def test_contains(self):
req = sreg.SRegRequest()
for field_name in sreg.data_fields:
self.assertNotIn(field_name, req)
self.assertNotIn('something else', req)
req.requestField('nickname')
for field_name in sreg.data_fields:
if field_name == 'nickname':
self.assertIn(field_name, req)
else:
self.assertNotIn(field_name, req)
def start_openid(session, openid_url, trust_root, return_to):
"""
Start the OpenID authentication process.
* Requests some Simple Registration data using the OpenID
library's Simple Registration machinery
* Generates the appropriate trust root and return URL values for
this application (tweak where appropriate)
* Generates the appropriate redirect based on the OpenID protocol
version.
"""
# Start OpenID authentication.
c = get_consumer(session)
try:
auth_request = c.begin(openid_url)
except DiscoveryFailure as e:
# Some other protocol-level failure occurred.
raise Exception("error in openid: OpenID discovery error") from e
# Add Simple Registration request information. Some fields
# are optional, some are required. It's possible that the
# server doesn't support sreg or won't return any of the
# fields.
sreg_request = sreg.SRegRequest(required=['email'], optional=[])
auth_request.addExtension(sreg_request)
# Add Attribute Exchange request information.
ax_request = ax.FetchRequest()
# XXX - uses myOpenID-compatible schema values, which are
# not those listed at axschema.org.
for k, v in AX_REQUIRED_FIELDS.items():
ax_request.add(ax.AttrInfo(v, required=True))
auth_request.addExtension(ax_request)
# Compute the trust root and return URL values to build the
# redirect information.
# trust_root = util.getViewURL(request, startOpenID)
# return_to = util.getViewURL(request, finishOpenID)
# Send the browser to the server either by sending a redirect
# URL or by generating a POST form.
url = auth_request.redirectURL(trust_root, return_to)
return url
def login(request, environ, start_response, ask_info=False):
"""Redirect the user to the openid provider.
Arguments:
- ask_info: bool, default False. If set to true, will use the sreg and ax
extensions to ask info about the user (email, name...).
"""
user_url = request.GET['url']
session, oi_session = get_sessions(environ)
trust_root = request.host_url
return_to = "%s/socialauth/openid/process" % trust_root
immediate = False # If set to true and the identity provider can not reply
# immediatly (user has to approve), then authentication will fail.
# If set to True, then we have to handle the SetupNeeded response case in
# process function.
consumer = Consumer(oi_session, OPENID_STORE)
auth_req = consumer.begin(user_url)
if ask_info:
sreg_request = sreg.SRegRequest(required=['email'
]) #, optional=SREG_FIELDS)
auth_req.addExtension(sreg_request)
ax_request = ax.FetchRequest()
for alias, url in AX_FIELDS.iteritems():
ax_request.add(ax.AttrInfo(url, alias=alias, required=True))
auth_req.addExtension(ax_request)
# PAPE (Provider Authentication Policy Extension):
# TODO (an treat pape.Response as well)
#pape_request = pape.Request([pape.AUTH_PHISHING_RESISTANT])
#auth_req.addExtension(pape_request)
session.save()
if auth_req.shouldSendRedirect():
redirect_url = auth_req.redirectURL(trust_root,
return_to,
immediate=immediate)
start_response('302 Redirect', [('Location', redirect_url)])
return []
else:
form_html = auth_req.htmlMarkup(
trust_root,
return_to,
form_tag_attrs={'id': 'openid_message'},
immediate=immediate)
start_response('200 OK', [('Content-Type', 'text/html')])
return [form_html]
def login(self, req):
continue_url = req.values.get('continue') or req.headers.get(
'Referer', '/')
consumer = Consumer({}, self.store)
authreq = consumer.begin(current_app.config['OPENID2_YADIS'])
sregreq = sreg.SRegRequest(optional=['username', 'uid'],
required=['email', 'groups'])
authreq.addExtension(sregreq)
verify_url = urljoin(req.host_url, self.verify_url) + '?' + urlencode(
{'continue': continue_url})
urlencode({'continue': continue_url})
url = authreq.redirectURL(return_to=verify_url, realm=req.host_url)
return redirect(location=url)
def signin(request):
"""
signin page. It manage the legacy authentification (user/password)
and authentification with openid.
