def test_contains(self): req = sreg.SRegRequest() for field_name in sreg.data_fields: self.assertNotIn(field_name, req) self.assertNotIn('something else', req) req.requestField('nickname') for field_name in sreg.data_fields: if field_name == 'nickname': self.assertIn(field_name, req) else: self.assertNotIn(field_name, req)
def start_openid(session, openid_url, trust_root, return_to): """ Start the OpenID authentication process. * Requests some Simple Registration data using the OpenID library's Simple Registration machinery * Generates the appropriate trust root and return URL values for this application (tweak where appropriate) * Generates the appropriate redirect based on the OpenID protocol version. """ # Start OpenID authentication. c = get_consumer(session) try: auth_request = c.begin(openid_url) except DiscoveryFailure as e: # Some other protocol-level failure occurred. raise Exception("error in openid: OpenID discovery error") from e # Add Simple Registration request information. Some fields # are optional, some are required. It's possible that the # server doesn't support sreg or won't return any of the # fields. sreg_request = sreg.SRegRequest(required=['email'], optional=[]) auth_request.addExtension(sreg_request) # Add Attribute Exchange request information. ax_request = ax.FetchRequest() # XXX - uses myOpenID-compatible schema values, which are # not those listed at axschema.org. for k, v in AX_REQUIRED_FIELDS.items(): ax_request.add(ax.AttrInfo(v, required=True)) auth_request.addExtension(ax_request) # Compute the trust root and return URL values to build the # redirect information. # trust_root = util.getViewURL(request, startOpenID) # return_to = util.getViewURL(request, finishOpenID) # Send the browser to the server either by sending a redirect # URL or by generating a POST form. url = auth_request.redirectURL(trust_root, return_to) return url
def login(request, environ, start_response, ask_info=False): """Redirect the user to the openid provider. Arguments: - ask_info: bool, default False. If set to true, will use the sreg and ax extensions to ask info about the user (email, name...). """ user_url = request.GET['url'] session, oi_session = get_sessions(environ) trust_root = request.host_url return_to = "%s/socialauth/openid/process" % trust_root immediate = False # If set to true and the identity provider can not reply # immediatly (user has to approve), then authentication will fail. # If set to True, then we have to handle the SetupNeeded response case in # process function. consumer = Consumer(oi_session, OPENID_STORE) auth_req = consumer.begin(user_url) if ask_info: sreg_request = sreg.SRegRequest(required=['email' ]) #, optional=SREG_FIELDS) auth_req.addExtension(sreg_request) ax_request = ax.FetchRequest() for alias, url in AX_FIELDS.iteritems(): ax_request.add(ax.AttrInfo(url, alias=alias, required=True)) auth_req.addExtension(ax_request) # PAPE (Provider Authentication Policy Extension): # TODO (an treat pape.Response as well) #pape_request = pape.Request([pape.AUTH_PHISHING_RESISTANT]) #auth_req.addExtension(pape_request) session.save() if auth_req.shouldSendRedirect(): redirect_url = auth_req.redirectURL(trust_root, return_to, immediate=immediate) start_response('302 Redirect', [('Location', redirect_url)]) return [] else: form_html = auth_req.htmlMarkup( trust_root, return_to, form_tag_attrs={'id': 'openid_message'}, immediate=immediate) start_response('200 OK', [('Content-Type', 'text/html')]) return [form_html]
def login(self, req): continue_url = req.values.get('continue') or req.headers.get( 'Referer', '/') consumer = Consumer({}, self.store) authreq = consumer.begin(current_app.config['OPENID2_YADIS']) sregreq = sreg.SRegRequest(optional=['username', 'uid'], required=['email', 'groups']) authreq.addExtension(sregreq) verify_url = urljoin(req.host_url, self.verify_url) + '?' + urlencode( {'continue': continue_url}) urlencode({'continue': continue_url}) url = authreq.redirectURL(return_to=verify_url, realm=req.host_url) return redirect(location=url)
def signin(request): """ signin page. It manage the legacy authentification (user/password) and authentification with openid. url: /signin/ template : authopenid/signin.htm """ on_failure = signin_failure next = clean_next(request.GET.get('next')) form_signin = OpenidSigninForm(initial={'next': next}) form_auth = OpenidAuthForm(initial={'next': next}) if request.POST: if 'bsignin' in request.POST.keys(): form_signin = OpenidSigninForm(request.POST) if form_signin.is_valid(): next = clean_next(form_signin.cleaned_data.get('next')) sreg_req = sreg.SRegRequest(optional=['nickname', 'email']) redirect_to = "%s%s?%s" % (get_url_host(request), reverse('user_complete_signin'), urllib.urlencode({'next': next})) return ask_openid(request, form_signin.cleaned_data['openid_url'], redirect_to, on_failure=signin_failure, sreg_request=sreg_req) elif 'blogin' in request.POST.keys(): # perform normal django authentification form_auth = OpenidAuthForm(request.POST) if form_auth.is_valid(): user_ = form_auth.get_user() login(request, user_) next = clean_next(form_auth.cleaned_data.get('next')) return HttpResponseRedirect(next) return render('authopenid/signin.html', { 'form1': form_auth, 'form2': form_signin, 'msg': request.GET.get('msg', ''), 'sendpw_url': reverse('user_sendpw'), }, context_instance=RequestContext(request))
