def user_ask_trust_root(openid_request):
if request.method == 'POST' and 'form_filled' in request.form:
if not 'csrf_id' in get_session() \
or not 'csrf_value' in request.form \
or request.form['csrf_value'] != get_session()['csrf_id']:
return 'CSRF Protection value invalid'
if 'decided_allow' in request.form:
addToSessionArray('TRUSTED_ROOTS', openid_request.trust_root)
else:
addToSessionArray('NON_TRUSTED_ROOTS', openid_request.trust_root)
return redirect(request.url)
get_session()['csrf_id'] = uuid().hex
get_session().save()
# Get which stuff we will send
sreg_data = get_auth_module().get_sreg()
sreg_req = sreg.SRegRequest.fromOpenIDRequest(openid_request)
sreg_resp = sreg.SRegResponse.extractResponse(sreg_req, sreg_data)
teams_req = teams.TeamsRequest.fromOpenIDRequest(openid_request)
teams_resp = teams.TeamsResponse.extractResponse(
teams_req,
filter_cla_groups(get_auth_module().get_groups()))
clas_req = cla.CLARequest.fromOpenIDRequest(openid_request)
clas_resp = cla.CLAResponse.extractResponse(
clas_req,
get_cla_uris(get_auth_module().get_groups()))
# Show form
return render_template(
'openid_user_ask_trust_root.html',
action=complete_url_for('view_main'),
trust_root=openid_request.trust_root,
sreg_policy_url=sreg_req.policy_url or _('None provided'),
sreg_data=sreg_resp.data,
teams_provided=teams_resp.teams,
cla_done=cla.CLA_URI_FEDORA_DONE in clas_resp.clas,
csrf=get_session()['csrf_id'])
def isAuthorized(openid_request):
pape_req_time, pape_auth_policies, pape_auth_level_types = \
getPapeRequestInfo(openid_request)
if not get_auth_module().logged_in():
return AUTH_NOT_LOGGED_IN
elif (pape_req_time) and (pape_req_time != 0) and (
get_session()['last_auth_time'] < (time() - pape_req_time)):
return AUTH_TIMEOUT
elif (app.config['OPENID_MAX_AUTH_TIME'] != 0) and (
get_session()['last_auth_time'] < (time() - (
app.config['OPENID_MAX_AUTH_TIME'] * 60))):
return AUTH_TIMEOUT
# Add checks if yubikey is required by application
elif (not openid_request.idSelect()) and (
openid_request.identity != get_claimed_id(
get_auth_module().get_username())):
return AUTH_INCORRECT_IDENTITY
elif openid_request.trust_root in app.config['OPENID_TRUSTED_ROOTS']:
return AUTH_OK
elif openid_request.trust_root in app.config['OPENID_NON_TRUSTED_ROOTS']:
return AUTH_TRUST_ROOT_CONFIG_NOT_OK
elif openid_request.trust_root in getSessionValue('TRUSTED_ROOTS', []):
return AUTH_OK
elif openid_request.trust_root in getSessionValue('NON_TRUSTED_ROOTS', []):
return AUTH_TRUST_ROOT_NOT_OK
else:
# The user still needs to determine if he/she allows this trust root
return AUTH_TRUST_ROOT_ASK
def view_fas_login():
if not 'next' in request.args and not 'next' in get_session():
return redirect(url_for('view_main'))
if 'next' in request.args:
get_session()['next'] = request.args['next']
get_session().save()
if get_auth_module().logged_in() and not \
('timeout' in get_session() and get_session()['timeout']):
# We can also have "timeout" as of 0.4.0
# indicating PAPE or application configuration requires a re-auth
log_debug('Info', {
'message': 'User tried to login but is already authenticated'})
return redirect(get_session()['next'])
if request.method == 'POST':
username = request.form['username']
password = request.form['password']
if (not app.config['FAS_AVAILABLE_FILTER']) or \
(username in app.config['FAS_AVAILABLE_TO']):
if username == '' or password == '':
user = None
else:
user = get_auth_module().check_login(username, password)
if user:
log_info('Success', {
'username': username,
'message': 'User authenticated succesfully'})
user = user.toDict() # A bunch is not serializable...
