def parse_peers_userid(configuration, raw_entries):
"""Parse list of user IDs into a list of peers"""
_logger = configuration.logger
peers = []
err = []
for entry in raw_entries:
raw_user = distinguished_name_to_user(entry.strip())
missing = [i for i in peers_fields if i not in raw_user]
if missing:
err.append("Parsed peers did NOT contain required field(s): %s"
% ', '.join(missing))
continue
# IMPORTANT: extract ONLY peers fields and validate to avoid abuse
peer_user = dict([(i, raw_user.get(i, '').strip())
for i in peers_fields])
defaults = dict([(i, REJECT_UNSET) for i in peer_user])
(accepted, rejected) = validated_input(peer_user, defaults,
list_wrap=True)
if rejected:
_logger.warning('skip peer with invalid value(s): %s : %s'
% (entry, rejected))
unsafe_err = ' , '.join(
['%s=%r' % pair for pair in peer_user.items()])
unsafe_err += '. Rejected values: ' + ', '.join(rejected)
err.append("Skip peer user with invalid value(s): %s" %
html_escape(unsafe_err))
continue
peers.append(canonical_user(configuration, peer_user, peers_fields))
_logger.debug('parsed user id into peers: %s' % peers)
return (peers, err)
def parse_peers_form(configuration, raw_lines, csv_sep):
"""Parse CSV form of peers into a list of peers"""
_logger = configuration.logger
header = None
peers = []
err = []
for line in raw_lines.split('\n'):
line = line.split('#', 1)[0].strip()
if not line:
continue
parts = [i.strip() for i in line.split(csv_sep)]
if not header:
missing = [i for i in peers_fields if i not in parts]
if missing:
err.append("Parsed peers did NOT contain required field(s): %s"
% ', '.join(missing))
header = parts
continue
if len(header) != len(parts):
_logger.warning('skip peers line with mismatch in field count: %s'
% line)
err.append("Skip peers line not matching header format: %s" %
html_escape(line + ' vs ' + csv_sep.join(header)))
continue
raw_user = dict(zip(header, parts))
# IMPORTANT: extract ONLY peers fields and validate to avoid abuse
peer_user = dict([(i, raw_user.get(i, '')) for i in peers_fields])
defaults = dict([(i, REJECT_UNSET) for i in peer_user])
(accepted, rejected) = validated_input(peer_user, defaults,
list_wrap=True)
if rejected:
_logger.warning('skip peer with invalid value(s): %s (%s)'
% (line, rejected))
unsafe_err = ' , '.join(
['%s=%r' % pair for pair in peer_user.items()])
unsafe_err += '. Rejected values: ' + ', '.join(rejected)
err.append("Skip peer user with invalid value(s): %s" %
html_escape(unsafe_err))
continue
peers.append(canonical_user(configuration, peer_user, peers_fields))
_logger.debug('parsed form into peers: %s' % peers)
return (peers, err)
def main(client_id, user_arguments_dict):
"""Main function used by front end"""
(configuration, logger, output_objects, op_name) = \
initialize_main_variables(client_id, op_header=False, op_menu=False)
client_dir = client_id_dir(client_id)
defaults = signature()[1]
(validate_status, accepted) = validate_input(user_arguments_dict,
defaults,
output_objects,
allow_rejects=False)
if not validate_status:
return (accepted, returnvalues.CLIENT_ERROR)
if not configuration.site_enable_openid or \
not 'migoid' in configuration.site_signup_methods:
output_objects.append({
'object_type':
'error_text',
'text':
'''Local OpenID login is not enabled on this site'''
})
return (output_objects, returnvalues.SYSTEM_ERROR)
title_entry = find_entry(output_objects, 'title')
title_entry['text'] = '%s OpenID account request' % \
configuration.short_title
title_entry['skipmenu'] = True
form_fields = [
'full_name', 'organization', 'email', 'country', 'state', 'password',
'verifypassword', 'comment'
]
title_entry['style']['advanced'] += account_css_helpers(configuration)
add_import, add_init, add_ready = account_js_helpers(
configuration, form_fields)
title_entry['script']['advanced'] += add_import
title_entry['script']['init'] += add_init
title_entry['script']['ready'] += add_ready
title_entry['script']['body'] = "class='staticpage'"
header_entry = {
'object_type':
'header',
'text':
'%s account request - with OpenID login' % configuration.short_title
}
output_objects.append(header_entry)
output_objects.append({
'object_type':
'html_form',
'text':
'''
<div id="contextual_help">
</div>
'''
})
# Please note that base_dir must end in slash to avoid access to other
# user dirs when own name is a prefix of another user name
base_dir = os.path.abspath(
os.path.join(configuration.user_home, client_dir)) + os.sep
user_fields = {
'full_name': '',
'organization': '',
'email': '',
'state': '',
'country': '',
'password': '',
'verifypassword': '',
'comment': ''
}
if not os.path.isdir(base_dir) and client_id:
