Esempio n. 1
0
def openid_decide(request):
    """
    The page that asks the user if they really want to sign in to the site, and
    lets them add the consumer to their trusted whitelist.
    # If user is logged in, ask if they want to trust this trust_root
    # If they are NOT logged in, show the landing page
    """
    custom_log(request, "User entered openid_decide page", level="debug")
    server = Server(get_store(request),
	op_endpoint=request.build_absolute_uri(reverse('openid-provider-root')))
    orequest = server.decodeRequest(request.session.get('OPENID_REQUEST'))
    trust_root_valid = request.session.get('OPENID_TRUSTROOT_VALID')

    if not (request.browser and request.browser.user and request.browser.is_authenticated() and request.user.is_authenticated()):
        custom_log(request, "User is not authenticated. Redirect to sign-in page", level="debug")
        return landing_page(request, orequest)

    if not orequest:
        custom_log(request, "Entered decide page with no OpenID session in progress", level="warn")
        return error_page(request, "You don't have OpenID login session in progress.")

    openid = openid_get_identity(request, orequest.identity)
    if openid is None:
        custom_log(request, "No OpenID exists for user %s" % request.browser.user, level="warn")
        return error_page(
            request, "You are signed in but you don't have OpenID here!")

    if request.method == 'POST' and request.POST.get('decide_page', False):
        if request.POST.get("cancel"):
            custom_log(request, "User cancelled authentication from the decide page", level="info")
            for k in ["AuthorizationInfo", "OPENID_TRUSTROOT_VALID", "OPENID_REQUEST", get_trust_session_key(orequest)]:
                try:
                    del request.session[k]
                except KeyError:
                    pass
            custom_log(request, "Cancelled. Redirect to front page", level="debug")
            return HttpResponseRedirect(reverse("login_frontend.views.indexview"))
        (obj, created) = TrustedRoot.objects.get_or_create(
            openid=openid, trust_root=orequest.trust_root)
        if created:
            custom_log(request, "Created a new TrustRoot for %s" % orequest.trust_root)
        else:
            custom_log(request, "Old TrustRoot for %s exists" % orequest.trust_root)
        if not conf.FAILED_DISCOVERY_AS_VALID:
            custom_log(request, "Setting %s=True" % (get_trust_session_key(orequest)), level="debug")
            request.session[get_trust_session_key(orequest)] = True
        custom_log(request, "Redirecting to OpenID server root", level="debug")
        return HttpResponseRedirect(reverse('openid-provider-root'))

    custom_log(request, "Showing decide page", level="info")
    return render_to_response('openid_provider/decide.html', {
        'title': _('Trust this site?'),
        'trust_root': orequest.trust_root,
        'trust_root_valid': trust_root_valid,
        'return_to': orequest.return_to,
        'identity': orequest.identity,
        'sreg': get_default_sreg_data(request, orequest),
    }, context_instance=RequestContext(request))
Esempio n. 2
0
def openid_decide(request):
    """
    The page that asks the user if they really want to sign in to the site, and
    lets them add the consumer to their trusted whitelist.
    # If user is logged in, ask if they want to trust this trust_root
    # If they are NOT logged in, show the landing page
    """
    custom_log(request, "User entered openid_decide page", level="debug")
    server = Server(get_store(request),
	op_endpoint=request.build_absolute_uri(reverse('openid-provider-root')))
    orequest = server.decodeRequest(request.session.get('OPENID_REQUEST'))
    trust_root_valid = request.session.get('OPENID_TRUSTROOT_VALID')

    if not (request.browser and request.browser.user and request.browser.is_authenticated() and request.user.is_authenticated()):
        custom_log(request, "User is not authenticated. Redirect to sign-in page", level="debug")
        return landing_page(request, orequest)

    openid = openid_get_identity(request, orequest.identity)
    if openid is None:
        custom_log(request, "No OpenID exists for user %s" % request.browser.user, level="warn")
        return error_page(
            request, "You are signed in but you don't have OpenID here!")

