def process_request(self, request):
if request.path_info[0:7] != '/admin/':
return None
if 'openid_username' not in request.session:
request.session['openid_session'] = {}
consumer = Consumer(request.session['openid_session'], None)
# auth request to google has not been made yet
if 'openid.mode' not in request.REQUEST:
ax_request = ax.FetchRequest()
ax_request.add(ax.AttrInfo('http://axschema.org/contact/email', required = True))
auth_request = consumer.begin('https://www.google.com/accounts/o8/id')
auth_request.addExtension(ax_request)
url = auth_request.redirectURL(
request.build_absolute_uri('/'),
return_to=request.build_absolute_uri())
return redirect(url)
# auth request has been made, thus analyse google response
else:
info = consumer.complete(request.REQUEST, request.build_absolute_uri())
if info.status == SUCCESS:
ax_response = ax.FetchResponse.fromSuccessResponse(info)
username = ax_response.get('http://axschema.org/contact/email')[0]
request.session['openid_username'] = username
username = request.session.get('openid_username', None)
if username not in AUTHORIZED_EMAILS:
if username: del request.session['openid_username']
return HttpResponse('403 Forbidden', status=403)
def complete(request,
on_success=None,
on_failure=None,
return_to=None,
**kwargs):
""" complete openid signin """
on_success = on_success or default_on_success
on_failure = on_failure or default_on_failure
consumer = Consumer(request.session, DjangoOpenIDStore())
# make sure params are encoded in utf8
params = dict((k, smart_unicode(v)) for k, v in request.GET.items())
openid_response = consumer.complete(params, return_to)
if openid_response.status == SUCCESS:
return on_success(request, openid_response.identity_url,
openid_response, **kwargs)
elif openid_response.status == CANCEL:
return on_failure(request, 'The request was canceled', **kwargs)
elif openid_response.status == FAILURE:
return on_failure(request, openid_response.message, **kwargs)
elif openid_response.status == SETUP_NEEDED:
return on_failure(request, 'Setup needed', **kwargs)
else:
assert False, "Bad openid status: %s" % openid_response.status
def login_begin(self):
"""Step one of logging in with OpenID; we redirect to the provider"""
cons = Consumer(session=session, store=self.openid_store)
try:
openid_url = request.params['openid_identifier']
except KeyError:
return self._bail("Gotta enter an OpenID to log in.")
try:
auth_request = cons.begin(openid_url)
except DiscoveryFailure:
return self._bail(
"Can't connect to '{0}'. You sure it's an OpenID?".format(
openid_url))
sreg_req = SRegRequest(optional=[
'nickname', 'email', 'dob', 'gender', 'country', 'language',
'timezone'
])
auth_request.addExtension(sreg_req)
host = request.headers['host']
protocol = request_config().protocol
return_url = url(host=host,
controller='accounts',
action='login_finish')
new_url = auth_request.redirectURL(return_to=return_url,
realm=protocol + '://' + host)
redirect(new_url)
def try_login(self, identity_url, ask_for=None):
"""This tries to login with the given identity URL. This function
must be called from the login_handler. The `ask_for` parameter can
be a set of values to be asked from the openid provider.
The following strings can be used in the `ask_for` parameter:
``aim``, ``blog``, ``country``, ``dob`` (date of birth), ``email``,
``fullname``, ``gender``, ``icq``, ``image``, ``jabber``, ``language``,
``msn``, ``nickname``, ``phone``, ``postcode``, ``skype``,
``timezone``, ``website``, ``yahoo``
"""
if ask_for and __debug__:
for key in ask_for:
if key not in ALL_KEYS:
raise ValueError('invalid key %r' % key)
try:
oidutil.log("self.store_factory() :" + str(self.store_factory))
consumer = Consumer(SessionWrapper(self), self.store_factory())
auth_request = consumer.begin(identity_url)
if ask_for:
self.attach_reg_info(auth_request, ask_for)
except discover.DiscoveryFailure:
self.signal_error(u'The OpenID was invalid')
return redirect(self.get_current_url())
trust_root = request.host_url
return redirect(auth_request.redirectURL(request.host_url,
self.get_success_url()))
def complete(request,
on_success=None,
on_failure=None,
failure_template='user/login.html'):
on_success = on_success or default_on_success
on_failure = on_failure or default_on_failure
consumer = Consumer(request.session, DjangoOpenIDStore())
# JanRain library raises a warning if passed unicode objects as the keys,
# so we convert to bytestrings before passing to the library
query_dict = dict([
(k, v) for k, v in request.GET.items(
) # (k.encode('utf8'), v.encode('utf8')) for k, v in request.GET.items()
])
url = get_url_host(request) + request.path
openid_response = consumer.complete(query_dict, url)
if openid_response.status == SUCCESS:
return on_success(request, openid_response.identity_url,
openid_response)
elif openid_response.status == CANCEL:
return on_failure(request, _(u'Авторизация была отменена'),
failure_template)
elif openid_response.status == FAILURE:
return on_failure(request, openid_response.message, failure_template)
elif openid_response.status == SETUP_NEEDED:
return on_failure(request, _('Setup needed'), failure_template)
else:
assert False, "Bad openid status: %s" % openid_response.status
def begin(request, openid_url):
request.session['request_referer'] = urlparse.urljoin(request.META.get('HTTP_REFERER', ''), '/')
consumer = Consumer(request.session, DjangoOpenIDStore())
try:
auth_request = consumer.begin(openid_url)
except DiscoveryFailure:
return on_failure(request, _('The OpenID was invalid'))
s = SRegRequest()
for sarg in OPENID_SREG:
if sarg.lower().lstrip() == "policy_url":
s.policy_url = OPENID_SREG[sarg]
else:
for v in OPENID_SREG[sarg].split(','):
s.requestField(field_name=v.lower().lstrip(), required=(sarg.lower().lstrip() == "required"))
auth_request.addExtension(s)
axr = AXFetchRequest()
for i in OPENID_AX:
axr.add(AttrInfo(i['type_uri'], i['count'], i['required'], i['alias']))
auth_request.addExtension(axr)
redirect_url = auth_request.redirectURL(get_trusted_root(request),
request.build_absolute_uri(reverse("openid_complete")))
return HttpResponseRedirect(redirect_url)
def openid2_get_redirect(request, provider, callback, scope, mode):
xrds = urllib.urlopen(providers[provider]["xrds"])
if xrds.getcode() != 200:
raise Exception("OpenID Failed: Invalid response from " + providers[provider]["displayname"] + " on obtaining a XRDS information: " + xrds.read())
xrds = xrds.read()
from openid.consumer.consumer import Consumer
from openid.consumer.discover import OpenIDServiceEndpoint
from openid.store.memstore import MemoryStore
service = OpenIDServiceEndpoint.fromXRDS(providers[provider]["xrds"], xrds)[0]
consumer = Consumer(request.session, MemoryStore())
auth = consumer.beginWithoutDiscovery(service)
if "extensions" in providers[provider]:
for ext, d in providers[provider]["extensions"].iteritems():
for k, v in d.iteritems():
auth.addExtensionArg(ext, k, v)
if mode == "compact": # works with Google
auth.addExtensionArg("http://specs.openid.net/extensions/ui/1.0", "mode", "popup")
return auth.redirectURL(realm=SITE_ROOT_URL, return_to=callback)
def link_google(self, registration):
openid_session = session.get("openid_session", {})
openid_store = None # stateless
cons = Consumer(openid_session, openid_store)
GOOGLE_OPENID = 'https://www.google.com/accounts/o8/id'
try:
authrequest = cons.begin(GOOGLE_OPENID)
except DiscoveryFailure:
h.flash(_('Authentication failed, please try again.'))
