def view_authenticate_module(module): if not 'success_forward' in request.transaction or \ not 'failure_forward' in request.transaction or \ not 'login_target' in request.transaction: logger.info('Invalid request without success or failure urls or login target in the transaction') logger.debug('Transaction: %s', request.transaction) return redirect(complete_url_for('view_main')) url_success = complete_url_for(request.transaction['success_forward'], transaction=request.transaction_id) email_auth_domain = None if 'email_auth_domain' in request.transaction: email_auth_domain = request.transaction['email_auth_domain'] auth_module = get_auth_module_by_name(module) if not auth_module: logger.warning('Selected module %s, but no longer available', module) return redirect(complete_url_for('view_authenticate', transaction=request.transaction_id)) result = auth_module.authenticate(request.transaction['login_target'], complete_url_for('view_authenticate_module', module=module), requested_attributes=request.transaction['requested_attributes']) if result == True: logger.debug('Was already logged on') return redirect(url_success) elif result == False: logger.debug('Authentication module cancelled') return redirect(complete_url_for('view_authenticate', transaction=request.transaction_id, cancelmodule=True)) else: # Otherwise it's an flask result return result
def view_openid_id(username): return render_template( 'openid_user.html', username=username, claimed_id=get_claimed_id(username), yadis_url=complete_url_for('view_openid_yadis_id', username=username) ), 200, {'X-XRDS-Location': complete_url_for('view_openid_yadis_id', username=username), 'Cache-Control': 'no-cache, must-revalidate', 'Pragma': 'no-cache', 'Expires': 'Sat, 26 Jul 1997 05:00:00 GMT'}
def user_ask_trust_root(openid_request): if request.method == 'POST' and 'form_filled' in request.form: if not 'csrf_id' in get_session() \ or not 'csrf_value' in request.form \ or request.form['csrf_value'] != get_session()['csrf_id']: return 'CSRF Protection value invalid' if 'decided_allow' in request.form: addToSessionArray('TRUSTED_ROOTS', openid_request.trust_root) else: addToSessionArray('NON_TRUSTED_ROOTS', openid_request.trust_root) return redirect(request.url) get_session()['csrf_id'] = uuid().hex get_session().save() # Get which stuff we will send sreg_data = get_auth_module().get_sreg() sreg_req = sreg.SRegRequest.fromOpenIDRequest(openid_request) sreg_resp = sreg.SRegResponse.extractResponse(sreg_req, sreg_data) teams_req = teams.TeamsRequest.fromOpenIDRequest(openid_request) teams_resp = teams.TeamsResponse.extractResponse( teams_req, filter_cla_groups(get_auth_module().get_groups())) clas_req = cla.CLARequest.fromOpenIDRequest(openid_request) clas_resp = cla.CLAResponse.extractResponse( clas_req, get_cla_uris(get_auth_module().get_groups())) # Show form return render_template( 'openid_user_ask_trust_root.html', action=complete_url_for('view_main'), trust_root=openid_request.trust_root, sreg_policy_url=sreg_req.policy_url or _('None provided'), sreg_data=sreg_resp.data, teams_provided=teams_resp.teams, cla_done=cla.CLA_URI_FEDORA_DONE in clas_resp.clas, csrf=get_session()['csrf_id'])
def view_openid_id(username): return render_template('openid_user.html', username=username, claimed_id=get_claimed_id(username), yadis_url=complete_url_for('view_openid_yadis_id', username=username)), 200, { 'X-XRDS-Location': complete_url_for('view_openid_yadis_id', username=username), 'Cache-Control': 'no-cache, must-revalidate', 'Pragma': 'no-cache', 'Expires': 'Sat, 26 Jul 1997 05:00:00 GMT' }
def view_authenticate(): own_url = complete_url_for('view_authenticate', transaction=request.transaction_id) email_auth_domain = None if 'email_auth_domain' in request.transaction: email_auth_domain = request.transaction['email_auth_domain'] listed_auth_modules = get_listed_auth_modules(email_auth_domain) if not 'success_forward' in request.transaction or not 'failure_forward' in request.transaction or not 'login_target' in request.transaction: logger.info('Invalid request without success or failure urls or login target in the transaction') logger.debug('Transaction: %s', request.transaction) return redirect(complete_url_for('view_main')) url_success = complete_url_for(request.transaction['success_forward'], transaction=request.transaction_id) url_failure = complete_url_for(request.transaction['failure_forward'], transaction=request.transaction_id) if request.auth_module: if 'already_authenticated' in request.transaction and \ request.transaction['already_authenticated']: return 'ERROR: You are already authenticated, but still forwarded