    if request.method == 'POST' and request.POST.get('decide_page', False):
        if request.POST.get("cancel"):
            custom_log(request, "User cancelled authentication from the decide page", level="info")
            for k in ["AuthorizationInfo", "OPENID_TRUSTROOT_VALID", "OPENID_REQUEST", get_trust_session_key(orequest)]:
                try:
                    del request.session[k]
                except KeyError:
                    pass
            custom_log(request, "Cancelled. Redirect to front page", level="debug")
            return HttpResponseRedirect(reverse("login_frontend.views.indexview"))
        (obj, created) = TrustedRoot.objects.get_or_create(
            openid=openid, trust_root=orequest.trust_root)
        if created:
            custom_log(request, "Created a new TrustRoot for %s" % orequest.trust_root)
        else:
            custom_log(request, "Old TrustRoot for %s exists" % orequest.trust_root)
        if not conf.FAILED_DISCOVERY_AS_VALID:
            custom_log(request, "Setting %s=True" % (get_trust_session_key(orequest)), level="debug")
            request.session[get_trust_session_key(orequest)] = True
        custom_log(request, "Redirecting to OpenID server root", level="debug")
        return HttpResponseRedirect(reverse('openid-provider-root'))

    custom_log(request, "Showing decide page", level="info")
    return render_to_response('openid_provider/decide.html', {
        'title': _('Trust this site?'),
        'trust_root': orequest.trust_root,
        'trust_root_valid': trust_root_valid,
        'return_to': orequest.return_to,
        'identity': orequest.identity,
        'sreg': get_default_sreg_data(request, orequest),
    }, context_instance=RequestContext(request))
Esempio n. 3
0
def openid_get_server(request):
    return Server(
        get_store(request),
        op_endpoint=request.build_absolute_uri(
            reverse('openid-provider-root')))
Esempio n. 4
0
def openid_server(request):
    """
    This view is the actual OpenID server - running at the URL pointed to by 
    the <link rel="openid.server"> tag. 
    """
    custom_log(request, "Server request: %s: %s" % (request.method, request.POST or request.GET), level="debug")

    server = Server(get_store(request),
        op_endpoint=request.build_absolute_uri(reverse('openid-provider-root')))

    if not request.is_secure():
        # if request is not secure allow only encrypted association sessions
        custom_log(request, "Request is not secure. Switching to encrypted negotiator", level="debug")
        server.negotiator = encrypted_negotiator

    # Clear AuthorizationInfo session var, if it is set
    if request.session.get('AuthorizationInfo', None):
        custom_log(request, "Clearing AuthorizationInfo session var", level="debug")
        del request.session['AuthorizationInfo']

    querydict = dict(request.REQUEST.items())
    orequest = server.decodeRequest(querydict)
    if not orequest:
        orequest = server.decodeRequest(request.session.get('OPENID_REQUEST', None))
        if orequest:
            # remove session stored data:
            custom_log(request, "Removing stored data from session", level="debug")
            del request.session['OPENID_REQUEST']
        else:
            # not request, render info page:
            data = {
                'host': request.build_absolute_uri('/'),
                'xrds_location': request.build_absolute_uri(
                    reverse('openid-provider-xrds')),
            }
            custom_log(request, "Not an OpenID request, sending info: %s" % data, level="info")
            if request.browser and request.browser.user:
                data["openid_identifier"] = "https://" + request.get_host() +  reverse('openid-provider-identity', args=[request.browser.user.username])
            else:
                data["page_url"] = request.build_absolute_uri()
            return render_to_response('openid_provider/server.html',
                                      data,
                                      context_instance=RequestContext(request))

    custom_log(request, "orequest.mode: %s" % orequest.mode, level="debug")

    if orequest.mode in BROWSER_REQUEST_MODES:
        if not (request.browser and request.browser.user and request.browser.is_authenticated() and request.user.is_authenticated()):
            custom_log(request, "no local authentication, sending landing page", level="debug")
            return landing_page(request, orequest)

        openid = openid_is_authorized(request, orequest.identity,
                                      orequest.trust_root)

        # verify return_to:
        trust_root_valid = trust_root_validation(orequest)
        custom_log(request, "trust_root_valid=%s" % trust_root_valid, level="debug")
        validated = False

