Exemplo n.º 1
0
def openid_server(request):
    """
    This view is the actual OpenID server - running at the URL pointed to by 
    the <link rel="openid.server"> tag. 
    """
    server = Server(get_store(request),
        op_endpoint=request.build_absolute_uri(
            reverse('openid-provider-root')))

    # Cancellation
    if 'cancel' in request.REQUEST:
        if 'OPENID_REQUEST' in request.session:
            return oresponse_to_response(server,
                request.session['OPENID_REQUEST'].answer(False))
        else:
            return HttpResponseRedirect('/')

    # Clear AuthorizationInfo session var, if it is set
    if request.session.get('AuthorizationInfo', None):
        del request.session['AuthorizationInfo']

    querydict = dict(request.REQUEST.items())
    try:
        orequest = server.decodeRequest(querydict)
    except ProtocolError, why:
        logger.error('Invalid OpenID message %s' % querydict)
        return oresponse_to_response(server, why)
Exemplo n.º 2
0
 def __init__(self, base_url):
     self.store = MemoryStore()
     self.identity_url = base_url + 'identity'
     self.localid_url = base_url + 'localid'
     self.endpoint_url = base_url + 'endpoint'
     self.server = Server(self.store, self.endpoint_url)
     self.last_request = None
Exemplo n.º 3
0
def openid_server(request):
    """
    This view is the actual OpenID server - running at the URL pointed to by
    the <link rel="openid.server"> tag.
    """
    server = Server(get_store(request),
        op_endpoint=request.build_absolute_uri(
            reverse('openid-provider-root')))

    # Cancellation
    if 'cancel' in request.REQUEST:
        if 'OPENID_REQUEST' in request.session:
            return oresponse_to_response(server,
                request.session['OPENID_REQUEST'].answer(False))
        else:
            return HttpResponseRedirect('/')

    # Clear AuthorizationInfo session var, if it is set
    if request.session.get('AuthorizationInfo', None):
        del request.session['AuthorizationInfo']

    querydict = dict(request.REQUEST.items())
    try:
        orequest = server.decodeRequest(querydict)
    except ProtocolError, why:
        logger.error('Invalid OpenID message %s' % querydict)
        return oresponse_to_response(server, why)
Exemplo n.º 4
0
 def __init__(self, base_url):
     self.store = MemoryStore()
     self.identity_url = base_url + 'identity'
     self.localid_url = base_url + 'localid'
     self.endpoint_url = base_url + 'endpoint'
     self.server = Server(self.store, self.endpoint_url)
     self.last_request = None
     self.type_uris = ['http://specs.openid.net/auth/2.0/signon']
Exemplo n.º 5
0
def openid_decide(request):
    """
    The page that asks the user if they really want to sign in to the site, and
    lets them add the consumer to their trusted whitelist.
    # If user is logged in, ask if they want to trust this trust_root
    # If they are NOT logged in, show the landing page
    """
    custom_log(request, "User entered openid_decide page", level="debug")
    server = Server(get_store(request),
	op_endpoint=request.build_absolute_uri(reverse('openid-provider-root')))
    orequest = server.decodeRequest(request.session.get('OPENID_REQUEST'))
    trust_root_valid = request.session.get('OPENID_TRUSTROOT_VALID')

    if not (request.browser and request.browser.user and request.browser.is_authenticated() and request.user.is_authenticated()):
        custom_log(request, "User is not authenticated. Redirect to sign-in page", level="debug")
        return landing_page(request, orequest)

    if not orequest:
        custom_log(request, "Entered decide page with no OpenID session in progress", level="warn")
        return error_page(request, "You don't have OpenID login session in progress.")

    openid = openid_get_identity(request, orequest.identity)
    if openid is None:
        custom_log(request, "No OpenID exists for user %s" % request.browser.user, level="warn")
        return error_page(
            request, "You are signed in but you don't have OpenID here!")

    if request.method == 'POST' and request.POST.get('decide_page', False):
        if request.POST.get("cancel"):
            custom_log(request, "User cancelled authentication from the decide page", level="info")
            for k in ["AuthorizationInfo", "OPENID_TRUSTROOT_VALID", "OPENID_REQUEST", get_trust_session_key(orequest)]:
                try:
                    del request.session[k]
                except KeyError:
                    pass
            custom_log(request, "Cancelled. Redirect to front page", level="debug")
            return HttpResponseRedirect(reverse("login_frontend.views.indexview"))
        (obj, created) = TrustedRoot.objects.get_or_create(
            openid=openid, trust_root=orequest.trust_root)
        if created:
            custom_log(request, "Created a new TrustRoot for %s" % orequest.trust_root)
        else:
            custom_log(request, "Old TrustRoot for %s exists" % orequest.trust_root)
        if not conf.FAILED_DISCOVERY_AS_VALID:
            custom_log(request, "Setting %s=True" % (get_trust_session_key(orequest)), level="debug")
            request.session[get_trust_session_key(orequest)] = True
        custom_log(request, "Redirecting to OpenID server root", level="debug")
        return HttpResponseRedirect(reverse('openid-provider-root'))

    custom_log(request, "Showing decide page", level="info")
    return render_to_response('openid_provider/decide.html', {
        'title': _('Trust this site?'),
        'trust_root': orequest.trust_root,
        'trust_root_valid': trust_root_valid,
        'return_to': orequest.return_to,
        'identity': orequest.identity,
        'sreg': get_default_sreg_data(request, orequest),
    }, context_instance=RequestContext(request))
Exemplo n.º 6
0
def openid_server(req):
    """
    This view is the actual OpenID server - running at the URL pointed to by 
    the <link rel="openid.server"> tag. 
    """
    host = get_base_uri(req)
    try:
        # if we have django_openid_auth in applications directory
        # then we can use DjangoOpenIDStore
        from django_openid_auth.store import DjangoOpenIDStore
        store = DjangoOpenIDStore()
    except:
        # otherwise use FileOpenIDStore
        OPENID_FILESTORE = '/tmp/openid-filestore'
        from openid.store.filestore import FileOpenIDStore
        store = FileOpenIDStore(OPENID_FILESTORE)
    server = Server(store, op_endpoint="%s%s" % (host, reverse('openid-provider-root')))
    # Clear AuthorizationInfo session var, if it is set
    if req.session.get('AuthorizationInfo', None):
        del req.session['AuthorizationInfo']
    querydict = dict(req.REQUEST.items())
    orequest = server.decodeRequest(querydict)
    if not orequest:
        orequest = req.session.get('OPENID_REQUEST', None)
        if not orequest:
            # not request, render info page:
            return render_to_response('openid_provider/server.html',
                {'host': host,},
                context_instance=RequestContext(req))
        else:
            # remove session stored data:
            del req.session['OPENID_REQUEST']
    if orequest.mode in ("checkid_immediate", "checkid_setup"):
        if not req.user.is_authenticated():
            return landing_page(req, orequest)
        #openid = openid_is_authorized(req, orequest.identity, orequest.trust_root)
        #if openid is not None:
        oresponse = orequest.answer(True, identity="%s%s" % (
                    host, reverse('openid-provider-identity', args=[req.user.username])))
        fullname = "%s %s" % (req.user.first_name, req.user.last_name)
        if fullname == " ":
            fullname = req.user.username
        if fullname.strip().find(" ") == -1:
            fullname = "%s %s" % (fullname, fullname)
        sreg_data = { 'fullname': fullname , 'email': req.user.email, 'nickname': req.user.username, }
        sreg_req = sreg.SRegRequest.fromOpenIDRequest(orequest)
        sreg_resp = sreg.SRegResponse.extractResponse(sreg_req, sreg_data)
        oresponse.addExtension(sreg_resp)
        #elif orequest.immediate:
        #    raise Exception('checkid_immediate mode not supported')
        #else:
        #    req.session['OPENID_REQUEST'] = orequest
        #    return HttpResponseRedirect(reverse('openid-provider-decide'))
    else:
        oresponse = server.handleRequest(orequest)
    webresponse = server.encodeResponse(oresponse)
    return django_response(webresponse)
Exemplo n.º 7
0
def openid_decide(request):
    """
    The page that asks the user if they really want to sign in to the site, and
    lets them add the consumer to their trusted whitelist.
    # If user is logged in, ask if they want to trust this trust_root
    # If they are NOT logged in, show the landing page
    """
    custom_log(request, "User entered openid_decide page", level="debug")
    server = Server(get_store(request),
	op_endpoint=request.build_absolute_uri(reverse('openid-provider-root')))
    orequest = server.decodeRequest(request.session.get('OPENID_REQUEST'))
    trust_root_valid = request.session.get('OPENID_TRUSTROOT_VALID')

    if not (request.browser and request.browser.user and request.browser.is_authenticated() and request.user.is_authenticated()):
        custom_log(request, "User is not authenticated. Redirect to sign-in page", level="debug")
        return landing_page(request, orequest)

    openid = openid_get_identity(request, orequest.identity)
    if openid is None:
        custom_log(request, "No OpenID exists for user %s" % request.browser.user, level="warn")
        return error_page(
            request, "You are signed in but you don't have OpenID here!")

