Ejemplo n.º 1
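    def persona_sign(email, publicKey, certDuration):
        """Issue a signed Persona (BrowserID) certificate for *email*.

        The result has the form ``header.claim.signature`` with each part
        base64url-encoded: the header names algorithm ``RS<digest_size>``,
        the claim binds the caller-supplied public key to the e-mail
        principal under this issuer, and the signature is made with ``key``
        (``key`` and ``digest_size`` come from the enclosing scope, not from
        this function) over the SHA-<digest_size> digest of ``header.claim``.

        Args:
            email: e-mail address the certificate is issued for.
            publicKey: JSON-encoded public key supplied by the client; it is
                parsed and embedded as-is in the claim, so malformed JSON
                raises ``ValueError`` before anything is signed.
            certDuration: requested validity in seconds, capped at 24 hours.
                A negative value is not rejected here and would produce a
                certificate whose ``exp`` precedes ``iat``; callers are
                expected to pass a positive duration.

        Returns:
            The signed certificate string.
        """
        hash_name = 'sha%s' % digest_size
        header = base64_url_encode(json.dumps({'alg': 'RS%s' % digest_size}))

        # Read the clock once so iat and exp are derived from the same
        # instant; reading it separately for each field lets a tick between
        # the reads shift exp relative to iat.
        now = time.time()
        # Valid for at most 24 hours. iat is backdated 10 s to tolerate a
        # small clock skew on the verifier. Both fields are in milliseconds.
        lifetime = min(certDuration, 24 * 60 * 60)
        claim = {
            'iat': 1000 * int(now - 10),
            'exp': 1000 * int(now + lifetime),
            'iss': app.config['PERSONA_DOMAIN'],
            'public-key': json.loads(publicKey),
            'principal': {'email': email},
        }
        certificate = '%s.%s' % (header,
                                 base64_url_encode(json.dumps(claim)))

        # The signature covers the exact encoded header.claim text, so the
        # claim must not be re-serialised after this point.
        digest = M2Crypto.EVP.MessageDigest(hash_name)
        digest.update(certificate)
        signature = base64_url_encode(key.sign(digest.digest(), hash_name))
        signed_certificate = '%s.%s' % (certificate, signature)

        log_info('Success', {
            'email': email,
            'issuedAt': str(claim['iat']),
            'expiresAt': str(claim['exp']),
            'message': 'The user succesfully acquired a Persona certificate'})

        return signed_certificate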
Ejemplo n.º 2
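 def view_fas_login():
     """Flask view for the interactive FAS username/password login form.

     Flow:
       * a ``next`` target must be present in the query string or already
         stored in the session, otherwise the client is sent to
         ``view_main``;
       * an already-authenticated session that is not flagged ``timeout``
         is redirected straight to ``next``;
       * on POST the credentials are checked through the auth module,
         subject to the optional ``FAS_AVAILABLE_FILTER`` /
         ``FAS_AVAILABLE_TO`` allow list, and on success the serialised
         user is stored in the session before redirecting to ``next``.
     In every other case the login template is rendered.

     A POST without ``username`` or ``password`` form fields raises
     ``KeyError`` from ``request.form`` (Flask turns that into a 400).
     """
     # get_session() must return the same object for the whole request,
     # otherwise the single save() after several writes below could not
     # work; bind it once instead of calling it on every line.
     session = get_session()

     if 'next' not in request.args and 'next' not in session:
         return redirect(url_for('view_main'))
     if 'next' in request.args:
         # NOTE(review): ``next`` comes from the client and is later used
         # unchanged as a redirect target. If an absolute external URL can
         # reach this point it is an open redirect; confirm that callers
         # constrain it, or validate that it is a local path before storing.
         session['next'] = request.args['next']
         session.save()

     # "timeout" (since 0.4.0) marks a session that PAPE or the application
     # configuration requires to re-authenticate, so it falls through to the
     # form even though logged_in() is true.
     if get_auth_module().logged_in() and not session.get('timeout'):
         log_debug('Info', {
             'message': 'User tried to login but is already authenticated'})
         return redirect(session['next'])

     if request.method == 'POST':
         # NOTE(review): no CSRF check is visible in this view; confirm it
         # is enforced elsewhere (e.g. a before_request hook) for this form.
         username = request.form['username']
         password = request.form['password']
         allowed = (not app.config['FAS_AVAILABLE_FILTER']
                    or username in app.config['FAS_AVAILABLE_TO'])
         if allowed:
             # Empty credentials never reach the backend; they are treated
             # as a failed login.
             user = None
             if username and password:
                 user = get_auth_module().check_login(username, password)
             if user:
                 log_info('Success', {
                     'username': username,
                     'message': 'User authenticated succesfully'})
                 user = user.toDict()  # A bunch is not serializable...
                 user['groups'] = [x['name'] for x in
                                   user['approved_memberships']]
                 session['user'] = user
                 session['last_auth_time'] = time()
                 session['timeout'] = False
                 session['trust_root'] = ''
                 session.save()
                 return redirect(session['next'])
             log_warning('Failure', {
                 'username': username,
                 'message': 'User entered incorrect username or password'})
             flash(_('Incorrect username or password'))
         else:
             log_warning('Failure', {
                 'username': username,
                 'message': 'Tried to login with an account that is not '
                            'allowed to use this service'})
             # This message discloses the complete allow list to any
             # unauthenticated client; acceptable only while that list is
             # not considered sensitive.
             flash(_('This service is limited to the following '
                     'users: %(users)s',
                     users=', '.join(app.config['FAS_AVAILABLE_TO'])))

     return render_template(
         'auth_fas_login.html',
         trust_root=session['trust_root'])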
Ejemplo n.º 3
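 def view_persona_fas_login():
     """Non-interactive FAS login endpoint used by the Persona flow.

     Reads ``username`` and ``password`` from the POSTed form and answers
     with a plain-text ``Response``:
       * 400 if either form field is missing;
       * 409 if the session is already authenticated;
       * 403 if the account is outside the ``FAS_AVAILABLE_TO`` allow list
         (only enforced when ``FAS_AVAILABLE_FILTER`` is set) or the
         credentials are rejected;
       * 200 on success, after the serialised user has been stored in the
         session.
     """
     form = request.form
     if 'username' not in form or 'password' not in form:
         return Response('No user or pw', status=400)
     if get_auth_module().logged_in():
         return Response('Already logged in', status=409)

     username = form['username']
     password = form['password']
     allowed = (not app.config['FAS_AVAILABLE_FILTER']
                or username in app.config['FAS_AVAILABLE_TO'])
     if not allowed:
         log_warning('Failure', {
             'username': username,
             'message': 'Tried to login with an account that is not '
                        'allowed to use this service'})
         # This reply is distinguishable from the bad-credentials 403
         # below, so a client can learn whether a name is on the allow
         # list; acceptable only while that list is not sensitive.
         return Response('Service limited to a restricted set of users', status=403)

     # Empty credentials never reach the backend; they count as a failure.
     user = None
     if username and password:
         user = get_auth_module().check_login(username, password)
     if not user:
         log_warning('Failure', {
             'username': username,
             'message': 'User entered incorrect username or password'})
         return Response('Incorrect username or password', status=403)

     log_info('Success', {
         'username': username,
         'message': 'User authenticated succesfully'})
     user = user.toDict()  # A bunch is not serializable...
     user['groups'] = [x['name'] for x in user['approved_memberships']]
     # get_session() must return the same object for the whole request for
     # the single save() after these writes to work; bind it once.
     session = get_session()
     session['user'] = user
     session['last_auth_time'] = time()
     session['timeout'] = False
     session['trust_root'] = ''
     session.save()
     return Response('Success', status=200)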
Ejemplo n.º 4
         ),
         claimed_id=get_claimed_id(get_auth_module().get_username())
     )
     sreg_info = addSReg(openid_request, openid_response)
     teams_info = addTeams(
         openid_request,
         openid_response,
         filter_cla_groups(get_auth_module().get_groups()))
     cla_info = addCLAs(
         openid_request,
         openid_response,
         get_cla_uris(get_auth_module().get_groups()))
     auth_level = addPape(openid_request, openid_response)
     log_info('Success', {
         'claimed_id': get_claimed_id(get_auth_module().get_username()),
         'trust_root': openid_request.trust_root,
         'security_level': auth_level,
         'message': 'The user succesfully claimed the identity'})
     log_debug('Info', {'teams': teams_info})
     return openid_respond(openid_response)
 elif authed == AUTH_TRUST_ROOT_ASK:
     # User needs to confirm trust root
     return user_ask_trust_root(openid_request)
 elif authed == AUTH_TRUST_ROOT_NOT_OK:
     log_info('Info', {
         'trust_root': openid_request.trust_root,
         'message': 'User chose not to trust trust_root'})
     return openid_respond(openid_request.answer(False))
 elif authed == AUTH_TRUST_ROOT_CONFIG_NOT_OK:
     log_info('Info', {
         'trust_root': openid_request.trust_root,