def init_session(request, user_name):
request.session.flush()
request.session[const.USER_NAME] = user_name
request.session[const.AUTHENTICATED] = True
if config.get('always_remember_me') or request.POST.get('remember_me'):
if not config.get('use_header_auth'):
request.session[const.REMEMBER_ME] = True
def clean(self):
cleaned_data = self.cleaned_data
old_password = cleaned_data.get('old_password')
new_password = cleaned_data.get('new_password')
if new_password is None:
# It must be that regex check didn't pass.
return cleaned_data
password_confirm = cleaned_data.get('password_confirm')
if new_password != password_confirm:
#raise forms.ValidationError(_('New password does not match'))
self._errors['password_confirm'] = ErrorList(
[_('New password does not match')])
if config.get('password_cannot_contain_username', False):
import re
user_name = cleaned_data.get('user_name')
if re.compile(user_name, re.I).search(new_password):
logging.warn('New password contains username, rejected.')
self._errors['new_password'] = ErrorList(
[_('Input does not match our password policy')])
if config.get('password_should_not_be_same_as_old_password', False):
if old_password == new_password:
logging.warn('New password is the same as old password, rejected.')
self._errors['new_password'] = ErrorList(
[_('Input does not match our password policy')])
return cleaned_data
def clean(self):
cleaned_data = self.cleaned_data
old_password = cleaned_data.get('old_password')
new_password = cleaned_data.get('new_password')
if new_password is None:
# It must be that regex check didn't pass.
return cleaned_data
password_confirm = cleaned_data.get('password_confirm')
if new_password != password_confirm:
#raise forms.ValidationError(_('New password does not match'))
self._errors['password_confirm'] = ErrorList(
[_('New password does not match')])
if config.get('password_cannot_contain_username', False):
import re
user_name = cleaned_data.get('user_name')
if re.compile(user_name, re.I).search(new_password):
logging.warn('New password contains username, rejected.')
self._errors['new_password'] = ErrorList(
[_('Input does not match our password policy')])
if config.get('password_should_not_be_same_as_old_password', False):
if old_password == new_password:
logging.warn(
'New password is the same as old password, rejected.')
self._errors['new_password'] = ErrorList(
[_('Input does not match our password policy')])
return cleaned_data
def passwd_do(request):
if not config.get("use_change_passwd"):
raise Http404
passwd_form = PasswdForm(data=request.POST)
user_name = request.POST.get('user_name')
if user_name.find('@') >= 0:
mail_address = user_name
else:
mail_address = user_name + '@' + config.get('apps_domain')
if not passwd_form.is_valid():
t = utils.gh_get_template(request, 'idp/passwd.html')
c = RequestContext(request, {
'mail_address': mail_address,
'backURL': request.POST.get('backURL'),
'form': passwd_form})
return HttpResponse(t.render(c))
passwd_engine = passwd.createPasswdEngine(
engine=config.get('passwd_engine'), config=config)
try:
passwd_engine.changePassword(passwd_form.cleaned_data.get('user_name'),
passwd_form.cleaned_data.get('old_password'),
passwd_form.cleaned_data.get('new_password'))
except passwd.PasswdException, e:
# changing password failed
logging.error(e)
time.sleep(config.get('sleep_time', 3))
t = utils.gh_get_template(request, 'idp/passwd.html')
c = RequestContext(request, {
'mail_address': mail_address,
'flash': _('Failed to change password'),
'backURL': passwd_form.cleaned_data.get('backURL'),
'form': passwd_form})
return HttpResponse(t.render(c))
def ga_mobile(request):
"""
Returns the image link for tracking this mobile request.
Retrieves two configurations from gheimdall2.conf.config:
ga_pixel_url: url to location of your tracking CGI.
