From 082f20db60848349250dec9f49d051db8b909647 Mon Sep 17 00:00:00 2001 From: Carson Gee Date: Fri, 21 Feb 2014 12:02:53 -0500 Subject: [PATCH] Remove SSL Certifcate auth reliance on internal password --- .../external_auth/tests/test_ssl.py | 21 +++++++++---------- common/djangoapps/external_auth/views.py | 6 ++++++ 2 files changed, 16 insertions(+), 11 deletions(-) diff --git a/common/djangoapps/external_auth/tests/test_ssl.py b/common/djangoapps/external_auth/tests/test_ssl.py index 33422aad76..8e1c7092e4 100644 --- a/common/djangoapps/external_auth/tests/test_ssl.py +++ b/common/djangoapps/external_auth/tests/test_ssl.py @@ -235,23 +235,22 @@ class SSLClientTest(TestCase): This tests the response when a user exists but their eamap password doesn't match their internal password. - This should start failing and can be removed when the - eamap.internal_password dependency is removed. + The internal password use for certificates has been removed + and this should not fail. """ + # Create account, break internal password, and activate account external_auth.views.ssl_login(self._create_ssl_request('/')) user = User.objects.get(email=self.USER_EMAIL) user.set_password('not autogenerated') + user.is_active = True user.save() - # Validate user failed by checking log - output = StringIO.StringIO() - audit_log_handler = logging.StreamHandler(output) - audit_log = logging.getLogger("audit") - audit_log.addHandler(audit_log_handler) - - request = self._create_ssl_request('/') - external_auth.views.ssl_login(request) - self.assertIn('External Auth Login failed for', output.getvalue()) + # Make sure we can still login + response = self.client.get( + reverse('signin_user'), follow=True, + SSL_CLIENT_S_DN=self.AUTH_DN.format(self.USER_NAME, self.USER_EMAIL)) + print(response) + self.assertIn('_auth_user_id', self.client.session) @unittest.skipUnless(settings.ROOT_URLCONF == 'lms.urls', 'Test only valid in lms') @override_settings(FEATURES=FEATURES_WITHOUT_SSL_AUTH) 
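Review bot: The `print(response)` left before the final assertion in this test is debug output and should be removed. The only remaining check, `self.assertIn('_auth_user_id', self.client.session)`, shows that a session was written but not that it belongs to the expected account or still resolves to a user on a later request, so it would not catch a wrong `user.backend` value. Adding `self.assertEqual(int(self.client.session['_auth_user_id']), user.pk)` and a second request made as the logged-in client would tighten it. Because the test sets `user.is_active = True` itself, a companion case that leaves the account inactive and expects no `_auth_user_id` would pin the negative path of the now password-less login.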
diff --git a/common/djangoapps/external_auth/views.py b/common/djangoapps/external_auth/views.py index cfb655f4b2..9403f6b10b 100644 --- a/common/djangoapps/external_auth/views.py +++ b/common/djangoapps/external_auth/views.py @@ -151,6 +151,7 @@ def _external_login_or_signup(request, log.info(u"External_Auth login_or_signup for %s : %s : %s : %s", external_domain, external_id, email, fullname) uses_shibboleth = settings.FEATURES.get('AUTH_USE_SHIB') and external_domain.startswith(SHIBBOLETH_DOMAIN_PREFIX) + uses_certs = settings.FEATURES.get('AUTH_USE_CERTIFICATES') internal_user = eamap.user if internal_user is None: if uses_shibboleth: @@ -193,6 +194,11 @@ def _external_login_or_signup(request, auth_backend = 'django.contrib.auth.backends.ModelBackend' user.backend = auth_backend AUDIT_LOG.info('Linked user "%s" logged in via Shibboleth', user.email) + elif uses_certs: + # Certificates are trusted, so just link the user and log the action + user = internal_user + user.backend = 'django.contrib.auth.backens.ModelBackend' + AUDIT_LOG.info('Linked user "%s" logged in via SSL certificate', user.email) else: user = authenticate(username=uname, password=eamap.internal_password, request=request) if user is None:
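Review bot: `uses_certs` is derived from the global `AUTH_USE_CERTIFICATES` flag alone, whereas `uses_shibboleth` on the line above also requires `external_domain` to start with `SHIBBOLETH_DOMAIN_PREFIX`. The second hunk uses `uses_certs` to skip the `authenticate(..., password=eamap.internal_password, ...)` check. With the flag on, any non-Shibboleth mapping that reaches this function with a linked user would therefore appear to be logged in without that check and audited as an SSL certificate login. Scoping the flag to the mapping's origin would confine the bypass to certificate logins, for example `uses_certs = settings.FEATURES.get('AUTH_USE_CERTIFICATES') and external_domain.startswith(SSL_DOMAIN_PREFIX_PLACEHOLDER)`, where the placeholder stands for whatever domain value `ssl_login` passes. The function starts and ends outside this hunk, so its other callers are not visible here.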
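Review bot: The backend path in the new `elif uses_certs:` branch is misspelled as `'django.contrib.auth.backens.ModelBackend'`; it should read `user.backend = 'django.contrib.auth.backends.ModelBackend'`, matching the Shibboleth branch just above. Django stores this string in the session at login and uses it to load the backend on later requests, so the typo is likely to surface only after the redirect, as a backend import error or an anonymous user depending on the Django version. The comment `# Certificates are trusted` would be more useful if it named where the certificate is verified (presumably the front-end server that sets `SSL_CLIENT_S_DN`), since that is the only control left once the password check is skipped. Whether an `is_active` check still runs for this branch cannot be seen here, because the function continues past the end of the hunk.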