def signup(request):
""" The signup page """
signup_form = None
if request.method == "POST":
signup_form = SignupForm(request.POST)
if signup_form.is_valid():
try:
try:
LDAPUser.objects.get(
username=signup_form.cleaned_data['username'])
except LDAPUser.DoesNotExist:
pass
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
raise OkupyError("Can't contact LDAP server")
else:
raise OkupyError('Username already exists')
try:
LDAPUser.objects.get(
email__contains=signup_form.cleaned_data['email'])
except LDAPUser.DoesNotExist:
pass
else:
raise OkupyError('Email already exists')
queued_user = Queue(
username=signup_form.cleaned_data['username'],
first_name=signup_form.cleaned_data['first_name'],
last_name=signup_form.cleaned_data['last_name'],
email=signup_form.cleaned_data['email'],
password=signup_form.cleaned_data['password_origin'],
)
try:
queued_user.save()
except IntegrityError:
raise OkupyError('Account is already pending activation')
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
raise OkupyError("Can't contact the database")
send_mail(
'%sAccount Activation' % settings.EMAIL_SUBJECT_PREFIX,
'To confirm your email address, please click the \
following link:\n%s' % queued_user.encrypted_id,
'%s' % settings.SERVER_EMAIL,
[signup_form.cleaned_data['email']]
)
messages.info(
request, "You will shortly receive an activation mail")
return redirect(login)
except OkupyError as error:
messages.error(request, str(error))
else:
signup_form = SignupForm()
return render(request, 'signup.html', {
'signup_form': signup_form,
})
def signup(request):
""" The signup page """
signup_form = None
if request.method == "POST":
signup_form = SignupForm(request.POST)
if signup_form.is_valid():
try:
try:
LDAPUser.objects.get(
username=signup_form.cleaned_data['username'])
except LDAPUser.DoesNotExist:
pass
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
raise OkupyError("Can't contact LDAP server")
else:
raise OkupyError('Username already exists')
try:
LDAPUser.objects.get(
email__contains=signup_form.cleaned_data['email'])
except LDAPUser.DoesNotExist:
pass
else:
raise OkupyError('Email already exists')
queued_user = Queue(
username=signup_form.cleaned_data['username'],
first_name=signup_form.cleaned_data['first_name'],
last_name=signup_form.cleaned_data['last_name'],
email=signup_form.cleaned_data['email'],
password=signup_form.cleaned_data['password_origin'],
)
try:
queued_user.save()
except IntegrityError:
raise OkupyError('Account is already pending activation')
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
raise OkupyError("Can't contact the database")
send_mail(
'%sAccount Activation' % settings.EMAIL_SUBJECT_PREFIX,
'To confirm your email address, please click the \
following link:\n%s' % queued_user.encrypted_id,
'%s' % settings.SERVER_EMAIL,
[signup_form.cleaned_data['email']])
messages.info(request,
"You will shortly receive an activation mail")
return redirect(login)
except OkupyError as error:
messages.error(request, str(error))
else:
signup_form = SignupForm()
return render(request, 'signup.html', {
'signup_form': signup_form,
})
def activate(request, token):
"""
The page that users get to activate their accounts
It is in the form /activate/$TOKEN
"""
try:
try:
queued = Queue.objects.get(encrypted_id=token)
except (Queue.DoesNotExist, OverflowError, TypeError, ValueError):
raise OkupyError('Invalid URL')
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
raise OkupyError("Can't contact the database")
# get max uidNumber
try:
uidnumber = LDAPUser.objects.latest('uid').uid + 1
except LDAPUser.DoesNotExist:
uidnumber = 1
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
raise OkupyError("Can't contact LDAP server")
# add account to ldap
new_user = LDAPUser(
object_class=settings.AUTH_LDAP_USER_OBJECTCLASS,
last_name=queued.last_name,
full_name='%s %s' % (queued.first_name, queued.last_name),
password=[ldap_md5_crypt.encrypt(queued.password)],
first_name=queued.first_name,
email=[queued.email],
username=queued.username,
uid=uidnumber,
gid=100,
gecos='%s %s' % (queued.first_name, queued.last_name),
home_directory='/home/%s' % queued.username,
ACL=['user.group'],
)
new_user.save()
# remove queued account from DB
queued.delete()
messages.success(request,
"Your account has been activated successfully")
except OkupyError as error:
messages.error(request, str(error))
return redirect(login)
