def view_authenticate_module(module):
if not 'success_forward' in request.transaction or \
not 'failure_forward' in request.transaction or \
not 'login_target' in request.transaction:
logger.info('Invalid request without success or failure urls or login target in the transaction')
logger.debug('Transaction: %s', request.transaction)
return redirect(complete_url_for('view_main'))
url_success = complete_url_for(request.transaction['success_forward'],
transaction=request.transaction_id)
email_auth_domain = None
if 'email_auth_domain' in request.transaction:
email_auth_domain = request.transaction['email_auth_domain']
auth_module = get_auth_module_by_name(module)
if not auth_module:
logger.warning('Selected module %s, but no longer available', module)
return redirect(complete_url_for('view_authenticate', transaction=request.transaction_id))
result = auth_module.authenticate(request.transaction['login_target'],
complete_url_for('view_authenticate_module',
module=module),
requested_attributes=request.transaction['requested_attributes'])
if result == True:
logger.debug('Was already logged on')
return redirect(url_success)
elif result == False:
logger.debug('Authentication module cancelled')
return redirect(complete_url_for('view_authenticate', transaction=request.transaction_id, cancelmodule=True))
else:
# Otherwise it's an flask result
return result
def view_openid_id(username):
return render_template(
'openid_user.html',
username=username,
claimed_id=get_claimed_id(username),
yadis_url=complete_url_for('view_openid_yadis_id',
username=username)
),
200,
{'X-XRDS-Location':
complete_url_for('view_openid_yadis_id', username=username),
'Cache-Control': 'no-cache, must-revalidate',
'Pragma': 'no-cache',
'Expires': 'Sat, 26 Jul 1997 05:00:00 GMT'}
def user_ask_trust_root(openid_request):
if request.method == 'POST' and 'form_filled' in request.form:
if not 'csrf_id' in get_session() \
or not 'csrf_value' in request.form \
or request.form['csrf_value'] != get_session()['csrf_id']:
return 'CSRF Protection value invalid'
if 'decided_allow' in request.form:
addToSessionArray('TRUSTED_ROOTS', openid_request.trust_root)
else:
addToSessionArray('NON_TRUSTED_ROOTS', openid_request.trust_root)
return redirect(request.url)
get_session()['csrf_id'] = uuid().hex
get_session().save()
# Get which stuff we will send
sreg_data = get_auth_module().get_sreg()
sreg_req = sreg.SRegRequest.fromOpenIDRequest(openid_request)
sreg_resp = sreg.SRegResponse.extractResponse(sreg_req, sreg_data)
teams_req = teams.TeamsRequest.fromOpenIDRequest(openid_request)
teams_resp = teams.TeamsResponse.extractResponse(
teams_req,
filter_cla_groups(get_auth_module().get_groups()))
clas_req = cla.CLARequest.fromOpenIDRequest(openid_request)
clas_resp = cla.CLAResponse.extractResponse(
clas_req,
get_cla_uris(get_auth_module().get_groups()))
# Show form
return render_template(
'openid_user_ask_trust_root.html',
action=complete_url_for('view_main'),
trust_root=openid_request.trust_root,
sreg_policy_url=sreg_req.policy_url or _('None provided'),
sreg_data=sreg_resp.data,
teams_provided=teams_resp.teams,
cla_done=cla.CLA_URI_FEDORA_DONE in clas_resp.clas,
csrf=get_session()['csrf_id'])
def view_openid_id(username):
return render_template('openid_user.html',
username=username,
claimed_id=get_claimed_id(username),
yadis_url=complete_url_for('view_openid_yadis_id',
username=username)),
200,
{
'X-XRDS-Location':
complete_url_for('view_openid_yadis_id', username=username),
'Cache-Control':
'no-cache, must-revalidate',
'Pragma':
'no-cache',
'Expires':
'Sat, 26 Jul 1997 05:00:00 GMT'
}
def view_authenticate():
own_url = complete_url_for('view_authenticate', transaction=request.transaction_id)
email_auth_domain = None
if 'email_auth_domain' in request.transaction:
email_auth_domain = request.transaction['email_auth_domain']
listed_auth_modules = get_listed_auth_modules(email_auth_domain)
if not 'success_forward' in request.transaction or not 'failure_forward' in request.transaction or not 'login_target' in request.transaction:
logger.info('Invalid request without success or failure urls or login target in the transaction')
logger.debug('Transaction: %s', request.transaction)
return redirect(complete_url_for('view_main'))
url_success = complete_url_for(request.transaction['success_forward'], transaction=request.transaction_id)
url_failure = complete_url_for(request.transaction['failure_forward'], transaction=request.transaction_id)
if request.auth_module:
if 'already_authenticated' in request.transaction and \
request.transaction['already_authenticated']:
return 'ERROR: You are already authenticated, but still forwarded to authentication system'
request.transaction['already_authenticated'] = True
request.save_transaction()
logger.debug('Was redirected to authenticate while already authenticated')
return redirect(url_success)
elif len(listed_auth_modules) == 1:
# Only one module selectable. Select and redirect
if 'cancelmodule' in request.args:
logger.debug('Authentication cancelled')
return redirect(url_failure)
logger.debug('Automatically selecting module %s', listed_auth_modules[0])
return redirect(complete_url_for('view_authenticate_module', module=listed_auth_modules[0], transaction=request.transaction_id))
elif len(listed_auth_modules) == 0:
if 'cancel' in request.args:
logger.debug('Authentication cancelled')
return redirect(url_failure)
else:
logger.debug('No listable authentication modules')
return render_template('not_authenticated.html'), 401
else:
# Cancelled from selection screen
if 'cancel' in request.args:
logger.debug('Authentication cancelled')
return redirect(url_failure)
else:
