Exemple #1
0
def user_ask_trust_root(openid_request):
    if request.method == 'POST' and 'form_filled' in request.form:
        if not 'csrf_id' in get_session() \
                or not 'csrf_value' in request.form \
                or request.form['csrf_value'] != get_session()['csrf_id']:
            return 'CSRF Protection value invalid'
        if 'decided_allow' in request.form:
            addToSessionArray('TRUSTED_ROOTS', openid_request.trust_root)
        else:
            addToSessionArray('NON_TRUSTED_ROOTS', openid_request.trust_root)
        return redirect(request.url)
    get_session()['csrf_id'] = uuid().hex
    get_session().save()
    # Get which stuff we will send
    sreg_data = get_auth_module().get_sreg()
    sreg_req = sreg.SRegRequest.fromOpenIDRequest(openid_request)
    sreg_resp = sreg.SRegResponse.extractResponse(sreg_req, sreg_data)
    teams_req = teams.TeamsRequest.fromOpenIDRequest(openid_request)
    teams_resp = teams.TeamsResponse.extractResponse(
        teams_req,
        filter_cla_groups(get_auth_module().get_groups()))
    clas_req = cla.CLARequest.fromOpenIDRequest(openid_request)
    clas_resp = cla.CLAResponse.extractResponse(
        clas_req,
        get_cla_uris(get_auth_module().get_groups()))
    # Show form
    return render_template(
        'openid_user_ask_trust_root.html',
        action=complete_url_for('view_main'),
        trust_root=openid_request.trust_root,
        sreg_policy_url=sreg_req.policy_url or _('None provided'),
        sreg_data=sreg_resp.data,
        teams_provided=teams_resp.teams,
        cla_done=cla.CLA_URI_FEDORA_DONE in clas_resp.clas,
        csrf=get_session()['csrf_id'])
Exemple #2
0
def isAuthorized(openid_request):
    pape_req_time, pape_auth_policies, pape_auth_level_types = \
        getPapeRequestInfo(openid_request)

    if not get_auth_module().logged_in():
        return AUTH_NOT_LOGGED_IN
    elif (pape_req_time) and (pape_req_time != 0) and (
            get_session()['last_auth_time'] < (time() - pape_req_time)):
        return AUTH_TIMEOUT
    elif (app.config['OPENID_MAX_AUTH_TIME'] != 0) and (
            get_session()['last_auth_time'] < (time() - (
            app.config['OPENID_MAX_AUTH_TIME'] * 60))):
        return AUTH_TIMEOUT
    # Add checks if yubikey is required by application
    elif (not openid_request.idSelect()) and (
            openid_request.identity != get_claimed_id(
                get_auth_module().get_username())):
        return AUTH_INCORRECT_IDENTITY
    elif openid_request.trust_root in app.config['OPENID_TRUSTED_ROOTS']:
        return AUTH_OK
    elif openid_request.trust_root in app.config['OPENID_NON_TRUSTED_ROOTS']:
        return AUTH_TRUST_ROOT_CONFIG_NOT_OK
    elif openid_request.trust_root in getSessionValue('TRUSTED_ROOTS', []):
        return AUTH_OK
    elif openid_request.trust_root in getSessionValue('NON_TRUSTED_ROOTS', []):
        return AUTH_TRUST_ROOT_NOT_OK
    else:
        # The user still needs to determine if he/she allows this trust root
        return AUTH_TRUST_ROOT_ASK
Exemple #3
0
 def view_fas_login():
     if not 'next' in request.args and not 'next' in get_session():
         return redirect(url_for('view_main'))
     if 'next' in request.args:
         get_session()['next'] = request.args['next']
         get_session().save()
     if get_auth_module().logged_in() and not \
             ('timeout' in get_session() and get_session()['timeout']):
         # We can also have "timeout" as of 0.4.0
         # indicating PAPE or application configuration requires a re-auth
         log_debug('Info', {
             'message': 'User tried to login but is already authenticated'})
         return redirect(get_session()['next'])
     if request.method == 'POST':
         username = request.form['username']
         password = request.form['password']
         if (not app.config['FAS_AVAILABLE_FILTER']) or \
                 (username in app.config['FAS_AVAILABLE_TO']):
             if username == '' or password == '':
                 user = None
             else:
                 user = get_auth_module().check_login(username, password)
             if user:
                 log_info('Success', {
                     'username': username,
                     'message': 'User authenticated succesfully'})
                 user = user.toDict()  # A bunch is not serializable...