# Redirect to extcert page with certificate requirement but without
# changing access method (CGI vs. WSGI).
extcert_url = os.environ['REQUEST_URI'].replace('-sid', '-bin')
extcert_url = os.path.join(os.path.dirname(extcert_url), 'extcert.py')
extcert_link = {
'object_type': 'link',
'destination': extcert_url,
'text': 'Sign up with existing certificate (%s)' % client_id
}
output_objects.append({
'object_type':
'warning',
'text':
'''Apparently
you already have a suitable %s certificate that you may sign up with:''' %
configuration.short_title
})
output_objects.append(extcert_link)
output_objects.append({
'object_type':
'warning',
'text':
'''However,
if you want a dedicated %s %s User OpenID you can still request one below:''' %
(configuration.short_title, configuration.user_mig_oid_title)
})
elif client_id:
for entry in (title_entry, header_entry):
entry['text'] = entry['text'].replace('request', 'request / renew')
output_objects.append({
'object_type':
'html_form',
'text':
'''<p>
Apparently you already have valid %s credentials, but if you want to add %s
User OpenID access to the same account you can do so by posting the form below.
Changing fields is <span class="warningtext"> not </span> supported, so all fields
must remain unchanged for it to work.
Otherwise it results in a request for a new account and OpenID without access
to your old files, jobs and privileges. </p>''' %
(configuration.short_title, configuration.user_mig_oid_title)
})
user_fields.update(distinguished_name_to_user(client_id))
# Override with arg values if set
for field in user_fields:
if not field in accepted:
continue
override_val = accepted[field][-1].strip()
if override_val:
user_fields[field] = override_val
user_fields = canonical_user(configuration, user_fields,
user_fields.keys())
# Site policy dictates min length greater or equal than password_min_len
policy_min_len, policy_min_classes = parse_password_policy(configuration)
user_fields.update({
'valid_name_chars':
'%s (and common accents)' % html_escape(valid_name_chars),
'valid_password_chars':
html_escape(valid_password_chars),
'password_min_len':
max(policy_min_len, password_min_len),
'password_max_len':
password_max_len,
'password_min_classes':
max(policy_min_classes, 1),
'site':
configuration.short_title
})
form_method = 'post'
csrf_limit = get_csrf_limit(configuration)
fill_helpers = {
'form_method': form_method,
'csrf_field': csrf_field,
'csrf_limit': csrf_limit
}
target_op = 'reqoidaction'
csrf_token = make_csrf_token(configuration, form_method, target_op,
client_id, csrf_limit)
fill_helpers.update({'target_op': target_op, 'csrf_token': csrf_token})
fill_helpers.update({'site_signup_hint': configuration.site_signup_hint})
# Write-protect ID fields if requested
for field in cert_field_map:
fill_helpers['readonly_%s' % field] = ''
ro_fields = [i for i in accepted['ro_fields'] if i in cert_field_map]
if keyword_auto in accepted['ro_fields']:
ro_fields += [i for i in cert_field_map if not i in ro_fields]
for field in ro_fields:
fill_helpers['readonly_%s' % field] = 'readonly'
fill_helpers.update(user_fields)
html = """
<p class='sub-title'>Please enter your information in at least the
<span class='highlight_required'>mandatory</span> fields below and press the
Send button to submit the account request to the %(site)s administrators.</p>
<p class='personal leftpad highlight_message'>
IMPORTANT: we need to identify and notify you about login info, so please use a
working Email address clearly affiliated with your Organization!
</p>
%(site_signup_hint)s
<hr />
"""
html += account_request_template(configuration,
default_values=fill_helpers)
# TODO: remove this legacy version?
html += """
<div style="height: 0; visibility: hidden; display: none;">
<!--OLD FORM-->
<form method='%(form_method)s' action='%(target_op)s.py' onSubmit='return validate_form();'>
<input type='hidden' name='%(csrf_field)s' value='%(csrf_token)s' />
<table>
<!-- NOTE: javascript support for unicode pattern matching is lacking so we
only restrict e.g. Full Name to words separated by space here. The
full check takes place in the backend, but users are better of with
sane early warnings than the cryptic backend errors.
