Merge branch 'Aufinal/old_cas' into 'master'

Backend pour authentification des vieilleux

See merge request klub-dev-ens/authens!11

authens/backends.py

@@ -1,7 +1,7 @@
 from django.contrib.auth import get_user_model
 from django.db import transaction
 
-from authens.models import CASAccount
+from authens.models import CASAccount, OldCASAccount
 from authens.utils import get_cas_client
 
 UserModel = get_user_model()
@@ -101,8 +101,8 @@ class ENSCASBackend:
         """Handles account retrieval, creation and invalidation as described above.
 
         - If no CAS account exists, create one;
-        - If a CAS account exists, but with the wrong entrance year, remove it and
+        - If a CAS account exists, but with the wrong entrance year, convert it to
-          create a new one;
+        an OldCASAccount instance, and create a fresh CAS Account with the correct year.
         - If a matching CAS account exists, retrieve it.
         """
 
@@ -113,6 +113,11 @@ class ENSCASBackend:
             try:
                 user = UserModel.objects.get(cas_account__cas_login=cas_login)
                 if user.cas_account.entrance_year != entrance_year:
+                    OldCASAccount.objects.create(
+                        user=user,
+                        entrance_year=user.cas_account.entrance_year,
+                        cas_login=cas_login,
+                    )
                     user.cas_account.delete()
                     user = None
             except UserModel.DoesNotExist:
@@ -132,3 +137,34 @@ class ENSCASBackend:
             return UserModel.objects.get(pk=user_id)
         except UserModel.DoesNotExist:
             return None
+
+
+class OldCASBackend:
+    """Authentication backend for old CAS accounts.
+
+    Given a CAS login, an entrance year and a password, first finds the matching 
+    OldCASAccount instance (if it exists), then checks the given password with
+    the user associated to this account.
+    """
+
+    def authenticate(self, request, cas_login=None, password=None, entrance_year=None):
+        if cas_login is None or password is None or entrance_year is None:
+            return
+
+        try:
+            old_cas_acc = OldCASAccount.objects.get(
+                cas_login=cas_login, entrance_year=entrance_year
+            )
+            user = old_cas_acc.user
+        except OldCASAccount.DoesNotExist:
+            # As in Django's ModelBackend, we run the password hasher once
+            # to mitigate timing attacks
+            UserModel().set_password(password)
+        else:
+            if user.check_password(password) and self.user_can_authenticate(user):
+                return user
+
+    def user_can_authenticate(self, user):
+        # Taken from Django's ModelBackend
+        is_active = getattr(user, "is_active", None)
+        return is_active or is_active is None

authens/migrations/0002_old_cas_account.py

@@ -0,0 +1,59 @@
+# Generated by Django 3.0.6 on 2020-06-12 17:26
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ("authens", "0001_initial"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="OldCASAccount",
+            fields=[
+                (
+                    "id",
+                    models.AutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name="ID",
+                    ),
+                ),
+                (
+                    "cas_login",
+                    models.CharField(max_length=1023, verbose_name="ancien login CAS"),
+                ),
+                (
+                    "entrance_year",
+                    models.SmallIntegerField(
+                        verbose_name="année de création du compte CAS"
+                    ),
+                ),
+                (
+                    "user",
+                    models.OneToOneField(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="old_cas_account",
+                        to=settings.AUTH_USER_MODEL,
+                        verbose_name="utilisateurice",
+                    ),
+                ),
+            ],
+            options={
+                "verbose_name": "Ancien compte CAS",
+                "verbose_name_plural": "Anciens comptes CAS",
+            },
+        ),
+        migrations.AddConstraint(
+            model_name="oldcasaccount",
+            constraint=models.UniqueConstraint(
+                fields=("cas_login", "entrance_year"), name="clipper_year_uniqueness"
+            ),
+        ),
+    ]

authens/models.py

@@ -8,7 +8,7 @@ User = get_user_model()
 class CASAccount(models.Model):
     """Information about CAS accounts.
 
-    A user is given an instance of this model iff she has a CAS account.
+    A user is given an instance of this model iff they have a CAS account.
 
