def get_sreg(self): if not 'user' in get_session(): return {} return {'nickname': self.get_username(), 'email': get_session()['user']['email'], 'fullname': get_session()['user']['human_name'], 'timezone': get_session()['user']['timezone']}
def isAuthorized(openid_request): pape_req_time, pape_auth_policies, pape_auth_level_types = \ getPapeRequestInfo(openid_request) if not get_auth_module().logged_in(): return AUTH_NOT_LOGGED_IN elif (pape_req_time) and (pape_req_time != 0) and ( get_session()['last_auth_time'] < (time() - pape_req_time)): return AUTH_TIMEOUT elif (app.config['OPENID_MAX_AUTH_TIME'] != 0) and ( get_session()['last_auth_time'] < (time() - ( app.config['OPENID_MAX_AUTH_TIME'] * 60))): return AUTH_TIMEOUT # Add checks if yubikey is required by application elif (not openid_request.idSelect()) and ( openid_request.identity != get_claimed_id( get_auth_module().get_username())): return AUTH_INCORRECT_IDENTITY elif openid_request.trust_root in app.config['OPENID_TRUSTED_ROOTS']: return AUTH_OK elif openid_request.trust_root in app.config['OPENID_NON_TRUSTED_ROOTS']: return AUTH_TRUST_ROOT_CONFIG_NOT_OK elif openid_request.trust_root in getSessionValue('TRUSTED_ROOTS', []): return AUTH_OK elif openid_request.trust_root in getSessionValue('NON_TRUSTED_ROOTS', []): return AUTH_TRUST_ROOT_NOT_OK else: # The user still needs to determine if he/she allows this trust root return AUTH_TRUST_ROOT_ASK
def addToSessionArray(array, value): if array in get_session(): get_session()[array].append(value) get_session().save() else: get_session()[array] = [value] get_session().save()
def view_openid_main(): if 'openid.mode' in request.values: values = request.values get_session()['values'] = request.values get_session().save() else: if 'values' in get_session(): values = get_session()['values'] else: values = {} try: openid_request = get_server().decodeRequest(values) except server.ProtocolError, openid_error: return openid_respond(openid_error)
def openid_respond(openid_response): get_session()['TRUSTED_ROOTS'] = [] get_session()['NON_TRUSTED_ROOTS'] = [] get_session().save() if 'values' in get_session(): get_session()['values'] = None get_session().save() try: webresponse = get_server().encodeResponse(openid_response) return (webresponse.body, webresponse.code, webresponse.headers) except server.EncodingError, why: headers = {'Content-type': 'text/plain; charset=UTF-8'} return why.response.encodeToKVForm(), 400, headers
def user_ask_trust_root(openid_request): if request.method == 'POST' and 'form_filled' in request.form: if not 'csrf_id' in get_session() \ or not 'csrf_value' in request.form \ or request.form['csrf_value'] != get_session()['csrf_id']: return 'CSRF Protection value invalid' if 'decided_allow' in request.form: addToSessionArray('TRUSTED_ROOTS', openid_request.trust_root) else: addToSessionArray('NON_TRUSTED_ROOTS', openid_request.trust_root) return redirect(request.url) get_session()['csrf_id'] = uuid().hex get_session().save() # Get which stuff we will send sreg_data = get_auth_module().get_sreg() sreg_req = sreg.SRegRequest.fromOpenIDRequest(openid_request) sreg_resp = sreg.SRegResponse.extractResponse(sreg_req, sreg_data) teams_req = teams.TeamsRequest.fromOpenIDRequest(openid_request) teams_resp = teams.TeamsResponse.extractResponse( teams_req, filter_cla_groups(get_auth_module().get_groups())) clas_req = cla.CLARequest.fromOpenIDRequest(openid_request) clas_resp = cla.CLAResponse.extractResponse( clas_req, get_cla_uris(get_auth_module().get_groups())) # Show form return render_template( 'openid_user_ask_trust_root.html', action=complete_url_for('view_main'), trust_root=openid_request.trust_root, sreg_policy_url=sreg_req.policy_url or _('None provided'), sreg_data=sreg_resp.data, teams_provided=teams_resp.teams, cla_done=cla.CLA_URI_FEDORA_DONE in clas_resp.clas, csrf=get_session()['csrf_id'])
def addPape(request, response): auth_time = datetime.utcfromtimestamp( get_session()['last_auth_time']).strftime('%Y-%m-%dT%H:%M:%SZ') auth_policies = [] auth_levels = {} auth_levels[pape.LEVELS_NIST] = 2 if get_auth_module().used_multi_factor(): auth_policies.append(pape.AUTH_MULTI_FACTOR) if get_auth_module().used_multi_factor_physical(): auth_policies.append(pape.AUTH_MULTI_FACTOR_PHYSICAL) if get_auth_module().used_phishing_resistant(): auth_policies.append(pape.AUTH_PHISHING_RESISTANT) auth_levels[pape.LEVELS_NIST] = 3 else: auth_policies.append(pape.AUTH_NONE) pape_resp = pape.Response( auth_policies=auth_policies, auth_time=auth_time, auth_levels=auth_levels) response.addExtension(pape_resp) return auth_levels[pape.LEVELS_NIST]
