Ticket #689: t689-r7823.diff

django/contrib/auth/backends.py

@@ -78 +78 @@
             return User.objects.get(pk=user_id)
         except User.DoesNotExist:
             return None
+
+class RemoteUserAuthBackend:
+
+    def authenticate(self, username, password=None):
+        """
+        Authenticate user - RemoteUserAuth middleware passes REMOTE_USER
+        as username.
+        """
+        if password is not None:
+            return None
+        user = None
+        if username:
+            username = self.parse_user(username)
+            try:
+                user = User.objects.get(username=username)
+            except User.DoesNotExist:
+                user = self.unknown_user(username)
+                user = self.configure_user(user)
+        return user
+
+    def parse_user(self, username):
+        """ Parse the provided username.
+        Override this method if you need to do special things with the
+        username, like stripping @realm or cleaning something like
+        cn=x,dc=sas,etc.
+        """
+        return username
+
+    def get_user(self, user_id):
+        try:
+            return User.objects.get(pk=user_id)
+        except User.DoesNotExist:
+            return None
+
+    def unknown_user(self, username):
+        """Auto-create user. Called only if User object doesn't already exist
+        for username.
+        """
+        user = User.objects.create_user(username, '')
+        user.is_staff = False
+        user.save()
+        return user
+
+    def configure_user(self, user):
+        """ Configure a user after login.
+        i.e: to read group membership from LDAP and so on.
+        Called only if user User object has just benn created."
+        """
+        return user

django/contrib/auth/middleware.py

@@ -10 +10 @@
         assert hasattr(request, 'session'), "The Django authentication middleware requires session middleware to be installed. Edit your MIDDLEWARE_CLASSES setting to insert 'django.contrib.sessions.middleware.SessionMiddleware'."
         request.__class__.user = LazyUser()
         return None
+
+class RemoteUserAuthMiddleware(object):
+    def process_request(self, request):
+        from django.contrib.auth import authenticate, login
+        # AuthenticationMiddleware is required to create request.user
+        error = """The Django RemoteUserAuth middleware requires authentication middleware to be installed. Edit your MIDDLEWARE_CLASSES
+setting to insert 'django.contrib.auth.middleware.AuthenticationMiddleware' *before* the RemoteUserMiddleware class."""
+        assert hasattr(request, 'user'), error
+        if request.user.is_anonymous():
+            user = None
+            try:
+                user = authenticate(username=request.META['REMOTE_USER'])
+            except KeyError:
+                pass # No remote user available
+            if user is not None:
+                request.user = user    # set request.user to the authenticated user
+                login(request, user)   # auto-login the user to Django
+        return None

django/contrib/auth/tests.py

@@ -73 +73 @@
         response = self.client.post('/password_reset/', {'email': 'staffmember@example.com'})
         self.assertEquals(response.status_code, 302)
         self.assertEquals(len(mail.outbox), 1)
+
+from django.contrib.auth.models import User
+from django.conf import settings
+
+class HttpAuthTest(TestCase):
+    def setUp(self):
+        self.curr_middleware = settings.MIDDLEWARE_CLASSES
+        self.curr_auth = settings.AUTHENTICATION_BACKENDS
+
+        settings.MIDDLEWARE_CLASSES +=\
+            ('django.contrib.auth.middleware.RemoteUserAuthMiddleware', )
+        settings.AUTHENTICATION_BACKENDS =\
+            ('django.contrib.auth.backends.RemoteUserAuthBackend',)
+
+    def test_remote_user(self):
+        "REMOTE_USER variable set by Web server is respected"
+        extra_headers = {'REMOTE_USER': 'iamnotanuser'}
+        response = self.client.get('/', **extra_headers)
+
+        u = User.objects.get(username='iamnotanuser')
+        # if no exception ws raises above it means this works.
+
+    def tearDown(self):
+        # Restore settings to avoid breaking other tests.
+        settings.MIDDLEWARE_CLASSES = self.curr_middleware
+        settings.AUTHENTICATION_BACKENDS = self.curr_auth

new file docs/auth_remote_user.txt

@@ +1 @@
+======================================================
+Authenticating against REMOTE_USER from the Web Server
+======================================================
+
+Typically on intranet sites users are already authenticated by the web server
+(e.g. a Windows domain using IIS Integrated Authentication, or an environment
+using solutions like Apache `mod_authnz_ldap`_, `CAS`_, `Cosign`_, `WebAuth`_,
+etc.)
+
+.. _mod_authnz_ldap: http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html
+.. _CAS: http://www.ja-sig.org/products/cas/
+.. _Cosign: http://weblogin.org
+.. _WebAuth: http://www.stanford.edu/services/webauth/
+
+When the web server takes care of authentication it sets the ``REMOTE_USER`` HTTP
+header for use in the underlying application (i.e. Django). Then it's up to
+this application take care of the authorization.
+
+Django brings all you need to make use of the ``REMOTE_USER`` header bringing you
+one step further to single sign-on on enterprise infrastructure.
+
+We assume that you have already configured your web server to authenticate
+users, maybe with mod_auth_sspi in Apache, Integrated Authentication in IIS
+and so on.
+
+Configuring Django
+==================
+
+First of all, you must add the ``RemoteUserAuthMiddleware`` just **after**
+(never before) ``AuthenticationMiddleware``.
+
+If you want more control, you can inherit from ``RemoteUserAuthBackend`` and
+override a few methods:
+
+   * ``parse_user``: Should cleanup ``REMOTE_USER`` (i.e. strip @realm from
+     it). It takes the ``username`` as argument, and must return the cleaned
+     ``username``.
+   * ``unkown_user``: Will be called when no ``User`` object exist for
+     ``REMOTE_USER``. Takes ``username`` as it's only argument. Should create
+     and return a ``User`` object.
+   * ``configure_user``: Will be called after ``unknown_user`` only when a new
+     ``User`` object has been created so you can configure it. Takes the
+     newly created ``User`` instance as it's only argument. Should also return
+     the ``User`` instance that represents the User.
+
+Examples:
+
+    settings.py::
+
+        MIDDLEWARE_CLASSES = (
+            'django.contrib.auth.middleware.AuthenticationMiddleware',
+            'django.contrib.auth.middleware.RemoteUserAuthMiddleware',
+            ...
+            )
+
+        AUTHENTICATION_BACKENDS = (
+            'django.contrib.auth.backends.RemoteUserAuthBackend',
+        )

docs/authentication.txt

@@ -1031 +1031 @@
 database-based scheme, or you can use the default system in tandem with other
 systems.
 
+**New in Django development version**
+
+.. admonition:: Handling authentication at the web server
+
+    There's a very specific situation/scenario in which you want to handle
+    authentication at the web server's level (i.e. standard HTTP AUTH) and want
+    Django to honour this authentication. This is covered in a separate page:
+    `Authenticating against REMOTE_USER from the Web Server`_
+
+.. _Authenticating against REMOTE_USER from the Web Server: ../auth_remote_user/
+
 Specifying authentication backends
 ----------------------------------