def isAuthorized(openid_request):
pape_req_time, pape_auth_policies, pape_auth_level_types = \
getPapeRequestInfo(openid_request)
if not auth_module.logged_in():
return AUTH_NOT_LOGGED_IN
elif (pape_req_time) and (pape_req_time != 0) and (
get_session()['last_auth_time'] < (time() - pape_req_time)):
return AUTH_TIMEOUT
elif (app.config['MAX_AUTH_TIME'] != 0) and (
get_session()['last_auth_time'] < (time() - (
app.config['MAX_AUTH_TIME'] * 60))):
return AUTH_TIMEOUT
# Add checks if yubikey is required by application
elif (not openid_request.idSelect()) and (
openid_request.identity != get_claimed_id(
auth_module.get('username'))):
print 'Incorrect claimed id. Claimed: %s, correct: %s' % (
openid_request.identity,
get_claimed_id(auth_module.get('username')))
return AUTH_INCORRECT_IDENTITY
elif openid_request.trust_root in app.config['TRUSTED_ROOTS']:
return AUTH_OK
elif openid_request.trust_root in app.config['NON_TRUSTED_ROOTS']:
return AUTH_TRUST_ROOT_CONFIG_NOT_OK
elif openid_request.trust_root in getSessionValue('TRUSTED_ROOTS', []):
return AUTH_OK
elif openid_request.trust_root in getSessionValue('NON_TRUSTED_ROOTS', []):
return AUTH_TRUST_ROOT_NOT_OK
else:
# The user still needs to determine if he/she allows this trust root
return AUTH_TRUST_ROOT_ASK
def addToSessionArray(array, value):
if array in get_session():
get_session()[array].append(value)
get_session().save()
else:
get_session()[array] = [value]
get_session().save()
def view_main():
if 'openid.mode' in request.values:
values = request.values
get_session()['values'] = request.values
get_session().save()
else:
if 'values' in get_session():
values = get_session()['values']
else:
values = {}
try:
openid_request = get_server().decodeRequest(values)
except server.ProtocolError, openid_error:
return openid_respond(openid_error)
def openid_respond(openid_response):
get_session()['TRUSTED_ROOTS'] = []
get_session()['NON_TRUSTED_ROOTS'] = []
get_session().save()
if 'values' in get_session():
get_session()['values'] = None
get_session().save()
try:
webresponse = get_server().encodeResponse(openid_response)
return (webresponse.body, webresponse.code, webresponse.headers)
except server.EncodingError, why:
headers = {'Content-type': 'text/plain; charset=UTF-8'}
return why.response.encodeToKVForm(), 400, headers
def addPape(request, response):
done_yubikey = False
auth_time = datetime.utcfromtimestamp(
get_session()['last_auth_time']).strftime('%Y-%m-%dT%H:%M:%SZ')
auth_policies = []
auth_levels = {}
if done_yubikey:
auth_policies.append(pape.AUTH_MULTI_FACTOR)
auth_policies.append(pape.AUTH_MULTI_FACTOR_PHYSICAL)
auth_policies.append(pape.AUTH_PHISHING_RESISTANT)
auth_levels[pape.LEVELS_NIST] = 3
else:
auth_policies.append(pape.AUTH_NONE)
auth_levels[pape.LEVELS_NIST] = 2
pape_resp = pape.Response(
auth_policies=auth_policies,
auth_time=auth_time,
auth_levels=auth_levels)
response.addExtension(pape_resp)
return auth_levels[pape.LEVELS_NIST]
def user_ask_trust_root(openid_request):
if request.method == 'POST' and 'form_filled' in request.form:
if not 'csrf_id' in get_session() \
or not 'csrf_value' in request.form \
or request.form['csrf_value'] != get_session()['csrf_id']:
return 'CSRF Protection value invalid'
if 'decided_allow' in request.form:
addToSessionArray('TRUSTED_ROOTS', openid_request.trust_root)
else:
addToSessionArray('NON_TRUSTED_ROOTS', openid_request.trust_root)
return redirect(request.url)
get_session()['csrf_id'] = uuid().hex
get_session().save()
# Get which stuff we will send
sreg_data = {'nickname': auth_module.get('username'),
'email': auth_module.get('email'),
'fullname': auth_module.get('human_name'),
'timezone': auth_module.get('timezone')
}
sreg_req = sreg.SRegRequest.fromOpenIDRequest(openid_request)
sreg_resp = sreg.SRegResponse.extractResponse(sreg_req, sreg_data)
teams_req = teams.TeamsRequest.fromOpenIDRequest(openid_request)
teams_resp = teams.TeamsResponse.extractResponse(