ga_mobile_account: your GA mobile account number such as MO-XXXXXX-XX
"""
r = str(randint(0, 0x7fffffff))
ga_pixel_url = config.get("ga_pixel_url")
ga_mobile_account = config.get("ga_mobile_account")
if ga_pixel_url is None or ga_mobile_account is None or \
ga_mobile_account == "":
return ''
referer = quote_plus(request.META.get('HTTP_REFERER', '-'))
path = quote_plus(request.get_full_path())
src = ga_pixel_url + \
"?utmac=" + ga_mobile_account + \
"&utmn=" + r + \
"&utmr=" + referer + \
"&utmp=" + path + \
"&guid=ON"
return '<img src="%s" width="1" height="1">' % src
def init_session(request, user_name):
request.session.flush()
request.session[const.USER_NAME] = user_name
request.session[const.AUTHENTICATED] = True
if config.get('always_remember_me') or request.POST.get('remember_me'):
if not config.get('use_header_auth'):
request.session[const.REMEMBER_ME] = True
def create_saml_response(request,
authn_request,
RelayState,
user_name,
set_time=True):
""" Returns HttpResponse object
"""
acsURL = authn_request.assertion_consumer_service_url
issuer = authn_request.issuer.text.strip()
creators = config.get('response_creators', dict())
module_name = creators.get(issuer)
if module_name is None:
module_name = config.get("default_response_creator", "default")
response_creator = responsecreator.create(module_name, config)
if set_time:
auth_time = time.time()
valid_time = auth_time + config.get('session_lifetime')
else:
auth_time = request.session.get(const.AUTH_TIME)
valid_time = request.session.get(const.VALID_TIME)
# create saml response
saml_response = response_creator.createAuthnResponse(
user_name, authn_request, valid_time, auth_time, acsURL, request)
if request.session.get(const.ISSUERS, None) is None:
request.session[const.ISSUERS] = {}
request.session[const.ISSUERS][issuer] = sp.ServiceProvider(
name=issuer,
status=sp.STATUS_LOGIN,
assertion_id=saml_response.assertion[0].id,
name_id=saml_response.assertion[0].subject.name_id)
request.session.modified = True
if issuer.startswith('google.com') and RelayState is not None and \
RelayState.find('continue=https') >= 0:
request.session[const.USE_SSL] = True
if set_time:
request.session[const.AUTH_TIME] = auth_time
request.session[const.VALID_TIME] = valid_time
if authn_request.protocol_binding == saml2.BINDING_HTTP_POST:
signed_response = sign_message(saml_response)
encoded_response = base64.encodestring(signed_response)
t = gh_get_template(request, 'idp/login-success.html')
c = RequestContext(
request, {
'acsURL': acsURL,
'SAMLResponse': encoded_response,
'RelayState': RelayState
})
return HttpResponse(t.render(c))
else:
raise NotImplementedError(
"Specified binding not supported. Binding: %s" %
authn_request.protocol_binding)
class PasswdForm(forms.Form):
backURL = forms.CharField(label='backURL',
widget=forms.HiddenInput,
required=False)
SAMLRequest = forms.CharField(label='SAMLRequest',
widget=forms.HiddenInput,
required=False)
RelayState = forms.CharField(label='RelayState',
widget=forms.HiddenInput,
required=False)
user_name = forms.CharField(label=_('User Name:'),
widget=forms.HiddenInput())
old_password = forms.CharField(
label=_('Old password:'******'size': config.get('password_field_length', 24)}))
new_password = forms.RegexField(
error_messages={
'invalid': _('Input does not match our password policy')
},
regex=config.get('passwd_regex'),
label=_('New password:'******'size': config.get('password_field_length', 24)}))
password_confirm = forms.CharField(
label=_('Confirm:'),
max_length=32,
widget=forms.PasswordInput(
attrs={'size': config.get('password_field_length', 24)}))
def clean(self):
cleaned_data = self.cleaned_data
old_password = cleaned_data.get('old_password')
new_password = cleaned_data.get('new_password')
if new_password is None:
# It must be that regex check didn't pass.
return cleaned_data
password_confirm = cleaned_data.get('password_confirm')
if new_password != password_confirm:
#raise forms.ValidationError(_('New password does not match'))
self._errors['password_confirm'] = ErrorList(
[_('New password does not match')])
if config.get('password_cannot_contain_username', False):
import re
user_name = cleaned_data.get('user_name')
if re.compile(user_name, re.I).search(new_password):
logging.warn('New password contains username, rejected.')
self._errors['new_password'] = ErrorList(
[_('Input does not match our password policy')])
if config.get('password_should_not_be_same_as_old_password', False):
if old_password == new_password:
logging.warn(
'New password is the same as old password, rejected.')
