Add CAS authentication to Storage Service
This commit adds support for authentication via Central Authentication
Service (CAS) to the Storage Service. It includes configuration
options for auto-setting email addresses for users based on the rule
USERNAME@DOMAIN as well as for setting user.is_superuser based on the
presence or absence of configurable expected values in user attributes
returned by a CAS server during p3/serviceValidate.

Because the CAS middleware bypasses the Archivematica login screen and
thus prevents other single sign-on methods from being utilized, an
ImproperlyConfigured exception will be raised when attempting to start
Archivematica with CAS enabled in addition to Shibboleth or LDAP.
tw4l committed Jul 29, 2020
1 parent 0f9fd30 commit 269daaf
Showing 11 changed files with 500 additions and 42 deletions.
51 changes: 47 additions & 4 deletions install/README.md
Expand Up @@ -9,6 +9,7 @@
- [Application-specific environment variables](#application-specific-environment-variables)
- [Gunicorn-specific environment variables](#gunicorn-specific-environment-variables)
- [LDAP-specific environment variables](#ldap-specific-environment-variables)
- [CAS-specific environment variables](#cas-specific-environment-variables)
- [Logging configuration](#logging-configuration)

## Introduction
Expand Down Expand Up @@ -74,6 +75,11 @@ of these settings or provide values to mandatory fields.
- **Type:** `boolean`
- **Default:** `false`

- **`SS_CAS_AUTHENTICATION`**:
- **Description:** enables the CAS (Central Authentication Service) authentication system.
- **Type:** `boolean`
- **Default:** `false`

- **`SS_BAG_VALIDATION_NO_PROCESSES`**:
- **Description:** number of concurrent processes used by BagIt. If Gunicorn is being used to serve the Storage Service and its worker class is set to `gevent`, then BagIt validation must use 1 process. Otherwise, calls to `validate` will hang because of the incompatibility between gevent and multiprocessing (BagIt) concurrency strategies. See [#708](https://github.com/artefactual/archivematica/issues/708).
- **Type:** `int`
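Review bot: the `SS_CAS_AUTHENTICATION` entry should state that it is mutually exclusive with the Shibboleth and LDAP options, since the commit message says startup raises `ImproperlyConfigured` when CAS is enabled together with either of them; a reader of this README has no way to learn that. Suggest appending to the description: "Cannot be combined with Shibboleth or LDAP authentication; the Storage Service will refuse to start if more than one is enabled."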
Expand Down Expand Up @@ -213,8 +219,7 @@ This is the current list of strings supported:

### LDAP-specific environment variables

These variables specify the behaviour of LDAP authentication. If `SS_LDAP_AUTHENTICATION` is false,
none of the other ones are used.
These variables specify the behaviour of LDAP authentication. If `SS_LDAP_AUTHENTICATION` is false, none of the other ones are used.

- **`SS_LDAP_AUTHENTICATION`**:
- **Description:** Enables user authentication via LDAP.
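Review bot: the LDAP introductory sentence is only reflowed from two lines onto one here, and the AWS paragraph further down gets the same whitespace-only treatment; neither is related to CAS, so they belong in a separate formatting commit or at least a mention in the commit message so the diff is not mistaken for a wording change.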
Expand Down Expand Up @@ -343,10 +348,48 @@ This is the current list of strings supported:
- **Type:** `string`
- **Default:** ``

### CAS-specific environment variables

These variables specify the behaviour of CAS authentication. If `SS_CAS_AUTHENTICATION` is false, none of the other ones are used.

- **`AUTH_CAS_SERVER_URL`**:
- **Description:** Address of the CAS server to authenticate against. Defaults to CAS demo server.
- **Type:** `string`
- **Default:** `https://django-cas-ng-demo-server.herokuapp.com/cas/`

- **`AUTH_CAS_PROTOCOL_VERSION`**:
- **Description:** Version of CAS protocol to use. Allowed values are "1", "2", "3", or "CAS_2_SAML_1_0".
- **Type:** `string`
- **Default:** `3`

- **`AUTH_CAS_CHECK_ADMIN_ATTRIBUTES`**:
- **Description:** Determines if we check user attributes returned by CAS server to determine if user is an administrator.
- **Type:** `boolean`
- **Default:** `false`

- **`AUTH_CAS_ADMIN_ATTRIBUTE`**:
- **Description:** Name of attribute to check for administrator status, if `CAS_CHECK_ADMIN_ATTRIBUTES` is True.
- **Type:** `string`
- **Default:** `None`

- **`AUTH_CAS_ADMIN_ATTRIBUTE_VALUE`**:
- **Description:** Value in `CAS_ADMIN_ATTRIBUTE` that indicates user is an administrator, if `CAS_CHECK_ADMIN_ATTRIBUTES` is True.
- **Type:** `string`
- **Default:** `None`

- **`AUTH_CAS_AUTOCONFIGURE_EMAIL`**:
- **Description:** Determines if we auto-configure an email address for new users by following the rule username@domain.
- **Type:** `boolean`
- **Default:** `false`

- **`AUTH_CAS_EMAIL_DOMAIN`**:
- **Description:** Domain to use for auto-configured email addresses, if `AUTH_CAS_AUTOCONFIGURE_EMAIL` is True.
- **Type:** `string`
- **Default:** `None`

### AWS-specific environment variables

These variables can be set to allow AWS authentication for S3 storage spaces as an alternative
to providing these details via the user interface. See [AWS CLI Environment Variables](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html) for details.
These variables can be set to allow AWS authentication for S3 storage spaces as an alternative to providing these details via the user interface. See [AWS CLI Environment Variables](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html) for details.

- **`AWS_ACCESS_KEY_ID`**:
- **Description:** Access key for AWS authentication
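Review bot: `AUTH_CAS_SERVER_URL` defaults to a public demo server (`https://django-cas-ng-demo-server.herokuapp.com/cas/`), so an operator who sets `SS_CAS_AUTHENTICATION=true` without also setting the URL silently delegates login decisions for the Storage Service to a third-party host outside their control. Suggest documenting no default (or a placeholder) and having the settings code refuse to start when CAS is enabled but the server URL is unset, in the same way the commit already does for conflicting SSO methods. Two smaller points in this hunk: the descriptions for `AUTH_CAS_ADMIN_ATTRIBUTE` and `AUTH_CAS_ADMIN_ATTRIBUTE_VALUE` refer to `CAS_CHECK_ADMIN_ATTRIBUTES` and `CAS_ADMIN_ATTRIBUTE` without the `AUTH_` prefix used by the variable names themselves, and the entries typed as `string` with `Default: None` would read more clearly as "unset", with a note that `AUTH_CAS_EMAIL_DOMAIN` is required once `AUTH_CAS_AUTOCONFIGURE_EMAIL` is true.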
4 changes: 3 additions & 1 deletion requirements/base.in
@@ -1,5 +1,4 @@
# Base requirements - for all installations
# updated May 9, 2017 for 0.11.0 release
bagit==1.7.0
boto3==1.9.174
botocore==1.12.253
Expand Down Expand Up @@ -40,3 +39,6 @@ git+https://github.com/seatme/django-longer-username.git@seatme#egg=longeruserna
# LDAP support
python-ldap==3.2.0
django-auth-ldap==1.3.0

# CAS authentication
django-cas-ng==3.6.0
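Review bot: the new `django-cas-ng==3.6.0` pin sits on the authentication path (it performs the `p3/serviceValidate` ticket check named in the commit message) and brings `python-cas` and an `lxml` dependency with it, as the regenerated `base.txt` shows; a short comment here recording why 3.6.0 was chosen and which transitive packages it pulls in would make the next upgrade review easier.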
16 changes: 9 additions & 7 deletions requirements/base.txt
Expand Up @@ -11,19 +11,20 @@ boto3==1.9.174 # via -r base.in
botocore==1.12.253 # via -r base.in, boto3, s3transfer
brotli==0.5.2 # via -r base.in
certifi==2020.6.20 # via requests
cffi==1.14.0 # via cryptography
cffi==1.14.1 # via cryptography
chardet==3.0.4 # via requests
configparser==4.0.2 # via importlib-metadata
contextlib2==0.6.0.post1 # via importlib-metadata, importlib-resources, zipp
cryptography==2.9.2 # via pyopenssl
cryptography==3.0 # via pyopenssl
debtcollector==1.22.0 # via oslo.config, oslo.utils, python-keystoneclient
defusedxml==0.5.0 # via -r base.in
django-auth-ldap==1.3.0 # via -r base.in
django-cas-ng==3.6.0 # via -r base.in
django-extensions==1.7.9 # via -r base.in
django-prometheus==1.0.15 # via -r base.in
git+https://github.com/Brown-University-Library/django-shibboleth-remoteuser.git@67d270c65c201606fb86d548493d4b3fd8cc7a76#egg=django-shibboleth-remoteuser # via -r base.in
django-tastypie==0.14.3 # via -r base.in
django==1.11.29 # via -r base.in, django-auth-ldap, jsonfield
django==1.11.29 # via -r base.in, django-auth-ldap, django-cas-ng, jsonfield
docutils==0.15.2 # via botocore
enum34==1.1.10 # via cryptography, oslo.config
funcsigs==1.0.2 # via debtcollector, oslo.utils
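Review bot: this hunk also bumps `cffi` 1.14.0 to 1.14.1 and `cryptography` 2.9.2 to 3.0, neither of which is mentioned in the commit message; `cryptography` 3.0 is a major-version change for a library backing `pyopenssl` and the TLS client used for the CAS server connection, so it deserves either its own commit or an explicit sentence in the message explaining that the lock files were regenerated and what moved as a result.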
Expand All @@ -43,7 +44,7 @@ jsonfield==2.0.1 # via -r base.in
keystoneauth1==4.0.1 # via python-keystoneclient
logutils==0.3.4.1 # via -r base.in
git+https://github.com/seatme/django-longer-username.git@seatme#egg=longerusername # via -r base.in
lxml==3.7.3 # via -r base.in, metsrw
lxml==3.7.3 # via -r base.in, metsrw, python-cas
metsrw==0.3.15 # via -r base.in
monotonic==1.5 # via oslo.utils
msgpack==1.0.0 # via oslo.serialization
Expand All @@ -66,6 +67,7 @@ pyasn1==0.4.8 # via pyasn1-modules, python-ldap
pycparser==2.20 # via cffi
pyopenssl==19.1.0 # via ndg-httpsclient
pyparsing==2.4.7 # via oslo.utils
python-cas==1.5.0 # via django-cas-ng
python-dateutil==2.8.1 # via botocore, django-tastypie
python-gnupg==0.4.0 # via -r base.in
python-keystoneclient==3.10.0 # via -r base.in
Expand All @@ -75,15 +77,15 @@ python-swiftclient==3.3.0 # via -r base.in
pytz==2020.1 # via babel, django, oslo.serialization, oslo.utils
pyyaml==5.3.1 # via oslo.config, oslo.serialization
requests-oauthlib==1.2.0 # via -r base.in
requests==2.21.0 # via -r base.in, agentarchives, keystoneauth1, oslo.config, python-keystoneclient, python-swiftclient, requests-oauthlib
requests==2.21.0 # via -r base.in, agentarchives, keystoneauth1, oslo.config, python-cas, python-keystoneclient, python-swiftclient, requests-oauthlib
rfc3986==1.4.0 # via oslo.config
s3transfer==0.2.1 # via boto3
scandir==1.10.0 # via -r base.in, pathlib2
singledispatch==3.4.0.3 # via importlib-resources
six==1.15.0 # via cryptography, debtcollector, django-extensions, keystoneauth1, metsrw, oslo.config, oslo.i18n, oslo.serialization, oslo.utils, pathlib2, pyopenssl, python-dateutil, python-keystoneclient, python-swiftclient, singledispatch, stevedore
six==1.15.0 # via cryptography, debtcollector, django-extensions, keystoneauth1, metsrw, oslo.config, oslo.i18n, oslo.serialization, oslo.utils, pathlib2, pyopenssl, python-cas, python-dateutil, python-keystoneclient, python-swiftclient, singledispatch, stevedore
stevedore==1.32.0 # via keystoneauth1, oslo.config, python-keystoneclient
sword2==0.2.1 # via -r base.in
typing==3.7.4.2 # via importlib-resources
typing==3.7.4.3 # via importlib-resources
urllib3==1.24.3 # via botocore, requests
whitenoise==3.3.0 # via -r base.in
wrapt==1.12.1 # via debtcollector, positional
16 changes: 9 additions & 7 deletions requirements/local.txt
Expand Up @@ -11,21 +11,22 @@ boto3==1.9.174 # via -r base.txt
botocore==1.12.253 # via -r base.txt, boto3, s3transfer
brotli==0.5.2 # via -r base.txt
certifi==2020.6.20 # via -r base.txt, requests
cffi==1.14.0 # via -r base.txt, cryptography
cffi==1.14.1 # via -r base.txt, cryptography
chardet==3.0.4 # via -r base.txt, requests
click==7.1.2 # via pip-tools
configparser==4.0.2 # via -r base.txt, importlib-metadata
contextlib2==0.6.0.post1 # via -r base.txt, importlib-metadata, importlib-resources, zipp
cryptography==2.9.2 # via -r base.txt, pyopenssl
cryptography==3.0 # via -r base.txt, pyopenssl
debtcollector==1.22.0 # via -r base.txt, oslo.config, oslo.utils, python-keystoneclient
defusedxml==0.5.0 # via -r base.txt
dj-database-url==0.4.2 # via -r local.in
django-auth-ldap==1.3.0 # via -r base.txt
django-cas-ng==3.6.0 # via -r base.txt
django-extensions==1.7.9 # via -r base.txt
django-prometheus==1.0.15 # via -r base.txt
git+https://github.com/Brown-University-Library/django-shibboleth-remoteuser.git@67d270c65c201606fb86d548493d4b3fd8cc7a76#egg=django-shibboleth-remoteuser # via -r base.txt
django-tastypie==0.14.3 # via -r base.txt
django==1.11.29 # via -r base.txt, django-auth-ldap, jsonfield
django==1.11.29 # via -r base.txt, django-auth-ldap, django-cas-ng, jsonfield
docutils==0.15.2 # via -r base.txt, botocore, sphinx
enum34==1.1.10 # via -r base.txt, cryptography, oslo.config
funcsigs==1.0.2 # via -r base.txt, debtcollector, oslo.utils
Expand All @@ -47,7 +48,7 @@ jsonfield==2.0.1 # via -r base.txt
keystoneauth1==4.0.1 # via -r base.txt, python-keystoneclient
logutils==0.3.4.1 # via -r base.txt
git+https://github.com/seatme/django-longer-username.git@seatme#egg=longerusername # via -r base.txt
lxml==3.7.3 # via -r base.txt, metsrw
lxml==3.7.3 # via -r base.txt, metsrw, python-cas
markupsafe==1.1.1 # via jinja2
metsrw==0.3.15 # via -r base.txt
monotonic==1.5 # via -r base.txt, oslo.utils
Expand All @@ -74,6 +75,7 @@ pycparser==2.20 # via -r base.txt, cffi
pygments==2.5.2 # via sphinx
pyopenssl==19.1.0 # via -r base.txt, ndg-httpsclient
pyparsing==2.4.7 # via -r base.txt, oslo.utils
python-cas==1.5.0 # via -r base.txt, django-cas-ng
python-dateutil==2.8.1 # via -r base.txt, botocore, django-tastypie
python-gnupg==0.4.0 # via -r base.txt
python-keystoneclient==3.10.0 # via -r base.txt
Expand All @@ -83,17 +85,17 @@ python-swiftclient==3.3.0 # via -r base.txt
pytz==2020.1 # via -r base.txt, babel, django, oslo.serialization, oslo.utils
pyyaml==5.3.1 # via -r base.txt, oslo.config, oslo.serialization
requests-oauthlib==1.2.0 # via -r base.txt
requests==2.21.0 # via -r base.txt, agentarchives, keystoneauth1, oslo.config, python-keystoneclient, python-swiftclient, requests-oauthlib
requests==2.21.0 # via -r base.txt, agentarchives, keystoneauth1, oslo.config, python-cas, python-keystoneclient, python-swiftclient, requests-oauthlib
rfc3986==1.4.0 # via -r base.txt, oslo.config
s3transfer==0.2.1 # via -r base.txt, boto3
scandir==1.10.0 # via -r base.txt, pathlib2
singledispatch==3.4.0.3 # via -r base.txt, importlib-resources
six==1.15.0 # via -r base.txt, cryptography, debtcollector, django-extensions, keystoneauth1, metsrw, oslo.config, oslo.i18n, oslo.serialization, oslo.utils, pathlib2, pip-tools, pyopenssl, python-dateutil, python-keystoneclient, python-swiftclient, singledispatch, stevedore, transifex-client
six==1.15.0 # via -r base.txt, cryptography, debtcollector, django-extensions, keystoneauth1, metsrw, oslo.config, oslo.i18n, oslo.serialization, oslo.utils, pathlib2, pip-tools, pyopenssl, python-cas, python-dateutil, python-keystoneclient, python-swiftclient, singledispatch, stevedore, transifex-client
sphinx==1.2b1 # via -r local.in
stevedore==1.32.0 # via -r base.txt, keystoneauth1, oslo.config, python-keystoneclient
sword2==0.2.1 # via -r base.txt
transifex-client==0.12.2 # via -r local.in
typing==3.7.4.2 # via -r base.txt, importlib-resources
typing==3.7.4.3 # via -r base.txt, importlib-resources
urllib3==1.24.3 # via -r base.txt, botocore, requests, transifex-client
whitenoise==3.3.0 # via -r base.txt
wrapt==1.12.1 # via -r base.txt, debtcollector, positional
16 changes: 9 additions & 7 deletions requirements/production.txt
Expand Up @@ -11,20 +11,21 @@ boto3==1.9.174 # via -r base.txt
botocore==1.12.253 # via -r base.txt, boto3, s3transfer
brotli==0.5.2 # via -r base.txt
certifi==2020.6.20 # via -r base.txt, requests
cffi==1.14.0 # via -r base.txt, cryptography
cffi==1.14.1 # via -r base.txt, cryptography
chardet==3.0.4 # via -r base.txt, requests
configparser==4.0.2 # via -r base.txt, importlib-metadata
contextlib2==0.6.0.post1 # via -r base.txt, importlib-metadata, importlib-resources, zipp
cryptography==2.9.2 # via -r base.txt, pyopenssl
cryptography==3.0 # via -r base.txt, pyopenssl
debtcollector==1.22.0 # via -r base.txt, oslo.config, oslo.utils, python-keystoneclient
defusedxml==0.5.0 # via -r base.txt
dj-database-url==0.4.2 # via -r production.in
django-auth-ldap==1.3.0 # via -r base.txt
django-cas-ng==3.6.0 # via -r base.txt
django-extensions==1.7.9 # via -r base.txt
django-prometheus==1.0.15 # via -r base.txt
git+https://github.com/Brown-University-Library/django-shibboleth-remoteuser.git@67d270c65c201606fb86d548493d4b3fd8cc7a76#egg=django-shibboleth-remoteuser # via -r base.txt
django-tastypie==0.14.3 # via -r base.txt
django==1.11.29 # via -r base.txt, django-auth-ldap, jsonfield
django==1.11.29 # via -r base.txt, django-auth-ldap, django-cas-ng, jsonfield
docutils==0.15.2 # via -r base.txt, botocore
enum34==1.1.10 # via -r base.txt, cryptography, oslo.config
funcsigs==1.0.2 # via -r base.txt, debtcollector, oslo.utils
Expand All @@ -44,7 +45,7 @@ jsonfield==2.0.1 # via -r base.txt
keystoneauth1==4.0.1 # via -r base.txt, python-keystoneclient
logutils==0.3.4.1 # via -r base.txt
git+https://github.com/seatme/django-longer-username.git@seatme#egg=longerusername # via -r base.txt
lxml==3.7.3 # via -r base.txt, metsrw
lxml==3.7.3 # via -r base.txt, metsrw, python-cas
metsrw==0.3.15 # via -r base.txt
monotonic==1.5 # via -r base.txt, oslo.utils
msgpack==1.0.0 # via -r base.txt, oslo.serialization
Expand All @@ -68,6 +69,7 @@ pyasn1==0.4.8 # via -r base.txt, pyasn1-modules, python-ldap
pycparser==2.20 # via -r base.txt, cffi
pyopenssl==19.1.0 # via -r base.txt, ndg-httpsclient
pyparsing==2.4.7 # via -r base.txt, oslo.utils
python-cas==1.5.0 # via -r base.txt, django-cas-ng
python-dateutil==2.8.1 # via -r base.txt, botocore, django-tastypie
python-gnupg==0.4.0 # via -r base.txt
python-keystoneclient==3.10.0 # via -r base.txt
Expand All @@ -77,15 +79,15 @@ python-swiftclient==3.3.0 # via -r base.txt
pytz==2020.1 # via -r base.txt, babel, django, oslo.serialization, oslo.utils
pyyaml==5.3.1 # via -r base.txt, oslo.config, oslo.serialization
requests-oauthlib==1.2.0 # via -r base.txt
requests==2.21.0 # via -r base.txt, agentarchives, keystoneauth1, oslo.config, python-keystoneclient, python-swiftclient, requests-oauthlib
requests==2.21.0 # via -r base.txt, agentarchives, keystoneauth1, oslo.config, python-cas, python-keystoneclient, python-swiftclient, requests-oauthlib
rfc3986==1.4.0 # via -r base.txt, oslo.config
s3transfer==0.2.1 # via -r base.txt, boto3
scandir==1.10.0 # via -r base.txt, pathlib2
singledispatch==3.4.0.3 # via -r base.txt, importlib-resources
six==1.15.0 # via -r base.txt, cryptography, debtcollector, django-extensions, keystoneauth1, metsrw, oslo.config, oslo.i18n, oslo.serialization, oslo.utils, pathlib2, pyopenssl, python-dateutil, python-keystoneclient, python-swiftclient, singledispatch, stevedore
six==1.15.0 # via -r base.txt, cryptography, debtcollector, django-extensions, keystoneauth1, metsrw, oslo.config, oslo.i18n, oslo.serialization, oslo.utils, pathlib2, pyopenssl, python-cas, python-dateutil, python-keystoneclient, python-swiftclient, singledispatch, stevedore
stevedore==1.32.0 # via -r base.txt, keystoneauth1, oslo.config, python-keystoneclient
sword2==0.2.1 # via -r base.txt
typing==3.7.4.2 # via -r base.txt, importlib-resources
typing==3.7.4.3 # via -r base.txt, importlib-resources
urllib3==1.24.3 # via -r base.txt, botocore, requests
whitenoise==3.3.0 # via -r base.txt
wrapt==1.12.1 # via -r base.txt, debtcollector, positional