teams_req,
filter_cla_groups(auth_module.get('groups')))
clas_req = cla.CLARequest.fromOpenIDRequest(openid_request)
clas_resp = cla.CLAResponse.extractResponse(
clas_req,
get_cla_uris(auth_module.get('groups')))
# Show form
return render_template(
'user_ask_trust_root.html',
action=request.url,
trust_root=openid_request.trust_root,
sreg_policy_url=sreg_req.policy_url or _('None provided'),
sreg_data=sreg_resp.data,
teams_provided=teams_resp.teams,
cla_done=cla.CLA_URI_FEDORA_DONE in clas_resp.clas,
csrf=get_session()['csrf_id'])
def auth_login():
if not 'next' in request.args and not 'next' in get_session():
return redirect(url_for('view_main'))
if 'next' in request.args:
get_session()['next'] = request.args['next']
get_session().save()
if logged_in() and not \
('timeout' in get_session() and get_session()['timeout']):
# We can also have "timeout" as of 0.4.0
# indicating PAPE or application configuration requires a re-auth
log_debug('Info', {
'message': 'User tried to login but is already authenticated'})
return redirect(get_session()['next'])
if request.method == 'POST':
username = request.form['username']
password = request.form['password']
if (not app.config['AVAILABLE_FILTER']) or \
(username in app.config['AVAILABLE_TO']):
if username == '' or password == '':
user = None
else:
user = check_login(username, password)
if user:
log_info('Success', {
'username': username,
'message': 'User authenticated succesfully'})
user = user.toDict() # A bunch is not serializable...
user['groups'] = [x['name'] for x in
user['approved_memberships']]
get_session()['user'] = user
get_session()['last_auth_time'] = time()
get_session()['timeout'] = False
get_session()['trust_root'] = ''
get_session().save()
return redirect(get_session()['next'])
else:
log_warning('Failure', {
'username': username,
'message': 'User entered incorrect username or password'})
flash(_('Incorrect username or password'))
else:
log_warning('Failure', {
'username': username,
'message': 'Tried to login with an account that is not '
'allowed to use this service'})
flash(_('This service is limited to the following '
'users: %(users)s',
users=', '.join(app.config['AVAILABLE_TO'])))
return render_template(
'auth_fas_login.html',
trust_root=get_session()['trust_root'])
def get(field):
if not 'user' in get_session():
return None
if not field in get_session()['user']:
return None
return get_session()['user'][field]
def logged_in():
return 'user' in get_session()
def auth_logout():
# No check if we are logged in, as we can always delete the session
get_session().delete()
flash(_('You have been logged out'))
return redirect(url_for('view_main'))
def getSessionValue(key, default_value=None):
if key in get_session():
return get_session()[key]
else:
return default_value
log_info('Info', {
'trust_root': openid_request.trust_root,
'message': 'User chose not to trust trust_root'})
return openid_respond(openid_request.answer(False))
elif authed == AUTH_TRUST_ROOT_CONFIG_NOT_OK:
log_info('Info', {
'trust_root': openid_request.trust_root,
'message': 'Configuration blacklisted this trust_root'})
return openid_respond(openid_request.answer(False))
elif openid_request.immediate:
log_warning('Error', {
'trust_root': openid_request.trust_root,
'message': 'Trust root demanded checkid_immediate'})
return openid_respond(openid_request.answer(False))
elif authed == AUTH_TIMEOUT:
get_session()['timeout'] = True
get_session()['next'] = request.base_url
get_session().save()
return redirect(app.config['LOGIN_URL'])
elif authed == AUTH_NOT_LOGGED_IN:
get_session()['next'] = request.base_url
get_session()['trust_root'] = openid_request.trust_root
get_session().save()
return redirect(app.config['LOGIN_URL'])
else:
log_error('Failure', {
'username': auth_module.get('username'),
'attempted_claimed_id': openid_request.identity,
'trust_root': openid_request.trust_root,
'message':
'The user tried to claim an ID that is not theirs'})