Bug fixes related to Shib auth

ChangeLog

+===========
+0.8.4 RELEASE
+Vulnerability prevention/bug fixes release
+Fixes:
+	- Fixed a bug where the shib auth backend erased non-shibboleth users info
+	- Added an authsource variable to prevent authentication backend overlapping
+	- Added exception handling for non-Shibboleth users that do not belong to a peer
+
 ===========
 0.8.3 RELEASE
 Feature enhancement release

djangobackends/shibauthBackend.py

@@ -10,6 +10,9 @@ class shibauthBackend:
         firstname = kwargs.get('firstname')
         lastname = kwargs.get('lastname')
         mail = kwargs.get('mail')
+        authsource = kwargs.get('authsource')
+        if authsource != 'shibboleth':
+            return None
         try:
             user = self._auth_user(username, firstname, lastname, mail)
         except:
@@ -22,10 +25,6 @@ class shibauthBackend:
 
         try:
             user = User.objects.get(username__exact=username)
-            user.email = mail
-            user.first_name = firstname
-            user.last_name = lastname
-            user.save()
         # The user did not exist. Create one with no privileges
         except: 
             user = User.objects.create_user(username, mail, None)

flowspec/views.py

@@ -63,7 +63,11 @@ def welcome(request):
 @never_cache
 def group_routes(request):
     group_routes = []
+    try:
         peer = request.user.get_profile().peer
+    except UserProfile.DoesNotExist:
+        error = "User <strong>%s</strong> does not belong to any peer or organization. It is not possible to create new firewall rules.<br>Please contact Helpdesk to resolve this issue" % request.user.username
+        return render_to_response('error.html', {'error': error})
     if peer:
        peer_members = UserProfile.objects.filter(peer=peer)
        users = [prof.user for prof in peer_members]
@@ -207,8 +211,11 @@ def delete_route(request, route_slug):
 @never_cache
 def user_profile(request):
     user = request.user
+    try:
         peer = request.user.get_profile().peer
-    
+    except UserProfile.DoesNotExist:
+        error = "User <strong>%s</strong> does not belong to any peer or organization. It is not possible to create new firewall rules.<br>Please contact Helpdesk to resolve this issue" % user.username
+        return render_to_response('error.html', {'error': error})
     return render_to_response('profile.html', {'user': user, 'peer':peer},
                                   context_instance=RequestContext(request))
 
@@ -250,10 +257,14 @@ def user_login(request):
                                   context_instance=RequestContext(request))
         try:
             user = User.objects.get(username__exact=username)
+            user.email = mail
+            user.first_name = firstname
+            user.last_name = lastname
+            user.save()
             user_exists = True
         except:
             user_exists = False
-        user = authenticate(username=username, firstname=firstname, lastname=lastname, mail=mail)
+        user = authenticate(username=username, firstname=firstname, lastname=lastname, mail=mail, authsource='shibboleth')
         if user is not None:
             try:
                 peer = Peer.objects.get(domain_name=organization)

templates/error.html

@@ -73,7 +73,7 @@ $(document).ready(function(){
 			</div>
 			<div id="content">
 				{% block brcrmb_container %}
-				<div class="info_content_title">{% if user.is_authenticated %}<a href="{% url group-routes %}">{% trans "My routes" %}</a>{% endif %}
+				<div class="info_content_title">{% if user.is_authenticated %}<a href="{% url group-routes %}">{% trans "My rules" %}</a>{% endif %}
 				{% block breadcrumbs %}{% endblock %}
 				</div>