def verify(request, redirect_field_name=auth.REDIRECT_FIELD_NAME):
"""
This view exists because the way django_browserid does it automatically
is not ideal.
TODO: fork django_browserid and use a class based view system so you can
sublcass and customize without borking everything
Process browserid assertions.
"""
redirect_to = request.REQUEST.get(redirect_field_name, '')
if not redirect_to:
redirect_to = getattr(settings, 'LOGIN_REDIRECT_URL', '/')
redirect_to_failure = getattr(settings, 'LOGIN_REDIRECT_URL_FAILURE', '/')
form = BrowserIDForm(data=request.POST)
if form.is_valid():
assertion = form.cleaned_data['assertion']
user = auth.authenticate(assertion=assertion,
audience=get_audience(request))
if user and user.is_active:
if user.get_profile().is_complete():
auth.login(request, user)
return redirect(reverse('profile', args=[user.username]))
else:
_store_user_in_session(request, assertion,
get_audience(request))
return redirect(reverse('register'))
return HttpResponseRedirect(redirect_to_failure)
def browserid_verify(request):
next = request.REQUEST.get("next")
redirect_to = next or getattr(settings, "LOGIN_REDIRECT_URL", "/")
redirect_to_failure = getattr(settings, "LOGIN_REDIRECT_URL_FAILURE", "/")
form = BrowserIDForm(data=request.POST)
if form.is_valid():
result = verify(form.cleaned_data["assertion"], get_audience(request))
if result:
if request.user.is_authenticated():
# User is already signed in so they must want an email change
request.user.email = result["email"]
request.user.save()
return redirect(reverse("users.edit_profile"))
else:
# Verified so log in
email = result["email"]
user = User.objects.filter(email=email)
if len(user) == 0:
form = BrowserIDSignupForm()
request.session["browserid-email"] = email
return render(request, "users/browserid_signup.html", {"email": email, "next": next, "form": form})
else:
user = user[0]
user.backend = "django_browserid.auth.BrowserIDBackend"
auth.login(request, user)
return redirect(redirect_to)
return redirect(redirect_to_failure)
def verify(request):
form = BrowserIDForm(data=request.POST)
if form.is_valid():
url = settings.BROWSERID_VERIFICATION_URL
audience = get_audience(request)
extra_params = {'experimental_forceIssuer': settings.BROWSERID_UNVERIFIED_ISSUER,
'experimental_allowUnverified': 'true'}
assertion = form.cleaned_data['assertion']
log.info('verifying Persona assertion. url: %s, audience: %s, '
'extra_params: %s, assertion: %s' % (url, audience,
extra_params, assertion))
result = verify_assertion(assertion, audience, extra_params)
if result:
log.info('Persona assertion ok: %s' % result)
email = result.get('unverified-email', result.get('email'))
user_hash = set_user(request, email)
redirect_url = check_pin_status(request)
return {
'needs_redirect': redirect_url is not None,
'redirect_url': redirect_url,
'user_hash': user_hash
}
log.error('Persona assertion failed.')
request.session.flush()
return http.HttpResponseBadRequest()
def reverify(request):
form = BrowserIDForm(data=request.POST)
if form.is_valid():
url = settings.BROWSERID_VERIFICATION_URL
audience = get_audience(request)
extra_params = {
"experimental_forceIssuer": settings.BROWSERID_UNVERIFIED_ISSUER,
"experimental_forceAuthentication": "true",
"experimental_allowUnverified": "true",
}
assertion = form.cleaned_data["assertion"]
log.info(
"Re-verifying Persona assertion. url: %s, audience: %s, " "extra_params: %s" % (url, audience, extra_params)
)
result = verify_assertion(assertion, audience, extra_params)
log.info("Reverify got result: %s" % result)
if result:
email = result.get("unverified-email", result.get("email"))
store_mkt_permissions(request, email, assertion, audience)
logged_user = request.session.get("uuid")
reverified_user = get_uuid(email)
if logged_user and logged_user != reverified_user:
log.error("User %r tried to reverify as " "new email: %s" % (logged_user, email))
return http.HttpResponseBadRequest()
request.session["was_reverified"] = True
return {"user_hash": reverified_user}
log.error("Persona assertion failed.")
request.session.clear()
return http.HttpResponseBadRequest()
def mozilla_browserid_verify(request):
"""Custom BrowserID verifier for mozilla addresses."""
home_url = reverse('crashstats.home',
args=(settings.DEFAULT_PRODUCT,))
form = BrowserIDForm(request.POST)
if form.is_valid():
assertion = form.cleaned_data['assertion']
audience = get_audience(request)
result = verify(assertion, audience)
if not settings.ALLOWED_PERSONA_EMAILS: # pragma: no cover
raise ValueError(
"No emails set up in `settings.ALLOWED_PERSONA_EMAILS`"
)
if result:
if result['email'] in settings.ALLOWED_PERSONA_EMAILS:
user = auth.authenticate(assertion=assertion,
audience=audience)
auth.login(request, user)
messages.success(
request,
'You have successfully logged in.'