def _add_extensions(self, request): """Add extensions to the request""" sreg_request = sreg.SRegRequest(required=self._REQUIRED_ATTRIBUTES, optional=self._OPTIONAL_ATTRIBUTES) request.addExtension(sreg_request) ax_request = ax.FetchRequest() for alias in self._REQUIRED_ATTRIBUTES: uri = utils.SREG2AX[alias] ax_request.add(ax.AttrInfo(uri, required=True, alias=alias)) for alias in self._OPTIONAL_ATTRIBUTES: uri = utils.SREG2AX[alias] ax_request.add(ax.AttrInfo(uri, required=False, alias=alias)) request.addExtension(ax_request)
def handleRequest(self, plugin, path, params, request, **kwargs): if plugin != 'tellduslive': return None oidconsumer = consumer.Consumer({}, self.store) if path == 'login': try: authrequest = oidconsumer.begin('http://login.telldus.com') except consumer.DiscoveryFailure, exc: logging.error(str(exc[0])) return None # TODO(micke): Error sregRequest = sreg.SRegRequest(required=['fullname', 'email']) authrequest.addExtension(sregRequest) trustRoot = request.base() returnTo = '%s/tellduslive/authorize' % request.base() url = authrequest.redirectURL(trustRoot, returnTo) return WebResponseRedirect(url)
def get_redirect_url(self): auth_request = self.consumer.begin(self.endpoint_url) if self.ax_attrs: ax_request = ax.FetchRequest() for ax_attr in self.ax_attrs: ax_request.add(ax.AttrInfo(AX_ATTRS[ax_attr], required=True)) auth_request.addExtension(ax_request) if self.sreg_attrs: auth_request.addExtension( sreg.SRegRequest(required=self.sreg_attrs)) redirect_url = auth_request.redirectURL(self.get_realm(), self.get_callback_url()) return redirect_url
def setup_request(self): """Setup request""" openid_request = self.openid_request() # Request some user details. Use attribute exchange if provider # advertises support. if openid_request.endpoint.supportsType(ax.AXMessage.ns_uri): fetch_request = ax.FetchRequest() # Mark all attributes as required, Google ignores optional ones for attr, alias in (AX_SCHEMA_ATTRS + OLD_AX_ATTRS): fetch_request.add(ax.AttrInfo(attr, alias=alias, required=True)) else: fetch_request = sreg.SRegRequest(optional=dict(SREG_ATTR).keys()) openid_request.addExtension(fetch_request) return openid_request
def get_redirect(self): auth_request = self.consumer.begin(self.endpoint) if self.sreg: auth_request.addExtension(oid_sreg.SRegRequest(**self.sreg)) ax_request = oid_ax.FetchRequest() for mode, attributes in self.sreg.items(): for attribute in attributes: if attribute in _ax_sreg_mapping: ax_request.add( oid_ax.AttrInfo(_ax_sreg_mapping[attribute], count=1, required=mode == 'required', alias=attribute)) auth_request.addExtension(ax_request) redirect_url = auth_request.redirectURL( 'http%s://%s/' % (_https(), Site.objects.get_current().domain), self.return_to) return HttpResponseRedirect(redirect_url)
def handleRequest(self, plugin, path, params, request, **kwargs): if plugin != 'tellduslive': return None oidconsumer = consumer.Consumer({}, self.store) if path == 'login': try: authrequest = oidconsumer.begin('http://login.telldus.com') except consumer.DiscoveryFailure as exc: logging.error(str(exc[0])) return None # TODO(micke): Error sregRequest = sreg.SRegRequest(required=['fullname', 'email']) authrequest.addExtension(sregRequest) trustRoot = request.base() returnTo = '%s/tellduslive/authorize' % request.base() url = authrequest.redirectURL(trustRoot, returnTo) return WebResponseRedirect(url) if path == 'authorize': url = '%s/tellduslive/authorize' % request.base() info = oidconsumer.complete(params, url) displayIdentifier = info.getDisplayIdentifier() if info.status == consumer.FAILURE and displayIdentifier: return None # TODO(micke): Error elif info.status == consumer.SUCCESS: sregResp = sreg.SRegResponse.fromSuccessResponse(info) data = dict(list(sregResp.items())) if 'email' not in data: return None # TODO(micke): Error tellduslive = TelldusLive(self.context) if not tellduslive.registered or tellduslive.email == '': return 'loginFailed.html', { 'reason': 1, 'loginEmail': data['email'] } if data['email'] != tellduslive.email: return 'loginFailed.html', { 'reason': 2, 'loginEmail': data['email'], 'registeredEmail': tellduslive.email } request.setSession('loggedIn', True) return request.loggedIn() else: return None # TODO(micke): Error return None
def _update_authrequest(self, authrequest): """Update the authrequest with the default extensions and attributes we ask for This method doesn't need to return anything, since the extensions should be added to the authrequest object itself. """ # Add on the Attribute Exchange for those that support that request_attributes = self.get_argument('ax_attributes', ax_attributes.keys()) ax_request = ax.FetchRequest() for attr in request_attributes: ax_request.add(ax.AttrInfo(attributes[attr], required=True)) authrequest.addExtension(ax_request) # Form the Simple Reg request sreg_request = sreg.SRegRequest(optional=[ 'nickname', 'email', 'fullname', 'dob', 'gender', 'postcode', 'country', 'language', 'timezone' ], ) authrequest.addExtension(sreg_request) # Add PAPE request information. Setting max_auth_age to zero will force a login. requested_policies = [] policy_prefix = 'policy_' #for k, v in request.POST.iteritems(): # if k.startswith(policy_prefix): # policy_attr = k[len(policy_prefix):] # requested_policies.append(getattr(pape, policy_attr)) pape_request = pape.Request(requested_policies, max_auth_age=self.get_argument( 'pape_max_auth_age', None)) authrequest.addExtension(pape_request) popup_mode = self.get_argument('popup_mode', None) if popup_mode: kw_args = {'mode': popup_mode} popup_icon = self.get_argument('popup_icon') if 'popup_icon': kw_args['icon'] = popup_icon ui_request = UIRequest(**kw_args) authrequest.addExtension(ui_request) return None