url: /signin/
template : authopenid/signin.htm
"""
on_failure = signin_failure
next = clean_next(request.GET.get('next'))
form_signin = OpenidSigninForm(initial={'next': next})
form_auth = OpenidAuthForm(initial={'next': next})
if request.POST:
if 'bsignin' in request.POST.keys():
form_signin = OpenidSigninForm(request.POST)
if form_signin.is_valid():
next = clean_next(form_signin.cleaned_data.get('next'))
sreg_req = sreg.SRegRequest(optional=['nickname', 'email'])
redirect_to = "%s%s?%s" % (get_url_host(request),
reverse('user_complete_signin'),
urllib.urlencode({'next': next}))
return ask_openid(request,
form_signin.cleaned_data['openid_url'],
redirect_to,
on_failure=signin_failure,
sreg_request=sreg_req)
elif 'blogin' in request.POST.keys():
# perform normal django authentification
form_auth = OpenidAuthForm(request.POST)
if form_auth.is_valid():
user_ = form_auth.get_user()
login(request, user_)
next = clean_next(form_auth.cleaned_data.get('next'))
return HttpResponseRedirect(next)
return render('authopenid/signin.html', {
'form1': form_auth,
'form2': form_signin,
'msg': request.GET.get('msg', ''),
'sendpw_url': reverse('user_sendpw'),
},
context_instance=RequestContext(request))
def _add_extensions(self, request):
"""Add extensions to the request"""
sreg_request = sreg.SRegRequest(required=self._REQUIRED_ATTRIBUTES,
optional=self._OPTIONAL_ATTRIBUTES)
request.addExtension(sreg_request)
ax_request = ax.FetchRequest()
for alias in self._REQUIRED_ATTRIBUTES:
uri = utils.SREG2AX[alias]
ax_request.add(ax.AttrInfo(uri, required=True, alias=alias))
for alias in self._OPTIONAL_ATTRIBUTES:
uri = utils.SREG2AX[alias]
ax_request.add(ax.AttrInfo(uri, required=False, alias=alias))
request.addExtension(ax_request)
def handleRequest(self, plugin, path, params, request, **kwargs):
if plugin != 'tellduslive':
return None
oidconsumer = consumer.Consumer({}, self.store)
if path == 'login':
try:
authrequest = oidconsumer.begin('http://login.telldus.com')
except consumer.DiscoveryFailure, exc:
logging.error(str(exc[0]))
return None # TODO(micke): Error
sregRequest = sreg.SRegRequest(required=['fullname', 'email'])
authrequest.addExtension(sregRequest)
trustRoot = request.base()
returnTo = '%s/tellduslive/authorize' % request.base()
url = authrequest.redirectURL(trustRoot, returnTo)
return WebResponseRedirect(url)
def get_redirect_url(self):
auth_request = self.consumer.begin(self.endpoint_url)
if self.ax_attrs:
ax_request = ax.FetchRequest()
for ax_attr in self.ax_attrs:
ax_request.add(ax.AttrInfo(AX_ATTRS[ax_attr], required=True))
auth_request.addExtension(ax_request)
if self.sreg_attrs:
auth_request.addExtension(
sreg.SRegRequest(required=self.sreg_attrs))
redirect_url = auth_request.redirectURL(self.get_realm(),
self.get_callback_url())
return redirect_url
def setup_request(self):
"""Setup request"""
openid_request = self.openid_request()
# Request some user details. Use attribute exchange if provider
# advertises support.
if openid_request.endpoint.supportsType(ax.AXMessage.ns_uri):
fetch_request = ax.FetchRequest()
# Mark all attributes as required, Google ignores optional ones
for attr, alias in (AX_SCHEMA_ATTRS + OLD_AX_ATTRS):
fetch_request.add(ax.AttrInfo(attr, alias=alias,
required=True))
else:
fetch_request = sreg.SRegRequest(optional=dict(SREG_ATTR).keys())
openid_request.addExtension(fetch_request)
return openid_request
def get_redirect(self):
auth_request = self.consumer.begin(self.endpoint)
if self.sreg:
auth_request.addExtension(oid_sreg.SRegRequest(**self.sreg))
ax_request = oid_ax.FetchRequest()
for mode, attributes in self.sreg.items():
for attribute in attributes:
if attribute in _ax_sreg_mapping:
ax_request.add(
oid_ax.AttrInfo(_ax_sreg_mapping[attribute],
count=1,
required=mode == 'required',
alias=attribute))
auth_request.addExtension(ax_request)
redirect_url = auth_request.redirectURL(
'http%s://%s/' % (_https(), Site.objects.get_current().domain),
self.return_to)
return HttpResponseRedirect(redirect_url)
def handleRequest(self, plugin, path, params, request, **kwargs):
if plugin != 'tellduslive':
return None
oidconsumer = consumer.Consumer({}, self.store)
if path == 'login':
try:
authrequest = oidconsumer.begin('http://login.telldus.com')
except consumer.DiscoveryFailure as exc:
logging.error(str(exc[0]))
return None # TODO(micke): Error
sregRequest = sreg.SRegRequest(required=['fullname', 'email'])
authrequest.addExtension(sregRequest)
trustRoot = request.base()
returnTo = '%s/tellduslive/authorize' % request.base()
url = authrequest.redirectURL(trustRoot, returnTo)
return WebResponseRedirect(url)
if path == 'authorize':
url = '%s/tellduslive/authorize' % request.base()
info = oidconsumer.complete(params, url)
displayIdentifier = info.getDisplayIdentifier()
if info.status == consumer.FAILURE and displayIdentifier:
return None # TODO(micke): Error
elif info.status == consumer.SUCCESS:
sregResp = sreg.SRegResponse.fromSuccessResponse(info)
data = dict(list(sregResp.items()))
if 'email' not in data:
return None # TODO(micke): Error
tellduslive = TelldusLive(self.context)
if not tellduslive.registered or tellduslive.email == '':
return 'loginFailed.html', {
'reason': 1,
'loginEmail': data['email']
}
if data['email'] != tellduslive.email:
return 'loginFailed.html', {
'reason': 2,
'loginEmail': data['email'],
'registeredEmail': tellduslive.email
}
request.setSession('loggedIn', True)
return request.loggedIn()
else:
return None # TODO(micke): Error
return None
def _update_authrequest(self, authrequest):
"""Update the authrequest with the default extensions and attributes
we ask for
This method doesn't need to return anything, since the extensions
should be added to the authrequest object itself.
"""
# Add on the Attribute Exchange for those that support that
request_attributes = self.get_argument('ax_attributes',
ax_attributes.keys())
ax_request = ax.FetchRequest()
for attr in request_attributes:
ax_request.add(ax.AttrInfo(attributes[attr], required=True))
authrequest.addExtension(ax_request)
# Form the Simple Reg request
sreg_request = sreg.SRegRequest(optional=[
'nickname', 'email', 'fullname', 'dob', 'gender', 'postcode',
'country', 'language', 'timezone'
], )
authrequest.addExtension(sreg_request)