)
else:
messages.error(
request,
"You logged in as %s but you don't have sufficient "
"privileges." % result['email']
)
else:
messages.error(
request,
"Login failed"
)
return redirect(home_url)
def reverify(request):
form = BrowserIDForm(data=request.POST)
if form.is_valid():
url = settings.BROWSERID_VERIFICATION_URL
audience = get_audience(request)
extra_params = {
'experimental_forceIssuer': settings.BROWSERID_UNVERIFIED_ISSUER,
'experimental_forceAuthentication': 'true',
'experimental_allowUnverified': 'true'
}
assertion = form.cleaned_data['assertion']
log.info('Re-verifying Persona assertion. url: %s, audience: %s, '
'extra_params: %s' % (url, audience, extra_params))
result = verify_assertion(assertion, audience, extra_params)
log.info('Reverify got result: %s' % result)
if result:
email = result.get('unverified-email', result.get('email'))
store_mkt_permissions(request, email, assertion, audience)
logged_user = request.session.get('uuid')
reverified_user = get_uuid(email)
if logged_user and logged_user != reverified_user:
log.error('User %r tried to reverify as '
'new email: %s' % (logged_user, email))
return http.HttpResponseBadRequest()
request.session['was_reverified'] = True
return {'user_hash': reverified_user}
log.error('Persona assertion failed.')
request.session.clear()
return http.HttpResponseBadRequest()
def verify(request):
form = BrowserIDForm(data=request.POST)
if form.is_valid():
url = settings.BROWSERID_VERIFICATION_URL
audience = get_audience(request)
extra_params = {
'experimental_forceIssuer': settings.BROWSERID_UNVERIFIED_ISSUER,
'experimental_allowUnverified': 'true'
}
assertion = form.cleaned_data['assertion']
log.info('verifying Persona assertion. url: %s, audience: %s, '
'extra_params: %s, assertion: %s' %
(url, audience, extra_params, assertion))
result = verify_assertion(assertion, audience, extra_params)
if result:
log.info('Persona assertion ok: %s' % result)
email = result.get('unverified-email', result.get('email'))
store_mkt_permissions(request, email, assertion, audience)
user_uuid = set_user(request, email)
redirect_url = check_pin_status(request)
return {
'needs_redirect': redirect_url is not None,
'redirect_url': redirect_url,
'user_hash': user_uuid
}
log.error('Persona assertion failed.')
request.session.flush()
return http.HttpResponseBadRequest()
def verify(request):
form = BrowserIDForm(data=request.POST)
if form.is_valid():
url = settings.BROWSERID_VERIFICATION_URL
audience = get_audience(request)
extra_params = {'forceIssuer': settings.BROWSERID_UNVERIFIED_ISSUER,
'allowUnverified': 'true'}
assertion = form.cleaned_data['assertion']
log.info('verifying Persona assertion. url: %s, audience: %s, '
'extra_params: %s, assertion: %s' % (url, audience,
extra_params, assertion))
result = verify_assertion(assertion, audience, extra_params)
if result:
log.info('Persona assertion ok: %s' % result)
email = result.get('unverified-email', result.get('email'))
user_hash = set_user(request, email)
return {'has_pin': request.session.get('uuid_has_pin'),
'pin_create': reverse('pin.create'),
'user_hash': user_hash}
log.error('Persona assertion failed.')
request.session.clear()
return http.HttpResponseBadRequest()
def reverify(request):
form = BrowserIDForm(data=request.POST)
if form.is_valid():
url = settings.BROWSERID_VERIFICATION_URL
audience = get_audience(request)
extra_params = {
'experimental_forceIssuer': settings.BROWSERID_UNVERIFIED_ISSUER,
'experimental_forceAuthentication': 'true',
'experimental_allowUnverified': 'true'
}
assertion = form.cleaned_data['assertion']
log.info('Re-verifying Persona assertion. url: %s, audience: %s, '
'extra_params: %s' % (url, audience, extra_params))
result = verify_assertion(assertion, audience, extra_params)
log.info('Reverify got result: %s' % result)
if result:
email = result.get('unverified-email', result.get('email'))
store_mkt_permissions(request, email, assertion, audience)
logged_user = request.session.get('uuid')
reverified_user = get_uuid(email)
if logged_user and logged_user != reverified_user:
log.error('User %r tried to reverify as '
'new email: %s' % (logged_user, email))
return http.HttpResponseBadRequest()
request.session['was_reverified'] = True
return {'user_hash': reverified_user}
log.error('Persona assertion failed.')
request.session.clear()
return http.HttpResponseBadRequest()
def browserid_verify(request):
next = request.REQUEST.get('next')
redirect_to = next or getattr(settings, 'LOGIN_REDIRECT_URL', '/')
redirect_to_failure = getattr(settings, 'LOGIN_REDIRECT_URL_FAILURE', '/')
form = BrowserIDForm(data=request.POST)
if form.is_valid():
result = verify(form.cleaned_data['assertion'], get_audience(request))
if result:
if request.user.is_authenticated():
# User is already signed in so they must want an email change
request.user.email = result['email']
request.user.save()
return redirect(reverse('users.edit_profile'))
else:
# Verified so log in
email = result['email']
user = User.objects.filter(email=email)
if len(user) == 0:
form = BrowserIDSignupForm()
request.session['browserid-email'] = email
return render(request, 'users/browserid_signup.html',
{'email': email, 'next': next, 'form': form})
else:
user = user[0]
user.backend = 'django_browserid.auth.BrowserIDBackend'
auth.login(request, user)
return redirect(redirect_to)
return redirect(redirect_to_failure)
def mozilla_browserid_verify(request):
"""Custom BrowserID verifier for mozilla addresses."""
form = BrowserIDForm(request.POST)
if form.is_valid():
assertion = form.cleaned_data['assertion']
audience = get_audience(request)
result = verify(assertion, audience)
try:
_ok_assertion = False
_is_contributor = False
if result:
_domain = result['email'].split('@')[-1]
if _domain in settings.ALLOWED_BID:
_ok_assertion = True
elif is_vouched(result['email']):
_ok_assertion = True
_is_contributor = True
if _ok_assertion:
user = auth.authenticate(
assertion=assertion,
audience=audience
)
auth.login(request, user)
# if _is_contributor:
# try:
# profile = user.get_profile()
# if not profile.contributor:
# profile.contributor = True
# profile.save()
# except UserProfile.DoesNotExist:
# profile = UserProfile.objects.create(
# user=user,
# contributor=True
# )
if auth.models.User.objects.count() == 1:
auth.models.User.objects.update(is_superuser=True,
is_staff=True);
return redirect(request.POST.get('next',
settings.LOGIN_REDIRECT_URL))
elif result:
messages.error(
request,
'Hmmm. Are you sure you\'re a vouched mozillian?'