redirect(registration.url(action='personal_info'))
ax_req = ax.FetchRequest()
ax_req.add(ax.AttrInfo('http://axschema.org/namePerson/first',
alias='firstname', required=True))
ax_req.add(ax.AttrInfo('http://axschema.org/namePerson/last',
alias='lastname', required=True))
ax_req.add(ax.AttrInfo('http://schema.openid.net/contact/email',
alias='email', required=True))
authrequest.addExtension(ax_req)
session['openid_session'] = openid_session
session.save()
realm = url(controller='home', action='index', qualified=True)
return_to = registration.url(action='google_verify', qualified=True)
redirect(authrequest.redirectURL(realm, return_to))
def signup_openid_callback(request):
consumer = Consumer(request.session, DjangoOpenIDStore())
redirect_to = 'http://'+settings.SEYMOUR_DOMAIN+'/signup/openid/'
openid_response = consumer.complete(dict(request.GET.items()), redirect_to)
if openid_response.status == SUCCESS:
try:
account = Account.objects.get(openid=openid_response.identity_url)
except Account.DoesNotExist:
account = Account(openid=openid_response.identity_url, last_login=datetime.datetime.now(), is_active=True)
account.save()
request.session['account_id'] = account.id
return HttpResponseRedirect('/feeds/unread/')
else:
error_msg = "An account for that openid already exists."
elif openid_response.status == CANCEL:
error_msg = "The request was cancelled"
elif openid_response.status == FAILURE:
error_msg = openid_response.message
elif openid_response.status == SETUP_NEEDED:
error_msg = "Setup needed"
else:
error_msg = "Bad openid status: %s" % openid_response.status
return render_to_response('accounts/signup_error.html', {
'error_msg': error_msg,
'section': 'signup',
}, context_instance=RequestContext(request))
def libopenid(request, domain):
if request.user is not None and request.user.is_authenticated():
return redirect(to="http://%s/" % request.get_host())
if domain is 'default':
discovery_url = "https://www.google.com/accounts/o8/id"
else:
discovery_url = "https://www.google.com/accounts/o8/site-xrds?hd=%s" % domain
consumer = Consumer(request.session, FileOpenIDStore('/tmp/gtugdemo'))
auth_request = consumer.begin(discovery_url)
ax_request = ax.FetchRequest()
ax_request.add(ax.AttrInfo('http://axschema.org/namePerson/first',required=True))
ax_request.add(ax.AttrInfo('http://axschema.org/namePerson/last',required=True))
ax_request.add(ax.AttrInfo('http://axschema.org/contact/email',required=True))
auth_request.addExtension(ax_request)
redirect_url = auth_request.redirectURL(realm='http://%s/' % request.get_host(), return_to='http://%s/login/callback' % request.get_host())
oauth_query = {
'openid.ns.oauth': 'http://specs.openid.net/extensions/oauth/1.0',
'openid.oauth.consumer': request.get_host(),
'openid.oauth.scope': ' '.join(OAUTH_SCOPE),
}
redirect_url += "&%s" % urlencode(oauth_query)
print redirect_url
#print str(request.session.keys())
#return render_to_response('login.html', locals(), context_instance=RequestContext(request))
return redirect(to=redirect_url)
def ask_openid(request, openid_url=None, next_url=None, on_failure=None):
""" basic function to ask openid and return response """
on_failure = on_failure or signin_failure
sreg_request = sreg.SRegRequest(optional=["nickname", "email"])
trust_root = getattr(settings, "OPENID_TRUST_ROOT", get_url_host(request) + "/")
if xri.identifierScheme(openid_url) == "XRI" and getattr(settings, "OPENID_DISALLOW_INAMES", False):
msg = _("i-names are not supported")
logging.debug("openid failed because i-names are not supported")
return on_failure(request, msg)
consumer = Consumer(request.session, util.DjangoOpenIDStore())
try:
auth_request = consumer.begin(openid_url)
except DiscoveryFailure:
msg = _(u"OpenID %(openid_url)s is invalid" % {"openid_url": openid_url})
logging.debug(msg)
return on_failure(request, msg)
logging.debug("openid seemed to work")
if sreg_request:
logging.debug("adding sreg_request - wtf it is?")
auth_request.addExtension(sreg_request)
redirect_to = "%s%s?%s" % (
get_url_host(request),
reverse("user_complete_openid_signin"),
urllib.urlencode({"next": next_url}),
)
redirect_url = auth_request.redirectURL(trust_root, redirect_to)
logging.debug("redirecting to %s" % redirect_url)
return HttpResponseRedirect(redirect_url)
def openid_select(request):
oidutil.log = dummyOpenIdLoggingFunction
if request.method != 'GET':
return HttpResponseServerError("Invalid Input")
try:
action = request.GET['action']
openid_identifier = request.GET['openid_identifier']
except KeyError:
return HttpResponseServerError("Invalid Input")
if(action != 'verify'):
return HttpResponseServerError("Invalid Input")
openid_consumer = Consumer(request.session, CassandraStore())
try:
auth_request = openid_consumer.begin(openid_identifier)
except DiscoveryFailure:
messages.error(request, 'Invalid OpenID URL')
return redirect('users.views.login')
ax_req = ax.FetchRequest()
ax_req.add(ax.AttrInfo('http://axschema.org/contact/email', alias='email', required=True))
ax_req.add(ax.AttrInfo('http://axschema.org/namePerson/first', alias='firstname', required=True))
ax_req.add(ax.AttrInfo('http://axschema.org/namePerson/last', alias='lastname', required=True))
auth_request.addExtension(ax_req)
realm = settings.OPENID_REALM
redirect_url = auth_request.redirectURL(realm=realm,
return_to=request.build_absolute_uri(reverse('users.views.openid_return')))
return redirect(redirect_url)
def ask_openid(request, openid_url, redirect_to, on_failure=None,
sreg_request=None):
""" basic function to ask openid and return response """
on_failure = on_failure or signin_failure
trust_root = getattr(
settings, 'OPENID_TRUST_ROOT', get_url_host(request) + '/'
)
if xri.identifierScheme(openid_url) == 'XRI' and getattr(
settings, 'OPENID_DISALLOW_INAMES', False
):
msg = _("i-names are not supported")
return on_failure(request, msg)
consumer = Consumer(request.session, DjangoOpenIDStore())
try:
auth_request = consumer.begin(openid_url)
except DiscoveryFailure:
msg = _("The OpenID %s was invalid" % openid_url)
return on_failure(request, msg)
if sreg_request:
auth_request.addExtension(sreg_request)
redirect_url = auth_request.redirectURL(trust_root, redirect_to)
return HttpResponseRedirect(redirect_url)
def complete_openid(request, success_view, failure_view, redirect_field_name=REDIRECT_FIELD_NAME):
"""
The openid callback utility view.
``redirect_field_name`` must be set to the same value as that passed into
the ``begin_openid`` view that initiates the openid call.
"""
success_view = get_view(success_view)
failure_view = get_view(failure_view)
#Get the openid response
consumer = Consumer(request.session, DjangoOpenIDStore())
openid_response = consumer.complete(dict(request.GET.items()))
#Deal with the response based on status
if openid_response.status == SUCCESS:
return success_view(request, openid_response, redirect_field_name=redirect_field_name)
else:
if openid_response.status == CANCEL:
error_message = _("The request was cancelled.")
elif openid_response.status == FAILURE:
error_message = _(openid_response.message)
elif openid_response.status == SETUP_NEEDED:
error_message = _("Setup needed. Please check your OpenID provider and try again.")
