Initial commit

Author: bdalpe

.github/workflows/unit_tests.yml

@@ -0,0 +1,31 @@
+on: [push, pull_request]
+
+jobs:
+  pypi:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        python-versions: [ 3.6, 3.7, 3.8, 3.9 ]
+        django-versions: [ 2.2.0, 3.0.0, 3.1.0 ]
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+
+      - name: Set up Python ${{ matrix.python-versions }}
+        uses: actions/setup-python@v2
+        with:
+          python-version: ${{ matrix.python-versions }}
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
+          pip install Django~=${{ matrix.django-versions }}
+
+      - name: Run tests
+        env:
+          DJANGO_SETTINGS_MODULE: tests.settings
+        run: |
+          python django-admin.py test

.gitignore

@@ -0,0 +1,7 @@
+.idea/
+venv/
+build/
+dist/
+*.egg-info
+*.egg
+*.pyc

LICENSE

@@ -0,0 +1,9 @@
+MIT License
+
+Copyright 2021 Brendan Dalpe
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

README.md

@@ -0,0 +1,88 @@
+# django-vouch-proxy-auth
+Django Middleware enabling the use of the Vouch Proxy cookie for single sign-on.
+
+This package subclasses Django's `RemoteUserMiddleware` and `RemoteUserBackend`.
+
+## How it Works
+
+1. The middleware checks for the presence of the Vouch Proxy cookie.
+2. If the cookie exists, it attempts to load a previous validation from Django cache.
+3. If the validation result is not in the Cache, send the contents of the `VouchCookie` cookie to the Vouch Proxy `/validate` endpoint.
+4. If the validation is successful, decode and decompress the cookie and extract the username from the JWT payload.
+5. Save the username in cache with a short expiration and use the SHA256 sum of the `VouchCookie` as the key. (i.e. `VouchCookie_` + `sha256sum(VouchCookie)`)
+
+## Installation and Usage 
+
+`pip install django-vouch-proxy-auth` or add `django-vouch-proxy-auth` to your requirements file.
+
+To enable the middleware, add `django_vouch_proxy_auth.middleware.VouchProxyMiddleware` after Django's `AuthenticationMiddleware`.
+
+```python
+MIDDLEWARE = [
+    'django.contrib.auth.middleware.AuthenticationMiddleware',
+    ...
+    'django_vouch_proxy_auth.middleware.VouchProxyMiddleware'
+]
+```
+
+This middleware is also dependent on the `VouchProxyUserBackend` Authentication Backend. Add anywhere in your `AUTHENTICATION_BACKENDS`.
+
+```python
+AUTHENTICATION_BACKENDS = (
+    'django_vouch_proxy_auth.backends.VouchProxyUserBackend'
+)
+```
+
+Finally, you MUST tell the middleware where the `/validate` endpoint is. Add the `VOUCH_PROXY_VALIDATE_ENDPOINT` to your Django `settings.py` file.
+
+```python
+VOUCH_PROXY_VALIDATE_ENDPOINT = 'https://login.avacado.lol/validate'
+```
+
+## Settings
+### `VOUCH_PROXY_VALIDATE_ENDPOINT`
+Location of the Vouch Proxy validation endpoint. You MUST provide this value, or the Middleware will raise an `ImproperlyConfigured` exception.
+
+### `VOUCH_PROXY_COOKIE_NAME`
+Default: `VouchCookie`
+
+Change this setting if you are using a custom Vouch Proxy cookie name.
+
+### `VOUCH_PROXY_CACHE_TIMEOUT`
+Default: `300` (seconds)
+
+This middleware will cache the username if a successful response from the `/validate` query is returned. To reduce the load on Vouch Proxy, the middleware will only validate the cookie every 300 seconds (5 minutes) by default.
+
+Set this value to a positive integer if you want to change the cache timeout.
+
+Set this to `0` if you want Django to query the Vouch Proxy `/validate` endpoint on every request.
+
+### `VOUCH_PROXY_CACHE_PREFIX`
+Default: defaults to the configured value for `VOUCH_PROXY_COOKIE_NAME` plus underscore (i.e. `VouchCookie_`)
+
+Set this value if you want to change the prefix for the CacheKey.
+
+### `VOUCH_PROXY_CACHE_BACKEND`
+Default: `default`
+
+Set this value if you want to store cached results in a different cache.
+
+### `VOUCH_PROXY_DISABLED_PATHS`
+Default: `[]`
+
+Set this value (as an array) to full paths that you want to disable the middleware. 
+
+For example, if you have other middleware that causes conflict:
+```python
+VOUCH_PROXY_DISABLED_PATHS = ['/oidc/authenticate/', '/oidc/callback/']
+```
+
+### `VOUCH_PROXY_CREATE_UNKNOWN_USER`
+Default: `True`
+
+Set this to False if you do not want the middleware to automatically create a user entry on first login. You must use the
+
+### `VOUCH_PROXY_FORCE_LOGOUT_IF_NO_COOKIE`
+Default: `False`
+
+Set this to `True` if you want Django to logout the user if the Vouch Cookie is not present.