def post_pw(): logging.debug("login_openid post_pw") oid_consumer = consumer.Consumer(self.get_openid_session(request), self.store) try: oid_req = oid_consumer.begin(identity) # SReg speaks this protocol: http://openid.net/specs/openid-simple-registration-extension-1_1-01.html # and tries to request additional metadata about this OpenID identity sreg_req = sreg.SRegRequest(required=['fullname','nickname','email'], optional=[]) oid_req.addExtension(sreg_req) # AX speaks this protocol: http://openid.net/specs/openid-attribute-exchange-1_0.html # and tries to get more attributes (by URI), we request some of the more common ones ax_req = ax.FetchRequest() for uri in self.AX_URIS: ax_req.add(ax.AttrInfo(uri, required = True)) oid_req.addExtension(ax_req) except consumer.DiscoveryFailure as exc: #request.setResponseCode(200, message = "OK") #request.write("Error: {0}".format(exc)) #request.finish() logging.error("Error in login_openid: {0}".format(exc)) return self.return_unauthorized(request) else: if oid_req is None: #request.setResponseCode(200, message = "OK") #request.write("Error, no OpenID services found for: {0}".format(identity)) logging.error("Error in login_openid: no OpenID services found for: {0}".format(identity)) #request.finish() return self.return_unauthorized(request) else: trust_root = self.webserver.server_url return_to = appendArgs(trust_root + "/" + self.base_path + "/openid_process", {}) logging.debug("OpenID, had oid_req, trust_root: {0}, return_to: {1}, oid_req: {2}".format(trust_root, return_to, oid_req)) redirect_url = oid_req.redirectURL(trust_root, return_to) # FIXME check this is the best way to redirect here request.setHeader("Location", redirect_url) request.setResponseCode(302, "Found") request.finish() return
def _update_authrequest(self, request, authrequest): """Update the authrequest with the default extensions and attributes we ask for This method doesn't need to return anything, since the extensions should be added to the authrequest object itself. """ # Add on the Attribute Exchange for those that support that ax_request = ax.FetchRequest() for attrib in attributes.values(): ax_request.add(ax.AttrInfo(attrib)) authrequest.addExtension(ax_request) # Form the Simple Reg request sreg_request = sreg.SRegRequest(optional=[ 'nickname', 'email', 'fullname', 'dob', 'gender', 'postcode', 'country', 'language', 'timezone' ], ) authrequest.addExtension(sreg_request)
def ask_openid(self, openid_url, return_url): trust_root = self.get_trust_root() consumer = Consumer(self.request.session, self.store_class()) try: auth_request = consumer.begin(openid_url) except DiscoveryFailure: message = _('The OpenID %(url)s was invalid') return self.failure(message % {'url': openid_url}) use_ax, use_sreg = discover_extensions(openid_url) sreg_request = None ax_request = None if use_sreg: sreg_attrs = self.get_sreg_attrs() if 'optional' not in sreg_attrs: sreg_attrs.update({'optional': ['nickname', 'email']}) sreg_request = sreg.SRegRequest(**sreg_attrs) if use_ax: ax_request = ax.FetchRequest() ax_request.add( ax.AttrInfo('http://schema.openid.net/contact/email', alias='email', required=True), ) ax_request.add( ax.AttrInfo('http://schema.openid.net/namePerson/friendly', alias='nickname', required=True), ) ax_attrs = self.get_ax_attrs() for attr in ax_attrs: if len(attr) == 2: ax_request.add(ax.AttrInfo(attr[0], required=attr[1])) else: ax_request.add(ax.AttrInfo(attr[0])) if sreg_request is not None: auth_request.addExtension(sreg_request) if ax_request is not None: auth_request.addExtension(ax_request) redirect_url = auth_request.redirectURL(trust_root, return_url) return redirect(redirect_url)
class BeginLoginHandler(BaseHandler): def get(self): openid_url = self.request.get('openid_url') if not openid_url: self.render_template( 'login.html', { 'login_url': users.OPENID_LOGIN_PATH, 'continue': self.request.get('continue', '/') }) return consumer = self.get_consumer() # if consumer discovery or authentication fails, show error page try: request = consumer.begin(openid_url) except Exception, e: logging.error( "Unexpected error in OpenID discovery/authentication: %s", e) self.render_template('error.html') return # TODO: Support custom specification of extensions # TODO: Don't ask for data we already have, perhaps? # use Simple Registration if available request.addExtension(sreg.SRegRequest(required=OPENID_SREG_ATTRS)) # or Atribute Exchange if available ax_request = ax.FetchRequest() for attruri in OPENID_AX_ATTRS: ax_request.add( ax.AttrInfo(attruri, required=True, alias=OPENID_AX_ATTRS[attruri])) request.addExtension(ax_request) # assemble and send redirect continue_url = self.request.get('continue', '/') return_to = "%s%s?continue=%s" % ( self.request.host_url, users.OPENID_FINISH_PATH, continue_url) self.redirect(request.redirectURL(self.request.host_url, return_to)) self.session.save()
def setup_request(self, params=None): """Setup request""" request = self.openid_request(params) # Request some user details. Use attribute exchange if provider # advertises support. if request.endpoint.supportsType(ax.AXMessage.ns_uri): fetch_request = ax.FetchRequest() # Mark all attributes as required, Google ignores optional ones for attr, alias in self.get_ax_attributes(): fetch_request.add(ax.AttrInfo(attr, alias=alias, required=True)) else: fetch_request = sreg.SRegRequest( optional=list(dict(self.get_sreg_attributes()).keys()) ) request.addExtension(fetch_request) # Add PAPE Extension for if configured preferred_policies = self.setting( 'OPENID_PAPE_PREFERRED_AUTH_POLICIES' ) preferred_level_types = self.setting( 'OPENID_PAPE_PREFERRED_AUTH_LEVEL_TYPES' ) max_age = self.setting('OPENID_PAPE_MAX_AUTH_AGE') if max_age is not None: try: max_age = int(max_age) except (ValueError, TypeError): max_age = None if max_age is not None or preferred_policies or preferred_level_types: pape_request = pape.Request( max_auth_age=max_age, preferred_auth_policies=preferred_policies, preferred_auth_level_types=preferred_level_types ) request.addExtension(pape_request) return request