        # Allow per-url exceptions for trust roots.
        for global_trusted_root in settings.OPENID_TRUSTED_ROOTS:
            if orequest.trust_root.startswith(global_trusted_root):
                custom_log(request, "Trust root %s is in always trusted roots. Set validated=True" % orequest.trust_root, level="debug")
                validated = True
                break

        if conf.FAILED_DISCOVERY_AS_VALID:
            if trust_root_valid == 'DISCOVERY_FAILED' or trust_root_valid == 'Unreachable':
                custom_log(request, "Setting validated=True as FAILED_DISCOVERY_AS_VALID is True", level="debug")
                validated = True
        else:
            # if in decide already took place, set as valid:
            if request.session.get(get_trust_session_key(orequest), False):
                custom_log(request, "Setting validated=True as session var %s is True" % (get_trust_session_key(orequest)), level="debug")
                validated = True

        custom_log(request, "Session key: %s=%s" % (get_trust_session_key(orequest), request.session.get(get_trust_session_key(orequest))), level="debug")

        custom_log(request, "OpenID is %s" % openid, level="debug")
        if openid is not None and (validated or trust_root_valid == 'Valid'):
            id_url = request.build_absolute_uri(
                reverse('openid-provider-identity', args=[openid.openid]))
            try:
                oresponse = orequest.answer(True, identity=id_url)
            except ValueError, e:
                return render_to_response("openid_provider/error.html", {"title": "Invalid identity URL", "msg": e.message}, context_instance=RequestContext(request))
            custom_log(request, 'orequest.answer(True, identity="%s")' % id_url, level="debug")
        elif orequest.immediate:
            custom_log(request, 'checkid_immediate mode not supported', level="debug")
            raise Exception('checkid_immediate mode not supported')
        else:
            request.session['OPENID_REQUEST'] = orequest.message.toPostArgs()
            request.session['OPENID_TRUSTROOT_VALID'] = trust_root_valid
            custom_log(request, "redirecting to decide page", level="debug")
            return HttpResponseRedirect(reverse('openid-provider-decide'))
Esempio n. 5
0
def openid_get_server(request):
    return Server(get_store(request),
                  op_endpoint=request.build_absolute_uri(
                      reverse('openid-provider-root')))
Esempio n. 6
0
def openid_server(request):
    """
    This view is the actual OpenID server - running at the URL pointed to by
    the <link rel="openid.server"> tag.
    """
    logger.debug('server request %s: %s',
                 request.method, request.POST or request.GET)
    server = Server(get_store(request),
        op_endpoint=request.build_absolute_uri(reverse('openid-provider-root')))

    if not request.is_secure():
        # if request is not secure allow only encrypted association sessions
        server.negotiator = encrypted_negotiator

    # Clear AuthorizationInfo session var, if it is set
    if request.session.get('AuthorizationInfo', None):
        del request.session['AuthorizationInfo']

    querydict = dict(request.POST.items())
    orequest = server.decodeRequest(querydict)
    if not orequest:
        orequest = request.session.get('OPENID_REQUEST', None)
        if orequest:
            # remove session stored data:
            del request.session['OPENID_REQUEST']
        else:
            # not request, render info page:
            data = {
                'host': request.build_absolute_uri('/'),
                'xrds_location': request.build_absolute_uri(
                    reverse('openid-provider-xrds')),
            }
            # Return empty string
            return HttpResponse("", content_type="text/plain")

    if orequest.mode in BROWSER_REQUEST_MODES:
        if not request.user.is_authenticated:
            logger.debug('no local authentication, sending landing page')
            return landing_page(request, orequest)

        openid = openid_is_authorized(request, orequest.identity,
                                      orequest.trust_root)