    if request.method == 'POST' and request.POST.get('decide_page', False):
        if request.POST.get("cancel"):
            custom_log(request, "User cancelled authentication from the decide page", level="info")
            for k in ["AuthorizationInfo", "OPENID_TRUSTROOT_VALID", "OPENID_REQUEST", get_trust_session_key(orequest)]:
                try:
                    del request.session[k]
                except KeyError:
                    pass
            custom_log(request, "Cancelled. Redirect to front page", level="debug")
            return HttpResponseRedirect(reverse("login_frontend.views.indexview"))
        (obj, created) = TrustedRoot.objects.get_or_create(
            openid=openid, trust_root=orequest.trust_root)
        if created:
            custom_log(request, "Created a new TrustRoot for %s" % orequest.trust_root)
        else:
            custom_log(request, "Old TrustRoot for %s exists" % orequest.trust_root)
        if not conf.FAILED_DISCOVERY_AS_VALID:
            custom_log(request, "Setting %s=True" % (get_trust_session_key(orequest)), level="debug")
            request.session[get_trust_session_key(orequest)] = True
        custom_log(request, "Redirecting to OpenID server root", level="debug")
        return HttpResponseRedirect(reverse('openid-provider-root'))

    custom_log(request, "Showing decide page", level="info")
    return render_to_response('openid_provider/decide.html', {
        'title': _('Trust this site?'),
        'trust_root': orequest.trust_root,
        'trust_root_valid': trust_root_valid,
        'return_to': orequest.return_to,
        'identity': orequest.identity,
        'sreg': get_default_sreg_data(request, orequest),
    }, context_instance=RequestContext(request))
Exemplo n.º 8
0
 def __init__(self, request):
     self.request = request
     self.openid_server = Server(SFOpenIDStore(self.request.db_session),
                                 request.route_url('openid_provider'))
     userid = authenticated_userid(request)
     self.auth_userid = userid or request.session.get('auth_userid')
     if self.auth_userid:
         query = self.request.db_session.query(UserProfile)
         self.auth_user = query.get(self.auth_userid)
     else:
         self.auth_user = None
Exemplo n.º 9
0
 def setUp(self):
     super(TestGetMacaroonNS, self).setUp()
     params = {
         'openid.mode': 'checkid_setup',
         'openid.trust_root': 'http://localhost/',
         'openid.return_to': 'http://localhost/',
         'openid.identity': IDENTIFIER_SELECT,
     }
     openid_store = getUtility(IOpenIDConsumerStore)
     openid_server = Server(openid_store, get_server_url())
     self.orequest = openid_server.decodeRequest(params)
Exemplo n.º 10
0
 def test_fromSuccessResponse_no_signed(self):
     params = {
         'openid.mode': 'checkid_setup',
         'openid.trust_root': 'http://localhost/',
         'openid.return_to': 'http://localhost/',
         'openid.identity': IDENTIFIER_SELECT,
     }
     openid_store = getUtility(IOpenIDConsumerStore)
     openid_server = Server(openid_store, get_server_url())
     orequest = openid_server.decodeRequest(params)
     success_resp = SuccessResponse(orequest, orequest.message)
     resp = MacaroonResponse.fromSuccessResponse(success_resp)
     self.assertIsNone(resp.discharge_macaroon_raw)
Exemplo n.º 11
0
 def test_fromOpenIDRequest(self):
     params = {
         'openid.mode': 'checkid_setup',
         'openid.trust_root': 'http://localhost/',
         'openid.return_to': 'http://localhost/',
         'openid.identity': IDENTIFIER_SELECT,
     }
     openid_store = getUtility(IOpenIDConsumerStore)
     openid_server = Server(openid_store, get_server_url())
     orequest = openid_server.decodeRequest(params)
     req = MacaroonRequest.fromOpenIDRequest(orequest)
     self.assertIsNone(req.caveat_id)
     self.assertEqual(MACAROON_NS, req.ns_uri)
Exemplo n.º 12
0
 def __init__(self, base_url):
     self.store = MemoryStore()
     self.identity_url = base_url + 'identity'
     self.localid_url = base_url + 'localid'
     self.endpoint_url = base_url + 'endpoint'
     self.server = Server(self.store, self.endpoint_url)
     self.last_request = None
Exemplo n.º 13
0
 def __init__(self, base_url):
     self.store = MemoryStore()
     self.identity_url = base_url + 'identity'
     self.localid_url = base_url + 'localid'
     self.endpoint_url = base_url + 'endpoint'
     self.server = Server(self.store, self.endpoint_url)
     self.last_request = None
     self.type_uris = ['http://specs.openid.net/auth/2.0/signon']
Exemplo n.º 14
0
def getServer(request):
    """
    Get a Server object to perform OpenID authentication.
    """
    endpoint_url = request.build_absolute_uri(reverse('server:endpoint'))
    # Method `build_absolute_uri` returns str in both python 2 and 3, convert to text_type in 2.7
    if isinstance(endpoint_url, six.binary_type):
        endpoint_url = endpoint_url.decode('utf-8')
    return Server(getOpenIDStore(), endpoint_url)
Exemplo n.º 15
0
def endpoint(request):
    """
    Respond to low-level OpenID protocol messages.
    """
    s = Server(OpenIDStore(), request.build_absolute_uri(reverse(endpoint)))

    query = request.GET or request.POST

    # First, decode the incoming request into something the OpenID
    # library can use.
    try:
        openid_request = s.decodeRequest(query)
    except ProtocolError, why:
        # This means the incoming request was invalid.
        return direct_to_template(
            request,
            'endpoint.html',
            {'error': str(why)})
Exemplo n.º 16
0
def endpoint():
    endpoint_url = url_for('.endpoint', _external=True)
    openid = OpenIDServer(OpenIDStore(), endpoint_url)
    query = request.args if request.method == 'GET' else request.form
    try:
        oid_req = openid.decodeRequest(query)
    except ProtocolError as e:
        return openid_exception(e)
    if not oid_req:
        return render_template('papersplease/openid/index.html')
    if oid_req.mode in ('checkid_immediate', 'checkid_setup'):
        if current_user.is_authenticated():
            return openid_response(openid, oid_req.answer(True))
        elif oid_req.immediate:
            return openid_response(openid, oid_req.answer(False))
        else:
            return login_manager.unauthorized()
    else:
        return openid_response(openid, openid.handleRequest(oid_req))
Exemplo n.º 17
0
def display_response(request, openid_response):
    """
    Display an OpenID response.  Errors will be displayed directly to
    the user; successful responses and other protocol-level messages
    will be sent using the proper mechanism (i.e., direct response,
    redirection, etc.).
    """
    s = Server(OpenIDStore(), request.build_absolute_uri(reverse(endpoint)))

    # Encode the response into something that is renderable.
    try:
        webresponse = s.encodeResponse(openid_response)
    except EncodingError, why:
        # If it couldn't be encoded, display an error.
        text = why.response.encodeToKVForm()
        return direct_to_template(
            request,
            'endpoint.html',
            {'error': cgi.escape(text)})
Exemplo n.º 18
0
def prep_response(request, orequest, oresponse, server=None):
    # Convert a webresponse from the OpenID library in to a Django HttpResponse

    if not server:
        server = Server(get_store(request),
            op_endpoint=request.build_absolute_uri(
                reverse('openid-provider-root')))
    webresponse = server.encodeResponse(oresponse)
    if webresponse.code == 200 and orequest.mode in BROWSER_REQUEST_MODES:
        response = render_to_response('openid_provider/response.html', {
            'body': webresponse.body,
        }, context_instance=RequestContext(request))
        logger.debug('rendering browser response')
    else:
        response = HttpResponse(webresponse.body)
        response.status_code = webresponse.code
        for key, value in webresponse.headers.items():
            response[key] = value
        logger.debug('rendering raw response')
    return response
Exemplo n.º 19
0
def prep_response(request, orequest, oresponse, server=None):
    # Convert a webresponse from the OpenID library in to a Django HttpResponse

    if not server:
        server = Server(get_store(request),
            op_endpoint=request.build_absolute_uri(
                reverse('openid-provider-root')))
    webresponse = server.encodeResponse(oresponse)
    if webresponse.code == 200 and orequest.mode in BROWSER_REQUEST_MODES:
        response = render_to_response('openid_provider/response.html', {
            'body': webresponse.body,
        }, context_instance=RequestContext(request))
        logger.debug('rendering browser response')
    else:
        response = HttpResponse(webresponse.body)
        response.status_code = webresponse.code
        for key, value in webresponse.headers.items():
            response[key] = value
        logger.debug('rendering raw response')
    return response
Exemplo n.º 20
0
 def __init__(self, request):
     self.request = request
     self.openid_server = Server(SFOpenIDStore(self.request.db_session),
                                 request.route_url('openid_provider'))
     userid = authenticated_userid(request)
     self.auth_userid = userid or request.session.get('auth_userid')
     if self.auth_userid:
         query = self.request.db_session.query(UserProfile)
         self.auth_user = query.get(self.auth_userid)
     else:
         self.auth_user = None
Exemplo n.º 21
0
def index():
    oidstore = Web2pyStore(db)
    cache.ram('oid_cleanup', lambda: oidstore.cleanup(), time_expire=25200) #call cleanup approx. every 7h
    oserver = Server(oidstore, OID_SERVER)
    orequest = oserver.decodeRequest(request.vars)
    
    #if another controller asked to cancel this authentication request do so
    if session.oid_cancel:
       session.oid_cancel = None
       return redirect(orequest.getCancelURL())
    
    user_is_logged_in = auth.is_logged_in()
    user_owns_id = user_is_logged_in and auth.user['nickname'] == orequest.identity.split('/').pop().lower() #lazy eval
    user_trusts_root = user_is_logged_in and _userTrustsRoot(orequest.trust_root) #lazy eval

    if orequest.mode in ['checkid_immediate', 'checkid_setup']:
        if user_is_logged_in and user_owns_id and user_trusts_root:
            resp = orequest.answer(True)
        elif orequest.immediate:
            resp = orequest.answer(False)
        else:
            #populate oid session with details as required by other controllers such as the url to
            #redirect to after logon or after approving data transfer to the relying party.
            session.oid_url = URL(r=request, args=request.args, vars=request.vars)
            #redirect user to authenticate herself or to authorise request 
            if user_is_logged_in:
                session.oid_orequest = orequest
                session.oid_user_owns_id = user_owns_id
                return redirect(URL(r=request, c='auth', f='data'))
            else:
                return redirect(URL(r=request, c='auth', f='user', args=['login']))            
    else:
        #let the library handle it
        resp = oserver.handleRequest(orequest)
    
    oresp = oserver.encodeResponse(resp)
    if oresp.code==200:
        return oresp.body
    else:
        return redirect(oresp.headers['location'], oresp.code)
Exemplo n.º 22
0
    def init_idp(self):
        self.datastore = OpenIDStore(self.get_config_value('database url'))
        self.server = Server(self.datastore, op_endpoint=self.endpoint_url)