def POST(self): # unlike the usual scheme of things, the POST is actually called # first here i = web.input(return_to='/') if i.get('action') == 'logout': oid.logout() return web.redirect(i.return_to) if not i.has_key('openid') or len(i.openid) == 0: return web.redirect(i.return_to) session_data = {'webpy_return_to': i.return_to} session_hash = oid._new_session(session_data) ax_req = ax.FetchRequest() ax_req.add( ax.AttrInfo('http://axschema.org/namePerson/first', required=True)) ax_req.add( ax.AttrInfo('http://axschema.org/namePerson/last', required=True)) ax_req.add( ax.AttrInfo('http://axschema.org/contact/email', required=True)) c = openid.consumer.consumer.Consumer(session_data, oid._get_openid_store()) a = c.begin(i.openid) a.addExtension(ax_req) a.addExtension( sreg.SRegRequest(optional=['email', 'fullname'])) f = a.redirectURL(web.ctx.home, web.ctx.home + web.ctx.fullpath) oid._save_session(session_hash, session_data) web.setcookie('openid_session_id', session_hash) return web.redirect(f)
def test_requestField(self): # Add all of the fields, one at a time req = sreg.SRegRequest() fields = list(sreg.data_fields) for field_name in fields: req.requestField(field_name) self.failUnlessEqual(fields, req.optional) self.failUnlessEqual([], req.required) # By default, adding the same fields over again has no effect for field_name in fields: req.requestField(field_name) self.failUnlessEqual(fields, req.optional) self.failUnlessEqual([], req.required) # Requesting a field as required overrides requesting it as optional expected = list(fields) overridden = expected.pop(0) req.requestField(overridden, required=True) self.failUnlessEqual(expected, req.optional) self.failUnlessEqual([overridden], req.required) # Requesting a field as required overrides requesting it as optional for field_name in fields: req.requestField(field_name, required=True) self.failUnlessEqual([], req.optional) self.failUnlessEqual(fields, req.required) # Requesting it as optional does not downgrade it to optional for field_name in fields: req.requestField(field_name) self.failUnlessEqual([], req.optional) self.failUnlessEqual(fields, req.required)
def init(self): self.consumer = create_consumer(self.openid_session) if not hasattr(self, 'form_result'): return self._failure('', _("Invalid input.")) openid = self.form_result.get("openid") try: if not openid: raise ValueError(_("No OpenID given!")) authrequest = self.consumer.begin(openid) if not c.user and not model.OpenID.find(openid): axreq = ax.FetchRequest( h.base_url('/openid/update', absolute=True)) axreq.add( ax.AttrInfo(get_ax_mail_schema(openid), alias="email", required=True)) authrequest.addExtension(axreq) sreq = sreg.SRegRequest(required=['nickname'], optional=['email']) authrequest.addExtension(sreq) redirecturl = authrequest.redirectURL(h.base_url('/', absolute=True), return_to=h.base_url( '/openid/verify', absolute=True), immediate=False) self.set_session(self.openid_session) session.save() return redirect(redirecturl) except HTTPFound: raise except Exception, e: log.exception(e) return self._failure(openid, str(e))
def handle_initial_request(request): groups = ['sysadmin-releng', 'sysadmin-main'] session = {} oidconsumer = consumer.Consumer(session, None) try: req = oidconsumer.begin('https://id.fedoraproject.org') except consumer.DiscoveryFailure: # VERY strange, as this means it could not discover an OpenID # endpoint at FAS_OPENID_ENDPOINT return 'discoveryfailure' if req is None: # Also very strange, as this means the discovered OpenID # endpoint is no OpenID endpoint return 'no-req' req.addExtension(sreg.SRegRequest( required=['nickname', 'fullname', 'email', 'timezone'])) req.addExtension(pape.Request([])) req.addExtension(teams.TeamsRequest(requested=groups)) req.addExtension(cla.CLARequest( requested=[cla.CLA_URI_FEDORA_DONE])) # Use the django HTTPRequest for this trust_root = request.build_absolute_uri('/') return_to = request.build_absolute_uri() + "?type=fas-openid" # Success or fail, redirect to the base. ¯\_(ツ)_/¯ return_url = cancel_url = request.build_absolute_uri('/') request.session['FAS_OPENID_RETURN_URL'] = return_url request.session['FAS_OPENID_CANCEL_URL'] = cancel_url # the django rest framework requires that we use the json route here return dict(form=req.htmlMarkup(trust_root, return_to, form_tag_attrs={'id': 'openid_message'}, immediate=False))
