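def openid_decide(request):
    """
    The page that asks the user if they really want to sign in to the site,
    and lets them add the consumer to their trusted whitelist.

    # If user is logged in, ask if they want to trust this trust_root
    # If they are NOT logged in, show the landing page

    Order of checks, each one short-circuiting with its own response:

    1. browser/user not authenticated      -> ``landing_page``
    2. no OpenID request in the session    -> ``error_page``
    3. user has no OpenID identity         -> ``error_page``
    4. POST carrying ``decide_page``:
       * ``cancel`` present: drop all in-progress OpenID session state and
         redirect to the front page;
       * otherwise: record a ``TrustedRoot`` for ``orequest.trust_root``,
         mark the trust root as accepted in the session (unless
         ``conf.FAILED_DISCOVERY_AS_VALID``) and redirect to the server root.
    5. anything else renders the decide template.
    """
    custom_log(request, "User entered openid_decide page", level="debug")
    server = Server(get_store(request),
                    op_endpoint=request.build_absolute_uri(reverse('openid-provider-root')))
    orequest = server.decodeRequest(request.session.get('OPENID_REQUEST'))
    trust_root_valid = request.session.get('OPENID_TRUSTROOT_VALID')

    # The browser object and the Django user must both report an
    # authenticated session before any trust decision is offered.
    if not (request.browser and request.browser.user
            and request.browser.is_authenticated()
            and request.user.is_authenticated()):
        custom_log(request, "User is not authenticated. Redirect to sign-in page", level="debug")
        return landing_page(request, orequest)

    if not orequest:
        custom_log(request, "Entered decide page with no OpenID session in progress", level="warn")
        return error_page(request, "You don't have OpenID login session in progress.")

    openid = openid_get_identity(request, orequest.identity)
    if openid is None:
        custom_log(request, "No OpenID exists for user %s" % request.browser.user, level="warn")
        return error_page(
            request, "You are signed in but you don't have OpenID here!")

    if request.method == 'POST' and request.POST.get('decide_page', False):
        trust_key = get_trust_session_key(orequest)

        if request.POST.get("cancel"):
            custom_log(request, "User cancelled authentication from the decide page", level="info")
            # Discard every piece of in-progress OpenID state; keys that were
            # never set are skipped (pop with a default never raises).
            for k in ["AuthorizationInfo", "OPENID_TRUSTROOT_VALID", "OPENID_REQUEST", trust_key]:
                request.session.pop(k, None)
            custom_log(request, "Cancelled. Redirect to front page", level="debug")
            return HttpResponseRedirect(reverse("login_frontend.views.indexview"))

        # Any other decide_page POST counts as "allow".
        _, created = TrustedRoot.objects.get_or_create(
            openid=openid, trust_root=orequest.trust_root)
        if created:
            custom_log(request, "Created a new TrustRoot for %s" % orequest.trust_root)
        else:
            custom_log(request, "Old TrustRoot for %s exists" % orequest.trust_root)

        if not conf.FAILED_DISCOVERY_AS_VALID:
            # The server view reads this session flag to treat the trust
            # root as validated on the follow-up request.
            custom_log(request, "Setting %s=True" % trust_key, level="debug")
            request.session[trust_key] = True

        custom_log(request, "Redirecting to OpenID server root", level="debug")
        return HttpResponseRedirect(reverse('openid-provider-root'))

    custom_log(request, "Showing decide page", level="info")
    return render_to_response('openid_provider/decide.html', {
        'title': _('Trust this site?'),
        'trust_root': orequest.trust_root,
        'trust_root_valid': trust_root_valid,
        'return_to': orequest.return_to,
        'identity': orequest.identity,
        'sreg': get_default_sreg_data(request, orequest),
    }, context_instance=RequestContext(request))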
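def openid_decide(request):
    """
    The page that asks the user if they really want to sign in to the site,
    and lets them add the consumer to their trusted whitelist.

    # If user is logged in, ask if they want to trust this trust_root
    # If they are NOT logged in, show the landing page

    Order of checks, each one short-circuiting with its own response:

    1. browser/user not authenticated      -> ``landing_page``
    2. no OpenID request in the session    -> ``error_page``
       (without this guard ``orequest.identity`` below raises
       AttributeError whenever the session state has expired or the user
       reaches the page directly)
    3. user has no OpenID identity         -> ``error_page``
    4. POST carrying ``decide_page``:
       * ``cancel`` present: drop all in-progress OpenID session state and
         redirect to the front page;
       * otherwise: record a ``TrustedRoot`` for ``orequest.trust_root``,
         mark the trust root as accepted in the session (unless
         ``conf.FAILED_DISCOVERY_AS_VALID``) and redirect to the server root.
    5. anything else renders the decide template.
    """
    custom_log(request, "User entered openid_decide page", level="debug")
    server = Server(get_store(request),
                    op_endpoint=request.build_absolute_uri(reverse('openid-provider-root')))
    orequest = server.decodeRequest(request.session.get('OPENID_REQUEST'))
    trust_root_valid = request.session.get('OPENID_TRUSTROOT_VALID')

    # The browser object and the Django user must both report an
    # authenticated session before any trust decision is offered.
    if not (request.browser and request.browser.user
            and request.browser.is_authenticated()
            and request.user.is_authenticated()):
        custom_log(request, "User is not authenticated. Redirect to sign-in page", level="debug")
        return landing_page(request, orequest)

    if not orequest:
        custom_log(request, "Entered decide page with no OpenID session in progress", level="warn")
        return error_page(request, "You don't have OpenID login session in progress.")

    openid = openid_get_identity(request, orequest.identity)
    if openid is None:
        custom_log(request, "No OpenID exists for user %s" % request.browser.user, level="warn")
        return error_page(
            request, "You are signed in but you don't have OpenID here!")

    if request.method == 'POST' and request.POST.get('decide_page', False):
        trust_key = get_trust_session_key(orequest)

        if request.POST.get("cancel"):
            custom_log(request, "User cancelled authentication from the decide page", level="info")
            # Discard every piece of in-progress OpenID state; keys that were
            # never set are skipped (pop with a default never raises).
            for k in ["AuthorizationInfo", "OPENID_TRUSTROOT_VALID", "OPENID_REQUEST", trust_key]:
                request.session.pop(k, None)
            custom_log(request, "Cancelled. Redirect to front page", level="debug")
            return HttpResponseRedirect(reverse("login_frontend.views.indexview"))

        # Any other decide_page POST counts as "allow".
        _, created = TrustedRoot.objects.get_or_create(
            openid=openid, trust_root=orequest.trust_root)
        if created:
            custom_log(request, "Created a new TrustRoot for %s" % orequest.trust_root)
        else:
            custom_log(request, "Old TrustRoot for %s exists" % orequest.trust_root)

        if not conf.FAILED_DISCOVERY_AS_VALID:
            # The server view reads this session flag to treat the trust
            # root as validated on the follow-up request.
            custom_log(request, "Setting %s=True" % trust_key, level="debug")
            request.session[trust_key] = True

        custom_log(request, "Redirecting to OpenID server root", level="debug")
        return HttpResponseRedirect(reverse('openid-provider-root'))

    custom_log(request, "Showing decide page", level="info")
    return render_to_response('openid_provider/decide.html', {
        'title': _('Trust this site?'),
        'trust_root': orequest.trust_root,
        'trust_root_valid': trust_root_valid,
        'return_to': orequest.return_to,
        'identity': orequest.identity,
        'sreg': get_default_sreg_data(request, orequest),
    }, context_instance=RequestContext(request))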
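def _trust_root_in_trusted_domains(trust_root, trusted_domains):
    """
    Return True if the host of *trust_root* is one of *trusted_domains* or a
    subdomain of one of them.

    Only the host component is compared. A trust root whose path or query
    string merely contains a trusted name, or whose host ends in a trusted
    name without a dot boundary (``trusted.example.evil.test``), does not
    match. A leading ``*.`` (OpenID wildcard realm) is dropped before the
    comparison, and empty entries in *trusted_domains* are ignored rather
    than matching every host.
    """
    try:
        from urllib.parse import urlparse
    except ImportError:  # Python 2
        from urlparse import urlparse

    host = (urlparse(trust_root).hostname or '').lower()
    if host.startswith('*.'):
        host = host[2:]
    if not host:
        return False
    for domain in trusted_domains:
        domain = domain.lower().strip('.')
        if domain and (host == domain or host.endswith('.' + domain)):
            return True
    return False


def openid_decide(request):
    """
    The page that asks the user if they really want to sign in to the site,
    and lets them add the consumer to their trusted whitelist.

    # If user is logged in, ask if they want to trust this trust_root
    # If they are NOT logged in, show the landing page

    Order of checks, each one short-circuiting with its own response:

    1. user not authenticated              -> ``landing_page``
    2. no OpenID request in the session    -> ``error_page``
    3. user has no OpenID identity         -> ``error_page``
    4. trust root host is in ``settings.TRUSTED_DOMAINS``: record the
       ``TrustedRoot`` without asking and redirect to the server root
    5. POST carrying ``decide_page``: ``allow`` records the ``TrustedRoot``
       and redirects to the server root; anything else answers the relying
       party negatively
    6. anything else renders the decide template.

    The session flag ``get_trust_session_key(orequest)`` is only set when
    ``conf.FAILED_DISCOVERY_AS_VALID`` is off; the server view reads it.
    """
    server = openid_get_server(request)
    orequest = server.decodeRequest(request.session.get('OPENID_REQUEST'))
    trust_root_valid = request.session.get('OPENID_TRUSTROOT_VALID')

    if not request.user.is_authenticated():
        return landing_page(request, orequest)

    if orequest is None:
        # Expired session, "back" button or a direct visit: there is nothing
        # to decide on, and orequest.identity below would raise.
        return error_page(request, "You don't have OpenID login session in progress.")

    openid = openid_get_identity(request, orequest.identity)
    if openid is None:
        return error_page(
            request, "You are signed in but you don't have OpenID here!")

    # Unconditionally allow access to a site without prompting the
    # user if the trusted root contains the trusted domain name
    # configured in the settings.  The comparison is made on the host
    # of the trust root only: a plain substring test would also accept
    # any realm that merely mentions a trusted name in its host suffix,
    # path or query string, bypassing the consent page.
    if _trust_root_in_trusted_domains(orequest.trust_root, settings.TRUSTED_DOMAINS):
        TrustedRoot.objects.get_or_create(
            openid=openid, trust_root=orequest.trust_root)
        if not conf.FAILED_DISCOVERY_AS_VALID:
            request.session[get_trust_session_key(orequest)] = True
        return HttpResponseRedirect(reverse('openid-provider-root'))

    if request.method == 'POST' and request.POST.get('decide_page', False):
        if request.POST.get('allow', False):
            TrustedRoot.objects.get_or_create(
                openid=openid, trust_root=orequest.trust_root)
            if not conf.FAILED_DISCOVERY_AS_VALID:
                request.session[get_trust_session_key(orequest)] = True
            return HttpResponseRedirect(reverse('openid-provider-root'))
        # Not allowed: send a negative assertion back to the relying party.
        oresponse = orequest.answer(False)
        logger.debug('orequest.answer(False)')
        return prep_response(request, orequest, oresponse)

    return render_to_response('openid_provider/decide.html', {
        'title': _('Trust this site?'),
        'trust_root': orequest.trust_root,
        'trust_root_valid': trust_root_valid,
        'return_to': orequest.return_to,
        'identity': orequest.identity,
    }, context_instance=RequestContext(request))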
def openid_decide(request):
    """
    The page that asks the user if they really want to sign in to the site,
    and lets them add the consumer to their trusted whitelist.

    # If user is logged in, ask if they want to trust this trust_root
    # If they are NOT logged in, show the landing page

    Responses, in the order the checks are made:

    * not authenticated                    -> ``landing_page``
    * no OpenID request left in the session -> ``error_page`` explaining the
      session was lost
    * no OpenID for the user's identity    -> ``error_page`` with the
      message from ``openid_not_found_error_message``
    * POST with ``decide_page``: ``allow`` records a ``TrustedRoot`` (and a
      session flag unless ``conf.FAILED_DISCOVERY_AS_VALID``) and redirects
      to the server root; otherwise the relying party gets a negative
      assertion via ``prep_response``
    * otherwise the decide template is rendered.
    """
    server = openid_get_server(request)
    session = request.session
    orequest = server.decodeRequest(session.get('OPENID_REQUEST'))
    trust_root_valid = session.get('OPENID_TRUSTROOT_VALID')
    logger.debug('Got OPENID_REQUEST %s, OPENID_TRUSTROOT_VALID %s from session %s',
                 orequest, trust_root_valid, session)

    if not request.user.is_authenticated():
        return landing_page(request, orequest)

    if orequest is None:
        # This isn't normal, but can occur if the user uses the 'back' button
        # or if the session data is otherwise lost for some reason.
        lost_session_msg = (
            "I've lost track of your session now. Sorry! Please go back to "
            "the site you are logging in to with a Baserock OpenID and, if "
            "you're not yet logged in, try again.")
        return error_page(request, lost_session_msg)

    openid = openid_get_identity(request, orequest.identity)
    if openid is None:
        # User should only ever have one OpenID, created for them when they
        # registered.
        return error_page(
            request, openid_not_found_error_message(request, orequest.identity))

    is_decision_post = (request.method == 'POST'
                        and request.POST.get('decide_page', False))
    if is_decision_post:
        if not request.POST.get('allow', False):
            # Refusal: negative assertion back to the relying party.
            denial = orequest.answer(False)
            logger.debug('orequest.answer(False)')
            return prep_response(request, orequest, denial)

        TrustedRoot.objects.get_or_create(
            openid=openid, trust_root=orequest.trust_root)
        if not conf.FAILED_DISCOVERY_AS_VALID:
            session[get_trust_session_key(orequest)] = True
        return HttpResponseRedirect(reverse('openid-provider-root'))

    context = {
        'title': _('Trust this site?'),
        'trust_root': orequest.trust_root,
        'trust_root_valid': trust_root_valid,
        'return_to': orequest.return_to,
        'identity': orequest.identity,
    }
    return render_to_response('openid_provider/decide.html', context,
                              context_instance=RequestContext(request))
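def openid_decide(request):
    """
    The page that asks the user if they really want to sign in to the site,
    and lets them add the consumer to their trusted whitelist.

    # If user is logged in, ask if they want to trust this trust_root
    # If they are NOT logged in, show the landing page

    Order of checks, each one short-circuiting with its own response:

    1. user not authenticated              -> ``landing_page``
    2. no OpenID request in the session    -> ``error_page``
    3. user has no OpenID identity         -> ``error_page``
    4. POST carrying ``decide_page``: ``allow`` records a ``TrustedRoot``
       (and a session flag unless ``conf.FAILED_DISCOVERY_AS_VALID``) and
       redirects to the server root; anything else answers the relying
       party negatively via ``prep_response``
    5. anything else renders the decide template.
    """
    server = openid_get_server(request)
    orequest = server.decodeRequest(request.session.get('OPENID_REQUEST'))
    trust_root_valid = request.session.get('OPENID_TRUSTROOT_VALID')

    if not request.user.is_authenticated():
        return landing_page(request, orequest)

    if orequest is None:
        # Expired session, "back" button or a direct visit. Checked
        # explicitly instead of catching AttributeError around
        # openid_get_identity(): that also hid genuine errors inside the
        # helper and reported them as a missing OpenID.
        return error_page(request, "You don't have OpenID login session in progress.")

    openid = openid_get_identity(request, orequest.identity)
    if openid is None:
        return error_page(request, "You are signed in but you don't have OpenID here!")

    if request.method == 'POST' and request.POST.get('decide_page', False):
        if request.POST.get('allow', False):
            TrustedRoot.objects.get_or_create(openid=openid, trust_root=orequest.trust_root)
            if not conf.FAILED_DISCOVERY_AS_VALID:
                # The server view reads this flag to treat the trust root
                # as validated on the follow-up request.
                request.session[get_trust_session_key(orequest)] = True
            return HttpResponseRedirect(reverse('openid-provider-root'))
        # Not allowed: send a negative assertion back to the relying party.
        oresponse = orequest.answer(False)
        logger.debug('orequest.answer(False)')
        return prep_response(request, orequest, oresponse)

    return render(
        request, 'openid_provider/decide.html', {
            'title': _('Trust this site?'),
            'trust_root': orequest.trust_root,
            'trust_root_valid': trust_root_valid,
            'return_to': orequest.return_to,
            'identity': orequest.identity,
        })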
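def openid_server(request):
    """
    This view is the actual OpenID server - running at the URL pointed to by
    the <link rel="openid.server"> tag.

    The OpenID message is decoded from the request parameters first and,
    failing that, from the ``OPENID_REQUEST`` copy a previous visit stored
    in the session (the decide-page round-trip). With neither, an info page
    is rendered.

    Browser modes (``BROWSER_REQUEST_MODES``) require a locally authenticated
    user. A positive assertion is issued only when the user has an OpenID
    authorized for the trust root *and* either the trust root validated, the
    decide page already accepted it (session flag), or
    ``conf.FAILED_DISCOVERY_AS_VALID`` excuses a failed discovery. Otherwise
    a ``checkid_immediate`` request gets a negative (setup_needed) answer and
    a ``checkid_setup`` request is parked in the session and redirected to
    the decide page. Non-browser modes are delegated to
    ``server.handleRequest``.
    """
    logger.debug('server request %s: %s', request.method, request.POST or request.GET)
    server = openid_get_server(request)
    if not request.is_secure():
        # if request is not secure allow only encrypted association sessions
        server.negotiator = encrypted_negotiator

    # Clear AuthorizationInfo session var, if it is set
    if request.session.get('AuthorizationInfo', None):
        del request.session['AuthorizationInfo']

    # Merge query-string and form parameters (form values win on a
    # conflict); this stands in for the deprecated request.REQUEST so both
    # GET-redirected and POSTed OpenID messages are decoded.
    querydict = dict(request.GET.items())
    querydict.update(request.POST.items())
    orequest = server.decodeRequest(querydict)
    if not orequest:
        orequest = server.decodeRequest(request.session.get('OPENID_REQUEST', None))
        if orequest:
            # remove session stored data:
            del request.session['OPENID_REQUEST']
        else:
            # not request, render info page:
            data = {
                'host': request.build_absolute_uri('/'),
                'xrds_location': request.build_absolute_uri(
                    reverse('openid-provider-xrds')),
            }
            logger.debug('invalid request, sending info: %s', data)
            return render_to_response('openid_provider/server.html', data,
                                      context_instance=RequestContext(request))

    if orequest.mode in BROWSER_REQUEST_MODES:
        if not request.user.is_authenticated():
            logger.debug('no local authentication, sending landing page')
            return landing_page(request, orequest)

        openid = openid_is_authorized(request, orequest.identity, orequest.trust_root)

        # verify return_to:
        trust_root_valid = trust_root_validation(orequest)
        validated = False
        if conf.FAILED_DISCOVERY_AS_VALID:
            if trust_root_valid == 'DISCOVERY_FAILED':
                validated = True
        else:
            # if in decide already took place, set as valid:
            if request.session.get(get_trust_session_key(orequest), False):
                validated = True

        if openid is not None and (validated or trust_root_valid == 'Valid'):
            id_url = request.build_absolute_uri(
                reverse('openid-provider-identity', args=[openid.openid]))
            oresponse = orequest.answer(True, identity=id_url)
            logger.debug('orequest.answer(True, identity="%s")', id_url)
        elif orequest.immediate:
            # checkid_immediate cannot go through the decide page, so answer
            # negatively (setup_needed) instead of failing with a 500.
            # server_url lets the library build the OpenID 1.x user_setup_url.
            # Returned directly so no sreg/ax data is attached to a response
            # for a relying party the user has not authorized.
            logger.debug('checkid_immediate without prior authorization, answering setup_needed')
            oresponse = orequest.answer(False, server_url=server.op_endpoint)
            return prep_response(request, orequest, oresponse, server)
        else:
            request.session['OPENID_REQUEST'] = orequest.message.toPostArgs()
            request.session['OPENID_TRUSTROOT_VALID'] = trust_root_valid
            logger.debug('redirecting to decide page')
            return HttpResponseRedirect(reverse('openid-provider-decide'))
    else:
        oresponse = server.handleRequest(orequest)

    if request.user.is_authenticated():
        add_sreg_data(request, orequest, oresponse)
        if conf.AX_EXTENSION:
            add_ax_data(request, orequest, oresponse)
    return prep_response(request, orequest, oresponse, server)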
def openid_server(request):
    """
    This view is the actual OpenID server - running at the URL pointed to by
    the <link rel="openid.server"> tag.

    NOTE(review): this listing ends after the browser-mode branch; the
    non-browser (associate / check_authentication) handling and the final
    prep_response call are not visible here, so the positive-assertion path
    below appears to run off the end of the function. Confirm against the
    full source.

    Flow of the visible part: decode the OpenID message from the request
    parameters, then from the session copy; without either, render an info
    page (with the user's identifier URL when a browser user is known).
    Browser modes require an authenticated browser and user; the trust root
    is then accepted if it is prefix-matched by settings.OPENID_TRUSTED_ROOTS,
    if discovery failed/was unreachable and conf.FAILED_DISCOVERY_AS_VALID is
    on, or if the decide page already set the per-trust-root session flag.
    """
    custom_log(request, "Server request: %s: %s" % (request.method, request.POST or request.GET), level="debug")
    server = Server(get_store(request), op_endpoint=request.build_absolute_uri(reverse('openid-provider-root')))
    if not request.is_secure():
        # if request is not secure allow only encrypted association sessions
        custom_log(request, "Request is not secure. Switching to encrypted negotiator", level="debug")
        server.negotiator = encrypted_negotiator
    # Clear AuthorizationInfo session var, if it is set
    if request.session.get('AuthorizationInfo', None):
        custom_log(request, "Clearing AuthorizationInfo session var", level="debug")
        del request.session['AuthorizationInfo']
    # NOTE(review): request.REQUEST (merged GET+POST) is deprecated in Django
    # 1.7 and removed in 1.9; a GET/POST merge is the drop-in replacement.
    querydict = dict(request.REQUEST.items())
    orequest = server.decodeRequest(querydict)
    if not orequest:
        orequest = server.decodeRequest(request.session.get('OPENID_REQUEST', None))
        if orequest:
            # remove session stored data:
            custom_log(request, "Removing stored data from session", level="debug")
            del request.session['OPENID_REQUEST']
        else:
            # not request, render info page:
            data = {
                'host': request.build_absolute_uri('/'),
                'xrds_location': request.build_absolute_uri(
                    reverse('openid-provider-xrds')),
            }
            custom_log(request, "Not an OpenID request, sending info: %s" % data, level="info")
            if request.browser and request.browser.user:
                # get_host() is the ALLOWED_HOSTS-checked host, so the
                # identifier cannot be steered by an arbitrary Host header.
                data["openid_identifier"] = "https://" + request.get_host() + reverse('openid-provider-identity', args=[request.browser.user.username])
            else:
                data["page_url"] = request.build_absolute_uri()
            return render_to_response('openid_provider/server.html', data, context_instance=RequestContext(request))
    custom_log(request, "orequest.mode: %s" % orequest.mode, level="debug")
    if orequest.mode in BROWSER_REQUEST_MODES:
        # Both the browser object and the Django user have to agree that the
        # user is signed in.
        if not (request.browser and request.browser.user and request.browser.is_authenticated() and request.user.is_authenticated()):
            custom_log(request, "no local authentication, sending landing page", level="debug")
            return landing_page(request, orequest)
        openid = openid_is_authorized(request, orequest.identity, orequest.trust_root)
        # verify return_to:
        trust_root_valid = trust_root_validation(orequest)
        custom_log(request, "trust_root_valid=%s" % trust_root_valid, level="debug")
        validated = False
        # Allow per-url exceptions for trust roots.
        # NOTE(review): this is a plain string-prefix test. A configured root
        # such as "https://trusted.example" also matches
        # "https://trusted.example.attacker-controlled.test/", which then
        # skips the decide page; comparing the parsed host (exact or
        # dot-bounded suffix) would close that gap.
        for global_trusted_root in settings.OPENID_TRUSTED_ROOTS:
            if orequest.trust_root.startswith(global_trusted_root):
                custom_log(request, "Trust root %s is in always trusted roots. Set validated=True" % orequest.trust_root, level="debug")
                validated = True
                break
        if conf.FAILED_DISCOVERY_AS_VALID:
            # Unlike the sibling variant, 'Unreachable' is also excused here.
            if trust_root_valid == 'DISCOVERY_FAILED' or trust_root_valid == 'Unreachable':
                custom_log(request, "Setting validated=True as FAILED_DISCOVERY_AS_VALID is True", level="debug")
                validated = True
        else:
            # if in decide already took place, set as valid:
            if request.session.get(get_trust_session_key(orequest), False):
                custom_log(request, "Setting validated=True as session var %s is True" % (get_trust_session_key(orequest)), level="debug")
                validated = True
        custom_log(request, "Session key: %s=%s" % (get_trust_session_key(orequest), request.session.get(get_trust_session_key(orequest))), level="debug")
        custom_log(request, "OpenID is %s" % openid, level="debug")
        if openid is not None and (validated or trust_root_valid == 'Valid'):
            id_url = request.build_absolute_uri(
                reverse('openid-provider-identity', args=[openid.openid]))
            try:
                oresponse = orequest.answer(True, identity=id_url)
            except ValueError, e:
                # Python 2 only syntax; e.message is likewise Python 2.
                return render_to_response("openid_provider/error.html", {"title": "Invalid identity URL", "msg": e.message}, context_instance=RequestContext(request))
            custom_log(request, 'orequest.answer(True, identity="%s")' % id_url, level="debug")
        elif orequest.immediate:
            # NOTE(review): raising here turns every unauthorized
            # checkid_immediate into a 500; the protocol expects a negative
            # (setup_needed) answer, i.e. orequest.answer(False, server_url=...).
            custom_log(request, 'checkid_immediate mode not supported', level="debug")
            raise Exception('checkid_immediate mode not supported')
        else:
            # Park the request for the decide page; the server root is
            # revisited afterwards and picks it up from the session.
            request.session['OPENID_REQUEST'] = orequest.message.toPostArgs()
            request.session['OPENID_TRUSTROOT_VALID'] = trust_root_valid
            custom_log(request, "redirecting to decide page", level="debug")
            return HttpResponseRedirect(reverse('openid-provider-decide'))
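def openid_server(request):
    """
    This view is the actual OpenID server - running at the URL pointed to by
    the <link rel="openid.server"> tag.

    The OpenID message is decoded from the request parameters first and,
    failing that, from the ``OPENID_REQUEST`` copy a previous visit stored
    in the session (the decide-page round-trip). With neither, an info page
    is rendered.

    Browser modes (``BROWSER_REQUEST_MODES``) require a locally authenticated
    user. A positive assertion is issued only when the user has an OpenID
    authorized for the trust root *and* either the trust root validated, the
    decide page already accepted it (session flag), or
    ``conf.FAILED_DISCOVERY_AS_VALID`` excuses a failed discovery. Otherwise
    a ``checkid_immediate`` request gets a negative (setup_needed) answer and
    a ``checkid_setup`` request is parked in the session and redirected to
    the decide page. Non-browser modes are delegated to
    ``server.handleRequest``.
    """
    logger.debug('server request %s: %s', request.method, request.POST or request.GET)
    server = openid_get_server(request)
    if not request.is_secure():
        # if request is not secure allow only encrypted association sessions
        server.negotiator = encrypted_negotiator

    # Clear AuthorizationInfo session var, if it is set
    if request.session.get('AuthorizationInfo', None):
        del request.session['AuthorizationInfo']

    # Merge query-string and form parameters (form values win on a
    # conflict). Relying parties commonly deliver checkid_setup by GET
    # redirect, so decoding the form data alone would miss those and fall
    # through to the info page.
    querydict = dict(request.GET.items())
    querydict.update(request.POST.items())
    orequest = server.decodeRequest(querydict)
    if not orequest:
        orequest = server.decodeRequest(
            request.session.get('OPENID_REQUEST', None))
        if orequest:
            # remove session stored data:
            del request.session['OPENID_REQUEST']
        else:
            # not request, render info page:
            data = {
                'host': request.build_absolute_uri('/'),
                'xrds_location': request.build_absolute_uri(reverse('openid-provider-xrds')),
            }
            logger.debug('invalid request, sending info: %s', data)
            return render(request, 'openid_provider/server.html', data)

    if orequest.mode in BROWSER_REQUEST_MODES:
        if not request.user.is_authenticated():
            logger.debug('no local authentication, sending landing page')
            return landing_page(request, orequest)

        openid = openid_is_authorized(request, orequest.identity, orequest.trust_root)

        # verify return_to:
        trust_root_valid = trust_root_validation(orequest)
        validated = False
        if conf.FAILED_DISCOVERY_AS_VALID:
            if trust_root_valid == 'DISCOVERY_FAILED':
                validated = True
        else:
            # if in decide already took place, set as valid:
            if request.session.get(get_trust_session_key(orequest), False):
                validated = True

        if openid is not None and (validated or trust_root_valid == 'Valid'):
            id_url = request.build_absolute_uri(
                reverse('openid-provider-identity', args=[openid.openid]))
            oresponse = orequest.answer(True, identity=id_url)
            logger.debug('orequest.answer(True, identity="%s")', id_url)
        elif orequest.immediate:
            # checkid_immediate cannot go through the decide page, so answer
            # negatively (setup_needed) instead of failing with a 500.
            # server_url lets the library build the OpenID 1.x user_setup_url.
            # Returned directly so no sreg/ax data is attached to a response
            # for a relying party the user has not authorized.
            logger.debug('checkid_immediate without prior authorization, answering setup_needed')
            oresponse = orequest.answer(False, server_url=server.op_endpoint)
            return prep_response(request, orequest, oresponse, server)
        else:
            request.session['OPENID_REQUEST'] = orequest.message.toPostArgs()
            request.session['OPENID_TRUSTROOT_VALID'] = trust_root_valid
            logger.debug('redirecting to decide page')
            return HttpResponseRedirect(reverse('openid-provider-decide'))
    else:
        oresponse = server.handleRequest(orequest)

    if request.user.is_authenticated():
        add_sreg_data(request, orequest, oresponse)
        if conf.AX_EXTENSION:
            add_ax_data(request, orequest, oresponse)
    return prep_response(request, orequest, oresponse, server)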