# Add PAPE request information. Setting max_auth_age to zero will force a login.
requested_policies = []
policy_prefix = 'policy_'
#for k, v in request.POST.iteritems():
# if k.startswith(policy_prefix):
# policy_attr = k[len(policy_prefix):]
# requested_policies.append(getattr(pape, policy_attr))
pape_request = pape.Request(requested_policies,
max_auth_age=self.get_argument(
'pape_max_auth_age', None))
authrequest.addExtension(pape_request)
popup_mode = self.get_argument('popup_mode', None)
if popup_mode:
kw_args = {'mode': popup_mode}
popup_icon = self.get_argument('popup_icon')
if 'popup_icon':
kw_args['icon'] = popup_icon
ui_request = UIRequest(**kw_args)
authrequest.addExtension(ui_request)
return None
def post_pw():
logging.debug("login_openid post_pw")
oid_consumer = consumer.Consumer(self.get_openid_session(request), self.store)
try:
oid_req = oid_consumer.begin(identity)
# SReg speaks this protocol: http://openid.net/specs/openid-simple-registration-extension-1_1-01.html
# and tries to request additional metadata about this OpenID identity
sreg_req = sreg.SRegRequest(required=['fullname','nickname','email'], optional=[])
oid_req.addExtension(sreg_req)
# AX speaks this protocol: http://openid.net/specs/openid-attribute-exchange-1_0.html
# and tries to get more attributes (by URI), we request some of the more common ones
ax_req = ax.FetchRequest()
for uri in self.AX_URIS:
ax_req.add(ax.AttrInfo(uri, required = True))
oid_req.addExtension(ax_req)
except consumer.DiscoveryFailure as exc:
#request.setResponseCode(200, message = "OK")
#request.write("Error: {0}".format(exc))
#request.finish()
logging.error("Error in login_openid: {0}".format(exc))
return self.return_unauthorized(request)
else:
if oid_req is None:
#request.setResponseCode(200, message = "OK")
#request.write("Error, no OpenID services found for: {0}".format(identity))
logging.error("Error in login_openid: no OpenID services found for: {0}".format(identity))
#request.finish()
return self.return_unauthorized(request)
else:
trust_root = self.webserver.server_url
return_to = appendArgs(trust_root + "/" + self.base_path + "/openid_process", {})
logging.debug("OpenID, had oid_req, trust_root: {0}, return_to: {1}, oid_req: {2}".format(trust_root, return_to, oid_req))
redirect_url = oid_req.redirectURL(trust_root, return_to)
# FIXME check this is the best way to redirect here
request.setHeader("Location", redirect_url)
request.setResponseCode(302, "Found")
request.finish()
return
def _update_authrequest(self, request, authrequest):
"""Update the authrequest with the default extensions and attributes
we ask for
This method doesn't need to return anything, since the extensions
should be added to the authrequest object itself.
"""
# Add on the Attribute Exchange for those that support that
ax_request = ax.FetchRequest()
for attrib in attributes.values():
ax_request.add(ax.AttrInfo(attrib))
authrequest.addExtension(ax_request)
# Form the Simple Reg request
sreg_request = sreg.SRegRequest(optional=[
'nickname', 'email', 'fullname', 'dob', 'gender', 'postcode',
'country', 'language', 'timezone'
], )
authrequest.addExtension(sreg_request)
def ask_openid(self, openid_url, return_url):
trust_root = self.get_trust_root()
consumer = Consumer(self.request.session, self.store_class())
try:
auth_request = consumer.begin(openid_url)
except DiscoveryFailure:
message = _('The OpenID %(url)s was invalid')
return self.failure(message % {'url': openid_url})
use_ax, use_sreg = discover_extensions(openid_url)
sreg_request = None
ax_request = None
if use_sreg:
sreg_attrs = self.get_sreg_attrs()
if 'optional' not in sreg_attrs:
sreg_attrs.update({'optional': ['nickname', 'email']})
sreg_request = sreg.SRegRequest(**sreg_attrs)
if use_ax:
ax_request = ax.FetchRequest()
ax_request.add(
ax.AttrInfo('http://schema.openid.net/contact/email',
alias='email',
required=True), )
ax_request.add(
ax.AttrInfo('http://schema.openid.net/namePerson/friendly',
alias='nickname',
required=True), )
ax_attrs = self.get_ax_attrs()
for attr in ax_attrs:
if len(attr) == 2:
ax_request.add(ax.AttrInfo(attr[0], required=attr[1]))
else:
ax_request.add(ax.AttrInfo(attr[0]))
if sreg_request is not None:
auth_request.addExtension(sreg_request)
if ax_request is not None:
auth_request.addExtension(ax_request)
redirect_url = auth_request.redirectURL(trust_root, return_url)
return redirect(redirect_url)
class BeginLoginHandler(BaseHandler):
def get(self):
openid_url = self.request.get('openid_url')
if not openid_url:
self.render_template(
'login.html', {
'login_url': users.OPENID_LOGIN_PATH,
'continue': self.request.get('continue', '/')
})
return
consumer = self.get_consumer()
# if consumer discovery or authentication fails, show error page
try:
request = consumer.begin(openid_url)
except Exception, e:
logging.error(
"Unexpected error in OpenID discovery/authentication: %s", e)
self.render_template('error.html')
return
# TODO: Support custom specification of extensions
# TODO: Don't ask for data we already have, perhaps?
# use Simple Registration if available
request.addExtension(sreg.SRegRequest(required=OPENID_SREG_ATTRS))
# or Atribute Exchange if available
ax_request = ax.FetchRequest()
for attruri in OPENID_AX_ATTRS:
ax_request.add(
ax.AttrInfo(attruri,
required=True,
alias=OPENID_AX_ATTRS[attruri]))
request.addExtension(ax_request)
# assemble and send redirect
continue_url = self.request.get('continue', '/')
return_to = "%s%s?continue=%s" % (
self.request.host_url, users.OPENID_FINISH_PATH, continue_url)
self.redirect(request.redirectURL(self.request.host_url, return_to))
self.session.save()
def setup_request(self, params=None):
"""Setup request"""
request = self.openid_request(params)