                 user['groups'] = [x['name'] for x in
                                   user['approved_memberships']]
                 get_session()['user'] = user
                 get_session()['last_auth_time'] = time()
                 get_session()['timeout'] = False
                 get_session()['trust_root'] = ''
                 get_session().save()
                 return redirect(get_session()['next'])
             else:
                 log_warning('Failure', {
                     'username': username,
                     'message': 'User entered incorrect username or password'})
                 flash(_('Incorrect username or password'))
         else:
             log_warning('Failure', {
                 'username': username,
                 'message': 'Tried to login with an account that is not '
                            'allowed to use this service'})
             flash(_('This service is limited to the following '
                     'users: %(users)s',
                     users=', '.join(app.config['FAS_AVAILABLE_TO'])))
     return render_template(
         'auth_fas_login.html',
         trust_root=get_session()['trust_root'])
Exemple #4
0
def view_openid_api_v1():
    values = request.form
    openid_request = get_server().decodeRequest(values)
    if not openid_request:
        return { 'success': False
               , 'status': 400
               , 'message': 'Invalid request'
               }
    auth_result = get_auth_module().api_authenticate(values)
    if not auth_result:
        return { 'success': False
               , 'status': 403
               , 'message': 'Authentication failed'
               }
    openid_response = openid_request.answer(
        True,
        identity=get_claimed_id(auth_result['username']),
        claimed_id=get_claimed_id(auth_result['username'])
    )
    # SReg
    sreg_req = sreg.SRegRequest.fromOpenIDRequest(openid_request)
    sreg_resp = sreg.SRegResponse.extractResponse(sreg_req, auth_result)
    openid_response.addExtension(sreg_resp)
    # Teams
    teams_req = teams.TeamsRequest.fromOpenIDRequest(openid_request)
    if teams_req.requested != []:
        groups = filter_cla_groups(auth_result['groups'])
        teams_resp = teams.TeamsResponse.extractResponse(teams_req,
                                                         groups)
        openid_response.addExtension(teams_resp)
    # CLA
    cla_req = cla.CLARequest.fromOpenIDRequest(openid_request)
    if cla_req.requested != []:
        cla_uris = get_cla_uris(auth_result['groups'])
        cla_resp = cla.CLAResponse.extractResponse(cla_req, cla_uris)
        openid_response.addExtension(cla_resp)
    # PAPE
    pape_resp = pape.Response(
        auth_policies=[],
        auth_time=datetime.utcfromtimestamp(time()).strftime(
                                        '%Y-%m-%dT%H:%M:%SZ'),
        auth_levels={pape.LEVELS_NIST: 2})
    openid_response.addExtension(pape_resp)
    # Return
    response_strings = openid_response.encodeToKVForm().split('\n')
    response = {}
    for resp in response_strings:
        if resp != '':
            resp = resp.split(':', 1)
            response[resp[0]] = resp[1]
    return {'success': True,
            'response': response}
Exemple #5
0
def addPape(request, response):
    auth_time = datetime.utcfromtimestamp(
        get_session()['last_auth_time']).strftime('%Y-%m-%dT%H:%M:%SZ')
    auth_policies = []
    auth_levels = {}
    auth_levels[pape.LEVELS_NIST] = 2

    if get_auth_module().used_multi_factor():
        auth_policies.append(pape.AUTH_MULTI_FACTOR)
        if get_auth_module().used_multi_factor_physical():
            auth_policies.append(pape.AUTH_MULTI_FACTOR_PHYSICAL)
            if get_auth_module().used_phishing_resistant():
                auth_policies.append(pape.AUTH_PHISHING_RESISTANT)
                auth_levels[pape.LEVELS_NIST] = 3
    else:
        auth_policies.append(pape.AUTH_NONE)

    pape_resp = pape.Response(
        auth_policies=auth_policies,
        auth_time=auth_time,
        auth_levels=auth_levels)
    response.addExtension(pape_resp)
    return auth_levels[pape.LEVELS_NIST]
Exemple #6
0
 def view_persona_fas_login():
     if not 'username' in request.form or not 'password' in  request.form:
         return Response('No user or pw', status=400)
     if get_auth_module().logged_in():
         return Response('Already logged in', status=409)
     username = request.form['username']
     password = request.form['password']
     if (not app.config['FAS_AVAILABLE_FILTER']) or \
             (username in app.config['FAS_AVAILABLE_TO']):
         if username == '' or password == '':
             user = None
         else:
             user = get_auth_module().check_login(username, password)
         if user:
             log_info('Success', {
                 'username': username,
                 'message': 'User authenticated succesfully'})
             user = user.toDict()  # A bunch is not serializable...