else:
error_message = "%s: %s" % (_("Bad openid status"), openid_response.status)
return failure_view(request, openid_response, error_message, redirect_field_name=redirect_field_name)
def openid2_get_redirect(request, provider, callback, scope, mode):
xrds = urllib.request.urlopen(providers[provider]["xrds"])
if xrds.getcode() != 200:
raise Exception("OpenID Failed: Invalid response from " +
providers[provider]["displayname"] +
" on obtaining a XRDS information: " + xrds.read())
xrds = xrds.read()
from openid.consumer.consumer import Consumer
from openid.consumer.discover import OpenIDServiceEndpoint
service = OpenIDServiceEndpoint.fromXRDS(providers[provider]["xrds"],
xrds)[0]
consumer = Consumer(request.session, openid_store)
auth = consumer.beginWithoutDiscovery(service)
if "extensions" in providers[provider]:
for ext, d in providers[provider]["extensions"].items():
for k, v in d.items():
auth.addExtensionArg(ext, k, v)
if mode == "compact": # works with Google
auth.addExtensionArg("http://specs.openid.net/extensions/ui/1.0",
"mode", "popup")
return auth.redirectURL(realm=settings.SITE_ROOT_URL, return_to=callback)
def OpenIDFinish(request, default_success_url='/', success_handler=None):
if request.method not in ('GET', 'POST'):
return django.http.HttpResponseNotAllowed(['GET', 'POST'])
else:
args = args_to_dict(request.GET)
assert type(args) is dict
if request.method == 'POST':
args.update(args_to_dict(request.POST))
url = 'http://'+request.META['HTTP_HOST']+django.core.urlresolvers.reverse(OpenIDFinish)
s = {}
sess_key = request.COOKIES.get(COOKIE_NAME, None)
if sess_key:
s = store.restoreConsumerSession(sess_key)
c = Consumer(s, store.DatastoreStore())
auth_response = c.complete(args, url)
if auth_response.status == auth_SUCCESS:
openid_url = auth_response.getDisplayIdentifier()
continueUrl = get_continue_url(request, default_success_url)
response = django.http.HttpResponseRedirect(continueUrl)
if success_handler:
success_handler(request, response, openid_url)
return response
else:
return err_page("verification_failed")
def _1(request):
consumer = Consumer(request.session, DjangoOpenIDStore())
realm = "http://" + request.get_host()
redirect_url = "http://" + request.get_host() + reverse('flexible_auth:auth-process', args=[cls.SERVICE_NAME, step+1])
# catch Google Apps domain that is referring, if any
_domain = None
if 'domain' in request.POST:
_domain = request.POST['domain']
elif 'domain' in request.GET:
_domain = request.GET['domain']
try:
# two different endpoints depending on whether the using is using Google Account or Google Apps Account
if _domain:
auth_request = consumer.begin(cls.GOOGLE_APPS_URL % _domain)
else:
auth_request = consumer.begin(cls.GOOGLE_URL)
except DiscoveryFailure as e:
return CustomError(request, "Google Accounts Error", "Google's OpenID endpoint is not available.")
# add requests for additional account information required, in this case: email, first name & last name + oauth token
auth_request.addExtensionArg('http://openid.net/srv/ax/1.0', 'mode', 'fetch_request')
auth_request.addExtensionArg('http://openid.net/srv/ax/1.0', 'required', 'email,firstname,lastname')
auth_request.addExtensionArg('http://openid.net/srv/ax/1.0', 'type.email', 'http://schema.openid.net/contact/email')
auth_request.addExtensionArg('http://openid.net/srv/ax/1.0', 'type.firstname', 'http://axschema.org/namePerson/first')
auth_request.addExtensionArg('http://openid.net/srv/ax/1.0', 'type.lastname', 'http://axschema.org/namePerson/last')
return redirect(auth_request.redirectURL(realm, redirect_url))
def OpenIDFinish(request, default_success_url='/', success_handler=None):
if request.method not in ('GET', 'POST'):
return HttpResponseNotAllowed(['GET', 'POST'])
else:
args = args_to_dict(request.GET)
assert type(args) is dict
if request.method == 'POST':
args.update(args_to_dict(request.POST))
url = 'http://' + request.META['HTTP_HOST'] + reverse(OpenIDFinish)
s = {}
sess_key = request.COOKIES.get(COOKIE_NAME, None)
if sess_key:
s = store.restoreConsumerSession(sess_key)
c = Consumer(s, store.DatastoreStore())
auth_response = c.complete(args, url)
if auth_response.status == auth_SUCCESS:
openid_url = auth_response.getDisplayIdentifier()
continueUrl = get_continue_url(request, default_success_url)
response = HttpResponseRedirect(continueUrl)
if success_handler:
success_handler(request, response, openid_url)
return response
else:
return err_page("verification_failed")
def complete_openid_login(request, redirect_field_name=REDIRECT_FIELD_NAME):
"""
The openid callback view.
``redirect_field_name`` must be set to the same value as that passed into
the ``login_openid`` view.
"""
#Get the openid response
consumer = Consumer(request.session, DjangoOpenIDStore())
openid_response = consumer.complete(dict(request.GET.items()),
request.build_absolute_uri())
#Deal with the response based on status
if openid_response.status == SUCCESS:
return success_openid_login(request,
openid_response,
redirect_field_name=redirect_field_name)
else:
openid_url = openid_response.identity_url
if openid_response.status == CANCEL:
error_message = _("The request was cancelled.")
elif openid_response.status == FAILURE:
error_message = _(openid_response.message)
elif openid_response.status == SETUP_NEEDED:
error_message = _(
"Setup needed. Please check your OpenID provider and try again."
)
else:
error_message = "%s: %s" % (_("Bad openid status"),
openid_response.status)
return failure_openid_login(request,
openid_url,
error_message,
redirect_field_name=redirect_field_name)
def login(self):
consumer = Consumer(session, SOOpenIDStore())
# catch Google Apps domain that is referring, if any
domain = None
if 'domain' in request.POST:
domain = request.POST['domain']
elif 'domain' in request.GET:
domain = request.GET['domain']
try:
# two different endpoints depending on whether the using is using Google Account or Google Apps Account
if domain:
auth_request = consumer.begin('https://www.google.com/accounts/o8/site-xrds?hd=%s' % domain)
else:
auth_request = consumer.begin('https://www.google.com/accounts/o8/id')
except DiscoveryFailure as e:
flash ("Google Accounts Error : Google's OpenID endpoint is not available.")
return redirect("/user/show_login")
# add requests for additional account information required, in my case: email
auth_request.addExtensionArg('http://openid.net/srv/ax/1.0', 'mode', 'fetch_request')
auth_request.addExtensionArg('http://openid.net/srv/ax/1.0', 'required', 'email')
auth_request.addExtensionArg('http://openid.net/srv/ax/1.0', 'type.email', 'http://schema.openid.net/contact/email')
return redirect(auth_request.redirectURL(url('/', qualified=True), url(controller='user', action='google_login_response', qualified=True)))
def mycomplete(request, on_success=None, on_failure=None, return_to=None,
**kwargs):
on_success = on_success or default_on_success
on_failure = on_failure or default_on_failure
consumer = Consumer(request.session, DjangoOpenIDStore())
# make sure params are encoded in utf8
params = dict((k,smart_unicode(v)) for k, v in request.GET.items())
openid_response = consumer.complete(params, return_to)
if not hasattr(request.GET,'openid.identity'):
_openid_url = 'None'
else:
_openid_url = request.GET['openid.identity']
if openid_response.status == SUCCESS:
auth_oidlogin.send(sender = None, openid_url = _openid_url, state = 'success')
return on_success(request, openid_response.identity_url,
openid_response, **kwargs)
elif openid_response.status == CANCEL:
auth_oidlogin.send(sender = None, openid_url = _openid_url, state = 'cancel')
return on_failure(request, 'The request was canceled', **kwargs)
elif openid_response.status == FAILURE:
auth_oidlogin.send(sender = None, openid_url = _openid_url, state = 'failure')
return on_failure(request, openid_response.message, **kwargs)
elif openid_response.status == SETUP_NEEDED:
auth_oidlogin.send(sender = None, openid_url = _openid_url, state = 'setup_needed')
return on_failure(request, 'Setup needed', **kwargs)
else:
assert False, "Bad openid status: %s" % openid_response.status
def __call__(self):
request = self.request
siteURL = u'%s/'%absoluteURL(getSite(), request)
if not IUnauthenticatedPrincipal.providedBy(request.principal):
request.response.redirect(siteURL)
return u''
if not 'openid_form_submitted' in request:
request.response.redirect(siteURL)
return u''
identifier = request.get('openid_identifier')
if not identifier:
IStatusMessage(request).add(
_(u"Please specify your OpenID identifier."))