def activate(request, token):
"""
The page that users get to activate their accounts
It is in the form /activate/$TOKEN
"""
try:
try:
queued = Queue.objects.get(encrypted_id=token)
except (Queue.DoesNotExist, OverflowError, TypeError, ValueError):
raise OkupyError('Invalid URL')
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
raise OkupyError("Can't contact the database")
# get max uidNumber
try:
uidnumber = LDAPUser.objects.latest('uid').uid + 1
except LDAPUser.DoesNotExist:
uidnumber = 1
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
raise OkupyError("Can't contact LDAP server")
# add account to ldap
new_user = LDAPUser(
object_class=settings.AUTH_LDAP_USER_OBJECTCLASS,
last_name=queued.last_name,
full_name='%s %s' % (queued.first_name, queued.last_name),
password=[ldap_md5_crypt.encrypt(queued.password)],
first_name=queued.first_name,
email=[queued.email],
username=queued.username,
uid=uidnumber,
gid=100,
gecos='%s %s' % (queued.first_name, queued.last_name),
home_directory='/home/%s' % queued.username,
ACL=['user.group'],
)
new_user.save()
# remove queued account from DB
queued.delete()
messages.success(
request, "Your account has been activated successfully")
except OkupyError as error:
messages.error(request, str(error))
return redirect(login)
def contact_settings(request):
""" Contact details """
with get_bound_ldapuser(request) as user_info:
contact_settings = None
if request.method == "POST":
contact_settings = ContactSettingsForm(request.POST)
if contact_settings.is_valid():
try:
gpg_fingerprint = contact_settings.cleaned_data[
'gpg_fingerprint']
im = contact_settings.cleaned_data['im']
latitude = contact_settings.cleaned_data['latitude']
location = contact_settings.cleaned_data['location']
longitude = contact_settings.cleaned_data['longitude']
phone = contact_settings.cleaned_data['phone']
website = contact_settings.cleaned_data['website']
if user_info.location != location:
user_info.location = location
if user_info.phone != phone:
user_info.phone = phone
if user_info.website != website:
user_info.website.pop()
user_info.website.append(website)
if user_info.im != im:
user_info.im.pop()
user_info.im.append(im)
if user_info.longitude != longitude:
user_info.longitude = longitude
if user_info.latitude != latitude:
user_info.latitude = latitude
if user_info.gpg_fingerprint != gpg_fingerprint:
user_info.gpg_fingerprint.pop()
user_info.gpg_fingerprint.append(gpg_fingerprint)
try:
user_info.save()
except IntegrityError:
pass
except ldap.TYPE_OR_VALUE_EXISTS:
pass
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
raise OkupyError("Can't contact LDAP server")
else:
contact_settings = ContactSettingsForm()
return render(request, 'settings-contact.html', {
'contact_settings': contact_settings,
'user_info': user_info,
})
def logout(request):
""" The logout page """
try:
remove_secondary_password(request)
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
finally:
_logout(request)
return redirect(login)
def logout(request):
""" The logout page """
try:
remove_secondary_password(request)
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
finally:
_logout(request)
return redirect(login)
def gentoo_dev_settings(request):
""" Gentoo related information """
with get_bound_ldapuser(request) as user_info:
gentoo_account_settings = None
if request.method == "POST":
gentoo_account_settings = GentooAccountSettingsForm(request.POST)
if gentoo_account_settings.is_valid():
try:
devbug = gentoo_account_settings.cleaned_data[
'developer_bug']
gentoo_join_date = gentoo_account_settings.cleaned_data[
'gentoo_join_date']
gentoo_mentor = gentoo_account_settings.cleaned_data[
'mentor']
ssh_pubkey = gentoo_account_settings.cleaned_data[
'ssh_key']
if user_info.developer_bug != devbug:
user_info.developer_bug.append(devbug)
if user_info.gentoo_join_date != gentoo_join_date:
user_info.gentoo_join_date.append(gentoo_join_date)
if user_info.mentor != gentoo_mentor:
user_info.mentor.append(gentoo_mentor)
if ssh_pubkey:
user_info.ssh_key.append(ssh_pubkey)
if user_info.is_retired or user_info.gentoo_retire_date:
gentoo_retire_date = gentoo_account_settings.cleaned_data[
'gentoo_retire_date']
if user_info.gentoo_retire_date != gentoo_retire_date:
user_info.gentoo_retire_date.append(
gentoo_retire_date)
try:
user_info.save()
except IntegrityError:
pass
except ldap.TYPE_OR_VALUE_EXISTS:
pass
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