)
except BadStatusCodeError:
logging.error('Unable to call out to mozillians',
exc_info=True)
messages.error(
request,
'Email (%s) authenticated but unable to connect to '
'Mozillians to see if are vouched. ' %
result['email']
)
return redirect(settings.LOGIN_REDIRECT_URL_FAILURE)
def verify(request):
form = BrowserIDForm(data=request.POST)
if form.is_valid():
log.info("verifying assertion")
result = verify_assertion(form.cleaned_data["assertion"], get_audience(request))
if result:
log.info("assertion ok: %s" % result)
return http.HttpResponse("ok")
return http.HttpResponseBadRequest()
def mozilla_browserid_verify(request):
"""Custom BrowserID verifier for mozilla addresses."""
home_url = reverse('crashstats.home',
args=(settings.DEFAULT_PRODUCT,))
goto_url = request.POST.get('goto', None) or home_url
form = BrowserIDForm(request.POST)
if form.is_valid():
assertion = form.cleaned_data['assertion']
audience = get_audience(request)
result = verify(assertion, audience)
for name in ('LDAP_BIND_DN', 'LDAP_BIND_PASSWORD', 'LDAP_GROUP_NAMES'):
if not getattr(settings, name, None): # pragma: no cover
raise ValueError(
"Not configured `settings.%s`" % name
)
if result:
allowed = in_allowed_group(result['email'])
debug_email_addresses = getattr(
settings,
'DEBUG_LDAP_EMAIL_ADDRESSES',
[]
)
if debug_email_addresses and not settings.DEBUG:
raise SuspiciousOperation(
"Can't debug login when NOT in DEBUG mode"
)
if allowed or result['email'] in debug_email_addresses:
if allowed:
logging.info('%r is in an allowed group', result['email'])
else:
logging.info('%r allowed for debugging', result['email'])
user = auth.authenticate(assertion=assertion,
audience=audience)
auth.login(request, user)
messages.success(
request,
'You have successfully logged in.'
)
else:
if not allowed:
logging.info('%r NOT in an allowed group', result['email'])
messages.error(
request,
"You logged in as %s but you don't have sufficient "
"privileges." % result['email']
)
else:
messages.error(
request,
"Login failed"
)
return redirect(goto_url)
def mozilla_browserid_verify(request):
"""Custom BrowserID verifier for mozilla addresses."""
form = BrowserIDForm(request.POST)
if form.is_valid():
assertion = form.cleaned_data['assertion']
audience = get_audience(request)
result = verify(assertion, audience)
if result and result['email'].split('@')[-1] in settings.ALLOWED_BID:
user = auth.authenticate(assertion=assertion, audience=audience)
auth.login(request, user)
return redirect(settings.LOGIN_REDIRECT_URL)
return redirect(settings.LOGIN_REDIRECT_URL_FAILURE)
def verify(request):
form = BrowserIDForm(data=request.POST)
if form.is_valid():
log.info('verifying assertion')
result = verify_assertion(form.cleaned_data['assertion'],
get_audience(request))
if result:
log.info('assertion ok: %s' % result)
set_user(request, result['email'])
return {'has_pin': request.session['uuid_has_pin'],
'pin_create': reverse('pin.create')}
request.session.clear()
return http.HttpResponseBadRequest()
def browserid_verify(request):
"""Process a submitted BrowserID assertion.
If valid, try to find either a Django or MindTouch user that matches the
verified email address. If neither is found, we bounce to a profile
creation page (ie. browserid_register)."""
redirect_to = (_clean_next_url(request) or
getattr(settings, 'LOGIN_REDIRECT_URL', reverse('home')))
redirect_to_failure = (_clean_next_url(request) or
getattr(settings, 'LOGIN_REDIRECT_URL_FAILURE', reverse('home')))
failure_resp = set_browserid_explained(
HttpResponseRedirect(redirect_to_failure))
# If the form's not valid, then this is a failure.
form = BrowserIDForm(data=request.POST)
if not form.is_valid():
return failure_resp
# If the BrowserID assersion is not valid, then this is a failure.
result = _verify_browserid(form, request)
if not result:
return failure_resp
# So far, so good: We have a verified email address. But, no user, yet.
email = result['email']
user = None
# Look for first most recently used Django account, use if found.
user = _get_latest_user_with_email(email)
# If no Django account, look for a MindTouch account by email. But, only if
# there's a MindTouch API available. If found, auto-create the user.
if not user and settings.DEKIWIKI_ENDPOINT:
deki_user = DekiUserBackend.get_deki_user_by_email(email)
if deki_user:
user = DekiUserBackend.get_or_create_user(deki_user)
# If we got a user from either the Django or MT paths, complete login for
# Django and MT and redirect.
if user:
user.backend = 'django_browserid.auth.BrowserIDBackend'
auth.login(request, user)
return set_browserid_explained(
_redirect_with_mindtouch_login(redirect_to, user.username))
# Retain the verified email in a session, redirect to registration page.
request.session[SESSION_VERIFIED_EMAIL] = email
request.session[SESSION_REDIRECT_TO] = redirect_to
return set_browserid_explained(
HttpResponseRedirect(reverse('users.browserid_register')))
def browserid_verify(request):
"""Process a submitted BrowserID assertion.