-->
<tr><td class='mandatory label'>Full name</td><td><input id='full_name_field' type=text name=cert_name value='%(full_name)s' required pattern='[^ ]+([ ][^ ]+)+' title='Your full name, i.e. two or more names separated by space' /></td><td class=fill_space><br /></td></tr>
<tr><td class='mandatory label'>Email address</td><td><input id='email_field' type=email name=email value='%(email)s' required title='A valid email address that you read' /> </td><td class=fill_space><br /></td></tr>
<tr><td class='mandatory label'>Organization</td><td><input id='organization_field' type=text name=org value='%(organization)s' required pattern='[^ ]+([ ][^ ]+)*' title='Name of your organisation: one or more abbreviations or words separated by space' /></td><td class=fill_space><br /></td></tr>
<tr><td class='mandatory label'>Two letter country-code</td><td><input id='country_field' type=text name=country minlength=2 maxlength=2 value='%(country)s' required pattern='[A-Z]{2}' title='The two capital letters used to abbreviate your country' /></td><td class=fill_space><br /></td></tr>
<tr><td class='optional label'>State</td><td><input id='state_field' type=text name=state value='%(state)s' pattern='([A-Z]{2})?' maxlength=2 title='Leave empty or enter the capital 2-letter abbreviation of your state if you are a US resident' /> </td><td class=fill_space><br /></td></tr>
<tr><td class='mandatory label'>Password</td><td><input id='password_field' type=password name=password minlength=%(password_min_len)d maxlength=%(password_max_len)d value='%(password)s' required pattern='.{%(password_min_len)d,%(password_max_len)d}' title='Password of your choice, see help box for limitations' /> </td><td class=fill_space><br /></td></tr>
<tr><td class='mandatory label'>Verify password</td><td><input id='verifypassword_field' type=password name=verifypassword minlength=%(password_min_len)d maxlength=%(password_max_len)d value='%(verifypassword)s' required pattern='.{%(password_min_len)d,%(password_max_len)d}' title='Repeat your chosen password' /></td><td class=fill_space><br /></td></tr>
<!-- NOTE: we technically allow saving the password on scrambled form hide it by default -->
<tr class='hidden'><td class='optional label'>Password recovery</td><td class=''><input id='passwordrecovery_checkbox' type=checkbox name=passwordrecovery></td><td class=fill_space><br/></td></tr>
<tr><td class='optional label'>Optional comment or reason why you should<br />be granted a %(site)s account:</td><td><textarea id='comment_field' rows=4 name=comment title='A free-form comment where you can explain what you need the account for' ></textarea></td><td class=fill_space><br /></td></tr>
<tr><td class='label'><!-- empty area --></td><td>
<input id='submit_button' type=submit value=Send /></td><td class=fill_space><br/></td></tr>
</table>
</form>
<hr />
<div class='warn_message'>Please note that if you enable password recovery your password will be saved on encoded format but recoverable by the %(site)s administrators</div>
</div>
<br />
<br />
<!-- Hidden help text -->
<div id='help_text'>
<div id='1full_name_help'>Your full name, restricted to the characters in '%(valid_name_chars)s'</div>
<div id='1organization_help'>Organization name or acronym matching email</div>
<div id='1email_help'>Email address associated with your organization if at all possible</div>
<div id='1country_help'>Country code of your organization and on the form DE/DK/GB/US/.. , <a href='https://en.wikipedia.org/wiki/ISO_3166-1'>help</a></div>
<div id='1state_help'>Optional 2-letter ANSI state code of your organization, please just leave empty unless it is in the US or similar, <a href='https://en.wikipedia.org/wiki/List_of_U.S._state_abbreviations'>help</a></div>
<div id='1password_help'>Password is restricted to the characters:<br/><tt>%(valid_password_chars)s</tt><br/>Certain other complexity requirements apply for adequate strength. For example it must be %(password_min_len)s to %(password_max_len)s characters long and contain at least %(password_min_classes)d different character classes.</div>
<div id='1verifypassword_help'>Please repeat password</div>
<!--<div id='1comment_help'>Optional, but a short informative comment may help us verify your account needs and thus speed up our response. Typically the name of a local collaboration partner or project may be helpful.</div>-->