        # Expose OpenID presence in the root
        headers = self._root.default_headers
        headers['X-XRDS-Location'] = self.endpoint_url + 'XRDS'

        html_heads = self._root.html_heads
        HEAD_LINK = '<link rel="%s" href="%s">'
        openid_heads = [
            HEAD_LINK % ('openid2.provider', self.endpoint_url),
            HEAD_LINK % ('openid.server', self.endpoint_url)
        ]
        html_heads['openid'] = openid_heads
Exemplo n.º 23
0
class OpenIDApp(object):
    def __init__(self):
        from openid.server.server import Server
        from openid.store.memstore import MemoryStore
        store = MemoryStore()
        self.server = Server(store, 'http://www.jaraco.com/')

    def __call__(self, environ, start_response):
        """
		The WSGI App - verifies the identity against the requested identity
		"""
        start_response("200 OK", [('Content-Type', 'text/html')])
        return ["foo"]
        query = dict(urlparse.parse_qsl(environ['QUERY_STRING']))
        request = self.server.decodeRequest(query)
        if not request:
            path_info = environ['PATH_INFO']
            if path_info:
                username = path_info.rsplit('/', 1)[-1]
                start_response("200 OK", [('Content-Type', 'text/html')])
                provider = 'http://drake.jaraco.com/isapi-openid'
                local_id = '%(provider)s/%(username)s' % vars()
                return [
                    """<HTML><HEAD><LINK rel="openid2.provider" href="%(provider)s"><LINK rel="openid2.local_id" href="%(local_id)s"></HEAD><BODY>Id for %(username)s</BODY></HTML>"""
                    % vars()
                ]
            else:
                start_response("401 Unauthorized")
                return [""]
        id_requested = request.identity.rsplit('/', 1)[-1]
        # assume the user has already authenticated using basic auth
        id_authenticated = environ['REMOTE_USER'].rsplit('\\', 1)[-1]
        matched = id_requested and id_requested == id_authenticated
        response = request.answer(matched)
        start_response("303 found", [('Location', response.encodeToURL())])
        return ['']
Exemplo n.º 24
0
class OpenIDProvider(object):
    # OpenID service type URIs, listed in order of preference.  The
    # ordering of this list affects yadis and XRI service discovery.
    openid_type_uris = [
        #discover.OPENID_IDP_2_0_TYPE,
        discover.OPENID_2_0_TYPE,
        discover.OPENID_1_1_TYPE,
        discover.OPENID_1_0_TYPE,
        sreg.ns_uri,
    ]

    def __init__(self, request):
        self.request = request
        self.openid_server = Server(SFOpenIDStore(self.request.db_session),
                                    request.route_url('openid_provider'))
        userid = authenticated_userid(request)
        self.auth_userid = userid or request.session.get('auth_userid')
        if self.auth_userid:
            query = self.request.db_session.query(UserProfile)
            self.auth_user = query.get(self.auth_userid)
        else:
            self.auth_user = None

    def process(self, request_params):
        logger.debug('Processing openid request: %s', request_params)
        if request_params.get('openid.identity'):
            home_url = self.request.route_url('home')
            if request_params['openid.identity'] == request_params['openid.claimed_id'] and \
               request_params['openid.identity'] == home_url:
                username = self.request.user and self.request.user.username or \
                           self.auth_userid
                if username:
                    username = username.lower()
                    user_url = self.request.route_url('user_profile',
                                                      username=username)
                    request_params['openid.identity'] = user_url
                    request_params['openid.claimed_id'] = user_url
        try:
            openid_request = self.openid_server.decodeRequest(request_params)
        # MalformedReturnURL, UntrustedReturnURL, etc.
        except ProtocolError as e:
            logger.info('Unable to decode request: %s %s', e.__class__,
                        e.openid_message)
            return ''
        logger.debug('Decoded request: %s', openid_request)

        if openid_request is None:
            return ''

        if openid_request.mode in ["checkid_immediate", "checkid_setup"]:
            if self.request.user or self.auth_userid:
                openid_response = self.handleCheckIDRequest(openid_request)
            else:
                # If the user has not logged in yet, stash the OpenID
                # consuming site request (if there isn't one already) and
                # send them to the login view. The openid_tween will take
                # care of sending them back to the OpenID consuming site.
                rp_dict = dict(request_params.items())
                self.request.session['openid_request'] = rp_dict
                self.request.session.save()
                return HTTPFound(location=self.request.route_url('login'))
        else:
            openid_response = self.openid_server.handleRequest(openid_request)

        logger.debug('Decoded response: %s', openid_response)
        encoded_response = self.openid_server.encodeResponse(openid_response)

        if 'location' in encoded_response.headers:
            response = HTTPFound(location=encoded_response.headers['location'])
            return response
        return encoded_response.body

    def get(self):
        return self.process(self.request.GET)

    def post(self):
        if self.request.method != "POST":
            return HTTPMethodNotAllowed()
        return self.process(self.request.POST)

    def approved(self, request, identifier=None):
        response = request.answer(True, identity=identifier)
        self.addSRegResponse(request, response)
        return response

    def handleCheckIDRequest(self, request):
        is_authorized = self.isAuthorized(request.identity, request.trust_root)
        if is_authorized:
            return self.approved(request, request.identity)
        else:
            return request.answer(False, identity=request.identity)

    def isAuthorized(self, identity_url, trust_root):
        if not self.auth_userid:
            return False

        self.request.registry.notify(
            CheckIDAuthorized(self.request, self.auth_user))
        # TODO: prompt user for authorization
        return True

    def addSRegResponse(self, request, response):
        sreg_req = sreg.SRegRequest.fromOpenIDRequest(request)
        sreg_data = dict([(fname, None) for fname in sreg.data_fields])
        sreg_data['fullname'] = '%s %s' % (self.auth_user.first_name,
                                           self.auth_user.last_name)
        sreg_data['nickname'] = self.auth_userid
        sreg_data['email'] = self.auth_user.email
        sreg_resp = sreg.SRegResponse.extractResponse(sreg_req, sreg_data)
        response.addExtension(sreg_resp)

    def identity(self):
        query = self.request.db_session.query(UserProfile)
        target_username = self.request.matchdict['username']
        target_user = query.get(target_username)
        if target_user is None:
            raise HTTPNotFound()
        return {
            'username': target_user.username.lower(),
        }
Exemplo n.º 25
0
class OpenIDMixin:
    """A mixin with OpenID helper methods."""

    openid_request = None

    def __init__(self, context, request):
        super(OpenIDMixin, self).__init__(context, request)
        self.server_url = get_server_url()
        self.openid_server = Server(openid_store, self.server_url)

    @property
    def user_identity_url(self):
        return ITestOpenIDPersistentIdentity(self.account).openid_identity_url

    def isIdentityOwner(self):
        """Return True if the user can authenticate as the given ID."""
        assert self.account is not None, "user should be logged in by now."
        return (self.openid_request.idSelect()
                or self.openid_request.identity == self.user_identity_url)

    @cachedproperty
    def openid_parameters(self):
        """A dictionary of OpenID query parameters from request."""
        query = {}
        for key, value in self.request.form.items():
            if key.startswith('openid.'):
                # All OpenID query args are supposed to be ASCII.
                query[key.encode('US-ASCII')] = value.encode('US-ASCII')
        return query

    def getSession(self):
        """Get the session data container that stores the OpenID request."""
        if IUnauthenticatedPrincipal.providedBy(self.request.principal):
            # A dance to assert that we want to break the rules about no
            # unauthenticated sessions. Only after this next line is it
            # safe to set session values.
            allowUnauthenticatedSession(self.request,
                                        duration=timedelta(minutes=60))
        return ISession(self.request)[SESSION_PKG_KEY]

    def restoreRequestFromSession(self):
        """Get the OpenIDRequest from our session."""
        session = self.getSession()
        cache = get_property_cache(self)
        try:
            cache.openid_parameters = session[OPENID_REQUEST_SESSION_KEY]
        except KeyError:
            raise UnexpectedFormData("No OpenID request in session")

        # Decode the request parameters and create the request object.
        self.openid_request = self.openid_server.decodeRequest(
            self.openid_parameters)
        assert zisinstance(
            self.openid_request,
            CheckIDRequest), ('Invalid OpenIDRequest in session')

    def saveRequestInSession(self):
        """Save the OpenIDRequest in our session."""
        query = self.openid_parameters
        assert query.get('openid.mode') == 'checkid_setup', (
            'Can only serialise checkid_setup OpenID requests')

        session = self.getSession()
        # If this was meant for use in production we'd have to use a nonce
        # as the key when storing the openid request in the session, but as
        # it's meant to run only on development instances we can simplify
        # things a bit by storing the openid request using a well known key.
        session[OPENID_REQUEST_SESSION_KEY] = query

    def renderOpenIDResponse(self, openid_response):
        """Return a web-suitable response constructed from openid_response."""
        webresponse = self.openid_server.encodeResponse(openid_response)
        response = self.request.response
        response.setStatus(webresponse.code)
        # encodeResponse doesn't generate a content-type, help it out
        if (webresponse.code == 200 and webresponse.body
                and openid_response.whichEncoding() == ENCODE_HTML_FORM):
            response.setHeader('content-type', 'text/html')
        for header, value in webresponse.headers.items():
            response.setHeader(header, value)
        return webresponse.body

    def createPositiveResponse(self):
        """Create a positive assertion OpenIDResponse.

        This method should be called to create the response to
        successful checkid requests.

        If the trust root for the request is in openid_sreg_trustroots,
        then additional user information is included with the
        response.
        """
        assert self.account is not None, (
            'Must be logged in for positive OpenID response')
        assert self.openid_request is not None, (
            'No OpenID request to respond to.')

        if not self.isIdentityOwner():
            return self.createFailedResponse()

        if self.openid_request.idSelect():
            response = self.openid_request.answer(
                True, identity=self.user_identity_url)
        else:
            response = self.openid_request.answer(True)

        person = IPerson(self.account)
        sreg_fields = dict(nickname=person.name,
                           email=person.preferredemail.email,
                           fullname=self.account.displayname)
        sreg_request = SRegRequest.fromOpenIDRequest(self.openid_request)
        sreg_response = SRegResponse.extractResponse(sreg_request, sreg_fields)
        response.addExtension(sreg_response)

        return response

    def createFailedResponse(self):
        """Create a failed assertion OpenIDResponse.