             user['groups'] = [x['name'] for x in
                               user['approved_memberships']]
             get_session()['user'] = user
             get_session()['last_auth_time'] = time()
             get_session()['timeout'] = False
             get_session()['trust_root'] = ''
             get_session().save()
             return Response('Success', status=200)
         else:
             log_warning('Failure', {
                 'username': username,
                 'message': 'User entered incorrect username or password'})
             return Response('Incorrect username or password', status=403)
     else:
         log_warning('Failure', {
             'username': username,
             'message': 'Tried to login with an account that is not '
                        'allowed to use this service'})
         return Response('Service limited to a restricted set of users', status=403)
Exemple #7
0
 def view_persons_provision_sign():
     if not 'email' in request.form or not 'publicKey' in request.form \
             or not 'certDuration' in request.form:
         return Response('Invalid request', status=400)
     email = request.form['email']
     publicKey = request.form['publicKey']
     certDuration = request.form['certDuration']
     if email == ('%s@%s' % (get_auth_module().get_username()
                            , app.config['PERSONA_DOMAIN'])):
         return persona_sign(email, publicKey, certDuration)
     else:
         if get_auth_module().logged_in():
             log_error('Failure', {
                 'email': email,
                 'username': get_auth_module().get_username(),
                 'message': 'User tried to get certificate for incorrect user'
             })
             return Response('Incorrect user!', status=403)
         else:
             log_error('Failure', {
                 'email': email,
                 'message': 'User tried to get certificate while not logged in'
             })
             return Response('Not signed in', status=401)
Exemple #8
0
 def api_authenticate(self, post_data):
     if not 'username' in post_data or not 'password' in post_data:
         return False
     username = post_data['username']
     password = post_data['password']
     if not username or not password:
         return False
     user = get_auth_module().check_login(username, password)
     if not user:
         return False
     user['groups'] = [x['name'] for x in user['approved_memberships']]
     user['last_auth_time'] = time()
     return { 'username': user['username']
            , 'email': user['email']
            , 'fullname': user['human_name']
            , 'timezone': user['timezone']
            , 'groups': user['groups']
            }
Exemple #9
0
def addSReg(request, response):
    sreg_req = sreg.SRegRequest.fromOpenIDRequest(request)
    sreg_data = get_auth_module().get_sreg()
    sreg_resp = sreg.SRegResponse.extractResponse(sreg_req, sreg_data)
    response.addExtension(sreg_resp)
    return sreg_resp.data
Exemple #10
0
        openid_request = get_server().decodeRequest(values)
    except server.ProtocolError, openid_error:
        return openid_respond(openid_error)

    if openid_request is None:
        return render_template(
            'index.html',
            yadis_url=complete_url_for('view_openid_yadis')
        ), 200, {'X-XRDS-Location': complete_url_for('view_openid_yadis')}
    elif openid_request.mode in ['checkid_immediate', 'checkid_setup']:
        authed = isAuthorized(openid_request)
        if authed == AUTH_OK:
            openid_response = openid_request.answer(
                True,
                identity=get_claimed_id(
                    get_auth_module().get_username()
                ),
                claimed_id=get_claimed_id(get_auth_module().get_username())
            )
            sreg_info = addSReg(openid_request, openid_response)
            teams_info = addTeams(
                openid_request,
                openid_response,
                filter_cla_groups(get_auth_module().get_groups()))
            cla_info = addCLAs(
                openid_request,
                openid_response,
                get_cla_uris(get_auth_module().get_groups()))
            auth_level = addPape(openid_request, openid_response)
            log_info('Success', {
                'claimed_id': get_claimed_id(get_auth_module().get_username()),
Exemple #11
0
 def view_persona_sign_in():
     get_session().delete()
     return render_template('persona_signin.html',
         auth_module_login=get_auth_module().get_persona_auth_base(),
         trust_root='Persona', domain=app.config['PERSONA_DOMAIN'],
         website_root=app.config['WEBSITE_ROOT'])
Exemple #12
0
 def view_persona_provision():
     user_email = 'INVALID'
     if get_auth_module().logged_in():
         user_email = '%s@%s' % (get_auth_module().get_username()
                                , app.config['PERSONA_DOMAIN'])
     return render_template('persona_provision.html', user_email=user_email)