self._errors['new_password'] = ErrorList(
[_('Input does not match our password policy')])
return cleaned_data
def create_saml_response(request, authn_request, RelayState, user_name,
set_time=True):
""" Returns HttpResponse object
"""
acsURL = authn_request.assertion_consumer_service_url
issuer = authn_request.issuer.text.strip()
creators = config.get('response_creators', dict())
module_name = creators.get(issuer)
if module_name is None:
module_name = config.get("default_response_creator","default")
response_creator = responsecreator.create(module_name, config)
if set_time:
auth_time = time.time()
valid_time = auth_time + config.get('session_lifetime')
else:
auth_time = request.session.get(const.AUTH_TIME)
valid_time = request.session.get(const.VALID_TIME)
# create saml response
saml_response = response_creator.createAuthnResponse(user_name,
authn_request,
valid_time,
auth_time,
acsURL,
request)
if request.session.get(const.ISSUERS, None) is None:
request.session[const.ISSUERS] = {}
request.session[const.ISSUERS][issuer] = sp.ServiceProvider(
name=issuer, status=sp.STATUS_LOGIN,
assertion_id=saml_response.assertion[0].id,
name_id=saml_response.assertion[0].subject.name_id)
request.session.modified = True
if issuer.startswith('google.com') and RelayState is not None and \
RelayState.find('continue=https') >= 0:
request.session[const.USE_SSL] = True
if set_time:
request.session[const.AUTH_TIME] = auth_time
request.session[const.VALID_TIME] = valid_time
if authn_request.protocol_binding == saml2.BINDING_HTTP_POST:
signed_response = sign_message(saml_response)
encoded_response = base64.encodestring(signed_response)
t = gh_get_template(request,'idp/login-success.html')
c = RequestContext(request, {'acsURL': acsURL,
'SAMLResponse': encoded_response,
'RelayState': RelayState})
return HttpResponse(t.render(c))
else:
raise NotImplementedError("Specified binding not supported. Binding: %s" %
authn_request.protocol_binding)
def handle_logout_request(request, logout_request, decoded_request):
issuer_name = logout_request.issuer.text.strip()
key_file = config.get('public_keys').get(issuer_name, None)
if key_file is None:
raise GHException('Failed to get public key filename.'
' issuer: %s' % issuer_name)
if verify_message(decoded_request, key_file) == False:
raise GHException('Failed verifyng the signature'
' of logout request.')
issuers = request.session.get(const.ISSUERS, {})
issuer_in_session = issuers.get(issuer_name, None)
if issuer_in_session is None:
raise GHException('Request from invalid issuer. Issuer: %s.' %
issuer_name)
if logout_request.name_id.text is None:
raise GHException('Request with empty NameID.')
if issuer_in_session.name_id.text.strip() != \
logout_request.name_id.text.strip():
raise GHException('Request with invalid NameID.')
logging.debug('Succeeded verifying the signature of logout request.')
issuer_in_session.status = sp.STATUS_LOGOUT_SUCCESS
request.session[const.ISSUERS][issuer_name] = issuer_in_session
clear_user_session(request)
request.session[const.ORIGINAL_ISSUER] = issuer_name
request.session[const.LOGOUT_REQUEST_ID] = logout_request.id
def handle_logout_request(request, logout_request, decoded_request):
issuer_name = logout_request.issuer.text.strip()
key_file = config.get('public_keys').get(issuer_name, None)
if key_file is None:
raise GHException('Failed to get public key filename.'
' issuer: %s' % issuer_name)
if verify_message(decoded_request, key_file) == False:
raise GHException('Failed verifyng the signature'
' of logout request.')
issuers = request.session.get(const.ISSUERS, {})
issuer_in_session = issuers.get(issuer_name, None)
if issuer_in_session is None:
raise GHException('Request from invalid issuer. Issuer: %s.' % issuer_name)
if logout_request.name_id.text is None:
raise GHException('Request with empty NameID.')
if issuer_in_session.name_id.text.strip() != \
logout_request.name_id.text.strip():
raise GHException('Request with invalid NameID.')
logging.debug('Succeeded verifying the signature of logout request.')