request.response.redirect(siteURL)
return u''
authenticator = getUtility(IOpenIdAuthenticator)
session = ISession(request)[SESSION_KEY]
consumer = Consumer(session, authenticator.store)
try:
authRequest = consumer.begin(identifier)
redirectURL = authRequest.redirectURL(
siteURL, getReturnToURL(request))
except Exception, err:
IStatusMessage(request).add(err, 'error')
redirectURL = siteURL
def ask_openid(request,
openid_url,
redirect_to,
on_failure=None,
sreg_request=None):
""" basic function to ask openid and return response """
request.encoding = 'UTF-8'
on_failure = on_failure or signin_failure
trust_root = getattr(settings, 'OPENID_TRUST_ROOT',
get_url_host(request) + '/')
if xri.identifierScheme(openid_url) == 'XRI' and getattr(
settings, 'OPENID_DISALLOW_INAMES', False):
msg = _("i-names are not supported")
return on_failure(request, msg)
consumer = Consumer(request.session, DjangoOpenIDStore())
try:
auth_request = consumer.begin(openid_url)
except DiscoveryFailure:
msg = _(u"OpenID %(openid_url)s is invalid" %
{'openid_url': openid_url})
return on_failure(request, msg)
if sreg_request:
auth_request.addExtension(sreg_request)
redirect_url = auth_request.redirectURL(trust_root, redirect_to)
return HttpResponseRedirect(redirect_url)
def get(self):
federated_id = self.request.args.get(AUTH_REQUEST_FIELD)
if not federated_id:
response = Response("missing %s field\n" % AUTH_REQUEST_FIELD)
# Since we only care about Ajax requests we don't have to do
# anything more informative than a 409.
response.status_code = 409
return self.respond(response)
session = self.environ.get(BEAKER_ENV_KEY)
try:
auth_request = Consumer(session, aeoid_store.AppEngineStore()).begin(federated_id)
except DiscoveryFailure:
response = Response("discovery failure\n")
# Since we only care about Ajax requests we don't have to do
# anything more informative than a 409.
response.status_code = 409
return self.respond(response)
# If this raises a different exception it will be caught by the fwerks dispatcher.
# TODO: We need a nicer way of handling exceptions here.
host_url = self.request.host_url
cont = self.request.args.get("continuation", "/")
return_to = urlparse.urljoin(host_url, cont)
redirect_url = auth_request.redirectURL(host_url, return_to)
# The Ajax request wants the redirect url as plain text, not an actual
# HTTP redirect.
response = self.respond(Response(redirect_url))
session.save()
return response
def complete(request, on_success=None, on_failure=None, failure_template='openid_consumer/failure.html'):
on_success = on_success or default_on_success
on_failure = on_failure or default_on_failure
consumer = Consumer(request.session, DjangoOpenIDStore())
#dummydebug
#for r in request.GET.items():
# print r
# JanRain library raises a warning if passed unicode objects as the keys,
# so we convert to bytestrings before passing to the library
query_dict = dict([
(k.encode('utf8'), v.encode('utf8')) for k, v in request.GET.items()
])
url = get_url_host(request) + request.path
openid_response = consumer.complete(query_dict, url)
if openid_response.status == SUCCESS:
return on_success(request, openid_response.identity_url, openid_response)
elif openid_response.status == CANCEL:
return on_failure(request, _('The request was cancelled'), failure_template)
elif openid_response.status == FAILURE:
return on_failure(request, openid_response.message, failure_template)
elif openid_response.status == SETUP_NEEDED:
return on_failure(request, _('Setup needed'), failure_template)
else:
assert False, "Bad openid status: %s" % openid_response.status
def libopenid(request, domain):
if request.user is not None and request.user.is_authenticated():
return redirect(to="http://%s/" % request.get_host())
if domain is "default":
discovery_url = "https://www.google.com/accounts/o8/id"
else:
discovery_url = "https://www.google.com/accounts/o8/site-xrds?hd=%s" % domain
consumer = Consumer(request.session, FileOpenIDStore("/tmp/gtugdemo"))
auth_request = consumer.begin(discovery_url)
ax_request = ax.FetchRequest()
ax_request.add(ax.AttrInfo("http://axschema.org/namePerson/first", required=True))
ax_request.add(ax.AttrInfo("http://axschema.org/namePerson/last", required=True))
ax_request.add(ax.AttrInfo("http://schema.openid.net/contact/email", required=True))
auth_request.addExtension(ax_request)
realm = "http://%s/" % str(request.get_host())
logging.warn("REAL: %s" % realm)
redirect_url = auth_request.redirectURL(realm=realm, return_to="http://%s/login/callback" % request.get_host())
"""
oauth_query = {
'openid.ns.oauth': 'http://specs.openid.net/extensions/oauth/1.0',
'openid.oauth.consumer': request.get_host(),
'openid.oauth.scope': ' '.join(OAUTH_SCOPE),
}
redirect_url += "&%s" % urlencode(oauth_query)
"""
logging.warn(redirect_url)
return redirect(to=redirect_url)
def login_openid_callback(request):
consumer = Consumer(request.session, DjangoOpenIDStore())
#trust_root = 'http://'+settings.SEYMOUR_DOMAIN + '/'
redirect_to = 'http://'+settings.SEYMOUR_DOMAIN+'/login/openid/'
#redirect_url = auth_request.redirectURL(trust_root, redirect_to)
openid_response = consumer.complete(dict(request.GET.items()), redirect_to)
if openid_response.status == SUCCESS:
try:
account = Account.objects.get(openid=openid_response.identity_url)
except Account.DoesNotExist:
error_msg = "No account using that OpenID found."
else:
request.session['account_id'] = account.id
account.last_login = datetime.datetime.now()
account.save()
return HttpResponseRedirect('/feeds/unread/')
elif openid_response.status == CANCEL:
error_msg = "The request was cancelled"
elif openid_response.status == FAILURE:
error_msg = openid_response.message
elif openid_response.status == SETUP_NEEDED:
error_msg = "Setup needed"
else:
error_msg = "Bad openid status: %s" % openid_response.status
return render_to_response('accounts/login_error.html', {
'error_msg': error_msg,
'section': 'login',
}, context_instance=RequestContext(request))
def callback(request):
consumer = Consumer(request.session, FileOpenIDStore("/tmp/gtugdemo"))
openid_response = consumer.complete(request.REQUEST, "http://%s/login/callback" % request.get_host())
if openid_response.status == SUCCESS:
ax_response = ax.FetchResponse.fromSuccessResponse(openid_response)
if ax_response:
ax_items = {
"firstname": ax_response.get("http://axschema.org/namePerson/first"),
"lastname": ax_response.get("http://axschema.org/namePerson/last"),
"email": ax_response.get("http://schema.openid.net/contact/email"),
}
username = "".join(ax_items["email"])
firstname = "".join(ax_items["firstname"])
lastname = "".join(ax_items["lastname"])
email = "".join(ax_items["email"])
register_user(username, firstname, lastname, email)
user = User.objects.get(username=username)
user.backend = "django.contrib.auth.backends.ModelBackend"
login(request, user)
return redirect(to="http://%s/" % request.get_host())
else:
message = openid_response.message
return render_to_response("login.html", locals(), context_instance=RequestContext(request))
def complete(request,
email=None,
confirmed=True,
on_success=None,
on_failure=None,
failure_template='openid_consumer/failure.html'):
on_success = on_success or default_on_success
on_failure = on_failure or default_on_failure
consumer = Consumer(request.session, DjangoOpenIDStore())
#dummydebug
#for r in request.GET.items():
# print r
# JanRain library raises a warning if passed unicode objects as the keys,
# so we convert to bytestrings before passing to the library
query_dict = dict([(k.encode('utf8'), v) for k, v in request.GET.items()])
url = get_url_host(request) + request.path
openid_response = consumer.complete(query_dict, url)
if openid_response.status == SUCCESS:
return on_success(request,
openid_response.identity_url,
openid_response,
confirmed=confirmed,
email=email)
elif openid_response.status == CANCEL:
return on_failure(request, _('The request was cancelled'),
failure_template)
elif openid_response.status == FAILURE:
return on_failure(request, openid_response.message, failure_template)
elif openid_response.status == SETUP_NEEDED:
return on_failure(request, _('Setup needed'), failure_template)
else:
assert False, "Bad openid status: %s" % openid_response.status
def signin(request, redirect_to=None):
trust_root = getattr(
settings, 'OPENID_TRUST_ROOT', get_url_host(request) + '/'
)