# Request some user details. Use attribute exchange if provider
# advertises support.
if request.endpoint.supportsType(ax.AXMessage.ns_uri):
fetch_request = ax.FetchRequest()
# Mark all attributes as required, Google ignores optional ones
for attr, alias in self.get_ax_attributes():
fetch_request.add(ax.AttrInfo(attr, alias=alias,
required=True))
else:
fetch_request = sreg.SRegRequest(
optional=list(dict(self.get_sreg_attributes()).keys())
)
request.addExtension(fetch_request)
# Add PAPE Extension for if configured
preferred_policies = self.setting(
'OPENID_PAPE_PREFERRED_AUTH_POLICIES'
)
preferred_level_types = self.setting(
'OPENID_PAPE_PREFERRED_AUTH_LEVEL_TYPES'
)
max_age = self.setting('OPENID_PAPE_MAX_AUTH_AGE')
if max_age is not None:
try:
max_age = int(max_age)
except (ValueError, TypeError):
max_age = None
if max_age is not None or preferred_policies or preferred_level_types:
pape_request = pape.Request(
max_auth_age=max_age,
preferred_auth_policies=preferred_policies,
preferred_auth_level_types=preferred_level_types
)
request.addExtension(pape_request)
return request
def POST(self):
# unlike the usual scheme of things, the POST is actually called
# first here
i = web.input(return_to='/')
if i.get('action') == 'logout':
oid.logout()
return web.redirect(i.return_to)
if not i.has_key('openid') or len(i.openid) == 0:
return web.redirect(i.return_to)
session_data = {'webpy_return_to': i.return_to}
session_hash = oid._new_session(session_data)
ax_req = ax.FetchRequest()
ax_req.add(
ax.AttrInfo('http://axschema.org/namePerson/first',
required=True))
ax_req.add(
ax.AttrInfo('http://axschema.org/namePerson/last',
required=True))
ax_req.add(
ax.AttrInfo('http://axschema.org/contact/email',
required=True))
c = openid.consumer.consumer.Consumer(session_data,
oid._get_openid_store())
a = c.begin(i.openid)
a.addExtension(ax_req)
a.addExtension(
sreg.SRegRequest(optional=['email', 'fullname']))
f = a.redirectURL(web.ctx.home,
web.ctx.home + web.ctx.fullpath)
oid._save_session(session_hash, session_data)
web.setcookie('openid_session_id', session_hash)
return web.redirect(f)
def test_requestField(self):
# Add all of the fields, one at a time
req = sreg.SRegRequest()
fields = list(sreg.data_fields)
for field_name in fields:
req.requestField(field_name)
self.failUnlessEqual(fields, req.optional)
self.failUnlessEqual([], req.required)
# By default, adding the same fields over again has no effect
for field_name in fields:
req.requestField(field_name)
self.failUnlessEqual(fields, req.optional)
self.failUnlessEqual([], req.required)
# Requesting a field as required overrides requesting it as optional
expected = list(fields)
overridden = expected.pop(0)
req.requestField(overridden, required=True)
self.failUnlessEqual(expected, req.optional)
self.failUnlessEqual([overridden], req.required)
# Requesting a field as required overrides requesting it as optional
for field_name in fields:
req.requestField(field_name, required=True)
self.failUnlessEqual([], req.optional)
self.failUnlessEqual(fields, req.required)
# Requesting it as optional does not downgrade it to optional
for field_name in fields:
req.requestField(field_name)
self.failUnlessEqual([], req.optional)
self.failUnlessEqual(fields, req.required)
def init(self):
self.consumer = create_consumer(self.openid_session)
if not hasattr(self, 'form_result'):
return self._failure('', _("Invalid input."))
openid = self.form_result.get("openid")
try:
if not openid:
raise ValueError(_("No OpenID given!"))
authrequest = self.consumer.begin(openid)
if not c.user and not model.OpenID.find(openid):
axreq = ax.FetchRequest(
h.base_url('/openid/update', absolute=True))
axreq.add(
ax.AttrInfo(get_ax_mail_schema(openid),
alias="email",
required=True))
authrequest.addExtension(axreq)
sreq = sreg.SRegRequest(required=['nickname'],
optional=['email'])
authrequest.addExtension(sreq)
redirecturl = authrequest.redirectURL(h.base_url('/',
absolute=True),
return_to=h.base_url(
'/openid/verify',
absolute=True),
immediate=False)
self.set_session(self.openid_session)
session.save()
return redirect(redirecturl)
except HTTPFound:
raise
except Exception, e:
log.exception(e)
return self._failure(openid, str(e))
def handle_initial_request(request):
groups = ['sysadmin-releng', 'sysadmin-main']
session = {}
oidconsumer = consumer.Consumer(session, None)
try:
req = oidconsumer.begin('https://id.fedoraproject.org')
except consumer.DiscoveryFailure:
# VERY strange, as this means it could not discover an OpenID
# endpoint at FAS_OPENID_ENDPOINT
return 'discoveryfailure'
if req is None:
# Also very strange, as this means the discovered OpenID
# endpoint is no OpenID endpoint
return 'no-req'
req.addExtension(sreg.SRegRequest(
required=['nickname', 'fullname', 'email', 'timezone']))
req.addExtension(pape.Request([]))
req.addExtension(teams.TeamsRequest(requested=groups))
req.addExtension(cla.CLARequest(
requested=[cla.CLA_URI_FEDORA_DONE]))
# Use the django HTTPRequest for this
trust_root = request.build_absolute_uri('/')
return_to = request.build_absolute_uri() + "?type=fas-openid"
# Success or fail, redirect to the base. ¯\_(ツ)_/¯
return_url = cancel_url = request.build_absolute_uri('/')
request.session['FAS_OPENID_RETURN_URL'] = return_url
request.session['FAS_OPENID_CANCEL_URL'] = cancel_url
# the django rest framework requires that we use the json route here
return dict(form=req.htmlMarkup(trust_root, return_to,
form_tag_attrs={'id': 'openid_message'}, immediate=False))
def OpenIDStartSubmit(request, default_success_url='/'):
response = django.http.HttpResponse()
if request.method == 'POST':
openid = request.POST.get('openid_identifier', '')
openid = openid.strip()
if not openid:
return show_main_page(request)
c = Consumer({},get_store())
try:
auth_request = c.begin(openid)
except discover.DiscoveryFailure, e:
logging.error('OpenID discovery error with begin on %s: %s'
% (openid, str(e)))
return show_main_page(request, 'An error occured determining your server information. Please try again.')