# Show selection form.
modules = []
for module in listed_auth_modules:
url = complete_url_for('view_authenticate_module',
module=module,
transaction=request.transaction_id)
modules.append(get_auth_module_by_name(module).get_select_info(url))
return render_template('select_module.html',
modules=modules,
cancel_url=complete_url_for('view_authenticate',
transaction=request.transaction_id,
cancel=True)), 200
def view_main():
error = None
if 'err' in request.args:
error = error_to_string(request.args['err'])
yadis_url = ''
if 'fedoauth.provider.openid' in APP.config['AUTH_PROVIDER_CONFIGURATION'] and \
APP.config['AUTH_PROVIDER_CONFIGURATION']['fedoauth.provider.openid']['enabled']:
yadis_url = complete_url_for('view_openid_yadis')
return render_template(
'index.html',
yadis_url=yadis_url,
error=error
), 200, {'X-XRDS-Location': yadis_url}
get_session().save()
else:
if 'values' in get_session():
values = get_session()['values']
else:
values = {}
try:
openid_request = get_server().decodeRequest(values)
except server.ProtocolError, openid_error:
return openid_respond(openid_error)
if openid_request is None:
return render_template(
'index.html',
yadis_url=complete_url_for('view_openid_yadis')
), 200, {'X-XRDS-Location': complete_url_for('view_openid_yadis')}
elif openid_request.mode in ['checkid_immediate', 'checkid_setup']:
authed = isAuthorized(openid_request)
if authed == AUTH_OK:
openid_response = openid_request.answer(
True,
identity=get_claimed_id(
get_auth_module().get_username()
),
claimed_id=get_claimed_id(get_auth_module().get_username())
)
sreg_info = addSReg(openid_request, openid_response)
teams_info = addTeams(
openid_request,
openid_response,
def openid_checkid(openid_request):
# Assumption: we are logged in, so request.auth_module is valid
# Return True to get an automatically signed response to be returned
# In immediate, return anything else for failure response
# In non-immediate, anything else will be returned as-is to the browser
if not openid_request.idSelect() and \
get_claimed_id(
request.auth_module.get_username()
) != openid_request.identity:
return 'NOT YOUR IDENTITY!'
if openid_request.trust_root in config['non_trusted_roots']:
logger.warning('Blacklisted trustroot attempted: %s',
openid_request.trust_root)
return False
if openid_request.trust_root in config['trusted_roots']:
return True
# We should check if the user accepts this trust_root
if Remembered.getremembered('OpenIDAllow',
request.auth_module.full_name,
request.auth_module.get_username(),
openid_request.trust_root) is not None:
logger.debug('User previously marked root as remembered trusted')
return True
elif request.method == 'POST' and 'form_filled' in request.form and \
'decided_allow' in request.form:
rememberForDays = request.form.get('rememberForDays', '0')
try:
rememberForDays = int(rememberForDays)
except:
rememberForDays = 0
if rememberForDays < 0 or rememberForDays > 7:
# They selected another option. We don't want either
rememberForDays = 0
if rememberForDays != 0:
Remembered.rememberForDays('OpenIDAllow',
rememberForDays,
None,
request.auth_module.full_name,
request.auth_module.get_username(),
openid_request.trust_root)
return True
elif request.method == 'POST' and 'form_filled' in request.form:
logger.debug('User chose not to trust trustroot')
return False
else:
# Show the user the authorization form
sreg_req = sreg.SRegRequest.fromOpenIDRequest(openid_request)
sreg_data = addSReg(openid_request, None)
ax_data = addAX(openid_request, None)
teams_data = addTeams(openid_request, None)
clas_data = addCLAs(openid_request, None)
# Hide this
sreg_data.update(ax_data)
data = []
for field in sreg_data:
data.append({'text': field,
'value': sreg_data[field]})
# Sort these functions
data.sort()
for team in teams_data:
data.append({'text': 'Group',
'value': team})
if clas_data != []:
data.append({'text': 'FPCA Completed',
'value': 'True'})
return render_template(
'openid_user_ask_trust_root.html',
action=complete_url_for('view_openid_main',
transaction=request.transaction_id),
trust_root=openid_request.trust_root,
sreg_policy_url=sreg_req.policy_url or 'None provided',
data=data)