# foo derbis.
redirect_to = redirect_to or reverse('openid_complete')
# In case they were lazy...
if not redirect_to.startswith('http://') or redirect_to.startswith('https://'):
redirect_to = get_url_host(request) + redirect_to
if request.GET.get('next') and is_valid_next_url(request.GET['next']):
if '?' in redirect_to:
join = '&'
else:
join = '?'
redirect_to += join + urllib.urlencode({
'next': request.GET['next']
})
if xri.identifierScheme(STEAM_PROVIDER_URL) == 'XRI' and getattr(
settings, 'OPENID_DISALLOW_INAMES', False
):
return on_failure(request, 'i-names are not supported')
consumer = Consumer(request.session, DjangoOpenIDStore())
try:
auth_request = consumer.begin(STEAM_PROVIDER_URL)
except DiscoveryFailure:
return on_failure(request, 'The OpenID was invalid')
redirect_url = auth_request.redirectURL(trust_root, redirect_to)
return HttpResponseRedirect(redirect_url)
def complete(request, on_success=None, on_failure=None, return_to=None):
""" complete openid signin """
on_success = on_success or default_on_success
on_failure = on_failure or default_on_failure
consumer = Consumer(request.session, DjangoOpenIDStore())
openid_response = consumer.complete(dict(request.GET.items()),
return_to)
try:
rel = UserAssociation.objects.get(openid_url__exact = openid_response.identity_url)
try:
rel.user
except User.DoesNotExist:
rel.delete()
return register(request)
except UserAssociation.DoesNotExist:
pass
if openid_response.status == SUCCESS:
return on_success(request, openid_response.identity_url,
openid_response)
elif openid_response.status == CANCEL:
return on_failure(request, 'The request was cancelled')
elif openid_response.status == FAILURE:
return on_failure(request, openid_response.message)
elif openid_response.status == SETUP_NEEDED:
return on_failure(request, 'Setup needed')
else:
assert False, "Bad openid status: %s" % openid_response.status
def callback(request):
consumer = Consumer(request.session, FileOpenIDStore('/tmp/gtugdemo'))
openid_response = consumer.complete(request.REQUEST, 'http://%s/login/callback' % request.get_host())
if openid_response.status == SUCCESS:
print "SUCCESS"
ax_response = ax.FetchResponse.fromSuccessResponse(openid_response)
if ax_response:
ax_items = {
'firstname': ax_response.get(
'http://axschema.org/namePerson/first'),
'lastname': ax_response.get(
'http://axschema.org/namePerson/last'),
'email': ax_response.get(
'http://axschema.org/contact/email'),
}
username = ''.join(ax_items['email'])
firstname = ''.join(ax_items['firstname'])
lastname = ''.join(ax_items['lastname'])
email = ''.join(ax_items['email'])
register_user(username, firstname , lastname , email)
print "%s %s %s" % (firstname, lastname, email)
user = User.objects.get(username=username)
user.backend='django.contrib.auth.backends.ModelBackend'
login(request, user)
return redirect(to='http://%s/' % request.get_host())
if openid_response.status == FAILURE:
print "NOOOOOOOOOOO: %s" % openid_response.message
return render_to_response('login.html', locals(), context_instance=RequestContext(request))
def begin_openid(request, openid_url,
redirect_field_name=REDIRECT_FIELD_NAME, redirect=None,
return_view_name='openid_auth-complete_openid_login',
sreg=None, extension_args=None):
"""
Setup the openid Consumer and redirect to the openid URL.
"""
#Set up the openid authorization request
consumer = Consumer(request.session, DjangoOpenIDStore())
openid_auth = consumer.begin(openid_url)
#Add openid extension args (for things like simple registration)
extension_args = extension_args or {}
#If we want simple registration, set the correct extension argument
if sreg:
extension_args['sreg.optional'] = sreg
for name, value in extension_args.items():
namespace, key = name.split('.', 1)
openid_auth.addExtensionArg(namespace, key, value)
#Get the host to authenticate for
trust_root = getattr(settings, 'OPENID_TRUST_ROOT', get_openid_return_host(request) + '/')
#Make sure we have a full return URL and that we append any redirect parameters to it
openid_return_url = get_openid_return_url(request,
return_view_name=return_view_name,
redirect_field_name=redirect_field_name,
redirect=redirect)
#Redirect to the authentication service
openid_redirect_url = openid_auth.redirectURL(trust_root, openid_return_url)
return HttpResponseRedirect(openid_redirect_url)
def try_login(self, identity_url, ask_for=None):
"""This tries to login with the given identity URL. This function
must be called from the login_handler. The `ask_for` parameter can
be a set of values to be asked from the openid provider.
The following strings can be used in the `ask_for` parameter:
``aim``, ``blog``, ``country``, ``dob`` (date of birth), ``email``,
``fullname``, ``gender``, ``icq``, ``image``, ``jabber``, ``language``,
``msn``, ``nickname``, ``phone``, ``postcode``, ``skype``,
``timezone``, ``website``, ``yahoo``
"""
if ask_for and __debug__:
for key in ask_for:
if key not in ALL_KEYS:
raise ValueError('invalid key %r' % key)
try:
consumer = Consumer(session, self.store_factory())
auth_request = consumer.begin(identity_url)
if ask_for:
self.attach_reg_info(auth_request, ask_for)
except discover.DiscoveryFailure:
self.signal_error(u'The OpenID was invalid')
return redirect(self.get_current_url())
trust_root = request.host_url
return redirect(
auth_request.redirectURL(request.host_url, self.get_success_url()))
def ask_openid(request,
openid_url,
redirect_to,
on_failure=None,
sreg_request=None):
""" basic function to ask openid and return response """
on_failure = on_failure or signin_failure
trust_root = getattr(settings, 'OPENID_TRUST_ROOT',
get_url_host(request) + '/')
if xri.identifierScheme(openid_url) == 'XRI' and getattr(
settings, 'OPENID_DISALLOW_INAMES', False):
msg = _("i-names are not supported")
logging.debug('openid failed because i-names are not supported')
return on_failure(request, msg)
consumer = Consumer(request.session, util.DjangoOpenIDStore())
try:
auth_request = consumer.begin(openid_url)
except DiscoveryFailure:
msg = _(u"OpenID %(openid_url)s is invalid" %
{'openid_url': openid_url})
logging.debug(msg)
return on_failure(request, msg)
logging.debug('openid seemed to work')
if sreg_request:
logging.debug('adding sreg_request - wtf it is?')