from openid.extensions import sreg
sreg_request = sreg.SRegRequest(
optional=['dob', 'gender', 'postcode'],
required=['email', 'nickname', 'fullname', 'country', 'language', 'timezone'])
auth_request.addExtension(sreg_request)
from openid.extensions import ax
ax_req = ax.FetchRequest()
ax_req.add(ax.AttrInfo('http://schema.openid.net/contact/email',
alias='email',required=True))
ax_req.add(ax.AttrInfo('http://axschema.org/namePerson/first',
alias='firstname',required=True))
ax_req.add(ax.AttrInfo('http://axschema.org/namePerson/last',
alias='lastname',required=True))
ax_req.add(ax.AttrInfo('http://axschema.org/pref/language',
alias='language',required=True))
ax_req.add(ax.AttrInfo('http://axschema.org/contact/country/home',
alias='country',required=True))
auth_request.addExtension(ax_req)
import urlparse
parts = list(urlparse.urlparse(get_full_path(request)))
# finish URL with the leading "/" character removed
parts[2] = django.core.urlresolvers.reverse('openidgae.views.OpenIDFinish')[1:]
continueUrl = get_continue_url(request, default_success_url)
import urllib
parts[4] = 'continue=%s' % urllib.quote_plus(continueUrl)
parts[5] = ''
return_to = urlparse.urlunparse(parts)
realm = urlparse.urlunparse(parts[0:2] + [''] * 4)
# save the session stuff
session = openidgae.get_session(request, response)
import pickle
session.openid_stuff = pickle.dumps(c.session)
session.put()
# send the redirect! we use a meta because appengine bombs out
# sometimes with long redirect urls
redirect_url = auth_request.redirectURL(realm, return_to)
response.write(
"<html><head><meta http-equiv=\"refresh\" content=\"0;url=%s\"></head><body></body></html>"
% (redirect_url,))
return response
def startOpenID(request):
"""
Start the OpenID authentication process. Renders an
authentication form and accepts its POST.
* Renders an error message if OpenID cannot be initiated
* Requests some Simple Registration data using the OpenID
library's Simple Registration machinery
* Generates the appropriate trust root and return URL values for
this application (tweak where appropriate)
* Generates the appropriate redirect based on the OpenID protocol
version.
"""
if request.POST:
# Start OpenID authentication.
openid_url = request.POST['openid_identifier']
c = getConsumer(request)
error = None
try:
auth_request = c.begin(openid_url)
except DiscoveryFailure as e:
# Some other protocol-level failure occurred.
error = "OpenID discovery error: %s" % (str(e), )
if error:
# Render the page with an error.
return renderIndexPage(request, error=error)
# Add Simple Registration request information. Some fields
# are optional, some are required. It's possible that the
# server doesn't support sreg or won't return any of the
# fields.
sreg_request = sreg.SRegRequest(
optional=['email', 'nickname'], required=['dob'])
auth_request.addExtension(sreg_request)
# Add Attribute Exchange request information.
ax_request = ax.FetchRequest()
# XXX - uses myOpenID-compatible schema values, which are
# not those listed at axschema.org.
ax_request.add(
ax.AttrInfo('http://schema.openid.net/namePerson', required=True))
ax_request.add(
ax.AttrInfo(
'http://schema.openid.net/contact/web/default',
required=False,
count=ax.UNLIMITED_VALUES))
auth_request.addExtension(ax_request)
# Add PAPE request information. We'll ask for
# phishing-resistant auth and display any policies we get in
# the response.
requested_policies = []
policy_prefix = 'policy_'
for k, v in list(request.POST.items()):
if k.startswith(policy_prefix):
policy_attr = k[len(policy_prefix):]
if policy_attr in PAPE_POLICIES:
requested_policies.append(getattr(pape, policy_attr))
if requested_policies:
pape_request = pape.Request(requested_policies)
auth_request.addExtension(pape_request)
# Compute the trust root and return URL values to build the
# redirect information.
trust_root = util.getViewURL(request, startOpenID)
return_to = util.getViewURL(request, finishOpenID)
# Send the browser to the server either by sending a redirect
# URL or by generating a POST form.
if auth_request.shouldSendRedirect():
url = auth_request.redirectURL(trust_root, return_to)
return HttpResponseRedirect(url)
else:
# Beware: this renders a template whose content is a form
# and some javascript to submit it upon page load. Non-JS
# users will have to click the form submit button to
# initiate OpenID authentication.
form_id = 'openid_message'
form_html = auth_request.formMarkup(trust_root, return_to, False,
{'id': form_id})
return TemplateView(request, 'consumer/request_form.html',
{'html': form_html})
return renderIndexPage(request)
def requestRegistrationData(self, request):
sreg_request = sreg.SRegRequest(required=['nickname'],
optional=['fullname', 'email'])
request.addExtension(sreg_request)
def login(self):
# Instantiate consumer
self.store._log = self._log
oi_consumer = consumer.Consumer(self.session, self.store)
# handle realm and XRDS if there is only one query parameter
if self.use_realm and len(self.params) == 1:
realm_request = self.params.get(self.realm_param)
xrds_request = self.params.get(self.xrds_param)
else:
realm_request = None
xrds_request = None
# determine type of request
if realm_request:
#===================================================================
# Realm HTML
#===================================================================
self._log(logging.INFO, 'Writing OpenID realm HTML to the response.')
xrds_location = '{u}?{x}={x}'.format(u=self.url, x=self.xrds_param)
self.write(REALM_HTML.format(xrds_location=xrds_location, body=self.realm_body))
elif xrds_request:
#===================================================================
# XRDS XML
#===================================================================
self._log(logging.INFO, 'Writing XRDS XML document to the response.')
self.set_header('Content-Type', 'application/xrds+xml')
self.write(XRDS_XML.format(return_to=self.url))
elif self.params.get('openid.mode'):
#===================================================================
# Phase 2 after redirect
#===================================================================
self._log(logging.INFO, 'Continuing OpenID authentication procedure after redirect.')
