1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
|
# -*- coding: utf-8 -*-
# This program is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License version 3 for
# more details.
#
# You should have received a copy of the GNU General Public License version 3
# along with this program; if not, write to the Free Software Foundation, Inc., 51
# Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# (c) 2015-2025 Valentin Samir
"""Default values for the app's settings"""
from django.conf import settings
from django.templatetags.static import static
from importlib import import_module
import sys
if sys.version_info < (3, ):
from django.utils.translation import ugettext_lazy as _
else:
from django.utils.translation import gettext_lazy as _
try:
#: URL to the logo showed in the up left corner on the default templates.
CAS_LOGO_URL = static("cas_server/logo.png")
#: URL to the favicon (shortcut icon) used by the default templates. Default is a key icon.
CAS_FAVICON_URL = static("cas_server/favicon.ico")
# is settings.DEBUG is False and collectstatics has not been run yet, the static function will
# raise a ValueError because the file is not found.
except ValueError:
#: URL to the logo showed in the up left corner on the default templates.
CAS_LOGO_URL = None
#: URL to the favicon (shortcut icon) used by the default templates. Default is a key icon.
CAS_FAVICON_URL = None
#: Show the powered by footer if set to ``True``
CAS_SHOW_POWERED = True
#: URLs to css and javascript external components.
CAS_COMPONENT_URLS = {
"bootstrap3_css": "https://cdn.jsdelivr.net/npm/bootstrap@3.4.1/dist/css/bootstrap.min.css",
"bootstrap3_js": "https://cdn.jsdelivr.net/npm/bootstrap@3.4.1/dist/js/bootstrap.min.js",
"html5shiv": "https://cdn.jsdelivr.net/npm/html5shiv@3.7.3/dist/html5shiv.min.js",
"respond": "https://cdn.jsdelivr.net/npm/respond.js@1.4.2/dest/respond.min.js",
"bootstrap4_css": "https://cdn.jsdelivr.net/npm/bootstrap@4.6.2/dist/css/bootstrap.min.css",
"bootstrap4_js": "https://cdn.jsdelivr.net/npm/bootstrap@4.6.2/dist/js/bootstrap.bundle.min.js",
"jquery": "https://code.jquery.com/jquery.min.js",
}
#: Path to the template showed on /login then the user is not autenticated.
CAS_LOGIN_TEMPLATE = 'cas_server/bs4/login.html'
#: Path to the template showed on /login?service=... then the user is authenticated and has asked
#: to be warned before being connected to a service.
CAS_WARN_TEMPLATE = 'cas_server/bs4/warn.html'
#: Path to the template showed on /login then to user is authenticated.
CAS_LOGGED_TEMPLATE = 'cas_server/bs4/logged.html'
#: Path to the template showed on /logout then to user is being disconnected.
CAS_LOGOUT_TEMPLATE = 'cas_server/bs4/logout.html'
#: Should we redirect users to /login after they logged out instead of displaying
#: :obj:`CAS_LOGOUT_TEMPLATE`.
CAS_REDIRECT_TO_LOGIN_AFTER_LOGOUT = False
#: A dotted path to a class or a class implementing cas_server.auth.AuthUser.
CAS_AUTH_CLASS = 'cas_server.auth.DjangoAuthUser'
#: Activate Kerberos authentication (not compatible with federate mode or auth class
#: requiring access to the user credential to retrieve user attributes).
#: See https://web.mit.edu/kerberos/krb5-1.13/doc/admin/env_variables.html
#: for environment variables allowing to configure the underlying GSSAPI C library
#: Username retrieved form kerberos auth MUST match username used by the ``CAS_AUTH_CLASS``
CAS_AUTH_GSSAPI_ENABLE = False
#: SPN to use for Kerberos authentication (must be available in the loaded keytab)
CAS_AUTH_GSSAPI_SERVICENAME = "host/myhost.example.com@AD.EXAMPLE.COM"
#: Path to certificate authorities file. Usually on linux the local CAs are in
#: /etc/ssl/certs/ca-certificates.crt. ``True`` tell requests to use its internal certificat
#: authorities.
CAS_PROXY_CA_CERTIFICATE_PATH = True
#: Maximum number of parallel single log out requests send
#: if more requests need to be send, there are queued
CAS_SLO_MAX_PARALLEL_REQUESTS = 10
#: Timeout for a single SLO request in seconds.
CAS_SLO_TIMEOUT = 5
#: Shared to transmit then using the view :class:`cas_server.views.Auth`
CAS_AUTH_SHARED_SECRET = ''
#: Max time after with the user MUST reauthenticate. Let it to `None` for no max time.
#: This can be used to force refreshing cached informations only available upon user authentication
#: like the user attributes in federation mode or with the ldap auth in bind mode.
CAS_TGT_VALIDITY = None
#: Number of seconds the service tickets and proxy tickets are valid. This is the maximal time
#: between ticket issuance by the CAS and ticket validation by an application.
CAS_TICKET_VALIDITY = 60
#: Number of seconds the proxy granting tickets are valid.
CAS_PGT_VALIDITY = 3600
#: Number of seconds a ticket is kept in the database before sending Single Log Out request and
#: being cleared.