If valid, try to find either a Django or MindTouch user that matches the
verified email address. If neither is found, we bounce to a profile
creation page (ie. browserid_register)."""
redirect_to = (_clean_next_url(request) or
getattr(settings, 'LOGIN_REDIRECT_URL', reverse('home')))
redirect_to_failure = (_clean_next_url(request) or
getattr(settings, 'LOGIN_REDIRECT_URL_FAILURE', reverse('home')))
failure_resp = set_browserid_explained(
HttpResponseRedirect(redirect_to_failure))
# If the form's not valid, then this is a failure.
form = BrowserIDForm(data=request.POST)
if not form.is_valid():
return failure_resp
# If the BrowserID assersion is not valid, then this is a failure.
result = _verify_browserid(form, request)
if not result:
return failure_resp
# So far, so good: We have a verified email address. But, no user, yet.
email = result['email']
user = None
# Look for first most recently used Django account, use if found.
user = _get_latest_user_with_email(email)
# If no Django account, look for a MindTouch account by email. But, only if
# there's a MindTouch API available. If found, auto-create the user.
if not user and settings.DEKIWIKI_ENDPOINT:
deki_user = DekiUserBackend.get_deki_user_by_email(email)
if deki_user:
user = DekiUserBackend.get_or_create_user(deki_user)
# If we got a user from either the Django or MT paths, complete login for
# Django and MT and redirect.
if user:
user.backend = 'django_browserid.auth.BrowserIDBackend'
auth.login(request, user)
return set_browserid_explained(
_redirect_with_mindtouch_login(redirect_to, user.username))
# Retain the verified email in a session, redirect to registration page.
request.session[SESSION_VERIFIED_EMAIL] = email
request.session[SESSION_REDIRECT_TO] = redirect_to
return set_browserid_explained(
HttpResponseRedirect(reverse('users.browserid_register')))
def mozilla_browserid_verify(request):
"""Custom BrowserID verifier for mozilla addresses."""
form = BrowserIDForm(request.POST)
if form.is_valid():
assertion = form.cleaned_data['assertion']
audience = get_audience(request)
result = verify(assertion, audience)
try:
_ok_assertion = False
_is_contributor = False
if result:
_domain = result['email'].split('@')[-1]
if _domain in settings.ALLOWED_BID:
_ok_assertion = True
elif is_vouched(result['email']):
_ok_assertion = True
_is_contributor = True
if _ok_assertion:
user = auth.authenticate(assertion=assertion,
audience=audience)
auth.login(request, user)
# if _is_contributor:
# try:
# profile = user.get_profile()
# if not profile.contributor:
# profile.contributor = True
# profile.save()
# except UserProfile.DoesNotExist:
# profile = UserProfile.objects.create(
# user=user,
# contributor=True
# )
if auth.models.User.objects.count() == 1:
auth.models.User.objects.update(is_superuser=True,
is_staff=True)
return redirect(
request.POST.get('next', settings.LOGIN_REDIRECT_URL))
elif result:
messages.error(
request, 'Hmmm. Are you sure you\'re a vouched mozillian?')
except BadStatusCodeError:
logging.error('Unable to call out to mozillians', exc_info=True)
messages.error(
request, 'Email (%s) authenticated but unable to connect to '
'Mozillians to see if are vouched. ' % result['email'])
return redirect(settings.LOGIN_REDIRECT_URL_FAILURE)
def verify(request, redirect_field_name=auth.REDIRECT_FIELD_NAME):
"""Process browserid assertions."""
redirect_to = request.REQUEST.get(redirect_field_name, '')
if not redirect_to:
redirect_to = getattr(settings, 'LOGIN_REDIRECT_URL', '/')
redirect_to_failure = getattr(settings, 'LOGIN_REDIRECT_URL_FAILURE', '/')
form = BrowserIDForm(data=request.POST)
if form.is_valid():
assertion = form.cleaned_data['assertion']
user = auth.authenticate(assertion=assertion,
audience=get_audience(request))
if user is not None and user.is_active:
auth.login(request, user)
return HttpResponseRedirect(redirect_to)
return HttpResponseRedirect(redirect_to_failure)
def verify(request, redirect_field_name=auth.REDIRECT_FIELD_NAME):
"""Process browserid assertions."""
redirect_to = request.REQUEST.get(redirect_field_name, '')
if not redirect_to:
redirect_to = getattr(settings, 'LOGIN_REDIRECT_URL', '/')
redirect_to_failure = getattr(settings, 'LOGIN_REDIRECT_URL_FAILURE', '/')
form = BrowserIDForm(data=request.POST)
if form.is_valid():
assertion = form.cleaned_data['assertion']
host, port = _get_host_and_port(request)
user = auth.authenticate(assertion=assertion, host=host, port=port)
if user is not None and user.is_active:
auth.login(request, user)
return HttpResponseRedirect(redirect_to)
return HttpResponseRedirect(redirect_to_failure)
def browserid_info(request):
"""
Output the HTML for the login form and the info tag. Should be called once
at the top of the page just below the <body> tag.