auth_request.addExtension(sreg_request)
redirect_url = auth_request.redirectURL(trust_root, redirect_to)
logging.debug('redirecting to %s' % redirect_url)
return HttpResponseRedirect(redirect_url)
def get_auth_redirect_url(cls, identifier):
s = FileOpenIDStore(cherrypy.request.app.config['appSettings']['openid.datastore_directory'])
consumer = Consumer(session=cherrypy.session, store=s)
authRequest = consumer.begin(identifier)
return authRequest.redirectURL(
realm=ApplicationPaths.get_site_root(),
return_to=ApplicationPaths.get_handle_openid_auth_response_path())
def complete(request, on_success=None, on_failure=None, return_to=None):
""" complete openid signin """
on_success = on_success or default_on_success
on_failure = on_failure or default_on_failure
logging.debug('in django_authopenid.complete')
consumer = Consumer(request.session, DjangoOpenIDStore())
# make sure params are encoded in utf8
params = dict((k,smart_unicode(v)) for k, v in request.GET.items())
openid_response = consumer.complete(params, return_to)
if openid_response.status == SUCCESS:
logging.debug('SUCCESS')
return on_success(request, openid_response.identity_url,
openid_response)
elif openid_response.status == CANCEL:
logging.debug('CANCEL')
return on_failure(request, 'The request was canceled')
elif openid_response.status == FAILURE:
logging.debug('FAILURE')
return on_failure(request, openid_response.message)
elif openid_response.status == SETUP_NEEDED:
logging.debug('SETUP NEEDED')
return on_failure(request, 'Setup needed')
else:
logging.debug('BAD OPENID STATUS')
assert False, "Bad openid status: %s" % openid_response.status
def get(self, request, *args, **kwargs):
consumer = Consumer(request.session, DjangoOpenIDStore())
query = dict((k, smart_unicode(v)) for k, v in request.GET.items())
openid_response = consumer.complete(query, self.get_return_url())
self.openid_response = openid_response
if openid_response.status == SUCCESS:
if 'openids' not in request.session.keys():
request.session['openids'] = []
request.session['openids'] = filter(
lambda o: o.openid != openid_response.identity_url,
request.session['openids'],
)
request.session['openids'].append(
from_openid_response(openid_response), )
OpenIDMiddleware().process_request(request)
return self.success()
elif openid_response.status == CANCEL:
return self.failure(_('The request was cancelled'))
elif openid_response.status == FAILURE:
return self.failure(openid_response.message)
elif openid_response.status == SETUP_NEEDED:
return self.failure(_('Setup needed'))
else:
raise BadOpenIDStatus(openid_response.status)
def get(self, request, *args, **kwargs):
consumer = Consumer(request.session, DjangoOpenIDStore())
query = dict((k, smart_unicode(v)) for k, v in request.GET.items())
openid_response = consumer.complete(query, self.get_return_url())
self.openid_response = openid_response
if openid_response.status == SUCCESS:
if 'openids' not in request.session.keys():
request.session['openids'] = []
request.session['openids'] = filter(
lambda o: o.openid != openid_response.identity_url,
request.session['openids'],
)
request.session['openids'].append(
from_openid_response(openid_response),
)
OpenIDMiddleware().process_request(request)
return self.success()
elif openid_response.status == CANCEL:
return self.failure(_('The request was cancelled'))
elif openid_response.status == FAILURE:
return self.failure(openid_response.message)
elif openid_response.status == SETUP_NEEDED:
return self.failure(_('Setup needed'))
else:
raise BadOpenIDStatus(openid_response.status)
def __call__(self, *args, **kw):
request = self.request
context = self.context
siteURL = u'%s/'%absoluteURL(context, request)
if not IUnauthenticatedPrincipal.providedBy(request.principal):
self.redirect(siteURL)
return u''
if not 'openid_form_submitted' in request:
self.redirect(siteURL)
return u''
identifier = request.get('openid_identifier')
if not identifier or identifier == 'http://':
IStatusMessage(request).add(
_(u"Please specify your OpenID identifier."))
self.redirect(u'%slogin.html'%siteURL)
return u''
authenticator = getUtility(IUsersPlugin)
session = ISession(request)[SESSION_KEY]
consumer = Consumer(session, authenticator.store)
try:
authRequest = consumer.begin(identifier)
redirectURL = authRequest.redirectURL(
siteURL, getReturnToURL(request))
except Exception, err:
IStatusMessage(request).add(err, 'error')
self.redirect(u'%slogin.html'%siteURL)
return u''
def login_begin(self):
"""Step one of logging in with OpenID; we redirect to the provider"""
cons = Consumer(session=session, store=self.openid_store)
try:
openid_url = request.params['openid_identifier']
except KeyError:
return self._bail("Gotta enter an OpenID to log in.")
try:
auth_request = cons.begin(openid_url)
except DiscoveryFailure:
return self._bail(
"Can't connect to '{0}'. You sure it's an OpenID?"
.format(openid_url)
)
sreg_req = SRegRequest(optional=['nickname', 'email', 'dob', 'gender',
'country', 'language', 'timezone'])
auth_request.addExtension(sreg_req)
host = request.headers['host']
protocol = request_config().protocol
return_url = url(host=host, controller='accounts', action='login_finish')
new_url = auth_request.redirectURL(return_to=return_url,
realm=protocol + '://' + host)
redirect(new_url)
def ask_openid(
request,
openid_url,
redirect_to,
on_failure=None,
sreg_request=None
):
""" basic function to ask openid and return response """
on_failure = on_failure or signin_failure
trust_root = getattr(
settings, 'OPENID_TRUST_ROOT', get_url_host(request) + '/'
)
if xri.identifierScheme(openid_url) == 'XRI' and getattr(
settings, 'OPENID_DISALLOW_INAMES', False
):
msg = _("i-names are not supported")
logging.debug('openid failed because i-names are not supported')
return on_failure(request, msg)
consumer = Consumer(request.session, util.DjangoOpenIDStore())
try:
auth_request = consumer.begin(openid_url)
except DiscoveryFailure:
msg = _(u"OpenID %(openid_url)s is invalid" % {'openid_url':openid_url})
logging.debug(msg)
return on_failure(request, msg)
logging.debug('openid seemed to work')
if sreg_request:
logging.debug('adding sreg_request - wtf it is?')
auth_request.addExtension(sreg_request)
redirect_url = auth_request.redirectURL(trust_root, redirect_to)
logging.debug('redirecting to %s' % redirect_url)
return HttpResponseRedirect(redirect_url)
def try_login(self,
identity_url,
ask_for=None,
ask_for_optional=None,
extensions=None,
immediate=False):
"""This tries to login with the given identity URL. This function
must be called from the login_handler. The `ask_for` and
`ask_for_optional`parameter can be a set of values to be asked
from the openid provider, where keys in `ask_for` are marked as
required, and keys in `ask_for_optional` are marked as optional.
The following strings can be used in the `ask_for` and
`ask_for_optional` parameters:
``aim``, ``blog``, ``country``, ``dob`` (date of birth), ``email``,
``fullname``, ``gender``, ``icq``, ``image``, ``jabber``, ``language``,
``msn``, ``nickname``, ``phone``, ``postcode``, ``skype``,
``timezone``, ``website``, ``yahoo``
`extensions` can be a list of instances of OpenID extension requests
that should be passed on with the request. If you use this, please make
sure to pass the Response classes of these extensions when initializing
OpenID.
`immediate` can be used to indicate this request should be a so-called
checkid_immediate request, resulting in the provider not showing any
UI.
Note that this adds a new possible response: SetupNeeded, which is the
server saying it doesn't have enough information yet to authorized or
reject the authentication (probably, the user needs to sign in or
approve the trust root).