django_vouch_proxy_auth/__init__.py

@@ -0,0 +1 @@
+__version__ = "0.1.1"

django_vouch_proxy_auth/backends.py

@@ -0,0 +1,9 @@
+from django.contrib.auth.backends import RemoteUserBackend
+from django.conf import settings
+
+
+class VouchProxyUserBackend(RemoteUserBackend):
+    def __init__(self, *args, **kwargs):
+        self.create_unknown_user = getattr(settings, 'VOUCH_PROXY_CREATE_UNKNOWN_USER', True)
+
+        super(VouchProxyUserBackend).__init__(*args, **kwargs)

django_vouch_proxy_auth/middleware.py

@@ -0,0 +1,79 @@
+from django.contrib import auth
+from django.contrib.auth.middleware import RemoteUserMiddleware
+from django.core.exceptions import ImproperlyConfigured
+from django.conf import settings
+from django.core.cache import caches
+import gzip
+import base64
+import jwt
+import requests
+import hashlib
+from requests import HTTPError
+
+
+class VouchProxyMiddleware(RemoteUserMiddleware):
+    def __init__(self, *args, **kwargs):
+        self.cookie_name = getattr(settings, 'VOUCH_PROXY_COOKIE_NAME', 'VouchCookie')
+        self.cache_prefix = format(getattr(settings, 'VOUCH_PROXY_CACHE_PREFIX', '{}_'.format(self.cookie_name)))
+        self.expiry_time = getattr(settings, 'VOUCH_PROXY_CACHE_TIMEOUT', 300)
+        self.cache = caches[getattr(settings, 'VOUCH_PROXY_CACHE_BACKEND', 'default')]
+        self.force_logout_if_no_cookie = getattr(settings, 'VOUCH_PROXY_FORCE_LOGOUT_IF_NO_COOKIE', False)
+
+        super(VouchProxyMiddleware).__init__(*args, **kwargs)
+
+    def process_request(self, request):
+        if request.path in getattr(settings, 'VOUCH_PROXY_DISABLED_PATHS', []):
+            return
+
+        if not hasattr(request, 'user'):
+            raise ImproperlyConfigured(
+                "The Django Vouch Proxy auth middleware requires the"
+                " authentication middleware to be installed.  Edit your"
+                " MIDDLEWARE setting to insert"
+                " 'django.contrib.auth.middleware.AuthenticationMiddleware'"
+                " before the VouchProxyMiddleware class.")
+        if not hasattr(settings, 'VOUCH_PROXY_VALIDATE_ENDPOINT'):
+            raise ImproperlyConfigured(
+                "You must provide a valid URL in VOUCH_PROXY_VALIDATE_ENDPOINT"
+                " for the Vouch Proxy validation endpoint in your Django settings.")
+        try:
+            cookie = request.COOKIES[self.cookie_name]
+
+            cache_key = '{}{}'.format(self.cache_prefix, hashlib.sha256(cookie.encode('ascii')).hexdigest())
+            username = self.cache.get(cache_key)
+            if not username:
+                validate = requests.get(settings.VOUCH_PROXY_VALIDATE_ENDPOINT, cookies={self.cookie_name: cookie})
+                validate.raise_for_status()
+
+                # Vouch cookie is URL-safe Base64 encoded Gzipped data
+                decompressed = gzip.decompress(base64.urlsafe_b64decode(cookie))
+                payload = jwt.decode(decompressed, options={'verify_signature': False})
+                username = payload['username']
+                self.cache.set(cache_key, username, self.expiry_time)
+        except (KeyError, HTTPError):
+            # If specified header doesn't exist then remove any existing
+            # authenticated remote-user, or return (leaving request.user set to
+            # AnonymousUser by the AuthenticationMiddleware).
+            if self.force_logout_if_no_cookie and request.user.is_authenticated:
+                self._remove_invalid_user(request)
+            return
+
+        # If the user is already authenticated and that user is the user we are
+        # getting passed in the headers, then the correct user is already
+        # persisted in the session and we don't need to continue.
+        if request.user.is_authenticated:
+            if request.user.get_username() == self.clean_username(username, request):
+                return
+            else:
+                # An authenticated user is associated with the request, but
+                # it does not match the authorized user in the header.
+                self._remove_invalid_user(request)
+
+        # We are seeing this user for the first time in this session, attempt
+        # to authenticate the user.
+        user = auth.authenticate(request, remote_user=username)
+        if user:
+            # User is valid.  Set request.user and persist user in the session
+            # by logging the user in.
+            request.user = user
+            auth.login(request, user)

requirements.txt

@@ -0,0 +1,2 @@
+PyJWT>=2.0.0
+requests>=2.0.0

setup.cfg

@@ -0,0 +1,45 @@
+[metadata]
+name = django-vouch-proxy-auth
+version = attr: django_vouch_proxy_auth.__version__
+author = Brendan Dalpe
+author_email = bdalpe@gmail.com
+description = Django Middleware to enable SSO using Vouch Proxy
+license = MIT
+keywords =
+    sso
+    django
+    vouch
+url = https://github.com/bdalpe/django-vouch-proxy-auth
+long_description = file: README.md
+long_description_content_type = text/markdown
+classifiers =
+    Development Status :: 5 - Production/Stable
+    Intended Audience :: Developers
+    Natural Language :: English
+    License :: OSI Approved :: MIT License
+    Programming Language :: Python
+    Programming Language :: Python :: 3
+    Programming Language :: Python :: 3 :: Only
+    Programming Language :: Python :: 3.6
+    Programming Language :: Python :: 3.7
+    Programming Language :: Python :: 3.8
+    Programming Language :: Python :: 3.9
+    Topic :: Utilities
+    Framework :: Django
+    Framework :: Django :: 2.2
+    Framework :: Django :: 3.0
+    Framework :: Django :: 3.1
+
+[options]
+zip_safe = false
+include_package_data = true
+python_requires = >= 3.6
+packages = find:
+install_requires =
+    PyJWT >= 2.0.0
+    requests >= 2.0.0
+
+[options.packages.find]
+exclude =
+    tests
+    tests.*

setup.py

@@ -0,0 +1,5 @@
+#!/usr/bin/env python3
+
+from setuptools import setup
+
+setup()