"""
form = BrowserIDForm(auto_id=False)
# Force request_args to be a dictionary, in case it is lazily generated.
request_args = dict(getattr(settings, 'BROWSERID_REQUEST_ARGS', {}))
# Only pass an email to the JavaScript if the current user was authed with
# our auth backend.
backend = getattr(request.user, 'backend', None)
if backend == 'django_browserid.auth.BrowserIDBackend':
email = getattr(request.user, 'email', '')
else:
email = ''
return render_to_string(
'browserid/info.html', {
'email': email,
'login_url': reverse('browserid_login'),
'request_args': json.dumps(request_args, cls=LazyEncoder),
'form': form,
}, RequestContext(request))
def browserid_change_email(request):
"""Process a submitted BrowserID assertion to change email."""
form = BrowserIDForm(data=request.POST)
if not form.is_valid():
messages.error(request, form.errors)
return HttpResponseRedirect(reverse("users.change_email"))
result = _verify_browserid(form, request)
email = result["email"]
user = _get_latest_user_with_email(email)
if user and user != request.user:
messages.error(request, "That email already belongs to another " "user.")
return HttpResponseRedirect(reverse("users.change_email"))
else:
user = request.user
user.email = email
user.save()
return HttpResponseRedirect(reverse("devmo_profile_edit", args=[user.username]))
def mozilla_browserid_verify(request):
"""
Custom BrowserID verifier for ReMo users
and vouched mozillians.
"""
form = BrowserIDForm(request.POST)
if form.is_valid():
assertion = form.cleaned_data['assertion']
audience = get_audience(request)
result = verify(assertion, audience)
try:
_is_valid_login = False
if result:
if User.objects.filter(email=result['email']).exists():
_is_valid_login = True
else:
data = is_vouched(result['email'])
if data and data['is_vouched']:
_is_valid_login = True
user = User.objects.create_user(
username=USERNAME_ALGO(data['email']),
email=data['email'])
first_name, last_name = (
data['full_name'].split(' ', 1)
if ' ' in data['full_name']
else ('', data['full_name']))
user.first_name = first_name
user.last_name = last_name
user.save()
user.groups.add(Group.objects.get(name='Mozillians'))
if _is_valid_login:
user = auth.authenticate(assertion=assertion,
audience=audience)
auth.login(request, user)
return redirect('dashboard')
except BadStatusCodeError:
message = ('Email (%s) authenticated but unable to '
'connect to Mozillians to see if you are vouched' %
result['email'])
return login_failed(request, message)
return redirect(settings.LOGIN_REDIRECT_URL_FAILURE)
def browserid_form(request):
"""
A context processor that adds a BrowserID form to the request
when the user is not authenticated
"""
if request.user.is_authenticated():
return {}
else:
return {'browserid_form': BrowserIDForm()}
def verify(request):
"""Process login."""
form = BrowserIDForm(request.POST)
if form.is_valid():
assertion = form.cleaned_data['assertion']
user = auth.authenticate(assertion=assertion,
audience=get_audience(request))
if user is not None and user.is_active:
auth.login(request, user)
# Redirect to edit profile page if user has no profile.
if UserProfile.objects.filter(pk=user.pk).exists():
return redirect(settings.LOGIN_REDIRECT)
else:
return redirect('flicks.users.edit_profile')
# TODO: Determine how to convey login failure.
return redirect(settings.LOGIN_REDIRECT_FAILURE)
def mozilla_browserid_verify(request):
"""
Custom BrowserID verifier for ReMo users
and vouched mozillians.
"""
form = BrowserIDForm(request.POST)
if form.is_valid():
assertion = form.cleaned_data['assertion']
audience = get_audience(request)
result = verify(assertion, audience)
try:
_is_valid_login = False
if result:
if User.objects.filter(email=result['email']).exists():
_is_valid_login = True
else:
data = is_vouched(result['email'])
if data and data['is_vouched']:
_is_valid_login = True
user = User.objects.create_user(username=USERNAME_ALGO(
data['email']),
email=data['email'])
first_name, last_name = (data['full_name'].split(
' ', 1) if ' ' in data['full_name'] else
('', data['full_name']))
user.first_name = first_name
user.last_name = last_name
user.save()
user.groups.add(Group.objects.get(name='Mozillians'))
if _is_valid_login:
user = auth.authenticate(assertion=assertion,
audience=audience)
auth.login(request, user)
return redirect('dashboard')
except BadStatusCodeError:
message = ('Email (%s) authenticated but unable to '
'connect to Mozillians to see if you are vouched' %
result['email'])
return login_failed(request, message)
return redirect(settings.LOGIN_REDIRECT_URL_FAILURE)
def personaregister(request):
if request.method == "POST":
form = BrowserIDForm(data=request.POST)
user = request.user
# I've taken the - not - from the docs out of the next line
if form.is_valid():
result = verify(form.cleaned_data['assertion'], get_audience(request))
if result:
if is_lazy_user(user):
if User.objects.filter(email=result[u'email']):
existinguser = User.objects.get(email=result[u'email'])
existinguser.backend = 'django_browserid.auth.BrowserIDBackend'
login(request, existinguser)
else:
foo = LazyUser.objects.get(user=user)
foo.delete()
user.email = result[u'email']
user.save()
return redirect('/')
def browserid_change_email(request):
"""Process a submitted BrowserID assertion to change email."""
form = BrowserIDForm(data=request.POST)
if not form.is_valid():
messages.error(request, form.errors)
return HttpResponseRedirect(reverse('users.change_email'))
result = _verify_browserid(form, request)
email = result['email']
user = _get_latest_user_with_email(email)
if user and user != request.user:
messages.error(request, 'That email already belongs to another '
'user.')