# complete the authentication process
response = oi_consumer.complete(self.params, self.url)
# on success
if response.status == consumer.SUCCESS:
data = {}
# get user ID
data['guid'] = response.getDisplayIdentifier()
self._log(logging.INFO, 'Authentication successful.')
# get user data from AX response
ax_response = ax.FetchResponse.fromSuccessResponse(response)
if ax_response and ax_response.data:
self._log(logging.INFO, 'Got AX data.')
ax_data = {}
# convert iterable values to their first item
for k, v in ax_response.data.iteritems():
if v and type(v) in (list, tuple):
ax_data[k] = v[0]
data['ax'] = ax_data
# get user data from SREG response
sreg_response = sreg.SRegResponse.fromSuccessResponse(response)
if sreg_response and sreg_response.data:
self._log(logging.INFO, 'Got SREG data.')
data['sreg'] = sreg_response.data
# get data from PAPE response
pape_response = pape.Response.fromSuccessResponse(response)
if pape_response and pape_response.auth_policies:
self._log(logging.INFO, 'Got PAPE data.')
data['pape'] = pape_response.auth_policies
# create user
self._update_or_create_user(data)
#===============================================================
# We're done!
#===============================================================
elif response.status == consumer.CANCEL:
raise CancellationError('User cancelled the verification of ID "{}"!'.format(response.getDisplayIdentifier()))
elif response.status == consumer.FAILURE:
raise FailureError(response.message)
elif self.params.get(self.identifier_param):
#===================================================================
# Phase 1 before redirect
#===================================================================
self._log(logging.INFO, 'Starting OpenID authentication procedure.')
# get AuthRequest object
try:
auth_request = oi_consumer.begin(self.identifier)
except consumer.DiscoveryFailure as e:
raise FailureError('Discovery failed for identifier {}!'.format(self.identifier),
url=self.identifier,
original_message=e.message)
self._log(logging.INFO, 'Service discovery for identifier {} successful.'.format(self.identifier))
# add SREG extension
# we need to remove required fields from optional fields because addExtension then raises an error
self.sreg = [i for i in self.sreg if i not in self.sreg_required]
auth_request.addExtension(sreg.SRegRequest(optional=self.sreg,
required=self.sreg_required))
# add AX extension
ax_request = ax.FetchRequest()
# set AX schemas
for i in self.ax:
required = i in self.ax_required
ax_request.add(ax.AttrInfo(i, required=required))
auth_request.addExtension(ax_request)
# add PAPE extension
auth_request.addExtension(pape.Request(self.pape))
# prepare realm and return_to URLs
if self.use_realm:
realm = return_to = '{u}?{r}={r}'.format(u=self.url, r=self.realm_param)
else:
realm = return_to = self.url
url = auth_request.redirectURL(realm, return_to)
if auth_request.shouldSendRedirect():
# can be redirected
url = auth_request.redirectURL(realm, return_to)
self._log(logging.INFO, 'Redirecting user to {}.'.format(url))
self.redirect(url)
else:
# must be sent as POST
# this writes a html post form with auto-submit
self._log(logging.INFO, 'Writing an auto-submit HTML form to the response.')
form = auth_request.htmlMarkup(realm, return_to, False, dict(id='openid_form'))
self.write(form)
else:
raise OpenIDError('No identifier specified!')
status=500)
# Request some user details. If the provider advertises support
# for attribute exchange, use that.
if openid_request.endpoint.supportsType(ax.AXMessage.ns_uri):
fetch_request = ax.FetchRequest()
# We mark all the attributes as required, since Google ignores
# optional attributes. We request both the full name and
# first/last components since some providers offer one but not
# the other.
for (attr, alias) in conf.REQUIRED_AX_ATTRIBUTES:
fetch_request.add(ax.AttrInfo(attr, alias=alias, required=True))
openid_request.addExtension(fetch_request)
else:
openid_request.addExtension(
sreg.SRegRequest(optional=['email', 'fullname', 'nickname']))
# Request team info
launchpad_teams = conf.LAUNCHPAD_TEAMS_MAPPING
if conf.LAUNCHPAD_TEAMS_MAPPING_AUTO:
#ignore launchpad teams. use all django-groups
launchpad_teams = dict()
all_groups = Group.objects.exclude(
name__in=conf.LAUNCHPAD_TEAMS_MAPPING_AUTO_BLACKLIST)
for group in all_groups:
launchpad_teams[group.name] = group.name
if launchpad_teams:
openid_request.addExtension(teams.TeamsRequest(launchpad_teams.keys()))
# Construct the request completion URL, including the page we
def login_begin(request,
template_name='openid/login.html',
login_complete_view='openid-complete',
form_class=OpenIDLoginForm,
render_failure=default_render_failure,
redirect_field_name=REDIRECT_FIELD_NAME):
"""Begin an OpenID login request, possibly asking for an identity URL."""
