Ticket #689: t689-r9099.diff

django/contrib/auth/backends.py

@@ -78 +78 @@
             return User.objects.get(pk=user_id)
         except User.DoesNotExist:
             return None
+
+class RemoteUserAuthBackend:
+
+    def authenticate(self, username, password=None):
+        """
+        Authenticate user - RemoteUserAuth middleware passes REMOTE_USER
+        as username.
+        """
+        if password is not None:
+            return None
+        user = None
+        if username:
+            username = self.parse_user(username)
+            try:
+                user = User.objects.get(username=username)
+            except User.DoesNotExist:
+                user = self.unknown_user(username)
+                user = self.configure_user(user)
+        return user
+
+    def parse_user(self, username):
+        """ Parse the provided username.
+        Override this method if you need to do special things with the
+        username, like stripping @realm or cleaning something like
+        cn=x,dc=sas,etc.
+        """
+        return username
+
+    def get_user(self, user_id):
+        try:
+            return User.objects.get(pk=user_id)
+        except User.DoesNotExist:
+            return None
+
+    def unknown_user(self, username):
+        """Auto-create user. Called only if User object doesn't already exist
+        for username.
+        """
+        user = User.objects.create_user(username, '')
+        user.is_staff = False
+        user.save()
+        return user
+
+    def configure_user(self, user):
+        """ Configure a user after login.
+        i.e: to read group membership from LDAP and so on.
+        Called only if user User object has just been created."
+        """
+        return user

django/contrib/auth/middleware.py

@@ -10 +10 @@
         assert hasattr(request, 'session'), "The Django authentication middleware requires session middleware to be installed. Edit your MIDDLEWARE_CLASSES setting to insert 'django.contrib.sessions.middleware.SessionMiddleware'."
         request.__class__.user = LazyUser()
         return None
+
+class RemoteUserAuthMiddleware(object):
+    def process_request(self, request):
+        from django.contrib.auth import authenticate, login
+        # AuthenticationMiddleware is required to create request.user
+        error = """The Django RemoteUserAuth middleware requires authentication middleware to be installed. Edit your MIDDLEWARE_CLASSES
+setting to insert 'django.contrib.auth.middleware.AuthenticationMiddleware' *before* the RemoteUserMiddleware class."""
+        assert hasattr(request, 'user'), error
+        if request.user.is_anonymous():
+            user = None
+            try:
+                user = authenticate(username=request.META['REMOTE_USER'])
+            except KeyError:
+                pass # No remote user available
+            if user is not None:
+                request.user = user    # set request.user to the authenticated user
+                login(request, user)   # auto-login the user to Django
+        return None

django/contrib/auth/tests/__init__.py

@@ -1 @@
-from django.contrib.auth.tests.basic import BASIC_TESTS
+from django.contrib.auth.tests.basic import BASIC_TESTS, HttpAuthTest
 from django.contrib.auth.tests.views import PasswordResetTest, ChangePasswordTest
 from django.contrib.auth.tests.forms import FORM_TESTS
 from django.contrib.auth.tests.tokens import TOKEN_GENERATOR_TESTS
@@ -11 +11 @@
     'FORM_TESTS': FORM_TESTS,
     'TOKEN_GENERATOR_TESTS': TOKEN_GENERATOR_TESTS,
     'CHANGEPASSWORD_TESTS': ChangePasswordTest,
+    'HTTPAUTH_TESTS': HttpAuthTest,
 }

django/contrib/auth/tests/basic.py

@@ -54 +54 @@
 >>> u.password
 u'!'
 """
+
+from django.contrib.auth.models import User
+from django.conf import settings
+from django.test import TestCase
+
+class HttpAuthTest(TestCase):
+    def setUp(self):
+        self.curr_middleware = settings.MIDDLEWARE_CLASSES
+        self.curr_auth = settings.AUTHENTICATION_BACKENDS
+
+        settings.MIDDLEWARE_CLASSES +=\
+            ('django.contrib.auth.middleware.RemoteUserAuthMiddleware', )
+        settings.AUTHENTICATION_BACKENDS =\
+            ('django.contrib.auth.backends.RemoteUserAuthBackend',)
+
+    def test_remote_user(self):
+        "REMOTE_USER variable set by Web server is respected"
+        extra_headers = {'REMOTE_USER': 'iamnotanuser'}
+        response = self.client.get('/', **extra_headers)
+
+        u = User.objects.get(username='iamnotanuser')
+        # if no exception ws raises above it means this works.
+
+    def tearDown(self):
+        # Restore settings to avoid breaking other tests.
+        settings.MIDDLEWARE_CLASSES = self.curr_middleware
+        settings.AUTHENTICATION_BACKENDS = self.curr_auth

