From d60db93b8507a95537c3e889aab777ffb9d27f40 Mon Sep 17 00:00:00 2001
From: Leonidas Poulopoulos <leopoul@noc.grnet.gr>
Date: Fri, 2 Mar 2012 15:19:28 +0200
Subject: [PATCH] Bug fixes related to Shib auth

---
 ChangeLog                         |  8 ++++++++
 djangobackends/shibauthBackend.py |  7 +++----
 flowspec/views.py                 | 21 ++++++++++++++++-----
 templates/error.html              |  2 +-
 4 files changed, 28 insertions(+), 10 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 66eebda..0d0c05d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+===========
+0.8.4 RELEASE
+Vulnerability prevention/bug fixes release
+Fixes:
+	- Fixed a bug where the shib auth backend erased non-shibboleth users info
+	- Added an authsource variable to prevent authentication backend overlapping
+	- Added exception handling for non-Shibboleth users that do not belong to a peer
+
 ===========
 0.8.3 RELEASE
 Feature enhancement release
diff --git a/djangobackends/shibauthBackend.py b/djangobackends/shibauthBackend.py
index 6ed5442..c262bae 100644
--- a/djangobackends/shibauthBackend.py
+++ b/djangobackends/shibauthBackend.py
@@ -10,6 +10,9 @@ class shibauthBackend:
         firstname = kwargs.get('firstname')
         lastname = kwargs.get('lastname')
         mail = kwargs.get('mail')
+        authsource = kwargs.get('authsource')
+        if authsource != 'shibboleth':
+            return None
         try:
             user = self._auth_user(username, firstname, lastname, mail)
         except:
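Review bot: The new `authsource` guard after `mail = kwargs.get('mail')` carries no comment saying why this backend now refuses every call that does not pass `authsource='shibboleth'`, and a reader of the backend alone cannot see that the marker is only set by the Shibboleth login view in flowspec/views.py. Worth adding above the check: `# Only claim authenticate() calls made by the Shibboleth login view; password-based calls routed through other backends carry no authsource and must fall through (return None) untouched.` The marker is a caller tag rather than a credential: any code path that passes `authsource='shibboleth'` obtains a password-less login via `_auth_user`, so the value must stay confined to the view behind the Shibboleth-protected URL. The enclosing `authenticate` method starts before and continues after this hunk.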
@@ -22,10 +25,6 @@ class shibauthBackend:
 
         try:
             user = User.objects.get(username__exact=username)
-            user.email = mail
-            user.first_name = firstname
-            user.last_name = lastname
-            user.save()
         # The user did not exist. Create one with no privileges
         except: 
             user = User.objects.create_user(username, mail, None)
diff --git a/flowspec/views.py b/flowspec/views.py
index 1502e61..f579ed4 100644
--- a/flowspec/views.py
+++ b/flowspec/views.py
@@ -63,12 +63,16 @@ def welcome(request):
 @never_cache
 def group_routes(request):
     group_routes = []
-    peer = request.user.get_profile().peer
+    try:
+        peer = request.user.get_profile().peer
+    except UserProfile.DoesNotExist:
+        error = "User <strong>%s</strong> does not belong to any peer or organization. It is not possible to create new firewall rules.<br>Please contact Helpdesk to resolve this issue" % request.user.username
+        return render_to_response('error.html', {'error': error})
     if peer:
        peer_members = UserProfile.objects.filter(peer=peer)
        users = [prof.user for prof in peer_members]
        group_routes = Route.objects.filter(applier__in=users)
-    return render_to_response('user_routes.html', {'routes': group_routes},
+       return render_to_response('user_routes.html', {'routes': group_routes},
                               context_instance=RequestContext(request))
 
 
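Review bot: Re-indenting the `render_to_response('user_routes.html', ...)` return into the `if peer:` body means a user whose profile exists but whose `peer` is empty now falls off the end of `group_routes` and returns `None`, which Django rejects as a view that did not return an HttpResponse, whereas the old code rendered an empty route list; only the `try/except UserProfile.DoesNotExist` is new here, so the return should stay at function level (4-space indent). The new error branch also renders error.html without `context_instance=RequestContext(request)`, unlike the other returns in these views, so `user` is absent from the template context and error.html's `{% if user.is_authenticated %}` (visible in the templates/error.html hunk) is always false; the `user_profile` hunk below has the same omission. Separately, the message splices `request.user.username` into markup that error.html presumably renders unescaped (the `<strong>`/`<br>` tags are meant to be interpreted), so the username should go through `django.utils.html.escape()` before interpolation, again in both this hunk and `user_profile`. Whether Shibboleth-derived usernames can ever carry markup depends on the IdP, which is not visible here, but escaping at this point costs nothing.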
@@ -207,8 +211,11 @@ def delete_route(request, route_slug):
 @never_cache
 def user_profile(request):
     user = request.user
-    peer = request.user.get_profile().peer
-    
+    try:
+        peer = request.user.get_profile().peer
+    except UserProfile.DoesNotExist:
+        error = "User <strong>%s</strong> does not belong to any peer or organization. It is not possible to create new firewall rules.<br>Please contact Helpdesk to resolve this issue" % user.username
+        return render_to_response('error.html', {'error': error})
     return render_to_response('profile.html', {'user': user, 'peer':peer},
                                   context_instance=RequestContext(request))
 
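Review bot: The error text in the new `except UserProfile.DoesNotExist` branch is a verbatim copy of the one in `group_routes`, and it tells the user that firewall rules cannot be created even though this view only shows the profile page. Pulling the message into one module-level helper, e.g. `def _no_peer_error(username): ...` returning the rendered error response, would keep the two branches in sync and let the wording be tailored per view in one place. The enclosing `user_profile` is complete within this hunk.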
@@ -250,10 +257,14 @@ def user_login(request):
                                   context_instance=RequestContext(request))
         try:
             user = User.objects.get(username__exact=username)
+            user.email = mail
+            user.first_name = firstname
+            user.last_name = lastname
+            user.save()
             user_exists = True
         except:
             user_exists = False
-        user = authenticate(username=username, firstname=firstname, lastname=lastname, mail=mail)
+        user = authenticate(username=username, firstname=firstname, lastname=lastname, mail=mail, authsource='shibboleth')
         if user is not None:
             try:
                 peer = Peer.objects.get(domain_name=organization)
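Review bot: The `user.email`/`first_name`/`last_name` update moved here from the backend now sits inside the `try` whose bare `except:` sets `user_exists = False`, so any failure in `user.save()` is reported as "user does not exist" instead of surfacing, and the update runs before `authenticate()` has decided whether to accept the login. Since the ChangeLog entry for this release says the aim is to stop the Shibboleth path from overwriting non-Shibboleth users' details, an existing non-Shibboleth account with the same username — if such accounts can exist, which depends on provisioning not visible here — still has its email and name overwritten, just from the view rather than the backend. Narrowing the except to `User.DoesNotExist` and applying the attribute refresh only to the user object `authenticate()` returns addresses both; the enclosing `user_login` starts before and continues after this hunk, and whether `user_exists` is consumed later is outside the visible lines.
```python
        try:
            user = User.objects.get(username__exact=username)
            user_exists = True
        except User.DoesNotExist:
            user_exists = False
        user = authenticate(username=username, firstname=firstname, lastname=lastname, mail=mail, authsource='shibboleth')
        if user is not None:
            # Refresh the Shibboleth-supplied attributes only once the backend has accepted the login
            user.email = mail
            user.first_name = firstname
            user.last_name = lastname
            user.save()
            # … unchanged: peer lookup and the rest of the login flow …
```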
diff --git a/templates/error.html b/templates/error.html
index a6a79e2..e9bc4e8 100644
--- a/templates/error.html
+++ b/templates/error.html
@@ -73,7 +73,7 @@ $(document).ready(function(){
 			</div>
 			<div id="content">
 				{% block brcrmb_container %}
-				<div class="info_content_title">{% if user.is_authenticated %}<a href="{% url group-routes %}">{% trans "My routes" %}</a>{% endif %}
+				<div class="info_content_title">{% if user.is_authenticated %}<a href="{% url group-routes %}">{% trans "My rules" %}</a>{% endif %}
 				{% block breadcrumbs %}{% endblock %}
 				</div>
 				
-- 
GitLab