raise OkupyError("Can't contact LDAP server")
else:
gentoo_account_settings = GentooAccountSettingsForm()
return render(request, 'settings-gentoo.html', {
'gentoo_account_settings': gentoo_account_settings,
'user_info': user_info,
})
def password_settings(request):
""" Password settings """
with get_bound_ldapuser(request) as user_info:
password_settings = None
if request.method == "POST":
password_settings = PasswordSettingsForm(request.POST)
if password_settings.is_valid():
try:
new_password = password_settings.cleaned_data[
'new_password']
new_password_verify = password_settings.cleaned_data[
'new_password_verify']
old_password = password_settings.cleaned_data[
'old_password']
if old_password and (new_password == new_password_verify):
for hash in list(user_info.password):
print hash
try:
if ldap_md5_crypt.verify(old_password, hash):
user_info.password.append(
ldap_md5_crypt.encrypt(
new_password_verify))
user_info.password.remove(hash)
break
except ValueError:
# ignore unknown hashes
pass
try:
user_info.save()
except IntegrityError:
pass
except ldap.TYPE_OR_VALUE_EXISTS:
pass
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
raise OkupyError("Can't contact LDAP server")
else:
password_settings = PasswordSettingsForm()
return render(request, 'settings-password.html', {
'password_settings': password_settings,
'user_info': user_info,
})
def password_settings(request):
""" Password settings """
with get_bound_ldapuser(request) as user_info:
password_settings = None
if request.method == "POST":
password_settings = PasswordSettingsForm(request.POST)
if password_settings.is_valid():
try:
new_password = password_settings.cleaned_data[
'new_password']
new_password_verify = password_settings.cleaned_data[
'new_password_verify']
old_password = password_settings.cleaned_data[
'old_password']
if old_password and (new_password == new_password_verify):
for hash in list(user_info.password):
print hash
try:
if ldap_md5_crypt.verify(old_password, hash):
user_info.password.append(
ldap_md5_crypt.encrypt(
new_password_verify))
user_info.password.remove(hash)
break
except ValueError:
# ignore unknown hashes
pass
try:
user_info.save()
except IntegrityError:
pass
except ldap.TYPE_OR_VALUE_EXISTS:
pass
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
raise OkupyError("Can't contact LDAP server")
else:
password_settings = PasswordSettingsForm()
return render(request, 'settings-password.html', {
'password_settings': password_settings,
'user_info': user_info,
})
def profile_settings(request):
""" Primary account settings, """
with get_bound_ldapuser(request) as user_info:
profile_settings = None
if request.method == "POST":
profile_settings = ProfileSettingsForm(request.POST)
if profile_settings.is_valid():
try:
#birthday = profile_settings.cleaned_data['birthday']
first_name = profile_settings.cleaned_data['first_name']
last_name = profile_settings.cleaned_data['last_name']
if user_info.first_name != first_name:
user_info.first_name = first_name
if user_info.last_name != last_name:
user_info.last_name = last_name
user_info.full_name = '%s %s' % (first_name, last_name)
user_info.gecos = '%s %s' % (first_name, last_name)
"""
if user_info.birthday != birthday:
user_info.birthday = birthday
"""
try:
user_info.save()
except IntegrityError:
pass
except ldap.TYPE_OR_VALUE_EXISTS:
pass
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
raise OkupyError("Can't contact LDAP server")
else:
profile_settings = ProfileSettingsForm()
return render(request, 'settings-profile.html', {
'profile_settings': profile_settings,
'user_info': user_info,
})
def profile_settings(request):
""" Primary account settings, """
with get_bound_ldapuser(request) as user_info:
profile_settings = None
if request.method == "POST":
profile_settings = ProfileSettingsForm(request.POST)
if profile_settings.is_valid():
try:
#birthday = profile_settings.cleaned_data['birthday']
first_name = profile_settings.cleaned_data['first_name']
last_name = profile_settings.cleaned_data['last_name']
if user_info.first_name != first_name:
user_info.first_name = first_name
if user_info.last_name != last_name:
user_info.last_name = last_name
user_info.full_name = '%s %s' % (first_name, last_name)
user_info.gecos = '%s %s' % (first_name, last_name)
"""
if user_info.birthday != birthday:
user_info.birthday = birthday
"""
try:
user_info.save()
except IntegrityError:
pass