issuer_in_session.status = sp.STATUS_LOGOUT_SUCCESS
request.session[const.ISSUERS][issuer_name] = issuer_in_session
clear_user_session(request)
request.session[const.ORIGINAL_ISSUER] = issuer_name
request.session[const.LOGOUT_REQUEST_ID] = logout_request.id
def sign_message(saml_message):
if config.get('use_subproccess_for_signing', False):
import os.path
from subprocess import Popen, PIPE
sign_command = os.path.join(os.path.dirname(__file__), 'gh2-sign.py')
p = Popen(["python", sign_command], stdout=PIPE, stdin=PIPE, bufsize=1)
p.stdin.write(saml_message.ToString().replace("\n", "")+"\n")
p.stdin.write(config.get('privkey_filename')+"\n")
results = "".join(p.stdout.readlines())
p.wait()
if p.returncode != 0:
raise GHException(results)
signed_message = results
else:
signed_message = saml2.utils.sign(saml_message.ToString(),
config.get('privkey_filename'))
return signed_message
def sign_message(saml_message):
if config.get('use_subproccess_for_signing', False):
import os.path
from subprocess import Popen, PIPE
sign_command = os.path.join(os.path.dirname(__file__), 'gh2-sign.py')
p = Popen(["python", sign_command], stdout=PIPE, stdin=PIPE, bufsize=1)
p.stdin.write(saml_message.ToString().replace("\n", "") + "\n")
p.stdin.write(config.get('privkey_filename') + "\n")
results = "".join(p.stdout.readlines())
p.wait()
if p.returncode != 0:
raise GHException(results)
signed_message = results
else:
signed_message = saml2.utils.sign(saml_message.ToString(),
config.get('privkey_filename'))
return signed_message
class LoginForm(forms.Form):
SAMLRequest = forms.CharField(label='SAMLRequest',
widget=forms.HiddenInput)
RelayState = forms.CharField(label='RelayState',
widget=forms.HiddenInput,
required=False)
user_name = forms.CharField(
required=True,
label=_('User Name:'),
max_length=32,
widget=forms.TextInput(
attrs={'size': config.get('user_name_field_length', 32)}))
password = forms.CharField(
required=True,
label=_('Password:'******'size': config.get('password_field_length', 24)}))
def __init__(self):
try:
clsname = config.get("mobile_access_control_class")
if clsname is None:
raise RuntimeError("You must set mobile_access_control_class"
" properly.")
cls = import_string(clsname)
self.access_controller = cls(config)
except Exception, e:
raise ImproperlyConfigured(e)
def __init__(self):
try:
clsname = config.get("mobile_access_control_class")
if clsname is None:
raise RuntimeError("You must set mobile_access_control_class"
" properly.")
cls = import_string(clsname)
self.access_controller = cls(config)
except Exception, e:
raise ImproperlyConfigured(e)
def static_login(request):
if not config.get("use_static_login"):
raise Http404
if request.device.is_docomo():
return render_error(request, _('Unsupported cell phone.'),
status=501)
user_name = request.POST.get('user_name')
password = request.POST.get('password')
if config.get("use_encrypted_AES"):
from gheimdall2.cryptAES import createAES
AES = createAES(config)
password = AES.decryption_str(password)
auth_engine = auth.createAuthEngine(config.get('auth_engine'), config)
try:
auth_engine.authenticate(user_name, password, request)
except auth.AuthException, e:
logging.error("Failed login attempt from %s. User: %s. Reason: %s" %
(request.META['REMOTE_ADDR'], user_name, e.reason))
time.sleep(config.get('sleep_time', 3))
return render_error(request, _('Can not login'), status=401)
def reset_password_do(request):
reset_form = ResetForm(request.POST)
if not reset_form.is_valid():
return render_error(request, _('Invalid username.'), status=400)
try:
user_name = reset_form.cleaned_data.get('user_name')
passwd_engine = passwd.createPasswdEngine(
engine=config.get('passwd_engine'), config=config)
new_pass = passwd_engine.resetPassword(user_name)
except Exception, e:
logging.error(e)
return render_error(request, e, status=500)
def send_logout_request(request, RelayState, issuer_name, session_index,
name_id):
response_creator = responsecreator.create("default", config)
logout_request = response_creator.createLogoutRequest(session_index, name_id)
signed_request = sign_message(logout_request)
logout_url = config.get("logout_request_urls").get(issuer_name)
t = gh_get_template(request, 'idp/logout-post.html')
c = RequestContext(request, {'param_name': 'SAMLRequest',
'SAMLMessage': base64.b64encode(signed_request),
'RelayState': RelayState,