        This method should be called to create the response to
        unsuccessful checkid requests.
        """
        assert self.openid_request is not None, (
            'No OpenID request to respond to.')
        response = self.openid_request.answer(False, self.server_url)
        return response
Exemplo n.º 26
0
def openid_server(req):
    """
    This view is the actual OpenID server - running at the URL pointed to by
    the <link rel="openid.server"> tag.
    """
    host = get_base_uri(req)
    try:
        # if we have django_openid_auth in applications directory
        # then we can use DjangoOpenIDStore
        from django_openid_auth.store import DjangoOpenIDStore
        store = DjangoOpenIDStore()
    except:
        # otherwise use FileOpenIDStore
        OPENID_FILESTORE = '/tmp/openid-filestore'
        from openid.store.filestore import FileOpenIDStore
        store = FileOpenIDStore(OPENID_FILESTORE)

    server = Server(store,
                    op_endpoint="%s%s" %
                    (host, reverse('openid-provider-root')))

    # Clear AuthorizationInfo session var, if it is set
    if req.session.get('AuthorizationInfo', None):
        del req.session['AuthorizationInfo']

    querydict = dict(req.REQUEST.items())
    try:
        orequest = server.decodeRequest(querydict)
    except:
        L.exception("Request decode failed")
        orequest = None
    if not orequest:
        orequest = req.session.get('OPENID_REQUEST', None)
        if not orequest:
            # not request, render info page:
            return render_to_response('openid_provider/server.html', {
                'host': host,
            },
                                      context_instance=RequestContext(req))
        else:
            # remove session stored data:
            del req.session['OPENID_REQUEST']

    if orequest.mode in ("checkid_immediate", "checkid_setup"):

        if not req.user.is_authenticated():
            return landing_page(req, orequest)

        openid = openid_is_authorized(req, orequest.identity,
                                      orequest.trust_root)

        if openid is not None:
            oresponse = orequest.answer(
                True,
                identity="%s%s" %
                (host, reverse('openid-provider-identity',
                               args=[openid.openid])))

            sreg_data = {'nickname': req.user.username}
            sreg_req = sreg.SRegRequest.fromOpenIDRequest(orequest)
            sreg_resp = sreg.SRegResponse.extractResponse(sreg_req, sreg_data)
            oresponse.addExtension(sreg_resp)

        elif orequest.immediate:
            raise Exception('checkid_immediate mode not supported')
        else:
            req.session['OPENID_REQUEST'] = orequest
            return HttpResponseRedirect(reverse('openid-provider-decide'))
    else:
        oresponse = server.handleRequest(orequest)
    webresponse = server.encodeResponse(oresponse)
    return django_response(webresponse)
Exemplo n.º 27
0
def getServer(request):
    """
    Get a Server object to perform OpenID authentication.
    """
    return Server(getOpenIDStore(), getViewURL(request, endpoint))
Exemplo n.º 28
0
def get_openid_server(request):
    store = DjangoDBOpenIDStore()
    return Server(store, endpoint_url(request))
Exemplo n.º 29
0
def openid_get_server(request):
    return Server(get_store(request),
                  op_endpoint=request.build_absolute_uri(
                      reverse('openid-provider-root')))
Exemplo n.º 30
0
def getServer(request):
    """
    Get a Server object to perform OpenID authentication.
    """
    endpoint_url = request.build_absolute_uri(reverse('server:endpoint'))
    return Server(getOpenIDStore(), endpoint_url)
Exemplo n.º 31
0
def get_server(request):
    """
    Get a Server object to perform OpenID authentication.
    """
    return Server(get_openid_store(), get_view_url(request, endpoint))
Exemplo n.º 32
0
 def __init__(self, context, request):
     super(OpenIDMixin, self).__init__(context, request)
     self.server_url = get_server_url()
     self.openid_server = Server(openid_store, self.server_url)
Exemplo n.º 33
0
def cgi_main():
    logger.html_mode()
    global config
    cgi_request = CGIParser()
    response = CGIResponse()

    # Load configuration
    config_file = ConfigManager.find_config_file()

    if not config_file:
        logger.error("No configuration file found")
        response.type = "no_config"
        response.output(None)
        return
    else:
        try:
            config = ConfigManager(config_file)
        except configparser.ParsingError as e:
            logger.error("Unable to parse config file: {0}".format(err))
            response.error = "Error parsing poit configuration file"

    if config:
        # Make sure an endpoint is set
        endpoint = config.get_option("server", "endpoint")
        if not endpoint:
            endpoint = cgi_request.self_uri(https=config.force_https())
            config.set_option("server", "endpoint", endpoint, save=False)

        logger.debug("Endpoint: " + endpoint)
        ostore = FileOpenIDStore(os.path.expanduser(config.get_option("server", "session_dir")))
        oserver = OpenIDServer(ostore, endpoint)
        logger.debug("Initialized server")
    else:
        # Stilll need to create a OpenIDServer to parse the request
        ostore = MemoryStore()
        oserver = OpenIDServer(ostore, "")
        logger.debug("Initialized dummy server")

    # Decode request
    try:
        request = oserver.decodeRequest(cgi_request.openid)
    except server.ProtocolError as err:
        logger.warn("Not an OpenID request: " + str(err))
        request = None

    session = Session(cgi_request)

    # Redirect to HTTPS if required
    if (not session.is_secure()) and config.force_https() and ((not request) or type(request) == CheckIDRequest):
        response.redirect_url = "{endpoint}?{fields}".format(
            endpoint=re.sub("^http:", "https:", endpoint), fields=urllib.urlencode(cgi_request.openid)
        )
        response.output(session)
        return

    action = PoitAction.from_request(cgi_request.post)

    logger.debug("Action: " + str(action))

    if action and action.type == "authenticate" and not session.authenticated:
        session.authenticated = True

    if request:
        handle_openid(session, oserver, request, response, action)
    else:
        handle_normal(session, response, action)

    config.save()
    ostore.cleanup()
    response.output(session)
Exemplo n.º 34
0
 def get_server(self, request):
     return Server(DjangoOpenIDStore())
Exemplo n.º 35
0
def provider_login(request):
    """
    OpenID login endpoint
    """

    # make and validate endpoint
    endpoint = get_xrds_url('login', request)
    if not endpoint:
        return default_render_failure(request, "Invalid OpenID request")

    # initialize store and server
    store = DjangoOpenIDStore()
    server = Server(store, endpoint)

    # first check to see if the request is an OpenID request.
    # If so, the client will have specified an 'openid.mode' as part
    # of the request.
    querydict = dict(request.REQUEST.items())
    error = False
    if 'openid.mode' in request.GET or 'openid.mode' in request.POST:
        # decode request
        try:
            openid_request = server.decodeRequest(querydict)
        except (UntrustedReturnURL, ProtocolError):
            openid_request = None

        if not openid_request:
            return default_render_failure(request, "Invalid OpenID request")

        # don't allow invalid and non-trusted trust roots
        if not validate_trust_root(openid_request):
            return default_render_failure(request, "Invalid OpenID trust root")

        # checkid_immediate not supported, require user interaction
        if openid_request.mode == 'checkid_immediate':
            return provider_respond(server, openid_request,
                                    openid_request.answer(False), {})

        # checkid_setup, so display login page
        # (by falling through to the provider_login at the
        # bottom of this method).
        elif openid_request.mode == 'checkid_setup':
            if openid_request.idSelect():
                # remember request and original path
                request.session['openid_setup'] = {
                    'request': openid_request,
                    'url': request.get_full_path()
                }

                # user failed login on previous attempt
                if 'openid_error' in request.session:
                    error = True
                    del request.session['openid_error']

        # OpenID response
        else:
            return provider_respond(server, openid_request,
                                    server.handleRequest(openid_request), {})

    # handle login redirection:  these are also sent to this view function,
    # but are distinguished by lacking the openid mode.  We also know that
    # they are posts, because they come from the popup
    elif request.method == 'POST' and 'openid_setup' in request.session:
        # get OpenID request from session
        openid_setup = request.session['openid_setup']
        openid_request = openid_setup['request']
        openid_request_url = openid_setup['url']
        del request.session['openid_setup']

        # don't allow invalid trust roots
        if not validate_trust_root(openid_request):
            return default_render_failure(request, "Invalid OpenID trust root")

        # check if user with given email exists
        # Failure is redirected to this method (by using the original URL),
        # which will bring up the login dialog.
        email = request.POST.get('email', None)
        try:
            user = User.objects.get(email=email)
        except User.DoesNotExist:
            request.session['openid_error'] = True
            msg = "OpenID login failed - Unknown user email: %s"
            AUDIT_LOG.warning(msg, email)
            return HttpResponseRedirect(openid_request_url)

        # attempt to authenticate user (but not actually log them in...)
        # Failure is again redirected to the login dialog.
        username = user.username
        password = request.POST.get('password', None)
        try:
            user = authenticate(username=username, password=password, request=request)
        except RateLimitException:
            AUDIT_LOG.warning('OpenID - Too many failed login attempts.')
            return HttpResponseRedirect(openid_request_url)

        if user is None:
            request.session['openid_error'] = True
            msg = "OpenID login failed - password for %s is invalid"
            AUDIT_LOG.warning(msg, email)
            return HttpResponseRedirect(openid_request_url)

        # authentication succeeded, so fetch user information
        # that was requested
        if user is not None and user.is_active:
            # remove error from session since login succeeded
            if 'openid_error' in request.session:
                del request.session['openid_error']

            AUDIT_LOG.info("OpenID login success - %s (%s)",
                           user.username, user.email)

            # redirect user to return_to location
            url = endpoint + urlquote(user.username)
            response = openid_request.answer(True, None, url)

            # TODO: for CS50 we are forcibly returning the username
            # instead of fullname. In the OpenID simple registration
            # extension, we don't have to return any fields we don't
            # want to, even if they were marked as required by the
            # Consumer. The behavior of what to do when there are
            # missing fields is up to the Consumer. The proper change
            # should only return the username, however this will likely
            # break the CS50 client. Temporarily we will be returning
            # username filling in for fullname in addition to username
            # as sreg nickname.