data = get_request_data(request)
redirect_to = data.get(redirect_field_name, '')
# Get the OpenID URL to try. First see if we've been configured
# to use a fixed server URL.
openid_url = getattr(settings, 'OPENID_SSO_SERVER_URL', None)
if openid_url is None:
if request.POST:
login_form = form_class(data=request.POST)
if login_form.is_valid():
openid_url = login_form.cleaned_data['openid_identifier']
else:
login_form = form_class()
# Invalid or no form data:
if openid_url is None:
context = RequestContext(request).flatten()
context.update({
'form': login_form,
redirect_field_name: redirect_to,
})
return render(request, template_name, context)
consumer = make_consumer(request)
try:
openid_request = consumer.begin(openid_url)
except DiscoveryFailure as exc:
return render_failure(request,
"OpenID discovery error: %s" % (str(exc), ),
status=500,
exception=exc)
# Request some user details. If the provider advertises support
# for attribute exchange, use that.
endpoint = openid_request.endpoint
if endpoint.supportsType(ax.AXMessage.ns_uri):
fetch_request = ax.FetchRequest()
# We mark all the attributes as required, since Google ignores
# optional attributes. We request both the full name and
# first/last components since some providers offer one but not
# the other.
for (attr, alias) in [
('http://axschema.org/contact/email', 'email'),
('http://axschema.org/namePerson', 'fullname'),
('http://axschema.org/namePerson/first', 'firstname'),
('http://axschema.org/namePerson/last', 'lastname'),
('http://axschema.org/namePerson/friendly', 'nickname'),
# The myOpenID provider advertises AX support, but uses
# attribute names from an obsolete draft of the
# specification. We request them for compatibility.
('http://schema.openid.net/contact/email', 'old_email'),
('http://schema.openid.net/namePerson', 'old_fullname'),
('http://schema.openid.net/namePerson/friendly', 'old_nickname')
]:
fetch_request.add(ax.AttrInfo(attr, alias=alias, required=True))
# conditionally require account_verified attribute
verification_scheme_map = getattr(settings,
'OPENID_VALID_VERIFICATION_SCHEMES',
{})
valid_schemes = verification_scheme_map.get(
endpoint.server_url, verification_scheme_map.get(None, ()))
if valid_schemes:
# there are valid schemes configured for this endpoint, so
# request account_verified status
fetch_request.add(
ax.AttrInfo(
'http://ns.login.ubuntu.com/2013/validation/account',
alias='account_verified',
required=True))
openid_request.addExtension(fetch_request)
else:
sreg_required_fields = []
sreg_required_fields.extend(
getattr(settings, 'OPENID_SREG_REQUIRED_FIELDS', []))
sreg_optional_fields = ['email', 'fullname', 'nickname']
sreg_optional_fields.extend(
getattr(settings, 'OPENID_SREG_EXTRA_FIELDS', []))
sreg_optional_fields = [
field for field in sreg_optional_fields
if field not in sreg_required_fields
]
openid_request.addExtension(
sreg.SRegRequest(optional=sreg_optional_fields,
required=sreg_required_fields))
if getattr(settings, 'OPENID_PHYSICAL_MULTIFACTOR_REQUIRED', False):
preferred_auth = [
pape.AUTH_MULTI_FACTOR_PHYSICAL,
]
pape_request = pape.Request(preferred_auth_policies=preferred_auth)
openid_request.addExtension(pape_request)
# Request team info
teams_mapping_auto = getattr(settings,
'OPENID_LAUNCHPAD_TEAMS_MAPPING_AUTO', False)
teams_mapping_auto_blacklist = getattr(
settings, 'OPENID_LAUNCHPAD_TEAMS_MAPPING_AUTO_BLACKLIST', [])
launchpad_teams = getattr(settings, 'OPENID_LAUNCHPAD_TEAMS_MAPPING', {})
if teams_mapping_auto:
# ignore launchpad teams. use all django-groups
launchpad_teams = dict()
all_groups = Group.objects.exclude(
name__in=teams_mapping_auto_blacklist)
for group in all_groups:
launchpad_teams[group.name] = group.name
if launchpad_teams:
openid_request.addExtension(teams.TeamsRequest(launchpad_teams.keys()))
# Construct the request completion URL, including the page we
# should redirect to.
return_to = request.build_absolute_uri(reverse(login_complete_view))
if redirect_to:
if '?' in return_to:
return_to += '&'
else:
return_to += '?'
# Django gives us Unicode, which is great. We must encode URI.
# urllib enforces str. We can't trust anything about the default
# encoding inside str(foo) , so we must explicitly make foo a str.
return_to += urlencode(
{redirect_field_name: redirect_to.encode("UTF-8")})
return render_openid_request(request, openid_request, return_to)
error = None
try:
auth_request = c.begin(openid_url)
except DiscoveryFailure, e:
# Some other protocol-level failure occurred.
error = "OpenID discovery error: %s" % (str(e),)
if error:
raise Exception("error in openid")
# Add Simple Registration request information. Some fields
# are optional, some are required. It's possible that the
# server doesn't support sreg or won't return any of the
# fields.
sreg_request = sreg.SRegRequest(required=['email'],
optional=[])
auth_request.addExtension(sreg_request)
# Add Attribute Exchange request information.
ax_request = ax.FetchRequest()
# XXX - uses myOpenID-compatible schema values, which are
# not those listed at axschema.org.
for k, v in AX_REQUIRED_FIELDS.iteritems():
ax_request.add(ax.AttrInfo(v, required=True))
auth_request.addExtension(ax_request)
# Compute the trust root and return URL values to build the
# redirect information.
# trust_root = util.getViewURL(request, startOpenID)
if requested_policies:
pape_request = pape.Request(requested_policies)
request.addExtension(pape_request)
# Let the sreg policy be configurable
sreg_opt = []
sreg_req = []
sreg_fields = ['fullname', 'email']
if self.sreg_required:
sreg_req = sreg_fields
else:
sreg_opt = sreg_fields
if self.use_nickname_as_authname:
sreg_req.append('nickname')
sreg_request = sreg.SRegRequest(optional=sreg_opt,
required=sreg_req)
request.addExtension(sreg_request)
ax_request = ax.FetchRequest()
for alias, uri in self.openid_ax_attrs.items():
attr_info = ax.AttrInfo(uri, required=True, alias=alias)
ax_request.add(attr_info)
request.addExtension(ax_request)
if self.groups_to_request:
if not TeamsRequest:
self.env.log.error(
'The python-openid-teams package is not installed.'