</div>
"""
output_objects.append({
'object_type': 'html_form',
'text': html % fill_helpers
})
return (output_objects, returnvalues.OK)
def main(client_id, user_arguments_dict):
"""Main function used by front end"""
(configuration, logger, output_objects, op_name) = \
initialize_main_variables(client_id, op_header=False, op_menu=False)
defaults = signature()[1]
(validate_status, accepted) = validate_input_and_cert(
user_arguments_dict,
defaults,
output_objects,
client_id,
configuration,
allow_rejects=False,
require_user=False
)
if not validate_status:
return (accepted, returnvalues.CLIENT_ERROR)
if not 'extcert' in configuration.site_signup_methods:
output_objects.append(
{'object_type': 'error_text', 'text':
'''X.509 certificate login is not enabled on this site'''})
return (output_objects, returnvalues.SYSTEM_ERROR)
title_entry = find_entry(output_objects, 'title')
title_entry['text'] = '%s certificate account sign up' % \
configuration.short_title
title_entry['skipmenu'] = True
form_fields = ['cert_id', 'cert_name', 'organization', 'email', 'country',
'state', 'comment']
title_entry['style']['advanced'] += account_css_helpers(configuration)
add_import, add_init, add_ready = account_js_helpers(configuration,
form_fields)
title_entry['script']['advanced'] += add_import
title_entry['script']['init'] += add_init
title_entry['script']['ready'] += add_ready
title_entry['script']['body'] = "class='staticpage'"
# output_objects.append({'object_type': 'html_form',
# 'text': '''
# <div id="contextual_help">
# <div class="help_gfx_bubble"><!-- graphically connect field with help text--></div>
# <div class="help_message"><!-- filled by js --></div>
# </div>
# '''})
header_entry = {'object_type': 'header', 'text':
'%s account sign up - with certificate login' %
configuration.short_title}
output_objects.append(header_entry)
user_fields = {'full_name': '', 'organization': '', 'email': '',
'state': '', 'country': '', 'comment': ''}
# Redirect to reqcert page without certificate requirement but without
# changing access method (CGI vs. WSGI).
certreq_url = os.environ['REQUEST_URI'].replace('-bin', '-sid')
certreq_url = os.path.join(os.path.dirname(certreq_url), 'reqcert.py')
certreq_link = {'object_type': 'link', 'destination': certreq_url,
'text': 'Request a new %s certificate account' %
configuration.short_title}
id_fields = distinguished_name_to_user(client_id)
user_fields.update(id_fields)
# Override with arg values if set
for field in user_fields:
if not field in accepted:
continue
override_val = accepted[field][-1].strip()
if override_val:
user_fields[field] = override_val
user_fields = canonical_user(configuration, user_fields,
user_fields.keys())
# If cert auto create is on, add user without admin interaction
form_method = 'post'
csrf_limit = get_csrf_limit(configuration)
fill_helpers = {'valid_name_chars': valid_name_chars,
'client_id': client_id,
'cert_id': client_id,
'dn_max_len': dn_max_len,
'site': configuration.short_title,
'form_method': form_method,
'csrf_field': csrf_field,
'csrf_limit': csrf_limit}
if configuration.auto_add_cert_user == False:
target_op = 'extcertaction'
else:
target_op = 'autocreate'
csrf_token = make_csrf_token(configuration, form_method, target_op,
client_id, csrf_limit)
fill_helpers.update({'target_op': target_op, 'csrf_token': csrf_token})
fill_helpers.update({'site_signup_hint': configuration.site_signup_hint})
# Write-protect ID fields if requested
for field in cert_field_map:
fill_helpers['readonly_%s' % field] = ''
ro_fields = [i for i in accepted['ro_fields'] if i in cert_field_map]
if keyword_auto in accepted['ro_fields']:
ro_fields += [i for i in cert_field_map if not i in ro_fields]
# NOTE: lock all ID fields to current certificate here
ro_fields += [i for i in id_fields if not i in ro_fields]
for field in ro_fields:
fill_helpers['readonly_%s' % field] = 'readonly'
fill_helpers.update(user_fields)
html = """This page is
used to sign up for %(site)s with an existing certificate from a Certificate
Authority (CA) allowed for %(site)s.
You can use it if you already have a x509 certificate from another accepted CA.
In this way you can simply use your existing certificate for %(site)s access
instead of requesting a new one.