            # Note too that this is hardcoded, and not really responding to
            # the extensions that were registered in the first place.
            results = {
                'nickname': user.username,
                'email': user.email,
                'fullname': user.username
            }

            # the request succeeded:
            return provider_respond(server, openid_request, response, results)

        # the account is not active, so redirect back to the login page:
        request.session['openid_error'] = True
        msg = "Login failed - Account not active for user %s"
        AUDIT_LOG.warning(msg, username)
        return HttpResponseRedirect(openid_request_url)

    # determine consumer domain if applicable
    return_to = ''
    if 'openid.return_to' in request.REQUEST:
        return_to = request.REQUEST['openid.return_to']
        matches = re.match(r'\w+:\/\/([\w\.-]+)', return_to)
        return_to = matches.group(1)

    # display login page
    response = render_to_response('provider_login.html', {
        'error': error,
        'return_to': return_to
    })

    # add custom XRDS header necessary for discovery process
    response['X-XRDS-Location'] = get_xrds_url('xrds', request)
    return response
Exemplo n.º 36
0
 def __init__(self, context, request):
     super(OpenIDMixin, self).__init__(context, request)
     self.server_url = get_server_url()
     self.openid_server = Server(openid_store, self.server_url)
Exemplo n.º 37
0
def openid_server(request):
    """
    This view is the actual OpenID server - running at the URL pointed to by 
    the <link rel="openid.server"> tag. 
    """
    logger.debug('server request %s: %s', request.method, request.POST
                 or request.GET)
    server = Server(get_store(request),
                    op_endpoint=request.build_absolute_uri(
                        reverse('openid-provider-root')))

    if not request.is_secure():
        # if request is not secure allow only encrypted association sessions
        server.negotiator = encrypted_negotiator

    # Clear AuthorizationInfo session var, if it is set
    if request.session.get('AuthorizationInfo', None):
        del request.session['AuthorizationInfo']

    querydict = dict(request.REQUEST.items())
    orequest = server.decodeRequest(querydict)
    if not orequest:
        orequest = request.session.get('OPENID_REQUEST', None)
        if orequest:
            # remove session stored data:
            del request.session['OPENID_REQUEST']
        else:
            # not request, render info page:
            data = {
                'host':
                request.build_absolute_uri('/'),
                'xrds_location':
                request.build_absolute_uri(reverse('openid-provider-xrds')),
            }
            logger.debug('invalid request, sending info: %s', data)
            return render_to_response('openid_provider/server.html',
                                      data,
                                      context_instance=RequestContext(request))

    if orequest.mode in BROWSER_REQUEST_MODES:
        if not request.user.is_authenticated():

            #return HttpResponse(orequest.return_to)
            logger.debug('no local authentication, sending landing page')
            return landing_page(request, orequest)

        openid = openid_is_authorized(request, orequest.identity,
                                      orequest.trust_root)

        if openid is not None:
            id_url = request.build_absolute_uri(
                reverse('openid-provider-identity', args=[openid.openid]))
            oresponse = orequest.answer(True, identity=id_url)
            logger.debug('orequest.answer(True, identity="%s")', id_url)
        elif orequest.immediate:
            logger.debug('checkid_immediate mode not supported')
            raise Exception('checkid_immediate mode not supported')
        else:
            request.session['OPENID_REQUEST'] = orequest
            logger.debug('redirecting to decide page')
            return HttpResponseRedirect(reverse('openid-provider-decide'))
    else:
        oresponse = server.handleRequest(orequest)
    if request.user.is_authenticated():
        add_sreg_data(request, orequest, oresponse)
        if conf.AX_EXTENSION:
            add_ax_data(request, orequest, oresponse)
    # Convert a webresponse from the OpenID library in to a Django HttpResponse
    webresponse = server.encodeResponse(oresponse)
    if webresponse.code == 200 and orequest.mode in BROWSER_REQUEST_MODES:
        response = render_to_response('openid_provider/response.html', {
            'body': webresponse.body,
        },
                                      context_instance=RequestContext(request))
        logger.debug('rendering browser response')
    else:
        response = HttpResponse(webresponse.body)
        response.status_code = webresponse.code
        for key, value in webresponse.headers.items():
            response[key] = value
        logger.debug('rendering raw response')
    return response
Exemplo n.º 38
0
def provider_login(request):
    """
    OpenID login endpoint
    """

    # make and validate endpoint
    endpoint = get_xrds_url("login", request)
    if not endpoint:
        return default_render_failure(request, "Invalid OpenID request")

    # initialize store and server
    store = DjangoOpenIDStore()
    server = Server(store, endpoint)

    # first check to see if the request is an OpenID request.
    # If so, the client will have specified an 'openid.mode' as part
    # of the request.
    querydict = dict(request.REQUEST.items())
    error = False
    if "openid.mode" in request.GET or "openid.mode" in request.POST:
        # decode request
        try:
            openid_request = server.decodeRequest(querydict)
        except (UntrustedReturnURL, ProtocolError):
            openid_request = None

        if not openid_request:
            return default_render_failure(request, "Invalid OpenID request")

        # don't allow invalid and non-trusted trust roots
        if not validate_trust_root(openid_request):
            return default_render_failure(request, "Invalid OpenID trust root")

        # checkid_immediate not supported, require user interaction
        if openid_request.mode == "checkid_immediate":
            return provider_respond(server, openid_request, openid_request.answer(False), {})

        # checkid_setup, so display login page
        # (by falling through to the provider_login at the
        # bottom of this method).
        elif openid_request.mode == "checkid_setup":
            if openid_request.idSelect():
                # remember request and original path
                request.session["openid_setup"] = {"request": openid_request, "url": request.get_full_path()}

                # user failed login on previous attempt
                if "openid_error" in request.session:
                    error = True
                    del request.session["openid_error"]

        # OpenID response
        else:
            return provider_respond(server, openid_request, server.handleRequest(openid_request), {})

    # handle login redirection:  these are also sent to this view function,
    # but are distinguished by lacking the openid mode.  We also know that
    # they are posts, because they come from the popup
    elif request.method == "POST" and "openid_setup" in request.session:
        # get OpenID request from session
        openid_setup = request.session["openid_setup"]
        openid_request = openid_setup["request"]
        openid_request_url = openid_setup["url"]
        del request.session["openid_setup"]

        # don't allow invalid trust roots
        if not validate_trust_root(openid_request):
            return default_render_failure(request, "Invalid OpenID trust root")

        # check if user with given email exists
        # Failure is redirected to this method (by using the original URL),
        # which will bring up the login dialog.
        email = request.POST.get("email", None)
        try:
            user = User.objects.get(email=email)
        except User.DoesNotExist:
            request.session["openid_error"] = True
            if settings.FEATURES["SQUELCH_PII_IN_LOGS"]:
                AUDIT_LOG.warning("OpenID login failed - Unknown user email")
            else:
                msg = "OpenID login failed - Unknown user email: {0}".format(email)
                AUDIT_LOG.warning(msg)
            return HttpResponseRedirect(openid_request_url)

        # attempt to authenticate user (but not actually log them in...)
        # Failure is again redirected to the login dialog.
        username = user.username
        password = request.POST.get("password", None)
        try:
            user = authenticate(username=username, password=password, request=request)
        except RateLimitException:
            AUDIT_LOG.warning("OpenID - Too many failed login attempts.")
            return HttpResponseRedirect(openid_request_url)

        if user is None:
            request.session["openid_error"] = True
            if settings.FEATURES["SQUELCH_PII_IN_LOGS"]:
                AUDIT_LOG.warning("OpenID login failed - invalid password")
            else:
                msg = "OpenID login failed - password for {0} is invalid".format(email)
                AUDIT_LOG.warning(msg)
            return HttpResponseRedirect(openid_request_url)

        # authentication succeeded, so fetch user information
        # that was requested
        if user is not None and user.is_active:
            # remove error from session since login succeeded
            if "openid_error" in request.session:
                del request.session["openid_error"]

            if settings.FEATURES["SQUELCH_PII_IN_LOGS"]:
                AUDIT_LOG.info("OpenID login success - user.id: {0}".format(user.id))
            else:
                AUDIT_LOG.info("OpenID login success - {0} ({1})".format(user.username, user.email))

            # redirect user to return_to location
            url = endpoint + urlquote(user.username)
            response = openid_request.answer(True, None, url)

            # Note too that this is hardcoded, and not really responding to
            # the extensions that were registered in the first place.
            results = {"nickname": user.username, "email": user.email, "fullname": user.profile.name}

            # the request succeeded:
            return provider_respond(server, openid_request, response, results)

        # the account is not active, so redirect back to the login page:
        request.session["openid_error"] = True
        if settings.FEATURES["SQUELCH_PII_IN_LOGS"]:
            AUDIT_LOG.warning("Login failed - Account not active for user.id {0}".format(user.id))
        else:
            msg = "Login failed - Account not active for user {0}".format(username)
            AUDIT_LOG.warning(msg)
        return HttpResponseRedirect(openid_request_url)

    # determine consumer domain if applicable
    return_to = ""
    if "openid.return_to" in request.REQUEST:
        return_to = request.REQUEST["openid.return_to"]
        matches = re.match(r"\w+:\/\/([\w\.-]+)", return_to)
        return_to = matches.group(1)

    # display login page
    response = render_to_response("provider_login.html", {"error": error, "return_to": return_to})

    # add custom XRDS header necessary for discovery process
    response["X-XRDS-Location"] = get_xrds_url("xrds", request)
    return response
Exemplo n.º 39
0
def openid_server(request):
    """
    This view is the actual OpenID server - running at the URL pointed to by 
    the <link rel="openid.server"> tag. 
    """
    custom_log(request, "Server request: %s: %s" % (request.method, request.POST or request.GET), level="debug")

    server = Server(get_store(request),
        op_endpoint=request.build_absolute_uri(reverse('openid-provider-root')))

    if not request.is_secure():
        # if request is not secure allow only encrypted association sessions
        custom_log(request, "Request is not secure. Switching to encrypted negotiator", level="debug")
        server.negotiator = encrypted_negotiator

