def check_authentication(registry, requestData):
"""
Verify authentication for a previous "dumb" request.
@param registry: the current OpenID registry
@type registry: L{OpenIDRegistry}
@param requestData: the current request data
@type requestData: L{OpenIDRequest}
@return: authentication response
@rtype: str
"""
valid_string = repr(registry.validate(requestData, False)).lower()
association = registry.initiate(requestData, False)
log.msg('[check_authentication] request: %r' % requestData)
log.msg('[check_authentication] association: %r' % association)
if(association.handle == requestData['openid.assoc_handle']):
output = util.kvstr({'openid.mode':'id_res'}, is_valid=valid_string)
else:
output = util.kvstr({'openid.mode':'id_res'}, is_valid=valid_string, invalidate_handle=requestData['openid.assoc_handle'])
log.msg('[check_authentication] returning: %r' % output)
return output
def associate(registry, requestData):
"""
An ID Consumer wants to establish a shared secret.
@param registry: the current OpenID registry
@type registry: L{OpenIDRegistry}
@param requestData: the current request data
@type requestData: L{OpenIDRequest}
@return: association response
@rtype: str or L{nevow.url.URL}
"""
association = registry.initiate(requestData, True)
response = dict(
assoc_type = association.assoc_type,
assoc_handle = association.handle,
expires_in = association.expires_in
)
if(DH_SHA1_ENABLED and requestData.get('openid.session_type') == 'DH-SHA1'):
response['enc_mac_key'] = association.enc_mac_key
else:
response['mac_key'] = association.mac_key
log.msg('[associate] new consumer association, dict: %r' % association.__dict__);
return util.kvstr(**response)
def test_kvstr(self): value = dict( one = 1, two = 2, three = 3, ) expected = 'one:1\nthree:3\ntwo:2\n' got = util.kvstr(**value) self.failUnlessEqual(got, expected, "Got %r when expecting %r" % (got, expected))
def validate(self, requestData, is_smart):
"""
Take the hashed "sig" that was passed in the request
and compare it to one we generate using the key we
believe belongs to the consumer.
@param requestData: the current request
@type requestData: L{OpenIDRequest}
@param is_smart: if False, create a new association handle for this response
@return: True if the request is valid.
"""
handle = requestData['openid.assoc_handle']
if(is_smart):
log.msg('Validating smart association')
bank = self.smart
else:
log.msg('Validating dumb association')
bank = self.dumb
if(handle in bank):
log.msg(' found handle: %r' % handle)
association = bank[handle]
log.msg(' association: %r' % association)
if(time.time() - association.created > association.expires_in):
log.msg(' association expired, denying handle')
del bank[association.handle]
return False
else:
log.msg(' denied handle: %r' % handle)
return False
token_contents = util.kvstr(mode='id_res',
identity=requestData['openid.identity'],
return_to=requestData['openid.return_to'])
valid_sig = base64.b64encode(util.get_hmac(association.secret, token_contents))
log.msg('Comparing %r' % requestData['openid.sig'])
log.msg('to valid %r' % valid_sig)
return requestData['openid.sig'] == valid_sig
def get_login_response(registry, requestData):
"""
Convenience function to return a valid login response for the provided request.
@param registry: the current OpenID registry
@type registry: L{OpenIDRegistry}
@param requestData: the current request data
@type requestData: L{OpenIDRequest}
@return: a response URL
@rtype: str
"""
log.msg('[get_login_response] request: %r' % requestData)
association = registry.initiate(requestData, 'openid.assoc_handle' in requestData)
log.msg('[get_login_response] association: %r' % association)
log.msg('[get_login_response] Using handle: %r' % association.handle)
token_key = util.secret(association.handle)
log.msg('[get_login_response] Found key: %r' % token_key)
token_contents = util.kvstr(
mode = 'id_res',
identity = requestData['openid.identity'],
return_to = requestData['openid.return_to'],
)
return_dict = {
'openid.mode' : 'id_res',
'openid.identity' : requestData['openid.identity'],
'openid.assoc_handle' : association.handle,
'openid.return_to' : requestData['openid.return_to'],
'openid.signed' : 'identity,mode,return_to',
'openid.sig' : base64.b64encode(util.get_hmac(token_key, token_contents))
}
if(association.handle != requestData.get('openid.assoc_handle', association.handle)):
log.msg("[get_login_response] Retrieved association handle doesn't match request: %r" % requestData['openid.assoc_handle'])
return_dict['openid.invalidate_handle'] = requestData['openid.assoc_handle']
return util.appendQuery(requestData['openid.return_to'], return_dict)
def test_validate(self):
registry = protocol.OpenIDRegistry()
association = registry.initiate(TestRequest({
'openid.mode' : 'associate',
}), True)
token_contents = util.kvstr(mode='id_res',
identity='http://www.example.com/test',
return_to='http://www.example.com/return')
valid_sig = base64.b64encode(util.get_hmac(association.secret, token_contents))
result = registry.validate(TestRequest({
'openid.mode' : 'associate',
'openid.identity' : 'http://www.example.com/test',
'openid.return_to' : 'http://www.example.com/return',
'openid.assoc_handle' : association.handle,
'openid.sig' : valid_sig,
'openid.signed' : 'identity,mode,return_to',
}), True)
if not(result):
self.fail('Validation failed when it should have passed.')