"""
if ask_for and __debug__:
for key in ask_for:
if key not in ALL_KEYS:
raise ValueError('invalid key %r' % key)
if ask_for_optional:
for key in ask_for_optional:
if key not in ALL_KEYS:
raise ValueError('invalid optional key %r' % key)
try:
consumer = Consumer(SessionWrapper(self), self.store_factory())
auth_request = consumer.begin(identity_url)
if ask_for or ask_for_optional:
self.attach_reg_info(auth_request, ask_for, ask_for_optional)
if extensions:
for extension in extensions:
auth_request.addExtension(extension)
except discover.DiscoveryFailure:
self.signal_error(u'The OpenID was invalid')
return redirect(self.get_current_url())
if self.url_root_as_trust_root:
trust_root = request.url_root
else:
trust_root = request.host_url
return redirect(
auth_request.redirectURL(trust_root,
self.get_success_url(),
immediate=immediate))
def login(request):
"Display the login form and handle the login action."
try:
del request.session['account_id']
except KeyError:
# request.session did not have a has_key() last I checked...
pass
just_signed_up = False
openid_failure = ''
if request.POST:
data = request.POST.copy()
# don't validate fields that the user might have filled in before
# changing the type..
if data.get('method', 'email') == 'email':
data['openid'] = ''
else:
data['email'] = ''
data['password'] = ''
data['confirm_password'] = ''
form = LoginForm(data)
if form.is_valid():
if data.get('method', 'email') == 'email':
account = form.get_account()
request.session['account_id'] = account.id
account.last_login = datetime.datetime.now()
account.save()
return HttpResponseRedirect('/feeds/unread/')
else:
openid = form.get_openid()
consumer = Consumer(request.session, DjangoOpenIDStore())
try:
auth_request = consumer.begin(openid)
except DiscoveryFailure:
openid_failure = "The OpenID was invalid"
else:
trust_root = 'http://'+settings.SEYMOUR_DOMAIN + '/'
redirect_to = 'http://'+settings.SEYMOUR_DOMAIN+'/login/openid/'
redirect_url = auth_request.redirectURL(trust_root, redirect_to)
return HttpResponseRedirect(redirect_url)
else:
initial = {'method': 'email'}
form = LoginForm(initial=initial)
return render_to_response('accounts/login.html', {
'form': form,
'just_signed_up': just_signed_up,
'openid_failure': openid_failure,
'section': 'login',
'method': request.POST.get('method', 'email')
}, context_instance=RequestContext(request))
def ask_openid(request, openid_url, redirect_to, on_failure=None):
on_failure = on_failure or signin_failure
sreg_req = None
ax_req = None
_openid_url = openid_url
trust_root = getattr(settings, 'OPENID_TRUST_ROOT',
get_url_host(request) + '/')
if xri.identifierScheme(openid_url) == 'XRI' and getattr(
settings, 'OPENID_DISALLOW_INAMES', False):
msg = ("i-names are not supported")
auth_oidlogin.send(sender=None,
openid_url=_openid_url,
state='not_supported')
return on_failure(request, msg)
consumer = Consumer(request.session, DjangoOpenIDStore())
try:
auth_request = consumer.begin(openid_url)
except DiscoveryFailure:
msg = ("The OpenID %s was invalid") % openid_url
auth_oidlogin.send(sender=None,
openid_url=_openid_url,
state='invalid')
return on_failure(request, msg)
# get capabilities
use_ax, use_sreg = discover_extensions(openid_url)
if use_sreg:
# set sreg extension
# we always ask for nickname and email
sreg_attrs = getattr(settings, 'OPENID_SREG', {})
sreg_attrs.update({"optional": ['nickname', 'email']})
sreg_req = sreg.SRegRequest(**sreg_attrs)
if use_ax:
# set ax extension
# we always ask for nickname and email
ax_req = ax.FetchRequest()
ax_req.add(
ax.AttrInfo('http://schema.openid.net/contact/email',
alias='email',
required=True))
ax_req.add(
ax.AttrInfo('http://schema.openid.net/namePerson/friendly',
alias='nickname',
required=True))
# add custom ax attrs
ax_attrs = getattr(settings, 'OPENID_AX', [])
for attr in ax_attrs:
if len(attr) == 2:
ax_req.add(ax.AttrInfo(attr[0], required=alias[1]))
else:
ax_req.add(ax.AttrInfo(attr[0]))
if sreg_req is not None:
auth_request.addExtension(sreg_req)
if ax_req is not None:
auth_request.addExtension(ax_req)
redirect_url = auth_request.redirectURL(trust_root, redirect_to)
return HttpResponseRedirect(redirect_url)
def step1_get_authorize_url(self, openid_url, callback_url):
"""Returns a URI to redirect to the provider.
"""
consumer = Consumer(self.session, self.store)
# if consumer discovery or authentication fails, show error page
try:
request = consumer.begin(openid_url)
except Exception, e:
raise e
def complete_login(self, request):
consumer = Consumer(request.session, SolaceOpenIDStore())
openid_response = consumer.complete(
request.args.to_dict(), url_for('core.login', _external=True))
if openid_response.status == SUCCESS:
return self.create_or_login(request, openid_response.identity_url)
elif openid_response.status == CANCEL:
raise LoginUnsucessful(_(u'The request was cancelled'))
else:
raise LoginUnsucessful(_(u'OpenID authentication error'))
def begin(request,
sreg=None,
extension_args=None,
redirect_to=None,
on_failure=None):
on_failure = on_failure or default_on_failure
if request.GET.get('logo'):
# Makes for a better demo
return HttpResponse(OPENID_LOGO_BASE_64.decode('base64'),
mimetype='image/gif')
extension_args = extension_args or {}
if sreg:
extension_args['sreg.optional'] = sreg
trust_root = getattr(settings, 'OPENID_TRUST_ROOT',
get_url_host(request) + '/')
redirect_to = redirect_to or getattr(
settings,
'OPENID_REDIRECT_TO',
# If not explicitly set, assume current URL with complete/ appended
get_full_url(request).split('?')[0] + 'complete/')
# In case they were lazy...
if not redirect_to.startswith('http://'):
redirect_to = get_url_host(request) + redirect_to
if request.GET.get('next') and is_valid_next_url(request.GET['next']):
if '?' in redirect_to:
join = '&'
else:
join = '?'
redirect_to += join + 'next=' + urllib.urlencode(request.GET['next'])
user_url = request.POST.get('openid_url', None)
if not user_url:
return render('openid_signin.html', {'action': request.path})
if xri.identifierScheme(user_url) == 'XRI' and getattr(
settings, 'OPENID_DISALLOW_INAMES', False):
return on_failure(request, 'i-names are not supported')
consumer = Consumer(request.session, DjangoOpenIDStore())
try:
auth_request = consumer.begin(user_url)
except DiscoveryFailure:
return on_failure(request, "The OpenID was invalid")
# Add extension args (for things like simple registration)
for name, value in extension_args.items():
namespace, key = name.split('.', 1)
auth_request.addExtensionArg(namespace, key, value)
redirect_url = auth_request.redirectURL(trust_root, redirect_to)
return HttpResponseRedirect(redirect_url)
def begin_openid_login(
request,
openid_url,
redirect_field_name=REDIRECT_FIELD_NAME,
redirect=None,
return_view_name='openid_auth.views.complete_openid_login',
sreg=None,
extension_args=None):
"""
Setup the openid Consumer and redirect to the openid URL.