@APP.route('/openid/failure/')
def view_openid_main_failure():
values = None
if ('%s_values' % __name__) in request.transaction:
values = request.transaction['%s_values' % __name__]
openid_request = None
try:
openid_request = get_server().decodeRequest(values)
except server.ProtocolError, openid_error:
return openid_respond(openid_error)
if openid_request is None:
return redirect(complete_url_for('view_main'))
logger.debug('User cancelled signin')
return openid_respond(openid_request.answer(False))
def get_required_attributes(openid_request):
requested = [SREG_ATTRIBUTES]
ax_req = ax.FetchRequest.fromOpenIDRequest(openid_request)
if ax_req is not None:
for type_uri, attribute in ax_req.requested_attributes.iteritems():
if type_uri in AX_WELLKNOWN.keys():
requested.append(AX_WELLKNOWN[type_uri])
def start_authentication(self):
return redirect(complete_url_for('view_fas_login'))
def openid_checkid(openid_request):
# Assumption: we are logged in, so request.auth_module is valid
# Return True to get an automatically signed response to be returned
# In immediate, return anything else for failure response
# In non-immediate, anything else will be returned as-is to the browser
if not openid_request.idSelect() and \
get_claimed_id(
request.auth_module.get_username()
) != openid_request.identity:
return 'NOT YOUR IDENTITY!'
if openid_request.trust_root in config['non_trusted_roots']:
logger.warning('Blacklisted trustroot attempted: %s',
openid_request.trust_root)
return False
if openid_request.trust_root in config['trusted_roots']:
return True
# We should check if the user accepts this trust_root
if Remembered.getremembered('OpenIDAllow', request.auth_module.full_name,
request.auth_module.get_username(),
openid_request.trust_root) is not None:
logger.debug('User previously marked root as remembered trusted')
return True
elif request.method == 'POST' and 'form_filled' in request.form and \
'decided_allow' in request.form:
rememberForDays = request.form.get('rememberForDays', '0')
try:
rememberForDays = int(rememberForDays)
except:
rememberForDays = 0
if rememberForDays < 0 or rememberForDays > 7:
# They selected another option. We don't want either
rememberForDays = 0
if rememberForDays != 0:
Remembered.rememberForDays('OpenIDAllow', rememberForDays, None,
request.auth_module.full_name,
request.auth_module.get_username(),
openid_request.trust_root)
return True
elif request.method == 'POST' and 'form_filled' in request.form:
logger.debug('User chose not to trust trustroot')
return False
else:
# Show the user the authorization form
sreg_req = sreg.SRegRequest.fromOpenIDRequest(openid_request)
sreg_data = addSReg(openid_request, None)
ax_data = addAX(openid_request, None)
teams_data = addTeams(openid_request, None)
clas_data = addCLAs(openid_request, None)
# Hide this
sreg_data.update(ax_data)
data = []
for field in sreg_data:
data.append({'text': field, 'value': sreg_data[field]})
# Sort these functions
data.sort()
for team in teams_data:
data.append({'text': 'Group', 'value': team})
if clas_data != []:
data.append({'text': 'FPCA Completed', 'value': 'True'})
return render_template(
'openid_user_ask_trust_root.html',
action=complete_url_for('view_openid_main',
transaction=request.transaction_id),
trust_root=openid_request.trust_root,
sreg_policy_url=sreg_req.policy_url or 'None provided',
data=data)
@APP.route('/openid/failure/')
def view_openid_main_failure():
values = None
if ('%s_values' % __name__) in request.transaction:
values = request.transaction['%s_values' % __name__]
openid_request = None
try:
openid_request = get_server().decodeRequest(values)
except server.ProtocolError, openid_error:
return openid_respond(openid_error)
if openid_request is None:
return redirect(complete_url_for('view_main'))
logger.debug('User cancelled signin')
return openid_respond(openid_request.answer(False))
def get_required_attributes(openid_request):
requested = [SREG_ATTRIBUTES]
ax_req = ax.FetchRequest.fromOpenIDRequest(openid_request)
if ax_req is not None:
for type_uri, attribute in ax_req.requested_attributes.iteritems():
if type_uri in AX_WELLKNOWN.keys():
requested.append(AX_WELLKNOWN[type_uri])