def OpenIDStartSubmit(request, default_success_url='/'): response = django.http.HttpResponse() if request.method == 'POST': openid = request.POST.get('openid_identifier', '') openid = openid.strip() if not openid: return show_main_page(request) c = Consumer({},get_store()) try: auth_request = c.begin(openid) except discover.DiscoveryFailure, e: logging.error('OpenID discovery error with begin on %s: %s' % (openid, str(e))) return show_main_page(request, 'An error occured determining your server information. Please try again.') from openid.extensions import sreg sreg_request = sreg.SRegRequest( optional=['dob', 'gender', 'postcode'], required=['email', 'nickname', 'fullname', 'country', 'language', 'timezone']) auth_request.addExtension(sreg_request) from openid.extensions import ax ax_req = ax.FetchRequest() ax_req.add(ax.AttrInfo('http://schema.openid.net/contact/email', alias='email',required=True)) ax_req.add(ax.AttrInfo('http://axschema.org/namePerson/first', alias='firstname',required=True)) ax_req.add(ax.AttrInfo('http://axschema.org/namePerson/last', alias='lastname',required=True)) ax_req.add(ax.AttrInfo('http://axschema.org/pref/language', alias='language',required=True)) ax_req.add(ax.AttrInfo('http://axschema.org/contact/country/home', alias='country',required=True)) auth_request.addExtension(ax_req) import urlparse parts = list(urlparse.urlparse(get_full_path(request))) # finish URL with the leading "/" character removed parts[2] = django.core.urlresolvers.reverse('openidgae.views.OpenIDFinish')[1:] continueUrl = get_continue_url(request, default_success_url) import urllib parts[4] = 'continue=%s' % urllib.quote_plus(continueUrl) parts[5] = '' return_to = urlparse.urlunparse(parts) realm = urlparse.urlunparse(parts[0:2] + [''] * 4) # save the session stuff session = openidgae.get_session(request, response) import pickle session.openid_stuff = pickle.dumps(c.session) session.put() # send the redirect! we use a meta because appengine bombs out # sometimes with long redirect urls redirect_url = auth_request.redirectURL(realm, return_to) response.write( "<html><head><meta http-equiv=\"refresh\" content=\"0;url=%s\"></head><body></body></html>" % (redirect_url,)) return response
def startOpenID(request): """ Start the OpenID authentication process. Renders an authentication form and accepts its POST. * Renders an error message if OpenID cannot be initiated * Requests some Simple Registration data using the OpenID library's Simple Registration machinery * Generates the appropriate trust root and return URL values for this application (tweak where appropriate) * Generates the appropriate redirect based on the OpenID protocol version. """ if request.POST: # Start OpenID authentication. openid_url = request.POST['openid_identifier'] c = getConsumer(request) error = None try: auth_request = c.begin(openid_url) except DiscoveryFailure as e: # Some other protocol-level failure occurred. error = "OpenID discovery error: %s" % (str(e), ) if error: # Render the page with an error. return renderIndexPage(request, error=error) # Add Simple Registration request information. Some fields # are optional, some are required. It's possible that the # server doesn't support sreg or won't return any of the # fields. sreg_request = sreg.SRegRequest( optional=['email', 'nickname'], required=['dob']) auth_request.addExtension(sreg_request) # Add Attribute Exchange request information. ax_request = ax.FetchRequest() # XXX - uses myOpenID-compatible schema values, which are # not those listed at axschema.org. ax_request.add( ax.AttrInfo('http://schema.openid.net/namePerson', required=True)) ax_request.add( ax.AttrInfo( 'http://schema.openid.net/contact/web/default', required=False, count=ax.UNLIMITED_VALUES)) auth_request.addExtension(ax_request) # Add PAPE request information. We'll ask for # phishing-resistant auth and display any policies we get in # the response. requested_policies = [] policy_prefix = 'policy_' for k, v in list(request.POST.items()): if k.startswith(policy_prefix): policy_attr = k[len(policy_prefix):] if policy_attr in PAPE_POLICIES: requested_policies.append(getattr(pape, policy_attr)) if requested_policies: pape_request = pape.Request(requested_policies) auth_request.addExtension(pape_request) # Compute the trust root and return URL values to build the # redirect information. trust_root = util.getViewURL(request, startOpenID) return_to = util.getViewURL(request, finishOpenID) # Send the browser to the server either by sending a redirect # URL or by generating a POST form. if auth_request.shouldSendRedirect(): url = auth_request.redirectURL(trust_root, return_to) return HttpResponseRedirect(url) else: # Beware: this renders a template whose content is a form # and some javascript to submit it upon page load. Non-JS # users will have to click the form submit button to # initiate OpenID authentication. form_id = 'openid_message' form_html = auth_request.formMarkup(trust_root, return_to, False, {'id': form_id}) return TemplateView(request, 'consumer/request_form.html', {'html': form_html}) return renderIndexPage(request)
def requestRegistrationData(self, request): sreg_request = sreg.SRegRequest(required=['nickname'], optional=['fullname', 'email']) request.addExtension(sreg_request)
def login(self): # Instantiate consumer self.store._log = self._log oi_consumer = consumer.Consumer(self.session, self.store) # handle realm and XRDS if there is only one query parameter if self.use_realm and len(self.params) == 1: realm_request = self.params.get(self.realm_param) xrds_request = self.params.get(self.xrds_param) else: realm_request = None xrds_request = None # determine type of request if realm_request: #=================================================================== # Realm HTML #=================================================================== self._log(logging.INFO, 'Writing OpenID realm HTML to the response.') xrds_location = '{u}?