'logout_url': logout_url})
return HttpResponse(t.render(c))
def send_logout_response(request, RelayState, issuer_name, req_id,
status_code):
response_creator = responsecreator.create("default", config)
logout_response = response_creator.createLogoutResponse(req_id, status_code)
signed_response = sign_message(logout_response)
logout_url = config.get("logout_response_urls").get(issuer_name)
t = gh_get_template(request, 'idp/logout-post.html')
c = RequestContext(request,
{'param_name': 'SAMLResponse',
'SAMLMessage': base64.b64encode(signed_response),
'RelayState': RelayState,
"logout_url": logout_url})
return HttpResponse(t.render(c))
def ga():
ga_account = config.get("ga_account")
if ga_account:
return """<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%%3E%%3C/script%%3E"));
</script>
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("%s");
pageTracker._trackPageview();
} catch(err) {}</script>""" % ga_account
else:
return ""
def password(request):
if not config.get("use_change_passwd"):
return render_error(request, _('Changing password is not available here'), status=404)
# first retrieve user_name from request
user_name = request.REQUEST.get('user_name')
if user_name is None:
user_name = request.session.get(const.USER_NAME)
if user_name is None:
return render_error(request, _('Can not retrieve user name.'), status=400)
backURL = request.REQUEST.get('backURL')
# TODO: sanitize user_name and backURL
passwd_form = PasswdForm(initial={"user_name": user_name,
"backURL": backURL})
if user_name.find('@') >= 0:
mail_address = user_name
else:
mail_address = user_name + '@' + config.get('apps_domain')
t = utils.gh_get_template(request, 'idp/passwd.html')
c = RequestContext(request, {'mail_address': mail_address,
'backURL': backURL,
'form': passwd_form})
return HttpResponse(t.render(c))
def send_logout_request(request, RelayState, issuer_name, session_index,
name_id):
response_creator = responsecreator.create("default", config)
logout_request = response_creator.createLogoutRequest(
session_index, name_id)
signed_request = sign_message(logout_request)
logout_url = config.get("logout_request_urls").get(issuer_name)
t = gh_get_template(request, 'idp/logout-post.html')
c = RequestContext(
request, {
'param_name': 'SAMLRequest',
'SAMLMessage': base64.b64encode(signed_request),
'RelayState': RelayState,
'logout_url': logout_url
})
return HttpResponse(t.render(c))
def send_logout_response(request, RelayState, issuer_name, req_id,
status_code):
response_creator = responsecreator.create("default", config)
logout_response = response_creator.createLogoutResponse(
req_id, status_code)
signed_response = sign_message(logout_response)
logout_url = config.get("logout_response_urls").get(issuer_name)
t = gh_get_template(request, 'idp/logout-post.html')
c = RequestContext(
request, {
'param_name': 'SAMLResponse',
'SAMLMessage': base64.b64encode(signed_response),
'RelayState': RelayState,
"logout_url": logout_url
})
return HttpResponse(t.render(c))
def verify_message(saml_message, key):
if config.get('use_subproccess_for_signing', False):
import os.path
from subprocess import Popen, PIPE
verify_command = os.path.join(os.path.dirname(__file__), 'gh2-verify.py')
p = Popen(["python", verify_command], stdout=PIPE, stdin=PIPE, bufsize=1)
p.stdin.write(key+"\n")
p.stdin.write(saml_message)
p.stdin.close()
results = "".join(p.stdout.readlines())
p.wait()
if p.returncode != 0:
logging.warn("Failed to verify a message. %s" % results)
return False
return True
else:
return saml2.utils.verify(saml_message, key)
def verify_message(saml_message, key):
if config.get('use_subproccess_for_signing', False):
import os.path
from subprocess import Popen, PIPE
verify_command = os.path.join(os.path.dirname(__file__),
'gh2-verify.py')
p = Popen(["python", verify_command],
stdout=PIPE,
stdin=PIPE,
bufsize=1)
p.stdin.write(key + "\n")
p.stdin.write(saml_message)
p.stdin.close()
results = "".join(p.stdout.readlines())
p.wait()
if p.returncode != 0:
logging.warn("Failed to verify a message. %s" % results)
return False
return True
else:
return saml2.utils.verify(saml_message, key)
def handle_logout_response(request, logout_response, decoded_response):
issuer_name = logout_response.issuer.text.strip()
key_file = config.get('public_keys').get(issuer_name, None)
if key_file is None:
raise GHException('Failed to get public key filename.'