CAS_TICKET_TIMEOUT = 24*3600
#: All CAS implementation MUST support ST and PT up to 32 chars,
#: PGT and PGTIOU up to 64 chars and it is RECOMMENDED that all
#: tickets up to 256 chars are supports so we use 64 for the default
#: len.
CAS_TICKET_LEN = 64
#: alias of :obj:`settings.CAS_TICKET_LEN`
CAS_LT_LEN = getattr(settings, 'CAS_TICKET_LEN', CAS_TICKET_LEN)
#: alias of :obj:`settings.CAS_TICKET_LEN`
#: Services MUST be able to accept service tickets of up to 32 characters in length.
CAS_ST_LEN = getattr(settings, 'CAS_TICKET_LEN', CAS_TICKET_LEN)
#: alias of :obj:`settings.CAS_TICKET_LEN`
#: Back-end services MUST be able to accept proxy tickets of up to 32 characters.
CAS_PT_LEN = getattr(settings, 'CAS_TICKET_LEN', CAS_TICKET_LEN)
#: alias of :obj:`settings.CAS_TICKET_LEN`
#: Services MUST be able to handle proxy-granting tickets of up to 64
CAS_PGT_LEN = getattr(settings, 'CAS_TICKET_LEN', CAS_TICKET_LEN)
#: alias of :obj:`settings.CAS_TICKET_LEN`
#: Services MUST be able to handle PGTIOUs of up to 64 characters in length.
CAS_PGTIOU_LEN = getattr(settings, 'CAS_TICKET_LEN', CAS_TICKET_LEN)
#: Prefix of login tickets.
CAS_LOGIN_TICKET_PREFIX = u'LT'
#: Prefix of service tickets. Service tickets MUST begin with the characters ST so you should not
#: change this.
CAS_SERVICE_TICKET_PREFIX = u'ST'
#: Prefix of proxy ticket. Proxy tickets SHOULD begin with the characters, PT.
CAS_PROXY_TICKET_PREFIX = u'PT'
#: Prefix of proxy granting ticket. Proxy-granting tickets SHOULD begin with the characters PGT.
CAS_PROXY_GRANTING_TICKET_PREFIX = u'PGT'
#: Prefix of proxy granting ticket IOU. Proxy-granting ticket IOUs SHOULD begin with the characters
#: PGTIOU.
CAS_PROXY_GRANTING_TICKET_IOU_PREFIX = u'PGTIOU'
#: Host for the SQL server.
CAS_SQL_HOST = 'localhost'
#: Username for connecting to the SQL server.
CAS_SQL_USERNAME = ''
#: Password for connecting to the SQL server.
CAS_SQL_PASSWORD = ''
#: Database name.
CAS_SQL_DBNAME = ''
#: Database charset.
CAS_SQL_DBCHARSET = 'utf8'
#: The query performed upon user authentication.
CAS_SQL_USER_QUERY = 'SELECT user AS username, pass AS password, users.* FROM users WHERE user = %s'
#: The method used to check the user password. Must be one of ``"crypt"``, ``"ldap"``,
#: ``"hex_md5"``, ``"hex_sha1"``, ``"hex_sha224"``, ``"hex_sha256"``, ``"hex_sha384"``,
#: ``"hex_sha512"``, ``"plain"``.
CAS_SQL_PASSWORD_CHECK = 'crypt'
#: charset the SQL users passwords was hash with
CAS_SQL_PASSWORD_CHARSET = "utf-8"
#: Address of the LDAP server
CAS_LDAP_SERVER = 'localhost'
#: LDAP user bind address, for example ``"cn=admin,dc=crans,dc=org"`` for connecting to the LDAP
#: server.
CAS_LDAP_USER = None
#: LDAP connection password
CAS_LDAP_PASSWORD = None
#: LDAP seach base DN, for example ``"ou=data,dc=crans,dc=org"``.
CAS_LDAP_BASE_DN = None
#: LDAP search filter for searching user by username. User inputed usernames are escaped using
#: :func:`ldap3.utils.conv.escape_bytes`.
CAS_LDAP_USER_QUERY = "(uid=%(username)s)"
#: LDAP attribute used for users usernames
CAS_LDAP_USERNAME_ATTR = "uid"
#: LDAP attribute used for users passwords
CAS_LDAP_PASSWORD_ATTR = "userPassword"
#: The method used to check the user password. Must be one of ``"crypt"``, ``"ldap"``,
#: ``"hex_md5"``, ``"hex_sha1"``, ``"hex_sha224"``, ``"hex_sha256"``, ``"hex_sha384"``,
#: ``"hex_sha512"``, ``"plain"``, ``"bind"``.
CAS_LDAP_PASSWORD_CHECK = "ldap"
#: charset the LDAP users passwords was hash with
CAS_LDAP_PASSWORD_CHARSET = "utf-8"
#: This parameter is only used then ``CAS_LDAP_PASSWORD_CHECK`` is set to ``"bind"``.
#:
#: * if ``0`` the user attributes are retrieved by connecting to the ldap as ``CAS_LDAP_USER``.