    # Clear AuthorizationInfo session var, if it is set
    if request.session.get('AuthorizationInfo', None):
        custom_log(request, "Clearing AuthorizationInfo session var", level="debug")
        del request.session['AuthorizationInfo']

    querydict = dict(request.REQUEST.items())
    orequest = server.decodeRequest(querydict)
    if not orequest:
        orequest = server.decodeRequest(request.session.get('OPENID_REQUEST', None))
        if orequest:
            # remove session stored data:
            custom_log(request, "Removing stored data from session", level="debug")
            del request.session['OPENID_REQUEST']
        else:
            # not request, render info page:
            data = {
                'host': request.build_absolute_uri('/'),
                'xrds_location': request.build_absolute_uri(
                    reverse('openid-provider-xrds')),
            }
            custom_log(request, "Not an OpenID request, sending info: %s" % data, level="info")
            if request.browser and request.browser.user:
                data["openid_identifier"] = "https://" + request.get_host() +  reverse('openid-provider-identity', args=[request.browser.user.username])
            else:
                data["page_url"] = request.build_absolute_uri()
            return render_to_response('openid_provider/server.html',
                                      data,
                                      context_instance=RequestContext(request))

    custom_log(request, "orequest.mode: %s" % orequest.mode, level="debug")

    if orequest.mode in BROWSER_REQUEST_MODES:
        if not (request.browser and request.browser.user and request.browser.is_authenticated() and request.user.is_authenticated()):
            custom_log(request, "no local authentication, sending landing page", level="debug")
            return landing_page(request, orequest)

        openid = openid_is_authorized(request, orequest.identity,
                                      orequest.trust_root)

        # verify return_to:
        trust_root_valid = trust_root_validation(orequest)
        custom_log(request, "trust_root_valid=%s" % trust_root_valid, level="debug")
        validated = False

        # Allow per-url exceptions for trust roots.
        for global_trusted_root in settings.OPENID_TRUSTED_ROOTS:
            if orequest.trust_root.startswith(global_trusted_root):
                custom_log(request, "Trust root %s is in always trusted roots. Set validated=True" % orequest.trust_root, level="debug")
                validated = True
                break

        if conf.FAILED_DISCOVERY_AS_VALID:
            if trust_root_valid == 'DISCOVERY_FAILED' or trust_root_valid == 'Unreachable':
                custom_log(request, "Setting validated=True as FAILED_DISCOVERY_AS_VALID is True", level="debug")
                validated = True
        else:
            # if in decide already took place, set as valid:
            if request.session.get(get_trust_session_key(orequest), False):
                custom_log(request, "Setting validated=True as session var %s is True" % (get_trust_session_key(orequest)), level="debug")
                validated = True

        custom_log(request, "Session key: %s=%s" % (get_trust_session_key(orequest), request.session.get(get_trust_session_key(orequest))), level="debug")

        custom_log(request, "OpenID is %s" % openid, level="debug")
        if openid is not None and (validated or trust_root_valid == 'Valid'):
            id_url = request.build_absolute_uri(
                reverse('openid-provider-identity', args=[openid.openid]))
            try:
                oresponse = orequest.answer(True, identity=id_url)
            except ValueError, e:
                return render_to_response("openid_provider/error.html", {"title": "Invalid identity URL", "msg": e.message}, context_instance=RequestContext(request))
            custom_log(request, 'orequest.answer(True, identity="%s")' % id_url, level="debug")
        elif orequest.immediate:
            custom_log(request, 'checkid_immediate mode not supported', level="debug")
            raise Exception('checkid_immediate mode not supported')
        else:
            request.session['OPENID_REQUEST'] = orequest.message.toPostArgs()
            request.session['OPENID_TRUSTROOT_VALID'] = trust_root_valid
            custom_log(request, "redirecting to decide page", level="debug")
            return HttpResponseRedirect(reverse('openid-provider-decide'))
Exemplo n.º 40
0
class StubOpenIDProvider(HTTPFetcher):

    def __init__(self, base_url):
        self.store = MemoryStore()
        self.identity_url = base_url + 'identity'
        self.localid_url = base_url + 'localid'
        self.endpoint_url = base_url + 'endpoint'
        self.server = Server(self.store, self.endpoint_url)
        self.last_request = None
        self.type_uris = ['http://specs.openid.net/auth/2.0/signon']

    def fetch(self, url, body=None, headers=None):
        if url == self.identity_url:
            # Serve an XRDS document directly, pointing at our endpoint.
            type_uris = ['<Type>%s</Type>' % uri for uri in self.type_uris]
            return HTTPResponse(
                url, 200, {'content-type': 'application/xrds+xml'}, """\
<?xml version="1.0"?>
<xrds:XRDS
    xmlns="xri://$xrd*($v*2.0)"
    xmlns:xrds="xri://$xrds">
  <XRD>
    <Service priority="0">
      %s
      <URI>%s</URI>
      <LocalID>%s</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>
""" % ('\n'.join(type_uris), self.endpoint_url, self.localid_url))
        elif url.startswith(self.endpoint_url):
            # Gather query parameters
            query = {}
            if '?' in url:
                query.update(cgi.parse_qsl(url.split('?', 1)[1]))
            if body is not None:
                query.update(cgi.parse_qsl(body))
            self.last_request = self.server.decodeRequest(query)

            # The browser based requests should not be handled through
            # the fetcher interface.
            assert self.last_request.mode not in BROWSER_REQUEST_MODES

            response = self.server.handleRequest(self.last_request)
            webresponse = self.server.encodeResponse(response)
            return HTTPResponse(url,  webresponse.code, webresponse.headers,
                                webresponse.body)
        else:
            raise HTTPFetchingError('unknown URL %s' % url)

    def parseFormPost(self, content):
        """Parse an HTML form post to create an OpenID request."""
        # Hack to make the javascript XML compliant ...
        content = content.replace('i < elements.length',
                                  'i &lt; elements.length')
        tree = ET.XML(content)
        form = tree.find('.//form')
        assert form is not None, 'No form in document'
        assert form.get('action') == self.endpoint_url, (
            'Form posts to %s instead of %s' % (form.get('action'),
                                                self.endpoint_url))
        query = {}
        for input in form.findall('input'):
            if input.get('type') != 'hidden':
                continue
            query[input.get('name').encode('UTF-8')] = \
                input.get('value').encode('UTF-8')
        self.last_request = self.server.decodeRequest(query)
        return self.last_request
Exemplo n.º 41
0
class OpenIDMixin:
    """A mixin with OpenID helper methods."""

    openid_request = None

    def __init__(self, context, request):
        super(OpenIDMixin, self).__init__(context, request)
        self.server_url = get_server_url()
        self.openid_server = Server(openid_store, self.server_url)

    @property
    def user_identity_url(self):
        return ITestOpenIDPersistentIdentity(self.account).openid_identity_url

    def isIdentityOwner(self):
        """Return True if the user can authenticate as the given ID."""
        assert self.account is not None, "user should be logged in by now."
        return (self.openid_request.idSelect() or
                self.openid_request.identity == self.user_identity_url)

    @cachedproperty
    def openid_parameters(self):
        """A dictionary of OpenID query parameters from request."""
        query = {}
        for key, value in self.request.form.items():
            if key.startswith('openid.'):
                # All OpenID query args are supposed to be ASCII.
                query[key.encode('US-ASCII')] = value.encode('US-ASCII')
        return query

    def getSession(self):
        """Get the session data container that stores the OpenID request."""
        if IUnauthenticatedPrincipal.providedBy(self.request.principal):
            # A dance to assert that we want to break the rules about no
            # unauthenticated sessions. Only after this next line is it
            # safe to set session values.
            allowUnauthenticatedSession(
                self.request, duration=timedelta(minutes=60))
        return ISession(self.request)[SESSION_PKG_KEY]

    def restoreRequestFromSession(self):
        """Get the OpenIDRequest from our session."""
        session = self.getSession()
        cache = get_property_cache(self)
        try:
            cache.openid_parameters = session[OPENID_REQUEST_SESSION_KEY]
        except KeyError:
            raise UnexpectedFormData("No OpenID request in session")

        # Decode the request parameters and create the request object.
        self.openid_request = self.openid_server.decodeRequest(
            self.openid_parameters)
        assert zisinstance(self.openid_request, CheckIDRequest), (
            'Invalid OpenIDRequest in session')

    def saveRequestInSession(self):
        """Save the OpenIDRequest in our session."""
        query = self.openid_parameters
        assert query.get('openid.mode') == 'checkid_setup', (
            'Can only serialise checkid_setup OpenID requests')

        session = self.getSession()
        # If this was meant for use in production we'd have to use a nonce
        # as the key when storing the openid request in the session, but as
        # it's meant to run only on development instances we can simplify
        # things a bit by storing the openid request using a well known key.
        session[OPENID_REQUEST_SESSION_KEY] = query

    def renderOpenIDResponse(self, openid_response):
        """Return a web-suitable response constructed from openid_response."""
        webresponse = self.openid_server.encodeResponse(openid_response)
        response = self.request.response
        response.setStatus(webresponse.code)
        # encodeResponse doesn't generate a content-type, help it out
        if (webresponse.code == 200 and webresponse.body
                and openid_response.whichEncoding() == ENCODE_HTML_FORM):
            response.setHeader('content-type', 'text/html')
        for header, value in webresponse.headers.items():
            response.setHeader(header, value)
        return webresponse.body

    def createPositiveResponse(self):
        """Create a positive assertion OpenIDResponse.

        This method should be called to create the response to
        successful checkid requests.

        If the trust root for the request is in openid_sreg_trustroots,
        then additional user information is included with the
        response.
        """
        assert self.account is not None, (
            'Must be logged in for positive OpenID response')
        assert self.openid_request is not None, (
            'No OpenID request to respond to.')

        if not self.isIdentityOwner():
            return self.createFailedResponse()

        if self.openid_request.idSelect():
            response = self.openid_request.answer(
                True, identity=self.user_identity_url)
        else:
            response = self.openid_request.answer(True)

        person = IPerson(self.account)
        sreg_fields = dict(
            nickname=person.name,
            email=person.preferredemail.email,
            fullname=self.account.displayname)
        sreg_request = SRegRequest.fromOpenIDRequest(self.openid_request)
        sreg_response = SRegResponse.extractResponse(
            sreg_request, sreg_fields)
        response.addExtension(sreg_response)

        return response

    def createFailedResponse(self):
        """Create a failed assertion OpenIDResponse.

