def openid_decide(request):
    """Ask a signed-in user whether the requesting site may be trusted.

    Outcome by state:
      * user not authenticated      -> landing page
      * no pending OpenID request   -> error page (session was lost)
      * user owns no OpenID         -> error page
      * POST from the decide form   -> on 'allow' record the trust root and
                                       redirect; otherwise answer the
                                       request negatively
      * anything else               -> render the decide form
    """
    provider = openid_get_server(request)
    pending = provider.decodeRequest(request.session.get('OPENID_REQUEST'))
    root_status = request.session.get('OPENID_TRUSTROOT_VALID')
    logger.debug('Got OPENID_REQUEST %s, OPENID_TRUSTROOT_VALID %s from '
                 'session %s', pending, root_status, request.session)

    if not request.user.is_authenticated():
        return landing_page(request, pending)

    if pending is None:
        # Nothing parked in the session: typically the 'back' button or an
        # expired session, not a normal flow.
        return error_page(
            request,
            "I've lost track of your session now. Sorry! Please go "
            "back to the site you are logging in to with a Baserock "
            "OpenID and, if you're not yet logged in, try again.")

    identity = openid_get_identity(request, pending.identity)
    if identity is None:
        # Each user is expected to own exactly one OpenID, created at
        # registration time.
        return error_page(
            request, openid_not_found_error_message(request, pending.identity))

    decision_posted = (request.method == 'POST'
                       and request.POST.get('decide_page', False))
    if decision_posted:
        if request.POST.get('allow', False):
            # Persist the decision so this trust_root is not asked about
            # again. NOTE(review): this POST changes security state; CSRF
            # protection is assumed to come from middleware - confirm.
            TrustedRoot.objects.get_or_create(
                openid=identity, trust_root=pending.trust_root)
            if not conf.FAILED_DISCOVERY_AS_VALID:
                # The decide step stands in for trust-root validation only
                # when failed discovery is not already accepted as valid.
                request.session[get_trust_session_key(pending)] = True
            return HttpResponseRedirect(reverse('openid-provider-root'))
        denial = pending.answer(False)
        logger.debug('orequest.answer(False)')
        return prep_response(request, pending, denial)

    context = {
        'title': _('Trust this site?'),
        'trust_root': pending.trust_root,
        'trust_root_valid': root_status,
        'return_to': pending.return_to,
        'identity': pending.identity,
    }
    return render_to_response('openid_provider/decide.html', context,
                              context_instance=RequestContext(request))
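def _trust_root_host_is_trusted(trust_root, trusted_domains):
    """Return True when the host of *trust_root* is one of *trusted_domains*
    or a subdomain of one.

    Matching is done on the parsed hostname, never on the raw URL string:
    a substring test such as ``'example.com' in trust_root`` would also
    accept ``https://attacker.example/?example.com`` (constructed example),
    which must not be auto-trusted. OpenID wildcard roots
    (``http://*.example.com/``) parse to a hostname starting with ``*.``
    and are matched by the subdomain rule.

    Args:
        trust_root: the realm URL taken from the OpenID request.
        trusted_domains: iterable of domain names; a leading '.' is ignored.
    """
    try:
        from urllib.parse import urlparse
    except ImportError:  # Python 2
        from urlparse import urlparse
    host = (urlparse(trust_root).hostname or '').lower()
    if not host:
        return False
    for domain in trusted_domains:
        domain = domain.lower().lstrip('.')
        if not domain:
            continue
        if host == domain or host.endswith('.' + domain):
            return True
    return False


def openid_decide(request):
    """The page that asks the user if they really want to sign in to the
    site, and lets them add the consumer to their trusted whitelist.

    If the user is logged in, ask whether they want to trust this
    trust_root; if they are NOT logged in, show the landing page.
    Trust roots whose host is in ``settings.TRUSTED_DOMAINS`` are granted
    without prompting.

    Returns the landing page, an error page, a redirect after the trust
    root has been recorded, the negative OpenID response after a 'deny'
    decision, or the rendered decide form.
    """
    server = openid_get_server(request)
    orequest = server.decodeRequest(request.session.get('OPENID_REQUEST'))
    trust_root_valid = request.session.get('OPENID_TRUSTROOT_VALID')

    if not request.user.is_authenticated():
        return landing_page(request, orequest)

    if orequest is None:
        # Nothing parked in the session ('back' button, expired session,
        # direct visit); without this guard orequest.identity below raises.
        return error_page(
            request,
            "I've lost track of your session now. Sorry! Please go "
            "back to the site you are logging in to, and, if you're not "
            "yet logged in, try again.")

    openid = openid_get_identity(request, orequest.identity)
    if openid is None:
        return error_page(
            request, "You are signed in but you don't have OpenID here!")

    def grant_trust():
        # Record the trust root for this OpenID and send the user back to
        # the provider root, which resumes the parked request.
        TrustedRoot.objects.get_or_create(
            openid=openid, trust_root=orequest.trust_root)
        if not conf.FAILED_DISCOVERY_AS_VALID:
            request.session[get_trust_session_key(orequest)] = True
        return HttpResponseRedirect(reverse('openid-provider-root'))

    # Unconditionally allow access to a site without prompting the user if
    # the trust root's host is (or is under) a configured trusted domain.
    if _trust_root_host_is_trusted(orequest.trust_root,
                                   settings.TRUSTED_DOMAINS):
        return grant_trust()

    if request.method == 'POST' and request.POST.get('decide_page', False):
        if request.POST.get('allow', False):
            # NOTE(review): state-changing POST; CSRF protection is assumed
            # to come from middleware - confirm.
            return grant_trust()
        oresponse = orequest.answer(False)
        logger.debug('orequest.answer(False)')
        return prep_response(request, orequest, oresponse)

    return render_to_response('openid_provider/decide.html', {
        'title': _('Trust this site?'),
        'trust_root': orequest.trust_root,
        'trust_root_valid': trust_root_valid,
        'return_to': orequest.return_to,
        'identity': orequest.identity,
    }, context_instance=RequestContext(request))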
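def openid_decide(request):
    """The page that asks the user if they really want to sign in to the
    site, and lets them add the consumer to their trusted whitelist.

    If the user is logged in, ask whether they want to trust this
    trust_root; if they are NOT logged in, show the landing page.

    Returns the landing page, an error page, a redirect after an 'allow'
    decision, the negative OpenID response after a 'deny' decision, or the
    rendered decide form.
    """
    server = openid_get_server(request)
    orequest = server.decodeRequest(request.session.get('OPENID_REQUEST'))
    trust_root_valid = request.session.get('OPENID_TRUSTROOT_VALID')

    if not request.user.is_authenticated():
        return landing_page(request, orequest)

    if orequest is None:
        # Nothing parked in the session ('back' button, expired session,
        # direct visit). Report that explicitly instead of letting the
        # AttributeError on orequest.identity be reported as "no OpenID".
        return error_page(
            request,
            "I've lost track of your session now. Sorry! Please go "
            "back to the site you are logging in to, and, if you're not "
            "yet logged in, try again.")

    try:
        openid = openid_get_identity(request, orequest.identity)
    except AttributeError:
        # Kept from the original: presumably openid_get_identity raises
        # AttributeError for a user without an OpenID record.
        # NOTE(review): this also hides genuine AttributeError bugs inside
        # openid_get_identity; narrow it once the failing attribute is known.
        openid = None
    if openid is None:
        return error_page(
            request, "You are signed in but you don't have OpenID here!")

    if request.method == 'POST' and request.POST.get('decide_page', False):
        if request.POST.get('allow', False):
            # Persist the decision so this trust_root is not asked about
            # again. NOTE(review): state-changing POST; CSRF protection is
            # assumed to come from middleware - confirm.
            TrustedRoot.objects.get_or_create(
                openid=openid, trust_root=orequest.trust_root)
            if not conf.FAILED_DISCOVERY_AS_VALID:
                request.session[get_trust_session_key(orequest)] = True
            return HttpResponseRedirect(reverse('openid-provider-root'))
        oresponse = orequest.answer(False)
        logger.debug('orequest.answer(False)')
        return prep_response(request, orequest, oresponse)

    return render(request, 'openid_provider/decide.html', {
        'title': _('Trust this site?'),
        'trust_root': orequest.trust_root,
        'trust_root_valid': trust_root_valid,
        'return_to': orequest.return_to,
        'identity': orequest.identity,
    })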
def openid_server(request):
    """Endpoint advertised by the ``<link rel="openid.server">`` tag.

    Decodes an OpenID message from the request (falling back to the one
    parked in the session by the decide page), then either lets the
    library answer it (non-browser modes), answers a browser-mode request
    positively for an authenticated, authorized user with an acceptable
    trust root, or parks the request in the session and redirects to the
    decide page. An unauthorized checkid_immediate request raises.
    """
    logger.debug('server request %s: %s', request.method,
                 request.POST or request.GET)
    provider = openid_get_server(request)
    if not request.is_secure():
        # Over plain HTTP only encrypted association sessions are offered.
        provider.negotiator = encrypted_negotiator

    # A stale AuthorizationInfo flag must not carry over into this request.
    if request.session.get('AuthorizationInfo', None):
        del request.session['AuthorizationInfo']

    params = dict(request.REQUEST.items())
    oid_request = provider.decodeRequest(params)
    if not oid_request:
        # Nothing usable in the query: resume the request parked in the
        # session by the decide page.
        oid_request = provider.decodeRequest(
            request.session.get('OPENID_REQUEST', None))
        if not oid_request:
            info = {
                'host': request.build_absolute_uri('/'),
                'xrds_location': request.build_absolute_uri(
                    reverse('openid-provider-xrds')),
            }
            logger.debug('invalid request, sending info: %s', info)
            return render_to_response('openid_provider/server.html', info,
                                      context_instance=RequestContext(request))
        # Consume the parked request so it is not resumed a second time.
        del request.session['OPENID_REQUEST']

    if oid_request.mode not in BROWSER_REQUEST_MODES:
        # Direct (non-browser) modes are answered by the library itself.
        oid_response = provider.handleRequest(oid_request)
    else:
        if not request.user.is_authenticated():
            logger.debug('no local authentication, sending landing page')
            return landing_page(request, oid_request)

        identity_record = openid_is_authorized(
            request, oid_request.identity, oid_request.trust_root)

        # verify return_to:
        root_status = trust_root_validation(oid_request)
        if conf.FAILED_DISCOVERY_AS_VALID:
            # NOTE(review): a root whose validation reports DISCOVERY_FAILED
            # is accepted here without a user decision - confirm this is an
            # accepted risk for the deployment.
            validated = root_status == 'DISCOVERY_FAILED'
        else:
            # The decide page sets this key once the user has allowed it.
            validated = bool(request.session.get(
                get_trust_session_key(oid_request), False))

        if identity_record is not None and (validated
                                            or root_status == 'Valid'):
            identity_url = request.build_absolute_uri(
                reverse('openid-provider-identity',
                        args=[identity_record.openid]))
            oid_response = oid_request.answer(True, identity=identity_url)
            logger.debug('orequest.answer(True, identity="%s")', identity_url)
        elif oid_request.immediate:
            # NOTE(review): this surfaces as a server error to the relying
            # party rather than as a negative immediate-mode answer.
            logger.debug('checkid_immediate mode not supported')
            raise Exception('checkid_immediate mode not supported')
        else:
            # Park the request and the validation result for the decide page.
            request.session['OPENID_REQUEST'] = \
                oid_request.message.toPostArgs()
            request.session['OPENID_TRUSTROOT_VALID'] = root_status
            logger.debug('redirecting to decide page')
            return HttpResponseRedirect(reverse('openid-provider-decide'))

    if request.user.is_authenticated():
        add_sreg_data(request, oid_request, oid_response)
        if conf.AX_EXTENSION:
            add_ax_data(request, oid_request, oid_response)
    return prep_response(request, oid_request, oid_response, provider)
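def openid_server(request):
    """Endpoint advertised by the ``<link rel="openid.server">`` tag.

    Decodes an OpenID message from the request (falling back to the one
    parked in the session by the decide page), then either lets the
    library answer it (non-browser modes), answers a browser-mode request
    positively for an authenticated, authorized user with an acceptable
    trust root, or parks the request in the session and redirects to the
    decide page. An unauthorized checkid_immediate request raises.
    """
    logger.debug('server request %s: %s', request.method,
                 request.POST or request.GET)
    server = openid_get_server(request)
    if not request.is_secure():
        # if request is not secure allow only encrypted association sessions
        server.negotiator = encrypted_negotiator

    # Clear AuthorizationInfo session var, if it is set
    if request.session.get('AuthorizationInfo', None):
        del request.session['AuthorizationInfo']

    # OpenID messages reach the provider either by user-agent redirect (GET)
    # or by form POST, and the log line above already expects both; decoding
    # POST alone sent GET-delivered checkid requests to the info page. POST
    # takes precedence, as request.REQUEST used to.
    querydict = dict(request.GET.items())
    querydict.update(request.POST.items())
    orequest = server.decodeRequest(querydict)
    if not orequest:
        orequest = server.decodeRequest(
            request.session.get('OPENID_REQUEST', None))
        if orequest:
            # remove session stored data so the request is resumed only once
            del request.session['OPENID_REQUEST']
        else:
            # not request, render info page:
            data = {
                'host': request.build_absolute_uri('/'),
                'xrds_location': request.build_absolute_uri(
                    reverse('openid-provider-xrds')),
            }
            logger.debug('invalid request, sending info: %s', data)
            return render(request, 'openid_provider/server.html', data)

    if orequest.mode in BROWSER_REQUEST_MODES:
        if not request.user.is_authenticated():
            logger.debug('no local authentication, sending landing page')
            return landing_page(request, orequest)

        openid = openid_is_authorized(
            request, orequest.identity, orequest.trust_root)

        # verify return_to:
        trust_root_valid = trust_root_validation(orequest)
        validated = False
        if conf.FAILED_DISCOVERY_AS_VALID:
            # NOTE(review): a root whose validation reports DISCOVERY_FAILED
            # is accepted here without a user decision - confirm this is an
            # accepted risk for the deployment.
            if trust_root_valid == 'DISCOVERY_FAILED':
                validated = True
        else:
            # if in decide already took place, set as valid:
            if request.session.get(get_trust_session_key(orequest), False):
                validated = True

        if openid is not None and (validated or trust_root_valid == 'Valid'):
            id_url = request.build_absolute_uri(
                reverse('openid-provider-identity', args=[openid.openid]))
            oresponse = orequest.answer(True, identity=id_url)
            logger.debug('orequest.answer(True, identity="%s")', id_url)
        elif orequest.immediate:
            # NOTE(review): this surfaces as a server error to the relying
            # party rather than as a negative immediate-mode answer.
            logger.debug('checkid_immediate mode not supported')
            raise Exception('checkid_immediate mode not supported')
        else:
            # Park the request and the validation result for the decide page.
            request.session['OPENID_REQUEST'] = orequest.message.toPostArgs()
            request.session['OPENID_TRUSTROOT_VALID'] = trust_root_valid
            logger.debug('redirecting to decide page')
            return HttpResponseRedirect(reverse('openid-provider-decide'))
    else:
        # Direct (non-browser) modes are answered by the library itself.
        oresponse = server.handleRequest(orequest)

    if request.user.is_authenticated():
        add_sreg_data(request, orequest, oresponse)
        if conf.AX_EXTENSION:
            add_ax_data(request, orequest, oresponse)
    return prep_response(request, orequest, oresponse, server)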