        if openid is not None:
            id_url = request.build_absolute_uri(
                reverse('openid-provider-identity', args=[openid.openid]))
            oresponse = orequest.answer(True, identity=id_url)
            logger.debug('orequest.answer(True, identity="%s")', id_url)
        elif orequest.immediate:
            logger.debug('checkid_immediate mode not supported')
            raise Exception('checkid_immediate mode not supported')
        else:
            request.session['OPENID_REQUEST'] = orequest
            logger.debug('redirecting to decide page')
            return HttpResponseRedirect(reverse('openid-provider-decide'))
    else:
        oresponse = server.handleRequest(orequest)
    if request.user.is_authenticated:
        add_sreg_data(request, orequest, oresponse)
        if conf.AX_EXTENSION:
            add_ax_data(request, orequest, oresponse)
    # Convert a webresponse from the OpenID library in to a Django HttpResponse
    webresponse = server.encodeResponse(oresponse)
    if webresponse.code == 200 and orequest.mode in BROWSER_REQUEST_MODES:
        response = render(request, 'openid_provider/response.html', {
            'body': webresponse.body,
        })
        logger.debug('rendering browser response')
    else:
        response = HttpResponse(webresponse.body)
        response.status_code = webresponse.code
        for key, value in webresponse.headers.items():
            response[key] = value
        logger.debug('rendering raw response')
    return response
Esempio n. 7
0
def openid_server(request):
    """
    This view is the actual OpenID server - running at the URL pointed to by 
    the <link rel="openid.server"> tag. 
    """
    custom_log(request, "Server request: %s: %s" % (request.method, request.POST or request.GET), level="debug")

    server = Server(get_store(request),
        op_endpoint=request.build_absolute_uri(reverse('openid-provider-root')))

    if not request.is_secure():
        # if request is not secure allow only encrypted association sessions
        custom_log(request, "Request is not secure. Switching to encrypted negotiator", level="debug")
        server.negotiator = encrypted_negotiator

    # Clear AuthorizationInfo session var, if it is set
    if request.session.get('AuthorizationInfo', None):
        custom_log(request, "Clearing AuthorizationInfo session var", level="debug")
        del request.session['AuthorizationInfo']

    querydict = dict(request.REQUEST.items())
    orequest = server.decodeRequest(querydict)
    if not orequest:
        orequest = server.decodeRequest(request.session.get('OPENID_REQUEST', None))
        if orequest:
            # remove session stored data:
            custom_log(request, "Removing stored data from session", level="debug")
            del request.session['OPENID_REQUEST']
        else:
            # not request, render info page:
            data = {
                'host': request.build_absolute_uri('/'),
                'xrds_location': request.build_absolute_uri(
                    reverse('openid-provider-xrds')),
            }
            custom_log(request, "Not an OpenID request, sending info: %s" % data, level="info")
            if request.browser and request.browser.user:
                data["openid_identifier"] = "https://" + request.get_host() +  reverse('openid-provider-identity', args=[request.browser.user.username])
            else:
                data["page_url"] = request.build_absolute_uri()
            return render_to_response('openid_provider/server.html',
                                      data,
                                      context_instance=RequestContext(request))

    custom_log(request, "orequest.mode: %s" % orequest.mode, level="debug")

    if orequest.mode in BROWSER_REQUEST_MODES:
        if not (request.browser and request.browser.user and request.browser.is_authenticated() and request.user.is_authenticated()):
            custom_log(request, "no local authentication, sending landing page", level="debug")
            return landing_page(request, orequest)

        openid = openid_is_authorized(request, orequest.identity,
                                      orequest.trust_root)

        # verify return_to:
        trust_root_valid = trust_root_validation(orequest)
        custom_log(request, "trust_root_valid=%s" % trust_root_valid, level="debug")
        validated = False

        # Allow per-url exceptions for trust roots.
        for global_trusted_root in settings.OPENID_TRUSTED_ROOTS:
            if orequest.trust_root.startswith(global_trusted_root):
                custom_log(request, "Trust root %s is in always trusted roots. Set validated=True" % orequest.trust_root, level="debug")
                validated = True
                break

        if conf.FAILED_DISCOVERY_AS_VALID:
            if trust_root_valid == 'DISCOVERY_FAILED' or trust_root_valid == 'Unreachable':
                custom_log(request, "Setting validated=True as FAILED_DISCOVERY_AS_VALID is True", level="debug")
                validated = True
        else:
            # if in decide already took place, set as valid:
            if request.session.get(get_trust_session_key(orequest), False):
                custom_log(request, "Setting validated=True as session var %s is True" % (get_trust_session_key(orequest)), level="debug")
                validated = True