return HttpResponseRedirect(reverse('users.change_email'))
else:
user = request.user
user.email = email
user.save()
return HttpResponseRedirect(reverse('devmo_profile_edit',
args=[user.username, ]))
def browserid_verify(request):
next = request.REQUEST.get('next')
redirect_to = next or getattr(settings, 'LOGIN_REDIRECT_URL', '/')
redirect_to_failure = getattr(settings, 'LOGIN_REDIRECT_URL_FAILURE', '/')
form = BrowserIDForm(data=request.POST)
if form.is_valid():
verifier = BrowserIDBackend().get_verifier()
result = verifier.verify(form.cleaned_data['assertion'],
get_audience(request))
if result:
if (request.user.is_authenticated()
and request.user.email != result.email):
# User is already signed and wants to change their email.
request.user.email = result.email
request.user.save()
return redirect(reverse('users.edit_profile'))
else:
# Verified so log in
email = result.email
user = User.objects.filter(email=email)
contributor = 'contributor' in request.POST
if len(user) == 0:
# Add the email to the session and redirect to signup
request.session['browserid-email'] = email
signup_url = reverse('users.browserid_signup')
return redirect('%s?%s' % (signup_url,
urlencode({'next': next})))
else:
user = user[0]
user.backend = 'django_browserid.auth.BrowserIDBackend'
if contributor:
add_to_contributors(request, user)
auth.login(request, user)
return redirect(redirect_to)
return redirect(redirect_to_failure)
def browserid_verify(request):
next = request.REQUEST.get('next')
redirect_to = next or getattr(settings, 'LOGIN_REDIRECT_URL', '/')
redirect_to_failure = getattr(settings, 'LOGIN_REDIRECT_URL_FAILURE', '/')
form = BrowserIDForm(data=request.POST)
if form.is_valid():
verifier = BrowserIDBackend().get_verifier()
result = verifier.verify(form.cleaned_data['assertion'],
get_audience(request))
if result:
if (request.user.is_authenticated()
and request.user.email != result.email):
# User is already signed and wants to change their email.
request.user.email = result.email
request.user.save()
return redirect(reverse('users.edit_profile'))
else:
# Verified so log in
email = result.email
user = User.objects.filter(email=email)
contributor = 'contributor' in request.POST
if len(user) == 0:
# Add the email to the session and redirect to signup
request.session['browserid-email'] = email
signup_url = reverse('users.browserid_signup')
return redirect('%s?%s' %
(signup_url, urlencode({'next': next})))
else:
user = user[0]
user.backend = 'django_browserid.auth.BrowserIDBackend'
if contributor:
add_to_contributors(request, user)
auth.login(request, user)
return redirect(redirect_to)
return redirect(redirect_to_failure)
def verify(request):
form = BrowserIDForm(data=request.POST)
if form.is_valid():
url = settings.BROWSERID_VERIFICATION_URL
audience = get_audience(request)
extra_params = {
'experimental_forceIssuer': settings.BROWSERID_UNVERIFIED_ISSUER,
'experimental_allowUnverified': 'true'
}
assertion = form.cleaned_data['assertion']
log.info('verifying Persona assertion. url: %s, audience: %s, '
'extra_params: %s, assertion: %s' % (url, audience,
extra_params, assertion))
result = verify_assertion(assertion, audience, extra_params)
if result:
log.info('Persona assertion ok: %s' % result)
email = result.get('unverified-email', result.get('email'))
store_mkt_permissions(request, email, assertion, audience)
user_uuid = set_user(request, email)
redirect_url = check_pin_status(request)
# Before we verify the user's PIN let's save some
# time and get the transaction configured via Bango in the
# background.
log.info('configuring transaction {0} from auth'
.format(request.session.get('trans_id')))
if not pay_tasks.configure_transaction(request):
log.error('Configuring transaction failed.')
return {
'needs_redirect': redirect_url is not None,
'redirect_url': redirect_url,
'user_hash': user_uuid
}
log.error('Persona assertion failed.')
request.session.flush()
return http.HttpResponseBadRequest()
def verify(request):
form = BrowserIDForm(data=request.POST)
if form.is_valid():
url = settings.BROWSERID_VERIFICATION_URL
audience = get_audience(request)
extra_params = {
'experimental_forceIssuer': settings.BROWSERID_UNVERIFIED_ISSUER,
'experimental_allowUnverified': 'true'
}
assertion = form.cleaned_data['assertion']
log.info('verifying Persona assertion. url: %s, audience: %s, '
'extra_params: %s, assertion: %s' %
(url, audience, extra_params, assertion))
result = verify_assertion(assertion, audience, extra_params)
if result:
log.info('Persona assertion ok: %s' % result)
email = result.get('unverified-email', result.get('email'))
store_mkt_permissions(request, email, assertion, audience)
user_uuid = set_user(request, email)
redirect_url = check_pin_status(request)
# Before we verify the user's PIN let's save some
# time and get the transaction configured via Bango in the
# background.
log.info('configuring transaction {0} from auth'.format(
request.session.get('trans_id')))
pay_tasks.configure_transaction(request)
return {
'needs_redirect': redirect_url is not None,
'redirect_url': redirect_url,
'user_hash': user_uuid
}
log.error('Persona assertion failed.')
request.session.flush()
return http.HttpResponseBadRequest()
def browserid(request):
"""
Context processor that adds django-browserid helpers to the template
context.
"""
form = BrowserIDForm(auto_id=False)
return {
'browserid_form': form, # For custom buttons.
