Example #1
0
 def get_sreg(self):
     if not 'user' in get_session():
         return {}
     return {'nickname': self.get_username(),
             'email': get_session()['user']['email'],
             'fullname': get_session()['user']['human_name'],
             'timezone': get_session()['user']['timezone']}
Example #2
0
def isAuthorized(openid_request):
    pape_req_time, pape_auth_policies, pape_auth_level_types = \
        getPapeRequestInfo(openid_request)

    if not get_auth_module().logged_in():
        return AUTH_NOT_LOGGED_IN
    elif (pape_req_time) and (pape_req_time != 0) and (
            get_session()['last_auth_time'] < (time() - pape_req_time)):
        return AUTH_TIMEOUT
    elif (app.config['OPENID_MAX_AUTH_TIME'] != 0) and (
            get_session()['last_auth_time'] < (time() - (
            app.config['OPENID_MAX_AUTH_TIME'] * 60))):
        return AUTH_TIMEOUT
    # Add checks if yubikey is required by application
    elif (not openid_request.idSelect()) and (
            openid_request.identity != get_claimed_id(
                get_auth_module().get_username())):
        return AUTH_INCORRECT_IDENTITY
    elif openid_request.trust_root in app.config['OPENID_TRUSTED_ROOTS']:
        return AUTH_OK
    elif openid_request.trust_root in app.config['OPENID_NON_TRUSTED_ROOTS']:
        return AUTH_TRUST_ROOT_CONFIG_NOT_OK
    elif openid_request.trust_root in getSessionValue('TRUSTED_ROOTS', []):
        return AUTH_OK
    elif openid_request.trust_root in getSessionValue('NON_TRUSTED_ROOTS', []):
        return AUTH_TRUST_ROOT_NOT_OK
    else:
        # The user still needs to determine if he/she allows this trust root
        return AUTH_TRUST_ROOT_ASK
Example #3
0
def addToSessionArray(array, value):
    if array in get_session():
        get_session()[array].append(value)
        get_session().save()
    else:
        get_session()[array] = [value]
        get_session().save()
Example #4
0
def view_openid_main():
    if 'openid.mode' in request.values:
        values = request.values
        get_session()['values'] = request.values
        get_session().save()
    else:
        if 'values' in get_session():
            values = get_session()['values']
        else:
            values = {}

    try:
        openid_request = get_server().decodeRequest(values)
    except server.ProtocolError, openid_error:
        return openid_respond(openid_error)
Example #5
0
def openid_respond(openid_response):
    get_session()['TRUSTED_ROOTS'] = []
    get_session()['NON_TRUSTED_ROOTS'] = []
    get_session().save()
    if 'values' in get_session():
        get_session()['values'] = None
        get_session().save()
    try:
        webresponse = get_server().encodeResponse(openid_response)
        return (webresponse.body, webresponse.code, webresponse.headers)
    except server.EncodingError, why:
        headers = {'Content-type': 'text/plain; charset=UTF-8'}
        return why.response.encodeToKVForm(), 400, headers
Example #6
0
def user_ask_trust_root(openid_request):
    if request.method == 'POST' and 'form_filled' in request.form:
        if not 'csrf_id' in get_session() \
                or not 'csrf_value' in request.form \
                or request.form['csrf_value'] != get_session()['csrf_id']:
            return 'CSRF Protection value invalid'
        if 'decided_allow' in request.form:
            addToSessionArray('TRUSTED_ROOTS', openid_request.trust_root)
        else:
            addToSessionArray('NON_TRUSTED_ROOTS', openid_request.trust_root)
        return redirect(request.url)
    get_session()['csrf_id'] = uuid().hex
    get_session().save()
    # Get which stuff we will send
    sreg_data = get_auth_module().get_sreg()
    sreg_req = sreg.SRegRequest.fromOpenIDRequest(openid_request)
    sreg_resp = sreg.SRegResponse.extractResponse(sreg_req, sreg_data)
    teams_req = teams.TeamsRequest.fromOpenIDRequest(openid_request)
    teams_resp = teams.TeamsResponse.extractResponse(
        teams_req,
        filter_cla_groups(get_auth_module().get_groups()))
    clas_req = cla.CLARequest.fromOpenIDRequest(openid_request)
    clas_resp = cla.CLAResponse.extractResponse(
        clas_req,
        get_cla_uris(get_auth_module().get_groups()))
    # Show form
    return render_template(
        'openid_user_ask_trust_root.html',
        action=complete_url_for('view_main'),
        trust_root=openid_request.trust_root,
        sreg_policy_url=sreg_req.policy_url or _('None provided'),
        sreg_data=sreg_resp.data,
        teams_provided=teams_resp.teams,
        cla_done=cla.CLA_URI_FEDORA_DONE in clas_resp.clas,
        csrf=get_session()['csrf_id'])
Example #7
0
def addPape(request, response):
    auth_time = datetime.utcfromtimestamp(
        get_session()['last_auth_time']).strftime('%Y-%m-%dT%H:%M:%SZ')
    auth_policies = []
    auth_levels = {}
    auth_levels[pape.LEVELS_NIST] = 2

    if get_auth_module().used_multi_factor():
        auth_policies.append(pape.AUTH_MULTI_FACTOR)
        if get_auth_module().used_multi_factor_physical():
            auth_policies.append(pape.AUTH_MULTI_FACTOR_PHYSICAL)
            if get_auth_module().used_phishing_resistant():
                auth_policies.append(pape.AUTH_PHISHING_RESISTANT)
                auth_levels[pape.LEVELS_NIST] = 3
    else:
        auth_policies.append(pape.AUTH_NONE)