#: * if ``1`` the user attributes are retrieve then the user authenticate using
#: the user credentials. These attributes are then cached for the session.
#:
#: The default is ``0``.
CAS_LDAP_ATTRS_VIEW = 0
#: Username of the test user.
CAS_TEST_USER = 'test'
#: Password of the test user.
CAS_TEST_PASSWORD = 'test'
#: Attributes of the test user.
CAS_TEST_ATTRIBUTES = {
'nom': 'Nymous',
'prenom': 'Ano',
'email': 'anonymous@example.net',
'alias': ['demo1', 'demo2']
}
#: A :class:`bool` for activatinc the hability to fetch tickets using javascript.
CAS_ENABLE_AJAX_AUTH = False
#: A :class:`bool` for activating the federated mode
CAS_FEDERATE = False
#: Time after witch the cookie use for “remember my identity provider” expire (one week).
CAS_FEDERATE_REMEMBER_TIMEOUT = 604800
#: A :class:`bool` for diplaying a warning on html pages then a new version of the application
#: is avaible. Once closed by a user, it is not displayed to this user until the next new version.
CAS_NEW_VERSION_HTML_WARNING = True
#: A :class:`bool` for sending emails to ``settings.ADMINS`` when a new version is available.
CAS_NEW_VERSION_EMAIL_WARNING = True
#: URL to the pypi json of the application. Used to retreive the version number of the last version.
#: You should not change it.
CAS_NEW_VERSION_JSON_URL = "https://pypi.org/pypi/django-cas-server/json"
#: If the service message should be displayed on the login page
CAS_SHOW_SERVICE_MESSAGES = True
#: Messages displayed in a info-box on the html pages of the default templates.
#: ``CAS_INFO_MESSAGES`` is a :class:`dict` mapping message name to a message :class:`dict`.
#: A message :class:`dict` has 3 keys:
#:
#: * ``message``: A :class:`unicode`, the message to display, potentially wrapped around
#: ugettex_lazy
#: * ``discardable``: A :class:`bool`, specify if the users can close the message info-box
#: * ``type``: One of info, success, info, warning, danger. The type of the info-box.
#:
#: ``CAS_INFO_MESSAGES`` contains by default one message, ``cas_explained``, which explain
#: roughly the purpose of a CAS.
CAS_INFO_MESSAGES = {
"cas_explained": {
"message": _(
u"The Central Authentication Service grants you access to most of our websites by "
u"authenticating only once, so you don't need to type your credentials again unless "
u"your session expires or you logout."
),
"discardable": True,
"type": "info", # one of info, success, info, warning, danger
},
}
#: :class:`list` of message names. Order in which info-box messages are displayed.
#: Let the list empty to disable messages display.
CAS_INFO_MESSAGES_ORDER = []
#: :class:`bool` If `True` Django session cookie will be removed on logout from CAS server
CAS_REMOVE_DJANGO_SESSION_COOKIE_ON_LOGOUT = False
#: :class:`bool` If `True` Django csrf cookie will be removed on logout from CAS server
CAS_REMOVE_DJANGO_CSRF_COOKIE_ON_LOGOUT = False
#: :class:`bool` If `True` Django language cookie will be removed on logout from CAS server
CAS_REMOVE_DJANGO_LANGUAGE_COOKIE_ON_LOGOUT = False
#: A dotted path to a form or a form used on the login page to retrieve user credentials
CAS_USER_CREDENTIAL_FORM = "cas_server.forms.UserCredential"
#: A dotted path to a form or a form used on warn page before emitting a ticket
CAS_WARN_FORM = "cas_server.forms.WarnForm"
#: A dotted path to a form or a form used on the login page to select another CAS in federated mode
CAS_FEDERATE_SELECT_FORM = "cas_server.forms.FederateSelect"
#: A dotted path to a form or a form used on the login page in federated mode
CAS_FEDERATE_USER_CREDENTIAL_FORM = "cas_server.forms.FederateUserCredential"
#: A dotted path to a form or a form for Tickets in the admin interface
CAS_TICKET_FORM = "cas_server.forms.TicketForm"
GLOBALS = globals().copy()
for name, default_value in GLOBALS.items():
# only care about parameter begining by CAS_
if name.startswith("CAS_"):
# get the current setting value, falling back to default_value
value = getattr(settings, name, default_value)
# set the setting value to its value if defined, else to the default_value.
setattr(settings, name, value)
# Allow the user defined CAS_COMPONENT_URLS to omit not changed values
MERGED_CAS_COMPONENT_URLS = CAS_COMPONENT_URLS.copy()
MERGED_CAS_COMPONENT_URLS.update(settings.CAS_COMPONENT_URLS)
settings.CAS_COMPONENT_URLS = MERGED_CAS_COMPONENT_URLS
# if the federated mode is enabled, we must use the :class`cas_server.auth.CASFederateAuth` auth
# backend.
if settings.CAS_FEDERATE:
settings.CAS_AUTH_CLASS = "cas_server.auth.CASFederateAuth"
#: SessionStore class depending of :django:setting:`SESSION_ENGINE`
SessionStore = import_module(settings.SESSION_ENGINE).SessionStore
|