<br />
The page tries to auto load any certificate your browser provides and fill in
the fields accordingly, but in case it can't guess all
<span class=highlight_required>mandatory</span> fields, you still need to fill
in those.<br />
Please enter any missing information below and press the Send button to submit
the external certificate sign up request to the %(site)s administrators.
<p class='personal leftpad highlight_message'>
IMPORTANT: we need to identify and notify you about login info, so please use a
working Email address clearly affiliated with your Organization!
</p>
%(site_signup_hint)s
<hr />
"""
html += account_request_template(configuration, password=False,
default_values=fill_helpers)
# TODO : remove this legacy version?
html += """
<div style="height: 0; visibility: hidden; display: none;">
<!--OLD FORM-->
<div class=form_container>
<!-- use post here to avoid field contents in URL -->
<form method='%(form_method)s' action='%(target_op)s.py' onSubmit='return validate_form();'>
<input type='hidden' name='%(csrf_field)s' value='%(csrf_token)s' />
<table>
<!-- NOTE: javascript support for unicode pattern matching is lacking so we
only restrict e.g. Full Name to words separated by space here. The
full check takes place in the backend, but users are better of with
sane early warnings than the cryptic backend errors.
-->
<tr><td class='mandatory label'>Certificate DN</td><td><input id='cert_id_field' type=text size=%(dn_max_len)s maxlength=%(dn_max_len)s name=cert_id value='%(client_id)s' required pattern='(/[a-zA-Z]+=[^/ ]+([ ][^/ ]+)*)+' title='The Distinguished Name field of your certificate, i.e. key=value pairs separated by slashes' /></td><td class=fill_space></td></tr>
<tr><td class='mandatory label'>Full name</td><td><input id='cert_name_field' type=text name=cert_name value='%(full_name)s' required pattern='[^ ]+([ ][^ ]+)+' title='Your full name, i.e. two or more names separated by space' /></td><td class=fill_space></td></tr>
<tr><td class='mandatory label'>Email address</td><td><input id='email_field' type=email name=email value='%(email)s' title='A valid email address that you read' /></td><td class=fill_space></td></tr>
<tr><td class='mandatory label'>Organization</td><td><input id='organization_field' type=text name=org value='%(organization)s' required pattern='[^ ]+([ ][^ ]+)*' title='Name of your organisation: one or more abbreviations or words separated by space' /></td><td class=fill_space></td></tr>
<tr><td class='mandatory label'>Two letter country-code</td><td><input id='country_field' type=text name=country minlength=2 maxlength=2 value='%(country)s' required pattern='[A-Z]{2}' title='The two capital letters used to abbreviate your country' /></td><td class=fill_space></td></tr>
<tr><td class='optional label'>State</td><td><input id='state_field' type=text name=state value='%(state)s' pattern='([A-Z]{2})?' maxlength=2 title='Leave empty or enter the capital 2-letter abbreviation of your state if you are a US resident' /></td><td class=fill_space></td></tr>
<tr><td class='optional label'>Comment or reason why you should<br />be granted a %(site)s certificate:</td><td><textarea id='comment_field' rows=4 name=comment title='A free-form comment where you can explain what you need the certificate for'></textarea></td><td class=fill_space></td></tr>
<tr><td class='label'><!-- empty area --></td><td><input id='submit_button' type='submit' value='Send' /></td><td class=fill_space></td></tr>
</table>
</form>
</div>
<!-- Hidden help text -->
<div id='help_text'>
<div id='cert_id_help'>Must be the exact Distinguished Name (DN) of your certificate</div>
<div id='cert_name_help'>Your full name, restricted to the characters in '%(valid_name_chars)s'</div>
<div id='organization_help'>Organization name or acronym matching email</div>
<div id='email_help'>Email address associated with your organization if at all possible</div>
<div id='country_help'>Country code of your organization and on the form DE/DK/GB/US/.. , <a href='https://en.wikipedia.org/wiki/ISO_3166-1'>help</a></div>
<div id='state_help'>Optional 2-letter ANSI state code of your organization, please just leave empty unless it is in the US or similar, <a href='https://en.wikipedia.org/wiki/List_of_U.S._state_abbreviations'>help</a></div>
<div id='comment_help'>Optional, but a short informative comment may help us verify your certificate needs and thus speed up our response.</div>
</div>
</div>
"""
output_objects.append({'object_type': 'html_form', 'text':
html % fill_helpers})
return (output_objects, returnvalues.OK)