except ldap.TYPE_OR_VALUE_EXISTS:
pass
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
raise OkupyError("Can't contact LDAP server")
else:
profile_settings = ProfileSettingsForm()
return render(request, 'settings-profile.html', {
'profile_settings': profile_settings,
'user_info': user_info,
})
def email_settings(request):
""" Email Settings """
with get_bound_ldapuser(request) as user_info:
email_settings = None
if request.method == "POST":
email_settings = EmailSettingsForm(request.POST)
if email_settings.is_valid():
try:
email = email_settings.cleaned_data['email']
gravatar_mail = email_settings.cleaned_data['gravatar']
if request.POST.get('delete'):
user_info.email.remove(email)
else:
user_info.email.append(email)
if gravatar_mail:
gravatar_hash = hashlib.md5(gravatar_mail).hexdigest()
user_info.gravatar = gravatar_hash
try:
user_info.save()
except IntegrityError:
pass
except ldap.TYPE_OR_VALUE_EXISTS:
pass
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
raise OkupyError("Can't contact LDAP server")
else:
email_settings = EmailSettingsForm()
return render(request, 'settings-email.html', {
'email_settings': email_settings,
'user_info': user_info,
})
def email_settings(request):
""" Email Settings """
with get_bound_ldapuser(request) as user_info:
email_settings = None
if request.method == "POST":
email_settings = EmailSettingsForm(request.POST)
if email_settings.is_valid():
try:
email = email_settings.cleaned_data['email']
gravatar_mail = email_settings.cleaned_data['gravatar']
if request.POST.get('delete'):
user_info.email.remove(email)
else:
user_info.email.append(email)
if gravatar_mail:
gravatar_hash = hashlib.md5(gravatar_mail).hexdigest()
user_info.gravatar = gravatar_hash
try:
user_info.save()
except IntegrityError:
pass
except ldap.TYPE_OR_VALUE_EXISTS:
pass
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
raise OkupyError("Can't contact LDAP server")
else:
email_settings = EmailSettingsForm()
return render(request, 'settings-email.html', {
'email_settings': email_settings,
'user_info': user_info,
})
def gentoo_dev_settings(request):
""" Gentoo related information """
with get_bound_ldapuser(request) as user_info:
gentoo_account_settings = None
if request.method == "POST":
gentoo_account_settings = GentooAccountSettingsForm(request.POST)
if gentoo_account_settings.is_valid():
try:
devbug = gentoo_account_settings.cleaned_data[
'developer_bug']
gentoo_join_date = gentoo_account_settings.cleaned_data[
'gentoo_join_date']
gentoo_mentor = gentoo_account_settings.cleaned_data[
'mentor']
gentoo_retire_date = gentoo_account_settings.cleaned_data[
'gentoo_retire_date']
gentoo_mentor = gentoo_account_settings.cleaned_data[
'mentor']
planet_feed = gentoo_account_settings.cleaned_data[
'planet_feed']
universe_feed = gentoo_account_settings.cleaned_data[
'universe_feed']
if request.POST.get('delete_devbug'):
user_info.devbug.remove(devbug)
elif devbug and (not devbug in user_info.developer_bug):
user_info.developer_bug.append(devbug)
if request.POST.get('delete_gjd'):
user_info.gentoo_join_date.remove(gentoo_join_date)
elif gentoo_join_date and (not gentoo_join_date
in user_info.gentoo_join_date):
user_info.gentoo_join_date.append(gentoo_join_date)
if request.POST.get('delete_mentor'):
user_info.mentor.remove(gentoo_mentor)
elif gentoo_mentor and \
(not gentoo_mentor in user_info.mentor):
user_info.mentor.append(gentoo_mentor)
if user_info.gentoo_retire_date:
if request.POST.get('delete_grd'):
user_info.gentoo_retire_date.remove(
gentoo_retire_date)
elif gentoo_retire_date and (
not gentoo_retire_date
in user_info.gentoo_retire_date):
user_info.gentoo_retire_date.append(
gentoo_retire_date)
if user_info.planet_feed != planet_feed:
user_info.planet_feed = planet_feed
if user_info.universe_feed != universe_feed:
user_info.universe_feed = universe_feed
try:
user_info.save()
except IntegrityError:
pass
except ldap.TYPE_OR_VALUE_EXISTS:
pass
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
raise OkupyError("Can't contact LDAP server")
else:
gentoo_account_settings = GentooAccountSettingsForm()
return render(
request, 'settings-gentoo.html', {
'gentoo_account_settings': gentoo_account_settings,
'user_info': user_info,
})
def contact_settings(request):
""" Contact details """
with get_bound_ldapuser(request) as user_info:
contact_settings = None
if request.method == "POST":