    pape_resp = pape.Response(
        auth_policies=auth_policies,
        auth_time=auth_time,
        auth_levels=auth_levels)
    response.addExtension(pape_resp)
    return auth_levels[pape.LEVELS_NIST]
Example #8
0
 def view_persona_fas_login():
     if not 'username' in request.form or not 'password' in  request.form:
         return Response('No user or pw', status=400)
     if get_auth_module().logged_in():
         return Response('Already logged in', status=409)
     username = request.form['username']
     password = request.form['password']
     if (not app.config['FAS_AVAILABLE_FILTER']) or \
             (username in app.config['FAS_AVAILABLE_TO']):
         if username == '' or password == '':
             user = None
         else:
             user = get_auth_module().check_login(username, password)
         if user:
             log_info('Success', {
                 'username': username,
                 'message': 'User authenticated succesfully'})
             user = user.toDict()  # A bunch is not serializable...
             user['groups'] = [x['name'] for x in
                               user['approved_memberships']]
             get_session()['user'] = user
             get_session()['last_auth_time'] = time()
             get_session()['timeout'] = False
             get_session()['trust_root'] = ''
             get_session().save()
             return Response('Success', status=200)
         else:
             log_warning('Failure', {
                 'username': username,
                 'message': 'User entered incorrect username or password'})
             return Response('Incorrect username or password', status=403)
     else:
         log_warning('Failure', {
             'username': username,
             'message': 'Tried to login with an account that is not '
                        'allowed to use this service'})
         return Response('Service limited to a restricted set of users', status=403)
Example #9
0
     log_info('Info', {
         'trust_root': openid_request.trust_root,
         'message': 'User chose not to trust trust_root'})
     return openid_respond(openid_request.answer(False))
 elif authed == AUTH_TRUST_ROOT_CONFIG_NOT_OK:
     log_info('Info', {
         'trust_root': openid_request.trust_root,
         'message': 'Configuration blacklisted this trust_root'})
     return openid_respond(openid_request.answer(False))
 elif openid_request.immediate:
     log_warning('Error', {
         'trust_root': openid_request.trust_root,
         'message': 'Trust root demanded checkid_immediate'})
     return openid_respond(openid_request.answer(False))
 elif authed == AUTH_TIMEOUT:
     get_session()['timeout'] = True
     get_session()['next'] = request.base_url
     get_session().save()
     return get_auth_module().start_authentication()
 elif authed == AUTH_NOT_LOGGED_IN:
     get_session()['next'] = request.base_url
     get_session()['trust_root'] = openid_request.trust_root
     get_session().save()
     return get_auth_module().start_authentication()
 else:
     log_error('Failure', {
         'username': get_auth_module().get_username(),
         'attempted_claimed_id': openid_request.identity,
         'trust_root': openid_request.trust_root,
         'message':
         'The user tried to claim an ID that is not theirs'})
Example #10
0
def auth_logout():
    # No check if we are logged in, as we can always delete the session
    get_session().delete()
    flash(_('You have been logged out'))
    return redirect(url_for('view_main'))
Example #11
0
 def view_persona_sign_in():
     get_session().delete()
     return render_template('persona_signin.html',
         auth_module_login=get_auth_module().get_persona_auth_base(),
         trust_root='Persona', domain=app.config['PERSONA_DOMAIN'],
         website_root=app.config['WEBSITE_ROOT'])
Example #12
0
def getSessionValue(key, default_value=None):
    if key in get_session():
        return get_session()[key]
    else:
        return default_value
Example #13
0
 def get_groups(self):
     if not 'user' in get_session():
         return None
     return get_session()['user']['groups']
Example #14
0
 def get_username(self):
     if not 'user' in get_session():
         return None
     return get_session()['user']['username']
Example #15
0
 def logged_in(self):
     return 'user' in get_session()
Example #16
0
 def view_fas_login():
     if not 'next' in request.args and not 'next' in get_session():
         return redirect(url_for('view_main'))
     if 'next' in request.args:
         get_session()['next'] = request.args['next']
         get_session().save()
     if get_auth_module().logged_in() and not \
             ('timeout' in get_session() and get_session()['timeout']):
         # We can also have "timeout" as of 0.4.0
         # indicating PAPE or application configuration requires a re-auth
         log_debug('Info', {
             'message': 'User tried to login but is already authenticated'})
         return redirect(get_session()['next'])
     if request.method == 'POST':
         username = request.form['username']
         password = request.form['password']
         if (not app.config['FAS_AVAILABLE_FILTER']) or \
                 (username in app.config['FAS_AVAILABLE_TO']):
             if username == '' or password == '':
                 user = None
             else:
                 user = get_auth_module().check_login(username, password)
             if user:
                 log_info('Success', {
                     'username': username,
                     'message': 'User authenticated succesfully'})
                 user = user.toDict()  # A bunch is not serializable...
                 user['groups'] = [x['name'] for x in
                                   user['approved_memberships']]
                 get_session()['user'] = user
                 get_session()['last_auth_time'] = time()
                 get_session()['timeout'] = False
                 get_session()['trust_root'] = ''
                 get_session().save()
                 return redirect(get_session()['next'])
             else:
                 log_warning('Failure', {
                     'username': username,
                     'message': 'User entered incorrect username or password'})
                 flash(_('Incorrect username or password'))
         else:
             log_warning('Failure', {
                 'username': username,
                 'message': 'Tried to login with an account that is not '
                            'allowed to use this service'})
             flash(_('This service is limited to the following '
                     'users: %(users)s',
                     users=', '.join(app.config['FAS_AVAILABLE_TO'])))
     return render_template(
         'auth_fas_login.html',
         trust_root=get_session()['trust_root'])