"""
#Set up the openid authorization request
consumer = Consumer(request.session, DjangoOpenIDStore())
openid_auth = consumer.begin(openid_url)
#Check if the openId provider is allowed
if hasattr(settings, 'OPENID_PROVIDERS') and settings.OPENID_PROVIDERS:
found = False
for provider_name in settings.OPENID_PROVIDERS:
if provider_name in openid_auth.endpoint.server_url:
found = True
break
if not found:
error_message = "%s: %s" % (_("Not allowed OpenID provider"),
openid_auth.endpoint.server_url)
return failure_openid_login(
request,
openid_url,
error_message,
redirect_field_name=redirect_field_name)
#Add openid extension args (for things like simple registration)
extension_args = extension_args or {}
#If we want simple registration, set the correct extension argument
if sreg:
extension_args['sreg.optional'] = sreg
for name, value in extension_args.items():
namespace, key = name.split('.', 1)
openid_auth.addExtensionArg(namespace, key, value)
#Get the host to authenticate for
trust_root = getattr(settings, 'OPENID_TRUST_ROOT',
get_openid_return_host(request) + '/')
#Make sure we have a full return URL and that we append any redirect parameters to it
openid_return_url = get_openid_return_url(
request,
return_view_name=return_view_name,
redirect_field_name=redirect_field_name,
redirect=redirect)
#Redirect to the authentication service
openid_redirect_url = openid_auth.redirectURL(trust_root,
openid_return_url)
return HttpResponseRedirect(openid_redirect_url)
def perform_login(self, request, openid_identifier):
try:
consumer = Consumer(request.session, SolaceOpenIDStore())
auth_request = consumer.begin(openid_identifier)
except discover.DiscoveryFailure:
raise LoginUnsucessful(_(u'The OpenID was invalid'))
trust_root = request.host_url
redirect_to = url_for('core.login',
openid_complete='yes',
next=request.next_url,
_external=True)
return redirect(auth_request.redirectURL(trust_root, redirect_to))
def openid_end(return_url, request):
"""Step two of logging in; the OpenID provider redirects back here."""
cons = Consumer(session=request.session, store=openid_store)
params = request.params
if 'return_key' in params and not key_from_request(request):
# We've followed a return_key that has terminated at the OpenID request
# i.e. this is a stashed OpenID request (or a bogus return_key); the
# OpenID request will therefore NOT have the return_key in its
# return_to URL, so strip it
log.debug("OpenID check stripping stale or bogus return_key(s) '{0}'"
.format(params.getall('return_key')))
# Janrain OpenID treats params as a normal dict, so it's safe to lose
# the MultiDict here (AFAICT).
params = dict((k, v) for k, v in params.iteritems() if k != 'return_key')
res = cons.complete(params, return_url)
if res.status == SUCCESS:
pass
elif res.status == FAILURE:
# The errors are, very helpfully, plain strings. Nevermind that
# there's a little hierarchy of exception classes inside the openid
# library; they all get squashed into homogenous goo in the return
# value. F*****g awesome. Check for a few common things here and
# assume the rest are wacky internal errors
log.error('openid failure: ' + res.message)
if res.message == 'Nonce already used or out of range':
# You tend to get this if you hit refresh on login_finish
raise OpenIDError("Sorry! Your login attempt expired; please start over.")
else:
raise OpenIDError("Something has gone hilariously wrong.")
elif res.status == CANCEL:
raise OpenIDError("Looks like you canceled the login.")
else:
log.error("Unexpected OpenID return status '{0}' with message '{1}'"
.format(res.status, res.message))
raise OpenIDError("Something has gone hilariously wrong.")
identity_url = unicode(res.identity_url)
identity_webfinger = request.session.pop('pending_identity_webfinger', None)
sreg_res = SRegResponse.fromSuccessResponse(res) or dict()
pape_res = PAPEResponse.fromSuccessResponse(res)
auth_time = pape_res.auth_time
return identity_url, identity_webfinger, auth_time, sreg_res
def prepare_authentication_request(self, request, redirect_to):
if not redirect_to.startswith('http://') or redirect_to.startswith(
'https://'):
redirect_to = get_url_host(request) + redirect_to
user_url = self.get_user_url(request)
if xri.identifierScheme(user_url) == 'XRI' and getattr(
settings, 'OPENID_DISALLOW_INAMES', False):
raise InvalidAuthentication('i-names are not supported')
consumer = Consumer(request.session, OsqaOpenIDStore())
try:
auth_request = consumer.begin(user_url)
except DiscoveryFailure:
raise InvalidAuthentication(
_('Sorry, but your input is not a valid OpenId'))
sreg = getattr(self, 'sreg_attributes', False)
if sreg:
s = SRegRequest()
for k, attr_dic in sreg.items():
if k == "policy_url":
s.policy_url = attr_dic
continue
for attr_name in attr_dic.keys():
s.requestField(field_name=attr_name,
required=(k == "required"))
auth_request.addExtension(s)
ax_schema = getattr(self, 'dataype2ax_schema', False)
if ax_schema and request.session.get('force_email_request', True):
axr = AXFetchRequest()
for data_type, schema in ax_schema.items():
if isinstance(schema, tuple):
axr.add(AttrInfo(schema[0], required=True,
alias=schema[1]))
else:
axr.add(AttrInfo(schema, required=True, alias=data_type))
auth_request.addExtension(axr)
trust_root = getattr(settings, 'OPENID_TRUST_ROOT',
get_url_host(request) + '/')
return auth_request.redirectURL(trust_root, redirect_to)
def complete_openid(session, query_dict, url):
consumer = Consumer(session, DjangoOpenIDStore())
openid_response = consumer.complete(query_dict, url)
if openid_response.status == SUCCESS:
openid = from_openid_response(openid_response)
return "SUCCESS", openid.ax.getExtensionArgs()['value.ext0.1']
elif openid_response.status == CANCEL:
return "CANCEL", None
elif openid_response.status == FAILURE:
return "FAILURE", openid_response.message
else:
return None, None
def oid_login_handler(self, f, oid):
if request.args.get('openid_complete') != u'yes':
return f(False)
consumer = Consumer(SessionWrapper(self), oid.store_factory())
openid_response = consumer.complete(request.args.to_dict(),
oid.get_current_url())
if openid_response.status == SUCCESS:
return oid.after_login_func(OpenIDResponse(openid_response, []))
elif openid_response.status == CANCEL:
oid.signal_error(u'The request was cancelled')
return redirect(oid.get_current_url())
oid.signal_error(u'OpenID authentication error')
return redirect(oid.get_current_url())
def try_login(self, identity_url):
"""This tries to login with the given identity URL. This function
must be called from the login_handler.
"""
try:
consumer = Consumer(session, self.create_store())
auth_request = consumer.begin(identity_url)
except discover.DiscoveryFailure:
self.signal_error(u'The OpenID was invalid')
return redirect(self.get_current_url())
trust_root = request.host_url
return redirect(
auth_request.redirectURL(request.host_url, self.get_success_url()))
def decorated(*args, **kwargs):
if request.args.get('openid_complete') != u'yes':
return f(*args, **kwargs)
consumer = Consumer(session, self.store_factory())
openid_response = consumer.complete(request.args.to_dict(),
self.get_current_url())
if openid_response.status == SUCCESS:
return self.after_login_func(OpenIDResponse(openid_response))
elif openid_response.status == CANCEL:
self.signal_error(u'The request was cancelled')
return redirect(self.get_current_url())
self.signal_error(u'OpenID authentication error')
return redirect(self.get_current_url())
def openid_begin(identifier, return_url, request, max_auth_age=False, sreg=False):
"""Step one of logging in with OpenID; we resolve a webfinger,
if present, then redirect to the provider.
Set sreg to True to attempt to retrieve Simple Registration
information.
Set max_auth_age to a number of seconds to request the OP to
ensure that the user authenticated within that many seconds prior
to the request, or else force immediate re-authentication."""
session = request.session
openid_url = identifier
# Does it look like an email address?
# If so, try finding an OpenID URL via Webfinger.
webfinger_openid = resolve_webfinger(identifier)
if webfinger_openid:
openid_url = webfinger_openid
session['pending_identity_webfinger'] = identifier
session.save()
cons = Consumer(session=session, store=openid_store)
print 1
try:
auth_request = cons.begin(openid_url)
except DiscoveryFailure:
# XXX this error blows
raise OpenIDError(
"Can't connect to '{0}'. It might not support OpenID.".format(openid_url))
print 2
if sreg:
sreg_req = SRegRequest(optional=['nickname', 'email', 'timezone'])
auth_request.addExtension(sreg_req)
if max_auth_age is not False and max_auth_age >= 0:
auth_age_req = PAPERequest(max_auth_age=max_auth_age)
auth_request.addExtension(auth_age_req)
print 3
# XXX is this realm stuff correct
# ^^^ AFAICT, yes, as long as we don't need the assertion to be valid for
# sub-domains
new_url = auth_request.redirectURL(
return_to=return_url,
realm=request.host_url,
)
print new_url
return new_url