contact_settings = ContactSettingsForm(request.POST)
if contact_settings.is_valid():
try:
gpg_fingerprint = contact_settings.cleaned_data[
'gpg_fingerprint']
im = contact_settings.cleaned_data['im']
latitude = contact_settings.cleaned_data['latitude']
location = contact_settings.cleaned_data['location']
longitude = contact_settings.cleaned_data['longitude']
phone = contact_settings.cleaned_data['phone']
website = contact_settings.cleaned_data['website']
if location and user_info.location != location:
user_info.location = location
if user_info.phone != phone:
user_info.phone = phone
if request.POST.get('delete_web'):
user_info.website.remove(website)
elif website and (not website in user_info.website):
user_info.website.append(website)
if request.POST.get('delete_im'):
user_info.im.remove(im)
elif im and (not im in user_info.im):
user_info.im.append(im)
if user_info.longitude != longitude:
user_info.longitude = longitude
if user_info.latitude != latitude:
user_info.latitude = latitude
if request.POST.get('delete_gpg'):
user_info.gpg_fingerprint.remove(gpg_fingerprint)
elif gpg_fingerprint and \
(not gpg_fingerprint in user_info.gpg_fingerprint):
user_info.gpg_fingerprint.append(gpg_fingerprint)
try:
user_info.save()
except IntegrityError:
pass
except ldap.TYPE_OR_VALUE_EXISTS:
pass
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
raise OkupyError("Can't contact LDAP server")
else:
contact_settings = ContactSettingsForm()
return render(request, 'settings-contact.html', {
'contact_settings': contact_settings,
'user_info': user_info,
})
def login(request):
""" The login page """
user = None
oreq = request.session.get('openid_request', None)
# this can be POST or GET, and can be null or empty
next = request.REQUEST.get('next') or reverse(index)
is_otp = False
login_form = None
strong_auth_req = 'strong_auth_requested' in request.session
if oreq:
login_form_class = OpenIDLoginForm
elif ('strong_auth_requested' in request.session
and request.user.is_authenticated()):
login_form_class = StrongAuthForm
else:
login_form_class = LoginForm
try:
if request.method != 'POST':
pass
elif 'cancel' in request.POST:
# note: this wipes request.session
_logout(request)
if oreq is not None:
oresp = oreq.answer(False)
return render_openid_response(request, oresp)
elif 'otp_token' in request.POST:
# if user's not authenticated, go back to square one
if not request.user.is_authenticated():
raise OkupyError('OTP verification timed out')
is_otp = True
otp_form = OTPForm(request.POST)
if otp_form.is_valid():
token = otp_form.cleaned_data['otp_token']
else:
raise OkupyError('OTP verification failed')
# prevent replay attacks and race conditions
if not RevokedToken.add(token, request.user):
raise OkupyError('OTP verification failed')
dev = django_otp.match_token(request.user, token)
if not dev:
raise OkupyError('OTP verification failed')
django_otp.login(request, dev)
else:
login_form = login_form_class(request.POST)
if login_form.is_valid():
if login_form_class != StrongAuthForm:
username = login_form.cleaned_data['username']
else:
username = request.user.username
password = login_form.cleaned_data['password']
else:
raise OkupyError('Login failed')
"""
Perform authentication, if it retrieves a user object then
it was successful. If it retrieves None then it failed to login
"""
try:
user = authenticate(
request=request,
username=username,
password=password)
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
raise OkupyError(
"Can't contact the LDAP server or the database")
if not user:
raise OkupyError('Login failed')
if oreq:
request.session['auto_logout'] = (
login_form.cleaned_data['auto_logout'])
except OkupyError as error:
messages.error(request, str(error))
if user and user.is_active:
_login(request, user)
# prepare devices, and see if OTP is enabled
init_otp(request)
set_secondary_password(request=request, password=password)
if request.user.is_authenticated():
if (strong_auth_req
and not 'secondary_password' in request.session):
if request.method != 'POST':
messages.info(request, 'You need to type in your password'
+ ' again to perform this action')
else:
if request.user.is_verified():
return redirect(next)
login_form = OTPForm()
is_otp = True
if login_form is None:
login_form = login_form_class()
if is_otp or strong_auth_req:
ssl_auth_form = None
ssl_auth_uri = None
ssh_auth_command = None
else:
encrypted_id = sessionrefcipher.encrypt(request.session)
