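def auth_login():
    """Serve the FAS username/password login form and handle its POST.

    The post-login destination is ``next`` -- the query argument, else the
    copy already kept in ``session``.  It comes straight from the request,
    so it is honoured only when it resolves to this host; anything else is
    logged and replaced by ``view_main``.  Without that check the
    ``redirect(session['next'])`` calls below are an open redirect.

    A user who already has ``g.fas_user`` is sent on immediately unless
    ``session['timeout']`` is set, which as of 0.4.0 means PAPE or the
    application configuration demanded a fresh authentication.

    Returns a redirect response, or the rendered ``login.html`` template
    (``trust_root`` taken from the session, empty when it was never set).
    """
    def _is_local_target(target):
        # Accept relative paths and http(s) URLs on our own host only.
        # NOTE(review): request.host_url derives from the Host header; behind
        # a proxy this is only as trustworthy as SERVER_NAME / trusted-host
        # configuration -- confirm for the deployment.
        try:
            from urlparse import urljoin, urlparse  # Python 2
        except ImportError:
            from urllib.parse import urljoin, urlparse  # Python 3
        here = urlparse(request.host_url)
        there = urlparse(urljoin(request.host_url, target))
        return there.scheme in ('http', 'https') and here.netloc == there.netloc

    if 'next' not in request.args and 'next' not in session:
        return redirect(url_for('view_main'))
    if 'next' in request.args:
        session['next'] = request.args['next']
    if not _is_local_target(session['next']):
        # Off-site or non-http target: never redirect there.
        log_warning('Failure', {'next': session['next'], 'message': 'Refused off-site redirect target'})
        session['next'] = url_for('view_main')

    # A forced re-auth ('timeout') overrides an existing login.
    if g.fas_user and not session.get('timeout', False):
        log_debug('Info', {'message': 'User tried to login but is already authenticated'})
        return redirect(session['next'])

    if request.method == 'POST':
        username = request.form['username']
        password = request.form['password']
        allowed = (not app.config['AVAILABLE_FILTER']) or (username in app.config['AVAILABLE_TO'])
        if not allowed:
            # NOTE(review): the username lands in the log; a user who typed a
            # password into that field has just leaked it there.
            log_warning('Failure', {'username': username, 'message': 'Tried to login with an account that is not allowed to use this service'})
            flash(_('This service is limited to the following users: %(users)s', users=', '.join(app.config['AVAILABLE_TO'])))
        elif not username or not password:
            # Never hand empty credentials to the backend: some directory
            # backends treat an empty password as an anonymous bind and
            # report success.  Reported exactly like a wrong password.
            log_warning('Failure', {'username': username, 'message': 'User entered incorrect username or password'})
            flash(_('Incorrect username or password'))
        elif FAS.login(username, password):
            log_info('Success', {'username': username, 'message': 'User authenticated succesfully'})
            session['last_auth_time'] = time()
            session['timeout'] = False
            session['trust_root'] = ''
            session.modified = True
            return redirect(session['next'])
        else:
            log_warning('Failure', {'username': username, 'message': 'User entered incorrect username or password'})
            flash(_('Incorrect username or password'))
    return render_template('login.html', trust_root=session.get('trust_root', ''))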
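def check_login(username, password):
    """Validate *username*/*password* against FAS.

    Returns the FAS user record (``data.user``) on success and ``False``
    otherwise.  ``AuthError`` (bad credentials) is silent; any other
    exception is logged as a warning and also yields ``False``, so to the
    caller a backend outage looks exactly like a wrong password -- only the
    log tells them apart.

    Empty credentials are rejected up front without contacting FAS: some
    directory backends treat an empty password as an anonymous bind and
    report success.
    """
    if not username or not password:
        return False
    try:
        # The session id is not needed here; only the user record is.
        _session_id, data = _get_fasclient().login(username, password)
        return data.user
    except AuthError:
        return False
    except Exception as ex:  # 'as' form: valid on Python 2.6+ and 3
        # NOTE(review): the exception text is logged verbatim -- confirm the
        # FAS client never embeds credentials in its error messages.
        log_warning('Error', {
            'message': 'An error occured while checking username/password: %s'
            % ex})
        return False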
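def auth_login():
    """Serve the FAS login form (``auth_fas_login.html``) and handle its POST.

    The post-login destination is ``next`` -- the query argument, else the
    copy already kept in the session.  It comes straight from the request,
    so it is honoured only when it resolves to this host; anything else is
    logged and replaced by ``view_main``.  Without that check the
    ``redirect(...['next'])`` calls below are an open redirect.

    A user for whom ``logged_in()`` holds is sent on immediately unless the
    session's ``timeout`` flag is set, which as of 0.4.0 means PAPE or the
    application configuration demanded a fresh authentication.

    On a successful login the FAS user record is stored in the session as a
    plain dict (``toDict()``) with a flattened ``groups`` list, together
    with ``last_auth_time``; ``timeout`` and ``trust_root`` are reset.

    Returns a redirect response or the rendered login template.
    """
    def _is_local_target(target):
        # Accept relative paths and http(s) URLs on our own host only.
        # NOTE(review): request.host_url derives from the Host header; behind
        # a proxy this is only as trustworthy as SERVER_NAME / trusted-host
        # configuration -- confirm for the deployment.
        try:
            from urlparse import urljoin, urlparse  # Python 2
        except ImportError:
            from urllib.parse import urljoin, urlparse  # Python 3
        here = urlparse(request.host_url)
        there = urlparse(urljoin(request.host_url, target))
        return there.scheme in ('http', 'https') and here.netloc == there.netloc

    # get_session() hands back the same store on every call (the original
    # assigned on one call and save()d on the next), so hold it once.
    sess = get_session()

    if 'next' not in request.args and 'next' not in sess:
        return redirect(url_for('view_main'))
    if 'next' in request.args:
        sess['next'] = request.args['next']
        sess.save()
    if not _is_local_target(sess['next']):
        # Off-site or non-http target: never redirect there.
        log_warning('Failure', {
            'next': sess['next'],
            'message': 'Refused off-site redirect target'})
        sess['next'] = url_for('view_main')
        sess.save()

    # A forced re-auth ('timeout') overrides an existing login.
    forced_reauth = 'timeout' in sess and sess['timeout']
    if logged_in() and not forced_reauth:
        log_debug('Info', {
            'message': 'User tried to login but is already authenticated'})
        return redirect(sess['next'])

    if request.method == 'POST':
        username = request.form['username']
        password = request.form['password']
        allowed = (not app.config['AVAILABLE_FILTER']) or \
            (username in app.config['AVAILABLE_TO'])
        if not allowed:
            # NOTE(review): the username lands in the log; a user who typed a
            # password into that field has just leaked it there.
            log_warning('Failure', {
                'username': username,
                'message': 'Tried to login with an account that is not '
                           'allowed to use this service'})
            flash(_('This service is limited to the following '
                    'users: %(users)s',
                    users=', '.join(app.config['AVAILABLE_TO'])))
        else:
            # Empty credentials never reach the backend: some directory
            # backends treat an empty password as an anonymous bind.
            user = None
            if username and password:
                user = check_login(username, password)
            if user:
                log_info('Success', {
                    'username': username,
                    'message': 'User authenticated succesfully'})
                user = user.toDict()  # A bunch is not serializable...
                user['groups'] = [x['name'] for x in
                                  user['approved_memberships']]
                sess['user'] = user
                sess['last_auth_time'] = time()
                sess['timeout'] = False
                sess['trust_root'] = ''
                sess.save()
                return redirect(sess['next'])
            log_warning('Failure', {
                'username': username,
                'message': 'User entered incorrect username or password'})
            flash(_('Incorrect username or password'))

    # trust_root is only set by the OpenID flow / a prior login; a fresh
    # session may not have it yet.
    trust_root = sess['trust_root'] if 'trust_root' in sess else ''
    return render_template('auth_fas_login.html', trust_root=trust_root)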
 elif authed == AUTH_TRUST_ROOT_ASK:
     # User needs to confirm trust root
     return user_ask_trust_root(openid_request)
 elif authed == AUTH_TRUST_ROOT_NOT_OK:
     log_info('Info', {
         'trust_root': openid_request.trust_root,
         'message': 'User chose not to trust trust_root'})
     return openid_respond(openid_request.answer(False))
 elif authed == AUTH_TRUST_ROOT_CONFIG_NOT_OK:
     log_info('Info', {
         'trust_root': openid_request.trust_root,
         'message': 'Configuration blacklisted this trust_root'})
     return openid_respond(openid_request.answer(False))
 elif openid_request.immediate:
     log_warning('Error', {
         'trust_root': openid_request.trust_root,
         'message': 'Trust root demanded checkid_immediate'})
     return openid_respond(openid_request.answer(False))
 elif authed == AUTH_TIMEOUT:
     get_session()['timeout'] = True
     get_session()['next'] = request.base_url
     get_session().save()
     return redirect(app.config['LOGIN_URL'])
 elif authed == AUTH_NOT_LOGGED_IN:
     get_session()['next'] = request.base_url
     get_session()['trust_root'] = openid_request.trust_root
     get_session().save()
     return redirect(app.config['LOGIN_URL'])
 else:
     log_error('Failure', {
         'username': auth_module.get('username'),