user['groups'] = [x['name'] for x in
user['approved_memberships']]
get_session()['user'] = user
get_session()['last_auth_time'] = time()
get_session()['timeout'] = False
get_session()['trust_root'] = ''
get_session().save()
return redirect(get_session()['next'])
else:
log_warning('Failure', {
'username': username,
'message': 'User entered incorrect username or password'})
flash(_('Incorrect username or password'))
else:
log_warning('Failure', {
'username': username,
'message': 'Tried to login with an account that is not '
'allowed to use this service'})
flash(_('This service is limited to the following '
'users: %(users)s',
users=', '.join(app.config['FAS_AVAILABLE_TO'])))
return render_template(
'auth_fas_login.html',
trust_root=get_session()['trust_root'])
def view_openid_api_v1():
values = request.form
openid_request = get_server().decodeRequest(values)
if not openid_request:
return { 'success': False
, 'status': 400
, 'message': 'Invalid request'
}
auth_result = get_auth_module().api_authenticate(values)
if not auth_result:
return { 'success': False
, 'status': 403
, 'message': 'Authentication failed'
}
openid_response = openid_request.answer(
True,
identity=get_claimed_id(auth_result['username']),
claimed_id=get_claimed_id(auth_result['username'])
)
# SReg
sreg_req = sreg.SRegRequest.fromOpenIDRequest(openid_request)
sreg_resp = sreg.SRegResponse.extractResponse(sreg_req, auth_result)
openid_response.addExtension(sreg_resp)
# Teams
teams_req = teams.TeamsRequest.fromOpenIDRequest(openid_request)
if teams_req.requested != []:
groups = filter_cla_groups(auth_result['groups'])
teams_resp = teams.TeamsResponse.extractResponse(teams_req,
groups)
openid_response.addExtension(teams_resp)
# CLA
cla_req = cla.CLARequest.fromOpenIDRequest(openid_request)
if cla_req.requested != []:
cla_uris = get_cla_uris(auth_result['groups'])
cla_resp = cla.CLAResponse.extractResponse(cla_req, cla_uris)
openid_response.addExtension(cla_resp)
# PAPE
pape_resp = pape.Response(
auth_policies=[],
auth_time=datetime.utcfromtimestamp(time()).strftime(
'%Y-%m-%dT%H:%M:%SZ'),
auth_levels={pape.LEVELS_NIST: 2})
openid_response.addExtension(pape_resp)
# Return
response_strings = openid_response.encodeToKVForm().split('\n')
response = {}
for resp in response_strings:
if resp != '':
resp = resp.split(':', 1)
response[resp[0]] = resp[1]
return {'success': True,
'response': response}
def addPape(request, response):
auth_time = datetime.utcfromtimestamp(
get_session()['last_auth_time']).strftime('%Y-%m-%dT%H:%M:%SZ')
auth_policies = []
auth_levels = {}
auth_levels[pape.LEVELS_NIST] = 2
if get_auth_module().used_multi_factor():
auth_policies.append(pape.AUTH_MULTI_FACTOR)
if get_auth_module().used_multi_factor_physical():
auth_policies.append(pape.AUTH_MULTI_FACTOR_PHYSICAL)
if get_auth_module().used_phishing_resistant():
auth_policies.append(pape.AUTH_PHISHING_RESISTANT)
auth_levels[pape.LEVELS_NIST] = 3
else:
auth_policies.append(pape.AUTH_NONE)
pape_resp = pape.Response(
auth_policies=auth_policies,
auth_time=auth_time,
auth_levels=auth_levels)
response.addExtension(pape_resp)
return auth_levels[pape.LEVELS_NIST]
def view_persona_fas_login():
if not 'username' in request.form or not 'password' in request.form:
return Response('No user or pw', status=400)
if get_auth_module().logged_in():
return Response('Already logged in', status=409)
username = request.form['username']
password = request.form['password']
if (not app.config['FAS_AVAILABLE_FILTER']) or \
(username in app.config['FAS_AVAILABLE_TO']):
if username == '' or password == '':
user = None
else:
user = get_auth_module().check_login(username, password)
if user:
log_info('Success', {
'username': username,
'message': 'User authenticated succesfully'})
user = user.toDict() # A bunch is not serializable...