        This method should be called to create the response to
        unsuccessful checkid requests.
        """
        assert self.openid_request is not None, (
            'No OpenID request to respond to.')
        response = self.openid_request.answer(False, self.server_url)
        return response
Exemplo n.º 42
0
def provider_login(request):
    """
    OpenID login endpoint
    """
    # pylint: disable=too-many-statements
    # make and validate endpoint
    endpoint = get_xrds_url('login', request)
    if not endpoint:
        return default_render_failure(request, "Invalid OpenID request")

    # initialize store and server
    store = DjangoOpenIDStore()
    server = Server(store, endpoint)

    # first check to see if the request is an OpenID request.
    # If so, the client will have specified an 'openid.mode' as part
    # of the request.
    if request.method == 'GET':
        querydict = dict(request.GET.items())
    else:
        querydict = dict(request.POST.items())
    error = False
    if 'openid.mode' in request.GET or 'openid.mode' in request.POST:
        # decode request
        try:
            openid_request = server.decodeRequest(querydict)
        except (UntrustedReturnURL, ProtocolError):
            openid_request = None

        if not openid_request:
            return default_render_failure(request, "Invalid OpenID request")

        # don't allow invalid and non-trusted trust roots
        if not validate_trust_root(openid_request):
            return default_render_failure(request, "Invalid OpenID trust root")

        # checkid_immediate not supported, require user interaction
        if openid_request.mode == 'checkid_immediate':
            return provider_respond(server, openid_request,
                                    openid_request.answer(False), {})

        # checkid_setup, so display login page
        # (by falling through to the provider_login at the
        # bottom of this method).
        elif openid_request.mode == 'checkid_setup':
            if openid_request.idSelect():
                # remember request and original path
                request.session['openid_setup'] = {
                    'request': openid_request,
                    'url': request.get_full_path(),
                    'post_params': request.POST,
                }

                # user failed login on previous attempt
                if 'openid_error' in request.session:
                    error = True
                    del request.session['openid_error']

        # OpenID response
        else:
            return provider_respond(server, openid_request,
                                    server.handleRequest(openid_request), {})

    # handle login redirection:  these are also sent to this view function,
    # but are distinguished by lacking the openid mode.  We also know that
    # they are posts, because they come from the popup
    elif request.method == 'POST' and 'openid_setup' in request.session:
        # get OpenID request from session
        openid_setup = request.session['openid_setup']
        openid_request = openid_setup['request']
        openid_request_url = openid_setup['url']
        post_params = openid_setup['post_params']
        # We need to preserve the parameters, and the easiest way to do this is
        # through the URL
        url_post_params = {
            param: post_params[param] for param in post_params if param.startswith('openid')
        }

        encoded_params = urllib.urlencode(url_post_params)

        if '?' not in openid_request_url:
            openid_request_url = openid_request_url + '?' + encoded_params
        else:
            openid_request_url = openid_request_url + '&' + encoded_params

        del request.session['openid_setup']

        # don't allow invalid trust roots
        if not validate_trust_root(openid_request):
            return default_render_failure(request, "Invalid OpenID trust root")

        # check if user with given email exists
        # Failure is redirected to this method (by using the original URL),
        # which will bring up the login dialog.
        email = request.POST.get('email', None)
        try:
            user = User.objects.get(email=email)
        except User.DoesNotExist:
            request.session['openid_error'] = True
            if settings.FEATURES['SQUELCH_PII_IN_LOGS']:
                AUDIT_LOG.warning(u"OpenID login failed - Unknown user email")
            else:
                msg = u"OpenID login failed - Unknown user email: {0}".format(email)
                AUDIT_LOG.warning(msg)
            return HttpResponseRedirect(openid_request_url)

        # attempt to authenticate user (but not actually log them in...)
        # Failure is again redirected to the login dialog.
        username = user.username
        password = request.POST.get('password', None)
        try:
            user = authenticate(username=username, password=password, request=request)
        except RateLimitException:
            AUDIT_LOG.warning(u'OpenID - Too many failed login attempts.')
            return HttpResponseRedirect(openid_request_url)

        if user is None:
            request.session['openid_error'] = True
            if settings.FEATURES['SQUELCH_PII_IN_LOGS']:
                AUDIT_LOG.warning(u"OpenID login failed - invalid password")
            else:
                AUDIT_LOG.warning(
                    u"OpenID login failed - password for %s is invalid", email)
            return HttpResponseRedirect(openid_request_url)

        # authentication succeeded, so fetch user information
        # that was requested
        if user is not None and user.is_active:
            # remove error from session since login succeeded
            if 'openid_error' in request.session:
                del request.session['openid_error']

            if settings.FEATURES['SQUELCH_PII_IN_LOGS']:
                AUDIT_LOG.info(u"OpenID login success - user.id: %s", user.id)
            else:
                AUDIT_LOG.info(
                    u"OpenID login success - %s (%s)", user.username, user.email)
            # redirect user to return_to location
            url = endpoint + urlquote(user.username)
            response = openid_request.answer(True, None, url)

            # Note too that this is hardcoded, and not really responding to
            # the extensions that were registered in the first place.
            results = {
                'nickname': user.username,
                'email': user.email,
                'fullname': user.profile.name,
            }

            # the request succeeded:
            return provider_respond(server, openid_request, response, results)

        # the account is not active, so redirect back to the login page:
        request.session['openid_error'] = True
        if settings.FEATURES['SQUELCH_PII_IN_LOGS']:
            AUDIT_LOG.warning(
                u"Login failed - Account not active for user.id %s", user.id)
        else:
            AUDIT_LOG.warning(
                u"Login failed - Account not active for user %s", username)
        return HttpResponseRedirect(openid_request_url)

    # determine consumer domain if applicable
    return_to = request.GET.get('openid.return_to') or request.POST.get('openid.return_to') or ''
    if return_to:
        matches = re.match(r'\w+:\/\/([\w\.-]+)', return_to)
        return_to = matches.group(1)

    # display login page
    response = render_to_response('provider_login.html', {
        'error': error,
        'return_to': return_to
    })

    # add custom XRDS header necessary for discovery process
    response['X-XRDS-Location'] = get_xrds_url('xrds', request)
    return response
Exemplo n.º 43
0
def openid_server(request):
    """
    This view is the actual OpenID server - running at the URL pointed to by 
    the <link rel="openid.server"> tag. 
    """
    custom_log(request, "Server request: %s: %s" % (request.method, request.POST or request.GET), level="debug")

    server = Server(get_store(request),
        op_endpoint=request.build_absolute_uri(reverse('openid-provider-root')))

    if not request.is_secure():
        # if request is not secure allow only encrypted association sessions
        custom_log(request, "Request is not secure. Switching to encrypted negotiator", level="debug")
        server.negotiator = encrypted_negotiator

    # Clear AuthorizationInfo session var, if it is set
    if request.session.get('AuthorizationInfo', None):
        custom_log(request, "Clearing AuthorizationInfo session var", level="debug")
        del request.session['AuthorizationInfo']

    querydict = dict(request.REQUEST.items())
    orequest = server.decodeRequest(querydict)
    if not orequest:
        orequest = server.decodeRequest(request.session.get('OPENID_REQUEST', None))
        if orequest:
            # remove session stored data:
            custom_log(request, "Removing stored data from session", level="debug")
            del request.session['OPENID_REQUEST']
        else:
            # not request, render info page:
            data = {
                'host': request.build_absolute_uri('/'),
                'xrds_location': request.build_absolute_uri(
                    reverse('openid-provider-xrds')),
            }
            custom_log(request, "Not an OpenID request, sending info: %s" % data, level="info")
            if request.browser and request.browser.user:
                data["openid_identifier"] = "https://" + request.get_host() +  reverse('openid-provider-identity', args=[request.browser.user.username])
            else:
                data["page_url"] = request.build_absolute_uri()
            return render_to_response('openid_provider/server.html',
                                      data,
                                      context_instance=RequestContext(request))

    custom_log(request, "orequest.mode: %s" % orequest.mode, level="debug")

    if orequest.mode in BROWSER_REQUEST_MODES:
        if not (request.browser and request.browser.user and request.browser.is_authenticated() and request.user.is_authenticated()):
            custom_log(request, "no local authentication, sending landing page", level="debug")
            return landing_page(request, orequest)

        openid = openid_is_authorized(request, orequest.identity,
                                      orequest.trust_root)

        # verify return_to:
        trust_root_valid = trust_root_validation(orequest)
        custom_log(request, "trust_root_valid=%s" % trust_root_valid, level="debug")
        validated = False

        # Allow per-url exceptions for trust roots.
        for global_trusted_root in settings.OPENID_TRUSTED_ROOTS:
            if orequest.trust_root.startswith(global_trusted_root):
                custom_log(request, "Trust root %s is in always trusted roots. Set validated=True" % orequest.trust_root, level="debug")
                validated = True
                break

        if conf.FAILED_DISCOVERY_AS_VALID:
            if trust_root_valid == 'DISCOVERY_FAILED' or trust_root_valid == 'Unreachable':
                custom_log(request, "Setting validated=True as FAILED_DISCOVERY_AS_VALID is True", level="debug")
                validated = True
        else:
            # if in decide already took place, set as valid:
            if request.session.get(get_trust_session_key(orequest), False):
                custom_log(request, "Setting validated=True as session var %s is True" % (get_trust_session_key(orequest)), level="debug")
                validated = True

        custom_log(request, "Session key: %s=%s" % (get_trust_session_key(orequest), request.session.get(get_trust_session_key(orequest))), level="debug")

        custom_log(request, "OpenID is %s" % openid, level="debug")
        if openid is not None and (validated or trust_root_valid == 'Valid'):
            id_url = request.build_absolute_uri(
                reverse('openid-provider-identity', args=[openid.openid]))
            try:
                oresponse = orequest.answer(True, identity=id_url)
            except ValueError, e:
                return render_to_response("openid_provider/error.html", {"title": "Invalid identity URL", "msg": e.message}, context_instance=RequestContext(request))
            custom_log(request, 'orequest.answer(True, identity="%s")' % id_url, level="debug")
        elif orequest.immediate:
            custom_log(request, 'checkid_immediate mode not supported', level="debug")
            raise Exception('checkid_immediate mode not supported')
        else:
            request.session['OPENID_REQUEST'] = orequest.message.toPostArgs()
            request.session['OPENID_TRUSTROOT_VALID'] = trust_root_valid
            custom_log(request, "redirecting to decide page", level="debug")
            return HttpResponseRedirect(reverse('openid-provider-decide'))
Exemplo n.º 44
0
def openid_server(request):
    """
    This view is the actual OpenID server - running at the URL pointed to by
    the <link rel="openid.server"> tag.
    """
    logger.debug('server request %s: %s',
                 request.method, request.POST or request.GET)
    server = Server(get_store(request),
        op_endpoint=request.build_absolute_uri(reverse('openid-provider-root')))

    if not request.is_secure():
        # if request is not secure allow only encrypted association sessions
        server.negotiator = encrypted_negotiator