# TODO: it fails when:
# 1. site is accessed via IP (auth.127.0.0.1),
# 2. HTTP used on non-standard port (https://...:8000).
ssl_auth_form = SSLCertLoginForm({
'session': encrypted_id,
'next': request.build_absolute_uri(next),
'login_uri': request.build_absolute_uri(request.get_full_path()),
})
ssl_auth_host = 'auth.' + request.get_host()
ssl_auth_path = reverse(ssl_auth)
ssl_auth_uri = urljoin('https://' + ssl_auth_host, ssl_auth_path)
if settings.SSH_BIND[1] == 22:
ssh_port_opt = ''
else:
ssh_port_opt = '-p %d ' % settings.SSH_BIND[1]
ssh_auth_command = 'ssh %sauth+%s@%s' % (
ssh_port_opt,
encrypted_id,
request.get_host().split(':')[0])
return render(request, 'login.html', {
'login_form': login_form,
'openid_request': oreq,
'next': next,
'ssl_auth_uri': ssl_auth_uri,
'ssl_auth_form': ssl_auth_form,
'ssh_auth_command': ssh_auth_command,
'is_otp': is_otp,
})
def login(request):
""" The login page """
user = None
oreq = request.session.get('openid_request', None)
# this can be POST or GET, and can be null or empty
next = request.REQUEST.get('next') or reverse(index)
is_otp = False
login_form = None
strong_auth_req = 'strong_auth_requested' in request.session
if oreq:
login_form_class = OpenIDLoginForm
elif ('strong_auth_requested' in request.session
and request.user.is_authenticated()):
login_form_class = StrongAuthForm
else:
login_form_class = LoginForm
try:
if request.method != 'POST':
pass
elif 'cancel' in request.POST:
# note: this wipes request.session
_logout(request)
if oreq is not None:
oresp = oreq.answer(False)
return render_openid_response(request, oresp)
elif 'otp_token' in request.POST:
# if user's not authenticated, go back to square one
if not request.user.is_authenticated():
raise OkupyError('OTP verification timed out')
is_otp = True
otp_form = OTPForm(request.POST)
if otp_form.is_valid():
token = otp_form.cleaned_data['otp_token']
else:
raise OkupyError('OTP verification failed')
# prevent replay attacks and race conditions
if not RevokedToken.add(token, request.user):
raise OkupyError('OTP verification failed')
dev = django_otp.match_token(request.user, token)
if not dev:
raise OkupyError('OTP verification failed')
django_otp.login(request, dev)
else:
login_form = login_form_class(request.POST)
if login_form.is_valid():
if login_form_class != StrongAuthForm:
username = login_form.cleaned_data['username']
else:
username = request.user.username
password = login_form.cleaned_data['password']
else:
raise OkupyError('Login failed')
"""
Perform authentication, if it retrieves a user object then
it was successful. If it retrieves None then it failed to login
"""
try:
user = authenticate(request=request,
username=username,
password=password)
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
raise OkupyError(
"Can't contact the LDAP server or the database")
if not user:
raise OkupyError('Login failed')
if oreq:
request.session['auto_logout'] = (
login_form.cleaned_data['auto_logout'])
except OkupyError as error:
messages.error(request, str(error))
if user and user.is_active:
_login(request, user)
# prepare devices, and see if OTP is enabled
init_otp(request)
set_secondary_password(request=request, password=password)
if request.user.is_authenticated():
if (strong_auth_req and not 'secondary_password' in request.session):
if request.method != 'POST':
messages.info(
request, 'You need to type in your password' +
' again to perform this action')
else:
if request.user.is_verified():
return redirect(next)
login_form = OTPForm()
is_otp = True
if login_form is None:
login_form = login_form_class()
if is_otp or strong_auth_req:
ssl_auth_form = None
ssl_auth_uri = None
ssh_auth_command = None
else:
encrypted_id = sessionrefcipher.encrypt(request.session)
