Mercurial > public > pelican-blog
view content/Coding/020-django-moinmoin.rst @ 22:a893739e9587
Updates for SSL
author | Brian Neal <bgneal@gmail.com> |
---|---|
date | Sat, 21 Jul 2018 17:47:55 -0500 |
parents | 49bebfa6f9d3 |
children |
line wrap: on
line source
Integrating Django and MoinMoin with Redis ########################################## :date: 2012-12-02 14:50 :tags: Django, MoinMoin, Redis :slug: integrating-django-and-moinmoin-with-redis :author: Brian Neal :summary: Here is how I integrated the MoinMoin wiki with Django using Redis! We want a Wiki! =============== Over at SurfGuitar101.com_, we decided we'd like to have a wiki to capture community knowledge. I briefly looked at candidate wiki engines with an eye towards integrating them with Django_, the framework that powers SurfGuitar101.com_. And of course I was biased towards a wiki solution that was written in Python_. I had tried a few wikis in the past, including the behemoth MediaWiki_. MediaWiki is a very powerful piece of software, but it is also quite complex, and I didn't want to have to maintain a PHP infrastructure to run it. Enter MoinMoin_. This is a mature wiki platform that is actively maintained and written in Python. It is full featured but did not seem overly complex to me. It stores its pages in flat files, which seemed appealing for our likely small wiki needs. It turns out I had been a user of MoinMoin for many years without really knowing it. The `Python.org wiki`_, `Mercurial wiki`_, and `omniORB wiki`_ are all powered by MoinMoin_. We'd certainly be in good company. Single Sign-On ============== The feature that clinched it was MoinMoin's flexible `authentication system`_. It would be very desirable if my users did not have to sign into Django and then sign in again to the wiki with possibly a different username. Managing two different password databases would be a real headache. The ideal solution would mean signing into Django would log the user into MoinMoin with the same username automatically. MoinMoin supports this with their `external cookie authentication`_ mechanism. The details are provided in the previous link; basically a Django site needs to perform the following: #. Set an external cookie for MoinMoin to read whenever a user logs into Django. #. To prevent spoofing, the Django application should create a record that the cookie was created in some shared storage area accessible to MoinMoin. This allows MoinMoin to validate that the cookie is legitimate and not a fake. #. When the user logs out of the Django application, it should delete this external cookie and the entry in the shared storage area. #. Periodically the Django application should expire entires in the shared storage area for clean-up purposes. Otherwise this storage would grow and grow if users never logged out. Deleting entries older than the external cookie's age should suffice. My Django Implementation ======================== There are of course many ways to approach this problem. Here is what I came up with. I created a Django application called *wiki* to hold this integration code. There is quite a lot of code here, too much to conveniently show in this blog post. I will post snippets below, but you can refer to the complete code in my `Bitbucket repository`_. You can also view online the `wiki application in bitbucket`_ for convenience. Getting notified of when users log into or out of Django is made easy thanks to Django's `login and logout signals`_. By creating a signal handler I can be notified when a user logs in or out. The signal handler code looks like this: .. sourcecode:: python import logging from django.contrib.auth.signals import user_logged_in, user_logged_out from wiki.constants import SESSION_SET_MEMBER logger = logging.getLogger(__name__) def login_callback(sender, request, user, **kwargs): """Signal callback function for a user logging in. Sets a flag for the middleware to create an external cookie. """ logger.info('User login: %s', user.username) request.wiki_set_cookie = True def logout_callback(sender, request, user, **kwargs): """Signal callback function for a user logging in. Sets a flag for the middleware to delete the external cookie. Since the user is about to logout, her session will be wiped out after this function returns. This forces us to set an attribute on the request object so that the response middleware can delete the wiki's cookie. """ if user: logger.info('User logout: %s', user.username) # Remember what Redis set member to delete by adding an attribute to the # request object: request.wiki_delete_cookie = request.session.get(SESSION_SET_MEMBER) user_logged_in.connect(login_callback, dispatch_uid='wiki.signals.login') user_logged_out.connect(logout_callback, dispatch_uid='wiki.signals.logout') When a user logs in I want to create an external cookie for MoinMoin. But cookies can only be created on HttpResponse_ objects, and all we have access to here in the signal handler is the request object. The solution here is to set an attribute on the request object that a later piece of middleware_ will process. I