        custom_log(request, "Session key: %s=%s" % (get_trust_session_key(orequest), request.session.get(get_trust_session_key(orequest))), level="debug")

        custom_log(request, "OpenID is %s" % openid, level="debug")
        if openid is not None and (validated or trust_root_valid == 'Valid'):
            id_url = request.build_absolute_uri(
                reverse('openid-provider-identity', args=[openid.openid]))
            try:
                oresponse = orequest.answer(True, identity=id_url)
            except ValueError, e:
                return render_to_response("openid_provider/error.html", {"title": "Invalid identity URL", "msg": e.message}, context_instance=RequestContext(request))
            custom_log(request, 'orequest.answer(True, identity="%s")' % id_url, level="debug")
        elif orequest.immediate:
            custom_log(request, 'checkid_immediate mode not supported', level="debug")
            raise Exception('checkid_immediate mode not supported')
        else:
            request.session['OPENID_REQUEST'] = orequest.message.toPostArgs()
            request.session['OPENID_TRUSTROOT_VALID'] = trust_root_valid
            custom_log(request, "redirecting to decide page", level="debug")
            return HttpResponseRedirect(reverse('openid-provider-decide'))
Esempio n. 8
0
def openid_server(request):
    """
    This view is the actual OpenID server - running at the URL pointed to by 
    the <link rel="openid.server"> tag. 
    """
    logger.debug('server request %s: %s', request.method, request.POST
                 or request.GET)
    server = Server(get_store(request),
                    op_endpoint=request.build_absolute_uri(
                        reverse('openid-provider-root')))

    if not request.is_secure():
        # if request is not secure allow only encrypted association sessions
        server.negotiator = encrypted_negotiator

    # Clear AuthorizationInfo session var, if it is set
    if request.session.get('AuthorizationInfo', None):
        del request.session['AuthorizationInfo']

    querydict = dict(request.REQUEST.items())
    orequest = server.decodeRequest(querydict)
    if not orequest:
        orequest = request.session.get('OPENID_REQUEST', None)
        if orequest:
            # remove session stored data:
            del request.session['OPENID_REQUEST']
        else:
            # not request, render info page:
            data = {
                'host':
                request.build_absolute_uri('/'),
                'xrds_location':
                request.build_absolute_uri(reverse('openid-provider-xrds')),
            }
            logger.debug('invalid request, sending info: %s', data)
            return render_to_response('openid_provider/server.html',
                                      data,
                                      context_instance=RequestContext(request))

    if orequest.mode in BROWSER_REQUEST_MODES:
        if not request.user.is_authenticated():

            #return HttpResponse(orequest.return_to)
            logger.debug('no local authentication, sending landing page')
            return landing_page(request, orequest)

        openid = openid_is_authorized(request, orequest.identity,
                                      orequest.trust_root)

        if openid is not None:
            id_url = request.build_absolute_uri(
                reverse('openid-provider-identity', args=[openid.openid]))
            oresponse = orequest.answer(True, identity=id_url)
            logger.debug('orequest.answer(True, identity="%s")', id_url)
        elif orequest.immediate:
            logger.debug('checkid_immediate mode not supported')
            raise Exception('checkid_immediate mode not supported')
        else:
            request.session['OPENID_REQUEST'] = orequest
            logger.debug('redirecting to decide page')
            return HttpResponseRedirect(reverse('openid-provider-decide'))
    else:
        oresponse = server.handleRequest(orequest)
    if request.user.is_authenticated():
        add_sreg_data(request, orequest, oresponse)
        if conf.AX_EXTENSION:
            add_ax_data(request, orequest, oresponse)
    # Convert a webresponse from the OpenID library in to a Django HttpResponse
    webresponse = server.encodeResponse(oresponse)
    if webresponse.code == 200 and orequest.mode in BROWSER_REQUEST_MODES:
        response = render_to_response('openid_provider/response.html', {
            'body': webresponse.body,
        },
                                      context_instance=RequestContext(request))
        logger.debug('rendering browser response')
    else:
        response = HttpResponse(webresponse.body)
        response.status_code = webresponse.code
        for key, value in webresponse.headers.items():
            response[key] = value
        logger.debug('rendering raw response')
    return response