mygpo/userfeeds/auth.py

   1 #
   2 # This file is part of my.gpodder.org.
   3 #
   4 # my.gpodder.org is free software: you can redistribute it and/or modify it
   5 # under the terms of the GNU Affero General Public License as published by
   6 # the Free Software Foundation, either version 3 of the License, or (at your
   7 # option) any later version.
   8 #
   9 # my.gpodder.org is distributed in the hope that it will be useful, but
  10 # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  11 # or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public
  12 # License for more details.
  13 #
  14 # You should have received a copy of the GNU Affero General Public License
  15 # along with my.gpodder.org. If not, see <http://www.gnu.org/licenses/>.
  16 #
  17
  18 from functools import wraps
  19
  20 from django.http import HttpResponse, HttpResponseBadRequest, Http404
  21
  22 from mygpo.users.models import User
  23
  24
  25 #############################################################################
  26 #
  27 def view_or_basicauth(view, request, username, token_name, realm = "", *args, **kwargs):
  28
  29     user = User.get_user(username)
  30     if not user:
  31         raise Http404
  32
  33     token = getattr(user, token_name, '')
  34
  35     # check if a token is required at all
  36     if token == '':
  37         return view(request, username, *args, **kwargs)
  38
  39     # this header format is used when passing auth-headers
  40     # from Aapache to fcgi
  41     if 'AUTHORIZATION' in request.META:
  42         auth = request.META['AUTHORIZATION']
  43
  44     elif 'HTTP_AUTHORIZATION' in request.META:
  45         auth = request.META['HTTP_AUTHORIZATION']
  46
  47     else:
  48         return auth_request()
  49
  50
  51     auth = auth.split(None, 1)
  52
  53     if len(auth) == 2:
  54         auth_type, credentials = auth
  55
  56         # NOTE: We are only support basic authentication for now.
  57         if auth_type.lower() == 'basic':
  58             credentials = credentials.decode('base64').split(':', 1)
  59             if len(credentials) == 2:
  60
  61                 uname, passwd = credentials
  62
  63                 if uname != username:
  64                     return auth_request()
  65
  66                 if token == passwd:
  67                     return view(request, uname, *args, **kwargs)
  68
  69     return auth_request()
  70
  71
  72 def auth_request(realm=''):
  73     # Either they did not provide an authorization header or
  74     # something in the authorization attempt failed. Send a 401
  75     # back to them to ask them to authenticate.
  76     response = HttpResponse()
  77     response.status_code = 401
  78     response['WWW-Authenticate'] = 'Basic realm="%s"' % realm
  79     return response
  80
  81
  82 #############################################################################
  83 #
  84 def require_token_auth(token_name):
  85     def wrapper(protected_view):
  86
  87         @wraps(protected_view)
  88         def tmp(request, username, *args, **kwargs):
  89             return view_or_basicauth(protected_view, \
  90                                      request, \
  91                                      username, \
  92                                      token_name, \
  93                                      '', \
  94                                      *args, \
  95                                      **kwargs)
  96         return tmp
  97     return wrapper