def view_persona_fas_login(): if not 'username' in request.form or not 'password' in request.form: return Response('No user or pw', status=400) if get_auth_module().logged_in(): return Response('Already logged in', status=409) username = request.form['username'] password = request.form['password'] if (not app.config['FAS_AVAILABLE_FILTER']) or \ (username in app.config['FAS_AVAILABLE_TO']): if username == '' or password == '': user = None else: user = get_auth_module().check_login(username, password) if user: log_info('Success', { 'username': username, 'message': 'User authenticated succesfully'}) user = user.toDict() # A bunch is not serializable... user['groups'] = [x['name'] for x in user['approved_memberships']] get_session()['user'] = user get_session()['last_auth_time'] = time() get_session()['timeout'] = False get_session()['trust_root'] = '' get_session().save() return Response('Success', status=200) else: log_warning('Failure', { 'username': username, 'message': 'User entered incorrect username or password'}) return Response('Incorrect username or password', status=403) else: log_warning('Failure', { 'username': username, 'message': 'Tried to login with an account that is not ' 'allowed to use this service'}) return Response('Service limited to a restricted set of users', status=403)
log_info('Info', { 'trust_root': openid_request.trust_root, 'message': 'User chose not to trust trust_root'}) return openid_respond(openid_request.answer(False)) elif authed == AUTH_TRUST_ROOT_CONFIG_NOT_OK: log_info('Info', { 'trust_root': openid_request.trust_root, 'message': 'Configuration blacklisted this trust_root'}) return openid_respond(openid_request.answer(False)) elif openid_request.immediate: log_warning('Error', { 'trust_root': openid_request.trust_root, 'message': 'Trust root demanded checkid_immediate'}) return openid_respond(openid_request.answer(False)) elif authed == AUTH_TIMEOUT: get_session()['timeout'] = True get_session()['next'] = request.base_url get_session().save() return get_auth_module().start_authentication() elif authed == AUTH_NOT_LOGGED_IN: get_session()['next'] = request.base_url get_session()['trust_root'] = openid_request.trust_root get_session().save() return get_auth_module().start_authentication() else: log_error('Failure', { 'username': get_auth_module().get_username(), 'attempted_claimed_id': openid_request.identity, 'trust_root': openid_request.trust_root, 'message': 'The user tried to claim an ID that is not theirs'})
def auth_logout(): # No check if we are logged in, as we can always delete the session get_session().delete() flash(_('You have been logged out')) return redirect(url_for('view_main'))
def view_persona_sign_in(): get_session().delete() return render_template('persona_signin.html', auth_module_login=get_auth_module().get_persona_auth_base(), trust_root='Persona', domain=app.config['PERSONA_DOMAIN'], website_root=app.config['WEBSITE_ROOT'])
def getSessionValue(key, default_value=None): if key in get_session(): return get_session()[key] else: return default_value
def get_groups(self): if not 'user' in get_session(): return None return get_session()['user']['groups']
def get_username(self): if not 'user' in get_session(): return None return get_session()['user']['username']
def logged_in(self): return 'user' in get_session()
def view_fas_login(): if not 'next' in request.args and not 'next' in get_session(): return redirect(url_for('view_main')) if 'next' in request.args: get_session()['next'] = request.args['next'] get_session().save() if get_auth_module().logged_in() and not \ ('timeout' in get_session() and get_session()['timeout']): # We can also have "timeout" as of 0.4.0 # indicating PAPE or application configuration requires a re-auth log_debug('Info', { 'message': 'User tried to login but is already authenticated'}) return redirect(get_session()['next']) if request.method == 'POST': username = request.form['username'] password = request.form['password'] if (not app.config['FAS_AVAILABLE_FILTER']) or \ (username in app.config['FAS_AVAILABLE_TO']): if username == '' or password == '': user = None else: user = get_auth_module().check_login(username, password) if user: log_info('Success', { 'username': username, 'message': 'User authenticated succesfully'}) user = user.toDict() # A bunch is not serializable... user['groups'] = [x['name'] for x in user['approved_memberships']] get_session()['user'] = user get_session()['last_auth_time'] = time() get_session()['timeout'] = False get_session()['trust_root'] = '' get_session().save() return redirect(get_session()['next']) else: log_warning('Failure', { 'username': username, 'message': 'User entered incorrect username or password'}) flash(_('Incorrect username or password')) else: log_warning('Failure', { 'username': username, 'message': 'Tried to login with an account that is not ' 'allowed to use this service'}) flash(_('This service is limited to the following ' 'users: %(users)s', users=', '.join(app.config['FAS_AVAILABLE_TO']))) return render_template( 'auth_fas_login.html', trust_root=get_session()['trust_root'])