# TODO: it fails when:
# 1. site is accessed via IP (auth.127.0.0.1),
# 2. HTTP used on non-standard port (https://...:8000).
ssl_auth_form = SSLCertLoginForm({
'session':
encrypted_id,
'next':
request.build_absolute_uri(next),
'login_uri':
request.build_absolute_uri(request.get_full_path()),
})
ssl_auth_host = 'auth.' + request.get_host()
ssl_auth_path = reverse(ssl_auth)
ssl_auth_uri = urljoin('https://' + ssl_auth_host, ssl_auth_path)
if settings.SSH_BIND[1] == 22:
ssh_port_opt = ''
else:
ssh_port_opt = '-p %d ' % settings.SSH_BIND[1]
ssh_auth_command = 'ssh %sauth+%s@%s' % (
ssh_port_opt, encrypted_id, request.get_host().split(':')[0])
return render(
request, 'login.html', {
'login_form': login_form,
'openid_request': oreq,
'next': next,
'ssl_auth_uri': ssl_auth_uri,
'ssl_auth_form': ssl_auth_form,
'ssh_auth_command': ssh_auth_command,
'is_otp': is_otp,
})
def gentoo_dev_settings(request):
""" Gentoo related information """
with get_bound_ldapuser(request) as user_info:
gentoo_account_settings = None
if request.method == "POST":
gentoo_account_settings = GentooAccountSettingsForm(request.POST)
if gentoo_account_settings.is_valid():
try:
devbug = gentoo_account_settings.cleaned_data[
'developer_bug']
gentoo_join_date = gentoo_account_settings.cleaned_data[
'gentoo_join_date']
gentoo_mentor = gentoo_account_settings.cleaned_data[
'mentor']
gentoo_retire_date = gentoo_account_settings.cleaned_data[
'gentoo_retire_date']
gentoo_mentor = gentoo_account_settings.cleaned_data[
'mentor']
planet_feed = gentoo_account_settings.cleaned_data[
'planet_feed']
universe_feed = gentoo_account_settings.cleaned_data[
'universe_feed']
if request.POST.get('delete_devbug'):
user_info.devbug.remove(devbug)
elif devbug and (not devbug in user_info.developer_bug):
user_info.developer_bug.append(devbug)
if request.POST.get('delete_gjd'):
user_info.gentoo_join_date.remove(gentoo_join_date)
elif gentoo_join_date and (not gentoo_join_date in user_info.gentoo_join_date):
user_info.gentoo_join_date.append(gentoo_join_date)
if request.POST.get('delete_mentor'):
user_info.mentor.remove(gentoo_mentor)
elif gentoo_mentor and \
(not gentoo_mentor in user_info.mentor):
user_info.mentor.append(gentoo_mentor)
if user_info.gentoo_retire_date:
if request.POST.get('delete_grd'):
user_info.gentoo_retire_date.remove(gentoo_retire_date)
elif gentoo_retire_date and (not gentoo_retire_date in user_info.gentoo_retire_date):
user_info.gentoo_retire_date.append(gentoo_retire_date)
if user_info.planet_feed != planet_feed:
user_info.planet_feed = planet_feed
if user_info.universe_feed != universe_feed:
user_info.universe_feed = universe_feed
try:
user_info.save()
except IntegrityError:
pass
except ldap.TYPE_OR_VALUE_EXISTS:
pass
except Exception as error:
logger.critical(error, extra=log_extra_data(request))
logger_mail.exception(error)
raise OkupyError("Can't contact LDAP server")
else:
gentoo_account_settings = GentooAccountSettingsForm()
return render(request, 'settings-gentoo.html', {
'gentoo_account_settings': gentoo_account_settings,
'user_info': user_info,
})