' The groups_to_request configuration option will'
' be ignored.')
else:
def signin(request):
"""
signin page. It manages the legacy authentification (user/password)
and openid authentification
url: /signin/
template : authopenid/signin.htm
"""
logging.debug('in signin view')
on_failure = signin_failure
email_feeds_form = askbot_forms.SimpleEmailSubscribeForm()
#we need a special priority on where to redirect on successful login
#here:
#1) url parameter "next" - if explicitly set
#2) url from django setting LOGIN_REDIRECT_URL
#3) home page of the forum
login_redirect_url = getattr(settings, 'LOGIN_REDIRECT_URL', None)
next_url = get_next_url(request, default=login_redirect_url)
logging.debug('next url is %s' % next_url)
if askbot_settings.ALLOW_ADD_REMOVE_LOGIN_METHODS == False \
and request.user.is_authenticated():
return HttpResponseRedirect(next_url)
if next_url == reverse('user_signin'):
next_url = '%(next)s?next=%(next)s' % {'next': next_url}
login_form = forms.LoginForm(initial={'next': next_url})
#todo: get next url make it sticky if next is 'user_signin'
if request.method == 'POST':
login_form = forms.LoginForm(request.POST)
if login_form.is_valid():
provider_name = login_form.cleaned_data['login_provider_name']
if login_form.cleaned_data['login_type'] == 'password':
password_action = login_form.cleaned_data['password_action']
if askbot_settings.USE_LDAP_FOR_PASSWORD_LOGIN:
assert (password_action == 'login')
username = login_form.cleaned_data['username']
password = login_form.cleaned_data['password']
# will be None if authentication fails
user = authenticate(username=username,
password=password,
method='ldap')
if user is not None:
login(request, user)
return HttpResponseRedirect(next_url)
else:
return finalize_generic_signin(
request=request,
user=user,
user_identifier=username,
login_provider_name=provider_name,
redirect_url=next_url)
else:
if password_action == 'login':
user = authenticate(
username=login_form.cleaned_data['username'],
password=login_form.cleaned_data['password'],
provider_name=provider_name,
method='password')
if user is None:
login_form.set_password_login_error()
else:
login(request, user)
#todo: here we might need to set cookies
#for external login sites
return HttpResponseRedirect(next_url)
elif password_action == 'change_password':
if request.user.is_authenticated():
new_password = \
login_form.cleaned_data['new_password']
AuthBackend.set_password(
user=request.user,
password=new_password,
provider_name=provider_name)
request.user.message_set.create(
message=_('Your new password saved'))
return HttpResponseRedirect(next_url)
else:
logging.critical('unknown password action %s' %
password_action)
raise Http404
elif login_form.cleaned_data['login_type'] == 'openid':
#initiate communication process
logging.debug('processing signin with openid submission')
#todo: make a simple-use wrapper for openid protocol
sreg_req = sreg.SRegRequest(optional=['nickname', 'email'])
redirect_to = "%s%s?%s" % (
get_url_host(request), reverse('user_complete_signin'),
urllib.urlencode({'next': next_url}))
return ask_openid(request,
login_form.cleaned_data['openid_url'],
redirect_to,
on_failure=signin_failure,
sreg_request=sreg_req)
elif login_form.cleaned_data['login_type'] == 'oauth':
try:
#this url may need to have "next" piggibacked onto
callback_url = reverse('user_complete_oauth_signin')
connection = util.OAuthConnection(
provider_name, callback_url=callback_url)
connection.start()
request.session['oauth_token'] = connection.get_token()
request.session['oauth_provider_name'] = provider_name
request.session[
'next_url'] = next_url #special case for oauth
oauth_url = connection.get_auth_url(login_only=False)
return HttpResponseRedirect(oauth_url)
except util.OAuthError, e:
logging.critical(unicode(e))
msg = _('Unfortunately, there was some problem when '
'connecting to %(provider)s, please try again '
'or use another provider') % {
'provider': provider_name
}
request.user.message_set.create(message=msg)
elif login_form.cleaned_data['login_type'] == 'facebook':
#have to redirect for consistency
#there is a requirement that 'complete_signin'
try:
#this call may raise FacebookError
user_id = util.get_facebook_user_id(request)
user = authenticate(method='facebook',
facebook_user_id=user_id)
return finalize_generic_signin(
request=request,
user=user,
user_identifier=user_id,
login_provider_name=provider_name,
redirect_url=next_url)
except util.FacebookError, e:
logging.critical(unicode(e))
msg = _('Unfortunately, there was some problem when '
'connecting to %(provider)s, please try again '
'or use another provider') % {
'provider': 'Facebook'
}
request.user.message_set.create(message=msg)
elif login_form.cleaned_data['login_type'] == 'wordpress_site':
#here wordpress_site means for a self hosted wordpress blog not a wordpress.com blog
wp = Client(askbot_settings.WORDPRESS_SITE_URL,
login_form.cleaned_data['username'],
login_form.cleaned_data['password'])
try:
wp_user = wp.call(GetUserInfo())
custom_wp_openid_url = '%s?user_id=%s' % (wp.url,
wp_user.user_id)
user = authenticate(method='wordpress_site',
wordpress_url=wp.url,
wp_user_id=wp_user.user_id)
return finalize_generic_signin(
request=request,
user=user,
user_identifier=custom_wp_openid_url,
login_provider_name=provider_name,
redirect_url=next_url)
except WpFault, e:
logging.critical(unicode(e))
msg = _('The login password combination was not correct')
request.user.message_set.create(message=msg)