to authentication system' request.transaction['already_authenticated'] = True request.save_transaction() logger.debug('Was redirected to authenticate while already authenticated') return redirect(url_success) elif len(listed_auth_modules) == 1: # Only one module selectable. Select and redirect if 'cancelmodule' in request.args: logger.debug('Authentication cancelled') return redirect(url_failure) logger.debug('Automatically selecting module %s', listed_auth_modules[0]) return redirect(complete_url_for('view_authenticate_module', module=listed_auth_modules[0], transaction=request.transaction_id)) elif len(listed_auth_modules) == 0: if 'cancel' in request.args: logger.debug('Authentication cancelled') return redirect(url_failure) else: logger.debug('No listable authentication modules') return render_template('not_authenticated.html'), 401 else: # Cancelled from selection screen if 'cancel' in request.args: logger.debug('Authentication cancelled') return redirect(url_failure) else: # Show selection form. modules = [] for module in listed_auth_modules: url = complete_url_for('view_authenticate_module', module=module, transaction=request.transaction_id) modules.append(get_auth_module_by_name(module).get_select_info(url)) return render_template('select_module.html', modules=modules, cancel_url=complete_url_for('view_authenticate', transaction=request.transaction_id, cancel=True)), 200
def view_main(): error = None if 'err' in request.args: error = error_to_string(request.args['err']) yadis_url = '' if 'fedoauth.provider.openid' in APP.config['AUTH_PROVIDER_CONFIGURATION'] and \ APP.config['AUTH_PROVIDER_CONFIGURATION']['fedoauth.provider.openid']['enabled']: yadis_url = complete_url_for('view_openid_yadis') return render_template( 'index.html', yadis_url=yadis_url, error=error ), 200, {'X-XRDS-Location': yadis_url}
get_session().save() else: if 'values' in get_session(): values = get_session()['values'] else: values = {} try: openid_request = get_server().decodeRequest(values) except server.ProtocolError, openid_error: return openid_respond(openid_error) if openid_request is None: return render_template( 'index.html', yadis_url=complete_url_for('view_openid_yadis') ), 200, {'X-XRDS-Location': complete_url_for('view_openid_yadis')} elif openid_request.mode in ['checkid_immediate', 'checkid_setup']: authed = isAuthorized(openid_request) if authed == AUTH_OK: openid_response = openid_request.answer( True, identity=get_claimed_id( get_auth_module().get_username() ), claimed_id=get_claimed_id(get_auth_module().get_username()) ) sreg_info = addSReg(openid_request, openid_response) teams_info = addTeams( openid_request, openid_response,
def openid_checkid(openid_request): # Assumption: we are logged in, so request.auth_module is valid # Return True to get an automatically signed response to be returned # In immediate, return anything else for failure response # In non-immediate, anything else will be returned as-is to the browser if not openid_request.idSelect() and \ get_claimed_id( request.auth_module.get_username() ) != openid_request.identity: return 'NOT YOUR IDENTITY!' if openid_request.trust_root in config['non_trusted_roots']: logger.warning('Blacklisted trustroot attempted: %s', openid_request.trust_root) return False if openid_request.trust_root in config['trusted_roots']: return True # We should check if the user accepts this trust_root if Remembered.getremembered('OpenIDAllow', request.auth_module.full_name, request.auth_module.get_username(), openid_request.trust_root) is not None: logger.debug('User previously marked root as remembered trusted') return True elif request.method == 'POST' and 'form_filled' in request.form and \ 'decided_allow' in request.form: rememberForDays = request.form.get('rememberForDays', '0') try: rememberForDays = int(rememberForDays) except: rememberForDays = 0 if rememberForDays < 0 or rememberForDays > 7: # They selected another option. We don't want either rememberForDays = 0 if rememberForDays != 0: Remembered.rememberForDays('OpenIDAllow', rememberForDays, None, request.auth_module.full_name, request.auth_module.get_username(), openid_request.trust_root) return True elif request.method == 'POST' and 'form_filled' in request.form: logger.debug('User chose not to trust trustroot') return False else: # Show the user the authorization form sreg_req = sreg.SRegRequest.fromOpenIDRequest(openid_request) sreg_data = addSReg(openid_request, None) ax_data = addAX(openid_request, None) teams_data = addTeams(openid_request, None) clas_data = addCLAs(openid_request, None) # Hide this sreg_data.update(ax_data) data = [] for field in sreg_data: data.append({'text': field, 'value': sreg_data[field]}) # Sort these functions data.sort() for team in teams_data: data.append({'text': 'Group', 'value': team}) if clas_data != []: data.append({'text': 'FPCA Completed', 'value': 'True'}) return render_template( 'openid_user_ask_trust_root.html', action=complete_url_for('view_openid_main', transaction=request.transaction_id), trust_root=openid_request.trust_root, sreg_policy_url=sreg_req.policy_url or 'None provided', data=data)