{x}={x}'.format(u=self.url, x=self.xrds_param) self.write(REALM_HTML.format(xrds_location=xrds_location, body=self.realm_body)) elif xrds_request: #=================================================================== # XRDS XML #=================================================================== self._log(logging.INFO, 'Writing XRDS XML document to the response.') self.set_header('Content-Type', 'application/xrds+xml') self.write(XRDS_XML.format(return_to=self.url)) elif self.params.get('openid.mode'): #=================================================================== # Phase 2 after redirect #=================================================================== self._log(logging.INFO, 'Continuing OpenID authentication procedure after redirect.') # complete the authentication process response = oi_consumer.complete(self.params, self.url) # on success if response.status == consumer.SUCCESS: data = {} # get user ID data['guid'] = response.getDisplayIdentifier() self._log(logging.INFO, 'Authentication successful.') # get user data from AX response ax_response = ax.FetchResponse.fromSuccessResponse(response) if ax_response and ax_response.data: self._log(logging.INFO, 'Got AX data.') ax_data = {} # convert iterable values to their first item for k, v in ax_response.data.iteritems(): if v and type(v) in (list, tuple): ax_data[k] = v[0] data['ax'] = ax_data # get user data from SREG response sreg_response = sreg.SRegResponse.fromSuccessResponse(response) if sreg_response and sreg_response.data: self._log(logging.INFO, 'Got SREG data.') data['sreg'] = sreg_response.data # get data from PAPE response pape_response = pape.Response.fromSuccessResponse(response) if pape_response and pape_response.auth_policies: self._log(logging.INFO, 'Got PAPE data.') data['pape'] = pape_response.auth_policies # create user self._update_or_create_user(data) #=============================================================== # We're done! #=============================================================== elif response.status == consumer.CANCEL: raise CancellationError('User cancelled the verification of ID "{}"!'.format(response.getDisplayIdentifier())) elif response.status == consumer.FAILURE: raise FailureError(response.message) elif self.params.get(self.identifier_param): #=================================================================== # Phase 1 before redirect #=================================================================== self._log(logging.INFO, 'Starting OpenID authentication procedure.') # get AuthRequest object try: auth_request = oi_consumer.begin(self.identifier) except consumer.DiscoveryFailure as e: raise FailureError('Discovery failed for identifier {}!'.format(self.identifier), url=self.identifier, original_message=e.message) self._log(logging.INFO, 'Service discovery for identifier {} successful.'.format(self.identifier)) # add SREG extension # we need to remove required fields from optional fields because addExtension then raises an error self.sreg = [i for i in self.sreg if i not in self.sreg_required] auth_request.addExtension(sreg.SRegRequest(optional=self.sreg, required=self.sreg_required)) # add AX extension ax_request = ax.FetchRequest() # set AX schemas for i in self.ax: required = i in self.ax_required ax_request.add(ax.AttrInfo(i, required=required)) auth_request.addExtension(ax_request) # add PAPE extension auth_request.addExtension(pape.Request(self.pape)) # prepare realm and return_to URLs if self.use_realm: realm = return_to = '{u}?{r}={r}'.format(u=self.url, r=self.realm_param) else: realm = return_to = self.url url = auth_request.redirectURL(realm, return_to) if auth_request.shouldSendRedirect(): # can be redirected url = auth_request.redirectURL(realm, return_to) self._log(logging.INFO, 'Redirecting user to {}.'.format(url)) self.redirect(url) else: # must be sent as POST # this writes a html post form with auto-submit self._log(logging.INFO, 'Writing an auto-submit HTML form to the response.') form = auth_request.htmlMarkup(realm, return_to, False, dict(id='openid_form')) self.write(form) else: raise OpenIDError('No identifier specified!')
status=500) # Request some user details. If the provider advertises support # for attribute exchange, use that. if openid_request.endpoint.supportsType(ax.AXMessage.ns_uri): fetch_request = ax.FetchRequest() # We mark all the attributes as required, since Google ignores # optional attributes. We request both the full name and # first/last components since some providers offer one but not # the other. for (attr, alias) in conf.REQUIRED_AX_ATTRIBUTES: fetch_request.add(ax.AttrInfo(attr, alias=alias, required=True)) openid_request.addExtension(fetch_request) else: openid_request.addExtension( sreg.SRegRequest(optional=['email', 'fullname', 'nickname'])) # Request team info launchpad_teams = conf.LAUNCHPAD_TEAMS_MAPPING if conf.LAUNCHPAD_TEAMS_MAPPING_AUTO: #ignore launchpad teams. use all django-groups launchpad_teams = dict() all_groups = Group.objects.exclude( name__in=conf.LAUNCHPAD_TEAMS_MAPPING_AUTO_BLACKLIST) for group in all_groups: launchpad_teams[group.name] = group.name if launchpad_teams: openid_request.addExtension(teams.TeamsRequest(launchpad_teams.keys())) # Construct the request completion URL, including the page we