'browserid_info': partial(helpers.browserid_info, request),
'browserid_login': helpers.browserid_login,
'browserid_logout': helpers.browserid_logout,
'browserid_js': helpers.browserid_js
}
def mozilla_browserid_verify(request):
"""Custom BrowserID verifier for mozilla addresses."""
home_url = reverse('crashstats.home', args=(settings.DEFAULT_PRODUCT, ))
form = BrowserIDForm(request.POST)
if form.is_valid():
assertion = form.cleaned_data['assertion']
audience = get_audience(request)
result = verify(assertion, audience)
for name in ('LDAP_BIND_DN', 'LDAP_BIND_PASSWORD', 'LDAP_GROUP_NAMES'):
if not getattr(settings, name, None): # pragma: no cover
raise ValueError("Not configured `settings.%s`" % name)
if result:
allowed = in_allowed_group(result['email'])
debug_email_addresses = getattr(settings,
'DEBUG_LDAP_EMAIL_ADDRESSES', [])
if debug_email_addresses and not settings.DEBUG:
raise SuspiciousOperation(
"Can't debug login when NOT in DEBUG mode")
if allowed or result['email'] in debug_email_addresses:
if allowed:
logging.info('%r is in an allowed group', result['email'])
else:
logging.info('%r allowed for debugging', result['email'])
user = auth.authenticate(assertion=assertion,
audience=audience)
auth.login(request, user)
messages.success(request, 'You have successfully logged in.')
else:
if not allowed:
logging.info('%r NOT in an allowed group', result['email'])
messages.error(
request,
"You logged in as %s but you don't have sufficient "
"privileges." % result['email'])
else:
messages.error(request, "Login failed")
return redirect(home_url)
def reverify(request):
form = BrowserIDForm(data=request.POST)
if form.is_valid():
url = settings.BROWSERID_VERIFICATION_URL
audience = get_audience(request)
# TODO: when we want to require a forced-auth login across the
# entire site then how do we do it?
# See bug 836060.
extra_params = {
'experimental_forceIssuer': settings.BROWSERID_UNVERIFIED_ISSUER,
# TODO: how do we make sure this is a proper forced
# auth assertion?
# This can also be addressed in bug 836060
'experimental_forceAuthentication': 'true',
'experimental_allowUnverified': 'true'
}
log.info('Re-verifying Persona assertion. url: %s, audience: %s, '
'extra_params: %s' % (url, audience, extra_params))
result = verify_assertion(form.cleaned_data['assertion'], audience,
extra_params)
log.info('Reverify got result: %s')
if result:
logged_user = request.session.get('uuid')
email = result.get('unverified-email', result.get('email'))
reverified_user = get_uuid(email)
if logged_user and logged_user != reverified_user:
# TODO: Should we try to support this?
raise ValueError('A user tried to reverify herself with a '
'new email: %s' % email)
return {'user_hash': reverified_user}
log.error('Persona assertion failed.')
request.session.clear()
return http.HttpResponseBadRequest()
def browserid_info(request):
"""
Output the HTML for the login form and the info tag. Should be called once
at the top of the page just below the <body> tag.
"""
form = BrowserIDForm(auto_id=False)
request_args = getattr(settings, 'BROWSERID_REQUEST_ARGS', {})
return render_to_string(
'browserid/info.html', {
'email': getattr(request.user, 'email', ''),
'login_url': reverse('browserid_login'),
'request_args': json.dumps(request_args),
'form': form,
}, RequestContext(request))
def browserid_verify(request):
next = request.REQUEST.get("next")
redirect_to = next or getattr(settings, "LOGIN_REDIRECT_URL", "/")
redirect_to_failure = getattr(settings, "LOGIN_REDIRECT_URL_FAILURE", "/")
form = BrowserIDForm(data=request.POST)
if form.is_valid():
result = verify(form.cleaned_data["assertion"], get_audience(request))
if result:
if request.user.is_authenticated():
# User is already signed in so they must want an email change
request.user.email = result["email"]
request.user.save()
return redirect(reverse("users.edit_profile"))
else:
# Verified so log in
email = result["email"]
user = User.objects.filter(email=email)
contributor = "contributor" in request.POST
if len(user) == 0:
# Add the email to the session and redirect to signup
request.session["browserid-email"] = email
signup_url = reverse("users.browserid_signup")
return redirect("%s?%s" % (signup_url, urlencode({"next": next})))
else:
user = user[0]
user.backend = "django_browserid.auth.BrowserIDBackend"
if contributor:
add_to_contributors(request, user)
auth.login(request, user)
return redirect(redirect_to)
return redirect(redirect_to_failure)
def browserid(request):
"""
A context processor necessary for BrowserID auth
Similar to django_browserid.context_processors, but in addition to the
BrowserID form, we include whether a user has been logged on via the
BrowserID authentication backend.