user['groups'] = [x['name'] for x in
user['approved_memberships']]
get_session()['user'] = user
get_session()['last_auth_time'] = time()
get_session()['timeout'] = False
get_session()['trust_root'] = ''
get_session().save()
return Response('Success', status=200)
else:
log_warning('Failure', {
'username': username,
'message': 'User entered incorrect username or password'})
return Response('Incorrect username or password', status=403)
else:
log_warning('Failure', {
'username': username,
'message': 'Tried to login with an account that is not '
'allowed to use this service'})
return Response('Service limited to a restricted set of users', status=403)
def view_persons_provision_sign():
if not 'email' in request.form or not 'publicKey' in request.form \
or not 'certDuration' in request.form:
return Response('Invalid request', status=400)
email = request.form['email']
publicKey = request.form['publicKey']
certDuration = request.form['certDuration']
if email == ('%s@%s' % (get_auth_module().get_username()
, app.config['PERSONA_DOMAIN'])):
return persona_sign(email, publicKey, certDuration)
else:
if get_auth_module().logged_in():
log_error('Failure', {
'email': email,
'username': get_auth_module().get_username(),
'message': 'User tried to get certificate for incorrect user'
})
return Response('Incorrect user!', status=403)
else:
log_error('Failure', {
'email': email,
'message': 'User tried to get certificate while not logged in'
})
return Response('Not signed in', status=401)
def api_authenticate(self, post_data):
if not 'username' in post_data or not 'password' in post_data:
return False
username = post_data['username']
password = post_data['password']
if not username or not password:
return False
user = get_auth_module().check_login(username, password)
if not user:
return False
user['groups'] = [x['name'] for x in user['approved_memberships']]
user['last_auth_time'] = time()
return { 'username': user['username']
, 'email': user['email']
, 'fullname': user['human_name']
, 'timezone': user['timezone']
, 'groups': user['groups']
}
def addSReg(request, response):
sreg_req = sreg.SRegRequest.fromOpenIDRequest(request)
sreg_data = get_auth_module().get_sreg()
sreg_resp = sreg.SRegResponse.extractResponse(sreg_req, sreg_data)
response.addExtension(sreg_resp)
return sreg_resp.data
openid_request = get_server().decodeRequest(values)
except server.ProtocolError, openid_error:
return openid_respond(openid_error)
if openid_request is None:
return render_template(
'index.html',
yadis_url=complete_url_for('view_openid_yadis')
), 200, {'X-XRDS-Location': complete_url_for('view_openid_yadis')}
elif openid_request.mode in ['checkid_immediate', 'checkid_setup']:
authed = isAuthorized(openid_request)
if authed == AUTH_OK:
openid_response = openid_request.answer(
True,
identity=get_claimed_id(
get_auth_module().get_username()
),
claimed_id=get_claimed_id(get_auth_module().get_username())
)
sreg_info = addSReg(openid_request, openid_response)
teams_info = addTeams(
openid_request,
openid_response,
filter_cla_groups(get_auth_module().get_groups()))
cla_info = addCLAs(
openid_request,
openid_response,
get_cla_uris(get_auth_module().get_groups()))
auth_level = addPape(openid_request, openid_response)
log_info('Success', {
'claimed_id': get_claimed_id(get_auth_module().get_username()),
def view_persona_sign_in():
get_session().delete()
return render_template('persona_signin.html',
auth_module_login=get_auth_module().get_persona_auth_base(),
trust_root='Persona', domain=app.config['PERSONA_DOMAIN'],
website_root=app.config['WEBSITE_ROOT'])
def view_persona_provision():
user_email = 'INVALID'
if get_auth_module().logged_in():
user_email = '%s@%s' % (get_auth_module().get_username()
, app.config['PERSONA_DOMAIN'])
return render_template('persona_provision.html', user_email=user_email)