def login_begin(request, template_name='openid/login.html', login_complete_view='openid-complete', form_class=OpenIDLoginForm, render_failure=default_render_failure, redirect_field_name=REDIRECT_FIELD_NAME): """Begin an OpenID login request, possibly asking for an identity URL.""" data = get_request_data(request) redirect_to = data.get(redirect_field_name, '') # Get the OpenID URL to try. First see if we've been configured # to use a fixed server URL. openid_url = getattr(settings, 'OPENID_SSO_SERVER_URL', None) if openid_url is None: if request.POST: login_form = form_class(data=request.POST) if login_form.is_valid(): openid_url = login_form.cleaned_data['openid_identifier'] else: login_form = form_class() # Invalid or no form data: if openid_url is None: context = RequestContext(request).flatten() context.update({ 'form': login_form, redirect_field_name: redirect_to, }) return render(request, template_name, context) consumer = make_consumer(request) try: openid_request = consumer.begin(openid_url) except DiscoveryFailure as exc: return render_failure(request, "OpenID discovery error: %s" % (str(exc), ), status=500, exception=exc) # Request some user details. If the provider advertises support # for attribute exchange, use that. endpoint = openid_request.endpoint if endpoint.supportsType(ax.AXMessage.ns_uri): fetch_request = ax.FetchRequest() # We mark all the attributes as required, since Google ignores # optional attributes. We request both the full name and # first/last components since some providers offer one but not # the other. for (attr, alias) in [ ('http://axschema.org/contact/email', 'email'), ('http://axschema.org/namePerson', 'fullname'), ('http://axschema.org/namePerson/first', 'firstname'), ('http://axschema.org/namePerson/last', 'lastname'), ('http://axschema.org/namePerson/friendly', 'nickname'), # The myOpenID provider advertises AX support, but uses # attribute names from an obsolete draft of the # specification. We request them for compatibility. ('http://schema.openid.net/contact/email', 'old_email'), ('http://schema.openid.net/namePerson', 'old_fullname'), ('http://schema.openid.net/namePerson/friendly', 'old_nickname') ]: fetch_request.add(ax.AttrInfo(attr, alias=alias, required=True)) # conditionally require account_verified attribute verification_scheme_map = getattr(settings, 'OPENID_VALID_VERIFICATION_SCHEMES', {}) valid_schemes = verification_scheme_map.get( endpoint.server_url, verification_scheme_map.get(None, ())) if valid_schemes: # there are valid schemes configured for this endpoint, so # request account_verified status fetch_request.add( ax.AttrInfo( 'http://ns.login.ubuntu.com/2013/validation/account', alias='account_verified', required=True)) openid_request.addExtension(fetch_request) else: sreg_required_fields = [] sreg_required_fields.extend( getattr(settings, 'OPENID_SREG_REQUIRED_FIELDS', [])) sreg_optional_fields = ['email', 'fullname', 'nickname'] sreg_optional_fields.extend( getattr(settings, 'OPENID_SREG_EXTRA_FIELDS', [])) sreg_optional_fields = [ field for field in sreg_optional_fields if field not in sreg_required_fields ] openid_request.addExtension( sreg.SRegRequest(optional=sreg_optional_fields, required=sreg_required_fields)) if getattr(settings, 'OPENID_PHYSICAL_MULTIFACTOR_REQUIRED', False): preferred_auth = [ pape.AUTH_MULTI_FACTOR_PHYSICAL, ] pape_request = pape.Request(preferred_auth_policies=preferred_auth) openid_request.addExtension(pape_request) # Request team info teams_mapping_auto = getattr(settings, 'OPENID_LAUNCHPAD_TEAMS_MAPPING_AUTO', False) teams_mapping_auto_blacklist = getattr( settings, 'OPENID_LAUNCHPAD_TEAMS_MAPPING_AUTO_BLACKLIST', []) launchpad_teams = getattr(settings, 'OPENID_LAUNCHPAD_TEAMS_MAPPING', {}) if teams_mapping_auto: # ignore launchpad teams. use all django-groups launchpad_teams = dict() all_groups = Group.objects.exclude( name__in=teams_mapping_auto_blacklist) for group in all_groups: launchpad_teams[group.name] = group.name if launchpad_teams: openid_request.addExtension(teams.TeamsRequest(launchpad_teams.keys())) # Construct the request completion URL, including the page we # should redirect to. return_to = request.build_absolute_uri(reverse(login_complete_view)) if redirect_to: if '?' in return_to: return_to += '&' else: return_to += '?' # Django gives us Unicode, which is great. We must encode URI. # urllib enforces str. We can't trust anything about the default # encoding inside str(foo) , so we must explicitly make foo a str. return_to += urlencode( {redirect_field_name: redirect_to.encode("UTF-8")}) return render_openid_request(request, openid_request, return_to)
error = None try: auth_request = c.begin(openid_url) except DiscoveryFailure, e: # Some other protocol-level failure occurred. error = "OpenID discovery error: %s" % (str(e),) if error: raise Exception("error in openid") # Add Simple Registration request information. Some fields # are optional, some are required. It's possible that the # server doesn't support sreg or won't return any of the # fields. sreg_request = sreg.SRegRequest(required=['email'], optional=[]) auth_request.addExtension(sreg_request) # Add Attribute Exchange request information. ax_request = ax.FetchRequest() # XXX - uses myOpenID-compatible schema values, which are # not those listed at axschema.org. for k, v in AX_REQUIRED_FIELDS.iteritems(): ax_request.add(ax.AttrInfo(v, required=True)) auth_request.addExtension(ax_request) # Compute the trust root and return URL values to build the # redirect information. # trust_root = util.getViewURL(request, startOpenID)
if requested_policies: pape_request = pape.Request(requested_policies) request.addExtension(pape_request) # Let the sreg policy be configurable sreg_opt = [] sreg_req = [] sreg_fields = ['fullname', 'email'] if self.sreg_required: sreg_req = sreg_fields else: sreg_opt = sreg_fields if self.use_nickname_as_authname: sreg_req.append('nickname') sreg_request = sreg.SRegRequest(optional=sreg_opt, required=sreg_req) request.addExtension(sreg_request) ax_request = ax.FetchRequest() for alias, uri in self.openid_ax_attrs.items(): attr_info = ax.AttrInfo(uri, required=True, alias=alias) ax_request.add(attr_info) request.addExtension(ax_request) if self.groups_to_request: if not TeamsRequest: self.env.log.error( 'The python-openid-teams package is not installed.' ' The groups_to_request configuration option will' ' be ignored.') else:
def signin(request): """ signin page. It manages the legacy authentification (user/password) and openid authentification url: /signin/ template : authopenid/signin.htm """ logging.debug('in signin view') on_failure = signin_failure email_feeds_form = askbot_forms.SimpleEmailSubscribeForm() #we need a special priority on where to redirect on successful login #here: #1) url parameter "next" - if explicitly set #2) url from django setting LOGIN_REDIRECT_URL #3) home page of the forum login_redirect_url = getattr(settings, 'LOGIN_REDIRECT_URL', None) next_url = get_next_url(request, default=login_redirect_url) logging.debug('next url is %s' % next_url) if askbot_settings.ALLOW_ADD_REMOVE_LOGIN_METHODS == False \ and request.user.is_authenticated(): return HttpResponseRedirect(next_url) if next_url == reverse('user_signin'): next_url = '%(next)s?next=%(next)s' % {'next': next_url} login_form = forms.LoginForm(initial={'next': next_url}) #todo: get next url make it sticky if next is 'user_signin' if request.method == 'POST': login_form = forms.LoginForm(request.POST) if login_form.is_valid(): provider_name = login_form.cleaned_data['login_provider_name'] if login_form.cleaned_data['login_type'] == 'password': password_action = login_form.cleaned_data['password_action'] if askbot_settings.USE_LDAP_FOR_PASSWORD_LOGIN: assert (password_action == 'login') username = login_form.cleaned_data['username'] password = login_form.cleaned_data['password'] # will be None if authentication fails user = authenticate(username=username, password=password, method='ldap') if user is not None: login(request, user) return HttpResponseRedirect(next_url) else: return finalize_generic_signin( request=request, user=user, user_identifier=username, login_provider_name=provider_name, redirect_url=next_url) else: if password_action == 'login': user = authenticate( username=login_form.cleaned_data['username'], password=login_form.cleaned_data['password'], provider_name=provider_name, method='password') if user is None: login_form.set_password_login_error() else: login(request, user) #todo: here we might need to set cookies #for external login sites return HttpResponseRedirect(next_url) elif password_action == 'change_password': if request.user.is_authenticated(): new_password = \ login_form.cleaned_data['new_password'] AuthBackend.set_password( user=request.user, password=new_password, provider_name=provider_name) request.user.message_set.create( message=_('Your new password saved')) return HttpResponseRedirect(next_url) else: logging.critical('unknown password action %s' % password_action) raise Http404 elif login_form.cleaned_data['login_type'] == 'openid': #initiate communication process logging.debug('processing signin with openid submission') #todo: make a simple-use wrapper for openid protocol sreg_req = sreg.SRegRequest(optional=['nickname', 'email']) redirect_to = "%s%s?%s" % ( get_url_host(request), reverse('user_complete_signin'), urllib.urlencode({'next': next_url})) return ask_openid(request, login_form.cleaned_data['openid_url'], redirect_to, on_failure=signin_failure, sreg_request=sreg_req) elif login_form.cleaned_data['login_type'] == 'oauth': try: #this url may need to have "next" piggibacked onto callback_url = reverse('user_complete_oauth_signin') connection = util.OAuthConnection( provider_name, callback_url=callback_url) connection.start() request.session['oauth_token'] = connection.get_token() request.session['oauth_provider_name'] = provider_name request.session[ 'next_url'] = next_url #special case for oauth oauth_url = connection.get_auth_url(login_only=False) return HttpResponseRedirect(oauth_url) except util.OAuthError, e: logging.critical(unicode(e)) msg = _('Unfortunately, there was some problem when ' 'connecting to %(provider)s, please try again ' 'or use another provider') % { 'provider': provider_name } request.user.message_set.create(message=msg) elif login_form.cleaned_data['login_type'] == 'facebook': #have to redirect for consistency #there is a requirement that 'complete_signin' try: #this call may raise FacebookError user_id = util.get_facebook_user_id(request) user = authenticate(method='facebook', facebook_user_id=user_id) return finalize_generic_signin( request=request, user=user, user_identifier=user_id, login_provider_name=provider_name, redirect_url=next_url) except util.FacebookError, e: logging.critical(unicode(e)) msg = _('Unfortunately, there was some problem when ' 'connecting to %(provider)s, please try again ' 'or use another provider') % { 'provider': 'Facebook' } request.user.message_set.create(message=msg) elif login_form.cleaned_data['login_type'] == 'wordpress_site': #here wordpress_site means for a self hosted wordpress blog not a wordpress.com blog wp = Client(askbot_settings.WORDPRESS_SITE_URL, login_form.cleaned_data['username'], login_form.cleaned_data['password']) try: wp_user = wp.call(GetUserInfo()) custom_wp_openid_url = '%s?user_id=%s' % (wp.url, wp_user.user_id) user = authenticate(method='wordpress_site', wordpress_url=wp.url, wp_user_id=wp_user.user_id) return finalize_generic_signin( request=request, user=user, user_identifier=custom_wp_openid_url, login_provider_name=provider_name, redirect_url=next_url) except WpFault, e: logging.critical(unicode(e)) msg = _('The login password combination was not correct') request.user.message_set.create(message=msg)