     Instances of this model should only be created by the `ENSCASBackend` authentication
     backend.
@@ -37,3 +37,46 @@ class CASAccount(models.Model):
             "entrance_year": self.entrance_year,
             "user": self.user.username,
         }
+
+
+class OldCASAccount(models.Model):
+    """Information about expired CAS accounts
+
+    A user is given an instance of this model iff they had a CAS account that expired.
+
+    Instances of this model should not be created with a new user.
+    """
+
+    user = models.OneToOneField(
+        User,
+        verbose_name=_("utilisateurice"),
+        on_delete=models.CASCADE,
+        related_name="old_cas_account",
+    )
+
+    cas_login = models.CharField(
+        verbose_name=_("ancien login CAS"), max_length=1023, blank=False
+    )
+
+    entrance_year = models.SmallIntegerField(
+        verbose_name=_("année de création du compte CAS"), blank=False, null=False
+    )
+
+    class Meta:
+        # `unique_together` to be deprecated soon : we use `constraints`
+        constraints = [
+            models.UniqueConstraint(
+                fields=["cas_login", "entrance_year"], name="clipper_year_uniqueness",
+            )
+        ]
+        verbose_name = _("Ancien compte CAS")
+        verbose_name_plural = _("Anciens comptes CAS")
+
+    def __str__(self):
+        return _(
+            "Ancien compte CAS %(cas_login) (promo %(entrance_year)s) lié à %(user)s"
+        ) % {
+            "cas_login": self.cas_login,
+            "entrance_year": self.entrance_year,
+            "user": self.user.username,
+        }

authens/tests/test_backend.py

@@ -4,7 +4,7 @@ from django.contrib.auth import authenticate, get_user_model
 from django.test import TestCase
 
 from authens.backends import ENSCASBackend
-from authens.models import CASAccount
+from authens.models import CASAccount, OldCASAccount
 from authens.tests.cas_utils import FakeCASClient
 
 UserModel = get_user_model()
@@ -94,8 +94,31 @@ class TestCASBackend(TestCase):
         # Log the new 'johndoe' in.
         new_user = authenticate(None, ticket="dummy ticket")
         new_clipper = new_user.cas_account
-        # Check that it gets a fresh user and a fresh clipper account.
+
+        # Check that it gets a fresh user and a fresh clipper account
         self.assertNotEqual(old_user, new_user)
         self.assertNotEqual(old_clipper, new_clipper)
+
+        # Check that the created CAS account matches the old one
         self.assertEqual(new_clipper.cas_login, fake_cas_client.cas_login)
         self.assertEqual(new_clipper.entrance_year, fake_cas_client.entrance_year)
+
+        # Check deprecation of the old CAS account
+        old_user.refresh_from_db()
+        self.assertFalse(hasattr(old_user, "cas_account"))
+        self.assertTrue(hasattr(old_user, "old_cas_account"))
+        old_cas = old_user.old_cas_account
+        self.assertEqual(old_cas.cas_login, old_clipper.cas_login)
+        self.assertEqual(old_cas.entrance_year, old_clipper.entrance_year)
+
+
+class TestOldCASBackend(TestCase):
+    def test_simple_auth(self):
+        user = UserModel.objects.create_user(username="johndoe31", password="password")
+        wrong_user = UserModel.objects.create_user("johndoe", "password")
+        OldCASAccount.objects.create(user=user, cas_login="johndoe", entrance_year=2019)
+
+        auth_user = authenticate(
+            None, cas_login="johndoe", entrance_year=2019, password="password"
+        )
+        self.assertEqual(auth_user, user)

tests/settings.py

@@ -16,16 +16,17 @@ INSTALLED_APPS = [
 AUTHENTICATION_BACKENDS = [
     "django.contrib.auth.backends.ModelBackend",
     "authens.backends.ENSCASBackend",
+    "authens.backends.OldCASBackend",
 ]
 
 MIDDLEWARE = [
-    'django.middleware.security.SecurityMiddleware',
+    "django.middleware.security.SecurityMiddleware",
-    'django.contrib.sessions.middleware.SessionMiddleware',
+    "django.contrib.sessions.middleware.SessionMiddleware",
-    'django.middleware.common.CommonMiddleware',
+    "django.middleware.common.CommonMiddleware",
-    'django.middleware.csrf.CsrfViewMiddleware',
+    "django.middleware.csrf.CsrfViewMiddleware",
-    'django.contrib.auth.middleware.AuthenticationMiddleware',
+    "django.contrib.auth.middleware.AuthenticationMiddleware",
-    'django.contrib.messages.middleware.MessageMiddleware',
+    "django.contrib.messages.middleware.MessageMiddleware",
-    'django.middleware.clickjacking.XFrameOptionsMiddleware',
+    "django.middleware.clickjacking.XFrameOptionsMiddleware",
 ]
 
 TEMPLATES = [