"""
auth_backend = request.session.get('_auth_user_backend', None)
return {
'browserid_form':
BrowserIDForm(),
'browserid_authenticated':
auth_backend == 'django_browserid.auth.BrowserIDBackend'
}
def reverify(request):
form = BrowserIDForm(data=request.POST)
if form.is_valid():
url = settings.BROWSERID_VERIFICATION_URL
audience = get_audience(request)
# TODO: when we want to require a forced-auth login across the
# entire site then how do we do it?
# See bug 836060.
extra_params = {'forceIssuer': settings.BROWSERID_UNVERIFIED_ISSUER,
# TODO: how do we make sure this is a proper forced
# auth assertion?
# This can also be addressed in bug 836060
'forceAuthentication': 'true',
'allowUnverified': 'true'}
log.info('Re-verifying Persona assertion. url: %s, audience: %s, '
'extra_params: %s' % (url, audience, extra_params))
result = verify_assertion(form.cleaned_data['assertion'], audience,
extra_params)
log.info('Reverify got result: %s')
if result:
logged_user = request.session.get('uuid')
email = result.get('unverified-email', result.get('email'))
reverified_user = get_uuid(email)
if logged_user and logged_user != reverified_user:
# TODO: Should we try to support this?
raise ValueError('A user tried to reverify herself with a '
'new email: %s' % email)
return {'user_hash': reverified_user}
log.error('Persona assertion failed.')
request.session.clear()
return http.HttpResponseBadRequest()
def verify(request):
form = BrowserIDForm(data=request.POST)
if form.is_valid():
url = settings.BROWSERID_VERIFICATION_URL
audience = get_audience(request)
extra_params = {
"experimental_forceIssuer": settings.BROWSERID_UNVERIFIED_ISSUER,
"experimental_allowUnverified": "true",
}
assertion = form.cleaned_data["assertion"]
log.info(
"verifying Persona assertion. url: %s, audience: %s, "
"extra_params: %s, assertion: %s" % (url, audience, extra_params, assertion)
)
result = verify_assertion(assertion, audience, extra_params)
if result:
log.info("Persona assertion ok: %s" % result)
email = result.get("unverified-email", result.get("email"))
store_mkt_permissions(request, email, assertion, audience)
user_uuid = set_user(request, email)
redirect_url = check_pin_status(request)
# Before we verify the user's PIN let's save some
# time and get the transaction configured via Bango in the
# background.
log.info("configuring transaction {0} from auth".format(request.session.get("trans_id")))
if not pay_tasks.configure_transaction(request):
log.error("Configuring transaction failed.")
return {"needs_redirect": redirect_url is not None, "redirect_url": redirect_url, "user_hash": user_uuid}
log.error("Persona assertion failed.")
request.session.flush()
return http.HttpResponseBadRequest()
def browserid_info(request):
"""
Output the HTML for the login form and the info tag. Should be called once
at the top of the page just below the <body> tag.
"""
form = BrowserIDForm(auto_id=False)
# Force request_args to be a dictionary, in case it is lazily generated.
request_args = dict(getattr(settings, 'BROWSERID_REQUEST_ARGS', {}))
return render_to_string(
'browserid/info.html', {
'email': getattr(request.user, 'email', ''),
'login_url': reverse('browserid_login'),
'request_args': json.dumps(request_args, cls=LazyEncoder),
'form': form,
}, RequestContext(request))
def test_valid_assertion():
form = BrowserIDForm({"assertion": "xxx"})
assert form.is_valid()
def browserid_form(request):
"""
A context processor that adds a BrowserID form to the request
"""
return {'browserid_form': BrowserIDForm()}
def test_invalid_assertion():
form = BrowserIDForm({'assertion': u'\xe3'})
assert not form.is_valid()
def test_valid_assertion():
form = BrowserIDForm({'assertion': b'xxx'})
assert form.is_valid()
def test_invalid_assertion():
form = BrowserIDForm({"assertion": u"\xe3"})
assert not form.is_valid()
def browserid_verify(request):
"""Process a submitted BrowserID assertion.
If valid, try to find either a Django or MindTouch user that matches the
verified email address. If neither is found, we bounce to a profile
creation page (ie. browserid_register)."""
redirect_to = (_clean_next_url(request) or
getattr(settings, 'LOGIN_REDIRECT_URL', reverse('home')))
redirect_to_failure = (_clean_next_url(request) or
getattr(settings, 'LOGIN_REDIRECT_URL_FAILURE', reverse('home')))
failure_resp = set_browserid_explained(
HttpResponseRedirect(redirect_to_failure))
# If the form's not valid, then this is a failure.
form = BrowserIDForm(data=request.POST)
if not form.is_valid():
return failure_resp
# If the BrowserID assersion is not valid, then this is a failure.
result = _verify_browserid(form, request)
if not result:
return failure_resp
# So far, so good: We have a verified email address. But, no user, yet.
email = result['email']
user = None
# TODO: This user lookup and create stuff probably belongs in the model:
# If user is authenticated, change their email
if request.user.is_authenticated():
user = _get_latest_user_with_email(email)
# If a user with the email already exists, don't change
if user and user != request.user:
messages.error(request, 'That email already belongs to another '
'user.')
return set_browserid_explained(
HttpResponseRedirect(reverse('users.change_email')))
else:
user = request.user
user.email = email
user.save()
redirect_to = reverse('devmo_profile_edit', args=[user.username, ])
else:
# Look for first most recently used Django account, use if found.
user = _get_latest_user_with_email(email)
# If no Django account, look for a MindTouch account by email.
# If found, auto-create the user.
if not user:
deki_user = DekiUserBackend.get_deki_user_by_email(email)
if deki_user:
user = DekiUserBackend.get_or_create_user(deki_user)
# If we got a user from either the Django or MT paths, complete login for
# Django and MT and redirect.
if user:
user.backend = 'django_browserid.auth.BrowserIDBackend'
auth.login(request, user)
return set_browserid_explained(
_redirect_with_mindtouch_login(redirect_to, user.username))
# Retain the verified email in a session, redirect to registration page.
request.session[SESSION_VERIFIED_EMAIL] = email
request.session[SESSION_REDIRECT_TO] = redirect_to
return set_browserid_explained(
HttpResponseRedirect(reverse('users.browserid_register')))