at first resisted this approach, thinking it was kind of hacky. I initially decided to set a flag in the session, but then found out that in some cases the session is not always available. I then reviewed some of the Django supplied middleware classes and saw that they also set attributes on the request object, so this must be an acceptable practice. My middleware looks like this. .. sourcecode:: python class WikiMiddleware(object): """ Check for flags on the request object to determine when to set or delete an external cookie for the wiki application. When creating a cookie, also set an entry in Redis that the wiki application can validate to prevent spoofing. """ def process_response(self, request, response): if hasattr(request, 'wiki_set_cookie'): create_wiki_session(request, response) elif hasattr(request, 'wiki_delete_cookie'): destroy_wiki_session(request.wiki_delete_cookie, response) return response The ``create_wiki_session()`` function creates the cookie for MoinMoin and stores a hash of the cookie in a shared storage area for MoinMoin to validate. In our case, Redis_ makes an excellent shared storage area. We create a sorted set in Redis to store our cookie hashes. The score for each hash is the timestamp of when the cookie was created. This allows us to easily delete expired cookies by score periodically. .. sourcecode:: python def create_wiki_session(request, response): """Sets up the session for the external wiki application. Creates the external cookie for the Wiki. Updates the Redis set so the Wiki can verify the cookie. """ now = datetime.datetime.utcnow() value = cookie_value(request.user, now) response.set_cookie(settings.WIKI_COOKIE_NAME, value=value, max_age=settings.WIKI_COOKIE_AGE, domain=settings.WIKI_COOKIE_DOMAIN) # Update a sorted set in Redis with a hash of our cookie and a score # of the current time as a timestamp. This allows us to delete old # entries by score periodically. To verify the cookie, the external wiki # application computes a hash of the cookie value and checks to see if # it is in our Redis set. h = hashlib.sha256() h.update(value) name = h.hexdigest() score = time.mktime(now.utctimetuple()) conn = get_redis_connection() try: conn.zadd(settings.WIKI_REDIS_SET, score, name) except redis.RedisError: logger.error("Error adding wiki cookie key") # Store the set member name in the session so we can delete it when the # user logs out: request.session[SESSION_SET_MEMBER] = name We store the name of the Redis set member in the user's session so we can delete it from Redis when the user logs out. During logout, this set member is retrieved from the session in the logout signal handler and stored on the request object. This is because the session will be destroyed after the logout signal handler runs and before the middleware can access it. The middleware can check for the existence of this attribute as its cue to delete the wiki session. .. sourcecode:: python def destroy_wiki_session(set_member, response): """Destroys the session for the external wiki application. Delete the external cookie. Deletes the member from the Redis set as this entry is no longer valid. """ response.delete_cookie(settings.WIKI_COOKIE_NAME, domain=settings.WIKI_COOKIE_DOMAIN) if set_member: conn = get_redis_connection() try: conn.zrem(settings.WIKI_REDIS_SET, set_member) except redis.RedisError: logger.error("Error deleting wiki cookie set member") As suggested in the MoinMoin external cookie documentation, I create a cookie whose value consists of the username, email address, and a key separated by the ``#`` character. The key is just a string of stuff that makes it difficult for a spoofer to recreate. .. sourcecode:: python def cookie_value(user, now): """Creates the value for the external wiki cookie.""" # The key part of the cookie is just a string that would make things # difficult for a spoofer; something that can't be easily made up: h = hashlib.sha256() h.update(user.username + user.email) h.update(now.isoformat()) h.update(''.join(random.sample(string.printable, 64))) h.update(settings.SECRET_KEY) key = h.hexdigest() parts = (user.username, user.email, key) return '#'.join(parts) Finally on the Django side we should periodically delete expired Redis set members in case users do not log out. Since I am using Celery_ with my Django application, I created a Celery task that runs periodically to delete old set members. This function is a bit longer than it probably needs to be, but I wanted to log how big this set is before and after we cull the expired entries. .. sourcecode:: python @task def expire_cookies(): """ Periodically run this task to remove expired cookies from the Redis set that is shared between this Django application & the MoinMoin wiki for authentication. """ now = datetime.datetime.utcnow() cutoff = now - datetime.timedelta(seconds=settings.WIKI_COOKIE_AGE) min_score = time.mktime(cutoff.utctimetuple()) conn = get_redis_connection() set_name = settings.WIKI_REDIS_SET try: count = conn.zcard(set_name) except redis.RedisError: logger.error("Error getting zcard") return try: removed = conn.zremrangebyscore(set_name, 0.0, min_score) except redis.RedisError: logger.error("Error removing by score") return total = count - removed logger.info("Expire wiki cookies: removed %d, total is now %d", removed, total) MoinMoin Implementation ======================= As described in the MoinMoin external cookie documentation, you have to configure MoinMoin to use your external cookie authentication mechanism. It is also nice to disable the ability for the MoinMoin user to change their username and email address since that is being managed by the Django application. These changes to the MoinMoin ``Config`` class are shown below. .. sourcecode:: python class Config(multiconfig.DefaultConfig): # ... # Use ExternalCookie method for integration authentication with Django: auth = [ExternalCookie(autocreate=True)] # remove ability to change username & email, etc. user_form_disable = ['name', 'aliasname', 'email',] user_form_remove = ['password', 'password2', 'css_url', 'logout', 'create', 'account_sendmail', 'jid'] Next we create an ``ExternalCookie`` class and associated helper functions to process the cookie and verify it in Redis. This code is shown in its entirety below. It is based off the example in the MoinMoin external cookie documentation, but uses Redis as the shared storage area. .. sourcecode:: python import hashlib import Cookie import logging from MoinMoin.auth import BaseAuth from MoinMoin.user import User import redis COOKIE_NAME = 'YOUR_COOKIE_NAME_HERE' # Redis connection and database settings REDIS_HOST = 'localhost' REDIS_PORT = 6379 REDIS_DB = 0 # The name of the set in Redis that holds cookie hashes REDIS_SET = 'wiki_cookie_keys' logger = logging.getLogger(__name__) def get_cookie_value(cookie): """Returns the value of the Django cookie from the cookie. None is returned if the cookie is invalid or the value cannot be determined. This function works around an issue with different Python versions. In Python 2.5, if you construct a SimpleCookie with a dict, then type(cookie[key]) == unicode whereas in later versions of Python: type(cookie[key]) == Cookie.Morsel """ if cookie: try: morsel = cookie[COOKIE_NAME] except KeyError: return None if isinstance(morsel, unicode): # Python 2.5 return morsel elif isinstance(morsel, Cookie.Morsel): # Python 2.6+ return morsel.value return None def get_redis_connection(host=REDIS_HOST, port=REDIS_PORT, db=REDIS_DB): """ Create and return a Redis connection using the supplied parameters. """ return redis.StrictRedis(host=host, port=port, db=db) def validate_cookie(value): """Determines if cookie was created by Django. Returns True on success, False on failure. Looks up the hash of the cookie value in Redis. If present, cookie is deemed legit. """ h = hashlib.sha256() h.update(value) set_member = h.hexdigest() conn = get_redis_connection() success = False try: score = conn.zscore(REDIS_SET, set_member) success = score is not None except redis.RedisError: logger.error('Could not check Redis for ExternalCookie auth') return success class ExternalCookie(BaseAuth): name = 'external_cookie' def __init__(self, autocreate=False): self.autocreate = autocreate BaseAuth.__init__(self) def request(self, request, user_obj, **kwargs): user = None try_next = True try: cookie = Cookie.SimpleCookie(request.cookies) except Cookie.CookieError: cookie = None val = get_cookie_value(cookie) if val: try: username, email, _ = val.split('#') except ValueError: return user, try_next if validate_cookie(val): user = User(request, name=username, auth_username=username, auth_method=self.name) changed = False if email != user.email: user.email = email changed = True if user: user.create_or_update(changed) if user and user.valid: try_next = False return user, try_next Conclusion ========== I've been running this setup for a month now and it is working great. My users and I are enjoying our shiny new MoinMoin wiki integrated with our Django powered community website. The single sign-on experience is quite seamless and eliminates the need for separate accounts. .. _SurfGuitar101.com: http://surfguitar101.com .. _Django: https://www.djangoproject.com .. _MediaWiki: http://www.mediawiki.org .. _MoinMoin: http://moinmo.in/ .. _Python: http://www.python.org .. _Python.org wiki: http://wiki.python.org/moin/ .. _Mercurial wiki: http://mercurial.selenic.com/wiki/ .. _omniORB wiki: http://www.omniorb-support.com/omniwiki .. _authentication system: http://moinmo.in/HelpOnAuthentication .. _external cookie authentication: http://moinmo.in/HelpOnAuthentication/ExternalCookie .. _login and logout signals: https://docs.djangoproject.com/en/1.4/topics/auth/#login-and-logout-signals .. _HttpResponse: https://docs.djangoproject.com/en/1.4/ref/request-response/#httpresponse-objects .. _middleware: https://docs.djangoproject.com/en/1.4/topics/http/middleware/ .. _Redis: http://redis.io/ .. _Bitbucket repository: https://bitbucket.org/bgneal/sg101 .. _wiki application in bitbucket: https://bitbucket.org/bgneal/sg101/src/a5b8f25e1752faf71ed429ec7f22ff6f3b3dc851/wiki?at=default .. _Celery: http://celeryproject.org/