@APP.route('/openid/failure/') def view_openid_main_failure(): values = None if ('%s_values' % __name__) in request.transaction: values = request.transaction['%s_values' % __name__] openid_request = None try: openid_request = get_server().decodeRequest(values) except server.ProtocolError, openid_error: return openid_respond(openid_error) if openid_request is None: return redirect(complete_url_for('view_main')) logger.debug('User cancelled signin') return openid_respond(openid_request.answer(False)) def get_required_attributes(openid_request): requested = [SREG_ATTRIBUTES] ax_req = ax.FetchRequest.fromOpenIDRequest(openid_request) if ax_req is not None: for type_uri, attribute in ax_req.requested_attributes.iteritems(): if type_uri in AX_WELLKNOWN.keys(): requested.append(AX_WELLKNOWN[type_uri])
def start_authentication(self): return redirect(complete_url_for('view_fas_login'))
def openid_checkid(openid_request): # Assumption: we are logged in, so request.auth_module is valid # Return True to get an automatically signed response to be returned # In immediate, return anything else for failure response # In non-immediate, anything else will be returned as-is to the browser if not openid_request.idSelect() and \ get_claimed_id( request.auth_module.get_username() ) != openid_request.identity: return 'NOT YOUR IDENTITY!' if openid_request.trust_root in config['non_trusted_roots']: logger.warning('Blacklisted trustroot attempted: %s', openid_request.trust_root) return False if openid_request.trust_root in config['trusted_roots']: return True # We should check if the user accepts this trust_root if Remembered.getremembered('OpenIDAllow', request.auth_module.full_name, request.auth_module.get_username(), openid_request.trust_root) is not None: logger.debug('User previously marked root as remembered trusted') return True elif request.method == 'POST' and 'form_filled' in request.form and \ 'decided_allow' in request.form: rememberForDays = request.form.get('rememberForDays', '0') try: rememberForDays = int(rememberForDays) except: rememberForDays = 0 if rememberForDays < 0 or rememberForDays > 7: # They selected another option. We don't want either rememberForDays = 0 if rememberForDays != 0: Remembered.rememberForDays('OpenIDAllow', rememberForDays, None, request.auth_module.full_name, request.auth_module.get_username(), openid_request.trust_root) return True elif request.method == 'POST' and 'form_filled' in request.form: logger.debug('User chose not to trust trustroot') return False else: # Show the user the authorization form sreg_req = sreg.SRegRequest.fromOpenIDRequest(openid_request) sreg_data = addSReg(openid_request, None) ax_data = addAX(openid_request, None) teams_data = addTeams(openid_request, None) clas_data = addCLAs(openid_request, None) # Hide this sreg_data.update(ax_data) data = [] for field in sreg_data: data.append({'text': field, 'value': sreg_data[field]}) # Sort these functions data.sort() for team in teams_data: data.append({'text': 'Group', 'value': team}) if clas_data != []: data.append({'text': 'FPCA Completed', 'value': 'True'}) return render_template( 'openid_user_ask_trust_root.html', action=complete_url_for('view_openid_main', transaction=request.transaction_id), trust_root=openid_request.trust_root, sreg_policy_url=sreg_req.policy_url or 'None provided', data=data)
@APP.route('/openid/failure/') def view_openid_main_failure(): values = None if ('%s_values' % __name__) in request.transaction: values = request.transaction['%s_values' % __name__] openid_request = None try: openid_request = get_server().decodeRequest(values) except server.ProtocolError, openid_error: return openid_respond(openid_error) if openid_request is None: return redirect(complete_url_for('view_main')) logger.debug('User cancelled signin') return openid_respond(openid_request.answer(False)) def get_required_attributes(openid_request): requested = [SREG_ATTRIBUTES] ax_req = ax.FetchRequest.fromOpenIDRequest(openid_request) if ax_req is not None: for type_uri, attribute in ax_req.requested_attributes.iteritems(): if type_uri in AX_WELLKNOWN.keys(): requested.append(AX_WELLKNOWN[type_uri])