new file docs/topics/auth-remote-user.txt

@@ +1 @@
+.. _topics-auth-remote-user:
+
+======================================================
+Authenticating against REMOTE_USER from the Web Server
+======================================================
+
+Typically on intranet sites users are already authenticated by the web server
+(e.g. a Windows domain using IIS Integrated Authentication, or an environment
+using solutions like Apache `mod_authnz_ldap`_, `CAS`_, `Cosign`_, `WebAuth`_,
+etc.)
+
+.. _mod_authnz_ldap: http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html
+.. _CAS: http://www.ja-sig.org/products/cas/
+.. _Cosign: http://weblogin.org
+.. _WebAuth: http://www.stanford.edu/services/webauth/
+
+When the web server takes care of authentication it sets the ``REMOTE_USER``
+variable for use in the underlying application. Then it's up to this
+application to take care of the authorization.
+
+Django can be configured to make use of the ``REMOTE_USER`` variable making it
+possible to integrate your Django applications with a pre-existing single
+sign-on enterprise infrastructure.
+
+We assume that you have already configured your web server to authenticate
+users (i.e. by using ``mod_auth_sspi`` in Apache, Integrated Authentication in
+IIS or one of the solutions listed above).
+
+Configuring Django
+==================
+
+First of all, you must add the ``RemoteUserAuthMiddleware`` to the
+``MIDDLEWARE_CLASSES`` setting just **after** (never before)
+``AuthenticationMiddleware``.
+
+With this setup, ``RemoteUserAuthMiddleware`` will detect the ``REMOTE_USER``
+variable in the requests and will auto-login the user by using the username
+contained in such variable. The user must already exist in the authentication
+backend being used by Django.
+
+Additionally, if you want the non-existent users to be automatically added
+to the store of the authentication backend being used by Django , include the
+``RemoteUserAuthBackend`` in the ``AUTHENTICATION_BACKENDS`` setting.
+
+If you want even more control, you can create your own authentication backend
+that inherits from ``RemoteUserAuthBackend``, override a few methods:
+
+   * ``parse_user``: Should cleanup ``REMOTE_USER`` (i.e. strip @realm from
+     it). It takes the ``username`` as argument, and must return the cleaned
+     ``username``.
+   * ``unkown_user``: Will be called when no ``User`` object exist for
+     ``REMOTE_USER``. Takes ``username`` as it's only argument. Should create
+     and return an ``User`` object.
+   * ``configure_user``: Will be called after ``unknown_user`` only when a new
+     ``User`` object has been created so you can configure it. Takes the
+     newly created ``User`` instance as it's only argument. Should also return
+     the ``User`` instance that represents the user.
+
+and use it in the ``AUTHENTICATION_BACKENDS`` setting.
+
+Examples:
+
+    settings.py::
+
+        MIDDLEWARE_CLASSES = (
+            'django.contrib.auth.middleware.AuthenticationMiddleware',
+            'django.contrib.auth.middleware.RemoteUserAuthMiddleware',
+            ...
+            )
+
+        AUTHENTICATION_BACKENDS = (
+            'django.contrib.auth.backends.RemoteUserAuthBackend',
+        )

docs/topics/auth.txt

@@ -1201 +1201 @@
 database-based scheme, or you can use the default system in tandem with other
 systems.
 
+**New in Django development version**
+
+.. admonition:: Handling authentication at the web server
+
+    There's a very specific situation/scenario in which you want to handle
+    authentication at the web server's level (i.e. standard HTTP AUTH) and want
+    Django to honour this authentication. This is covered in
+    :ref:`Authenticating against REMOTE_USER<topics-auth-remote-user>`
+
 Specifying authentication backends
 ----------------------------------
 

docs/topics/index.txt

@@ -17 +17 @@
    files
    testing
    auth
+   auth-remote-user
    cache
    email
    i18n