
        dn = cert.get_subject().get_components()

        # for multiple addresses, there are multiple emailAddress fields
        for k, v in dn:
            if k == 'emailAddress':
                try:
                    u = LDAPUser.objects.get(email__contains=v)
                except LDAPUser.DoesNotExist:
                    pass
                else:
                    UserModel = get_user_model()
                    attr_dict = {
                        UserModel.USERNAME_FIELD: u.username
                    }

                    user = UserModel(**attr_dict)
                    try:
                        user.save()
                    except IntegrityError:
                        user = UserModel.objects.get(**attr_dict)
                    return user
        return None