' issuer: %s' % issuer_name)
if verify_message(decoded_response, key_file) == False:
raise GHException('Failed verifyng the signature'
' of logout response.')
issuers = request.session.get(const.ISSUERS, {})
issuer_in_session = issuers.get(issuer_name, None)
if issuer_in_session is None:
raise GHException('Request from invalid issuer. Issuer: %s.' % issuer_name)
if issuer_in_session.status != sp.STATUS_LOGOUT_START:
raise GHException('Request from invalid issuer.')
if logout_response.status.status_code.value == samlp.STATUS_SUCCESS:
request.session[const.ISSUERS][issuer_name].status = \
sp.STATUS_LOGOUT_SUCCESS
else:
request.session[const.ISSUERS][issuer_name].status = \
sp.STATUS_LOGOUT_FAIL
request.session.modified = True
def handle_logout_response(request, logout_response, decoded_response):
issuer_name = logout_response.issuer.text.strip()
key_file = config.get('public_keys').get(issuer_name, None)
if key_file is None:
raise GHException('Failed to get public key filename.'
' issuer: %s' % issuer_name)
if verify_message(decoded_response, key_file) == False:
raise GHException('Failed verifyng the signature'
' of logout response.')
issuers = request.session.get(const.ISSUERS, {})
issuer_in_session = issuers.get(issuer_name, None)
if issuer_in_session is None:
raise GHException('Request from invalid issuer. Issuer: %s.' %
issuer_name)
if issuer_in_session.status != sp.STATUS_LOGOUT_START:
raise GHException('Request from invalid issuer.')
if logout_response.status.status_code.value == samlp.STATUS_SUCCESS:
request.session[const.ISSUERS][issuer_name].status = \
sp.STATUS_LOGOUT_SUCCESS
else:
request.session[const.ISSUERS][issuer_name].status = \
sp.STATUS_LOGOUT_FAIL
request.session.modified = True
def get_domain(request):
user_name = request.session.get(const.USER_NAME)
if user_name and user_name.find('@') >= 0:
return user_name[user_name.find('@') + 1:]
return config.get('apps_domain')
def reset_password(request):
if not config.get("use_reset_passwd"):
raise Http404
t = utils.gh_get_template(request, 'idp/reset-password.html')
c = RequestContext(request, {'form': ResetForm()})
return HttpResponse(t.render(c))
SAMLRequest, RelayState, samlp.AuthnRequestFromString)
except Exception, e:
logging.error(e)
return render_error(request, _('Invalid SAMLRequest'), status=500)
response = utils.create_saml_response(request, authn_request, RelayState,
user_name)
return response
def login(request):
try:
(authn_request, RelayState) = utils.parse_saml_request(
request, samlp.AuthnRequestFromString)
except Exception, e:
logging.error(e)
return render_error(request, _('Invalid SAMLRequest'), status=400)
if config.get('use_header_auth'):
header_key = config.get('auth_header_key')
if request.META.has_key(header_key):
return utils.create_saml_response(request, authn_request, RelayState,
request.META[header_key])
else:
logging.error('use_header_auth is set to true,'
' but can not retrieve user_name from header.')
return render_error(request, _('Can not retrieve user_name'), status=400)
# TODO: implement cookie auth
if config.get('use_cookie_auth'):
logging.debug('cookie_auth start.')
from gheimdall2 import cookie_auth
cookie_auth_engine = cookie_auth.createCookieAuthEngine(
config.get('cookie_auth_engine'),
def get_domain(request):
user_name = request.session.get(const.USER_NAME)
if user_name and user_name.find('@') >= 0:
return user_name[user_name.find('@')+1:]
return config.get('apps_domain')
class ResetForm(forms.Form):
user_name = forms.CharField(
label=_('User Name:'),
max_length=32,
widget=forms.TextInput(
attrs={'size': config.get('user_name_field_length', 32)}))