    # Clear AuthorizationInfo session var, if it is set
    if request.session.get('AuthorizationInfo', None):
        del request.session['AuthorizationInfo']

    querydict = dict(request.POST.items())
    orequest = server.decodeRequest(querydict)
    if not orequest:
        orequest = request.session.get('OPENID_REQUEST', None)
        if orequest:
            # remove session stored data:
            del request.session['OPENID_REQUEST']
        else:
            # not request, render info page:
            data = {
                'host': request.build_absolute_uri('/'),
                'xrds_location': request.build_absolute_uri(
                    reverse('openid-provider-xrds')),
            }
            # Return empty string
            return HttpResponse("", content_type="text/plain")

    if orequest.mode in BROWSER_REQUEST_MODES:
        if not request.user.is_authenticated:
            logger.debug('no local authentication, sending landing page')
            return landing_page(request, orequest)

        openid = openid_is_authorized(request, orequest.identity,
                                      orequest.trust_root)

        if openid is not None:
            id_url = request.build_absolute_uri(
                reverse('openid-provider-identity', args=[openid.openid]))
            oresponse = orequest.answer(True, identity=id_url)
            logger.debug('orequest.answer(True, identity="%s")', id_url)
        elif orequest.immediate:
            logger.debug('checkid_immediate mode not supported')
            raise Exception('checkid_immediate mode not supported')
        else:
            request.session['OPENID_REQUEST'] = orequest
            logger.debug('redirecting to decide page')
            return HttpResponseRedirect(reverse('openid-provider-decide'))
    else:
        oresponse = server.handleRequest(orequest)
    if request.user.is_authenticated:
        add_sreg_data(request, orequest, oresponse)
        if conf.AX_EXTENSION:
            add_ax_data(request, orequest, oresponse)
    # Convert a webresponse from the OpenID library in to a Django HttpResponse
    webresponse = server.encodeResponse(oresponse)
    if webresponse.code == 200 and orequest.mode in BROWSER_REQUEST_MODES:
        response = render(request, 'openid_provider/response.html', {
            'body': webresponse.body,
        })
        logger.debug('rendering browser response')
    else:
        response = HttpResponse(webresponse.body)
        response.status_code = webresponse.code
        for key, value in webresponse.headers.items():
            response[key] = value
        logger.debug('rendering raw response')
    return response
Exemplo n.º 45
0
 def get_server(self, request):
     url = request.build_absolute_uri(request.path)
     return Server(DjangoOpenIDStore(), op_endpoint=url)
Exemplo n.º 46
0
class OpenIDProvider(object):
    # OpenID service type URIs, listed in order of preference.  The
    # ordering of this list affects yadis and XRI service discovery.
    openid_type_uris = [
        #discover.OPENID_IDP_2_0_TYPE,
        discover.OPENID_2_0_TYPE,
        discover.OPENID_1_1_TYPE,
        discover.OPENID_1_0_TYPE,
        sreg.ns_uri,
    ]

    def __init__(self, request):
        self.request = request
        self.openid_server = Server(SFOpenIDStore(self.request.db_session),
                                    request.route_url('openid_provider'))
        userid = authenticated_userid(request)
        self.auth_userid = userid or request.session.get('auth_userid')
        if self.auth_userid:
            query = self.request.db_session.query(UserProfile)
            self.auth_user = query.get(self.auth_userid)
        else:
            self.auth_user = None

    def process(self, request_params):
        logger.debug('Processing openid request: %s', request_params)
        if request_params.get('openid.identity'):
            home_url = self.request.route_url('home')
            if request_params['openid.identity'] == request_params['openid.claimed_id'] and \
               request_params['openid.identity'] == home_url:
                username = self.request.user and self.request.user.username or \
                           self.auth_userid
                if username:
                    username = username.lower()
                    user_url = self.request.route_url('user_profile',
                                                      username=username)
                    request_params['openid.identity'] = user_url
                    request_params['openid.claimed_id'] = user_url
        try:
            openid_request = self.openid_server.decodeRequest(request_params)
        # MalformedReturnURL, UntrustedReturnURL, etc.
        except ProtocolError as e:
            logger.info(
                'Unable to decode request: %s %s',
                e.__class__,
                e.openid_message
            )
            return ''
        logger.debug('Decoded request: %s', openid_request)

        if openid_request is None:
            return ''

        if openid_request.mode in ["checkid_immediate", "checkid_setup"]:
            if self.request.user or self.auth_userid:
                openid_response = self.handleCheckIDRequest(openid_request)
            else:
                # If the user has not logged in yet, stash the OpenID
                # consuming site request (if there isn't one already) and
                # send them to the login view. The openid_tween will take
                # care of sending them back to the OpenID consuming site.
                rp_dict = dict(request_params.items())
                self.request.session['openid_request'] = rp_dict
                self.request.session.save()
                return HTTPFound(location=self.request.route_url('login'))
        else:
            openid_response = self.openid_server.handleRequest(openid_request)

        logger.debug('Decoded response: %s', openid_response)
        encoded_response = self.openid_server.encodeResponse(openid_response)

        if 'location' in encoded_response.headers:
            response = HTTPFound(location=encoded_response.headers['location'])
            return response
        return encoded_response.body

    def get(self):
        return self.process(self.request.GET)

    def post(self):
        if self.request.method != "POST":
            return HTTPMethodNotAllowed()
        return self.process(self.request.POST)

    def approved(self, request, identifier=None):
        response = request.answer(True, identity=identifier)
        self.addSRegResponse(request, response)
        return response

    def handleCheckIDRequest(self, request):
        is_authorized = self.isAuthorized(request.identity, request.trust_root)
        if is_authorized:
            return self.approved(request, request.identity)
        else:
            return request.answer(False, identity=request.identity)

    def isAuthorized(self, identity_url, trust_root):
        if not self.auth_userid:
            return False

        self.request.registry.notify(CheckIDAuthorized(self.request,
                                                       self.auth_user))
        # TODO: prompt user for authorization
        return True

    def addSRegResponse(self, request, response):
        sreg_req = sreg.SRegRequest.fromOpenIDRequest(request)
        sreg_data = dict([
            (fname, None)
            for fname in sreg.data_fields
        ])
        sreg_data['fullname'] = '%s %s' % (self.auth_user.first_name,
                                           self.auth_user.last_name)
        sreg_data['nickname'] = self.auth_userid
        sreg_data['email'] = self.auth_user.email
        sreg_resp = sreg.SRegResponse.extractResponse(sreg_req, sreg_data)
        response.addExtension(sreg_resp)

    def identity(self):
        query = self.request.db_session.query(UserProfile)
        target_username = self.request.matchdict['username']
        target_user = query.get(target_username)
        if target_user is None:
            raise HTTPNotFound()
        return {
            'username': target_user.username.lower(),
        }
Exemplo n.º 47
0
 def __init__(self):
     from openid.server.server import Server
     from openid.store.memstore import MemoryStore
     store = MemoryStore()
     self.server = Server(store, 'http://www.jaraco.com/')
Exemplo n.º 48
0
def provider_login(request):
    """
    OpenID login endpoint
    """

    # make and validate endpoint
    endpoint = get_xrds_url('login', request)
    if not endpoint:
        return default_render_failure(request, "Invalid OpenID request")

    # initialize store and server
    store = DjangoOpenIDStore()
    server = Server(store, endpoint)

    # first check to see if the request is an OpenID request.
    # If so, the client will have specified an 'openid.mode' as part
    # of the request.
    if request.method == 'GET':
        querydict = dict(request.GET.items())
    else:
        querydict = dict(request.POST.items())
    error = False
    if 'openid.mode' in request.GET or 'openid.mode' in request.POST:
        # decode request
        try:
            openid_request = server.decodeRequest(querydict)
        except (UntrustedReturnURL, ProtocolError):
            openid_request = None

        if not openid_request:
            return default_render_failure(request, "Invalid OpenID request")

        # don't allow invalid and non-trusted trust roots
        if not validate_trust_root(openid_request):
            return default_render_failure(request, "Invalid OpenID trust root")

        # checkid_immediate not supported, require user interaction
        if openid_request.mode == 'checkid_immediate':
            return provider_respond(server, openid_request,
                                    openid_request.answer(False), {})

        # checkid_setup, so display login page
        # (by falling through to the provider_login at the
        # bottom of this method).
        elif openid_request.mode == 'checkid_setup':
            if openid_request.idSelect():
                # remember request and original path
                request.session['openid_setup'] = {
                    'request': openid_request,
                    'url': request.get_full_path(),
                    'post_params': request.POST,
                }

                # user failed login on previous attempt
                if 'openid_error' in request.session:
                    error = True
                    del request.session['openid_error']

        # OpenID response
        else:
            return provider_respond(server, openid_request,
                                    server.handleRequest(openid_request), {})

    # handle login redirection:  these are also sent to this view function,
    # but are distinguished by lacking the openid mode.  We also know that
    # they are posts, because they come from the popup
    elif request.method == 'POST' and 'openid_setup' in request.session:
        # get OpenID request from session
        openid_setup = request.session['openid_setup']
        openid_request = openid_setup['request']
        openid_request_url = openid_setup['url']
        post_params = openid_setup['post_params']
        # We need to preserve the parameters, and the easiest way to do this is
        # through the URL
        url_post_params = {
            param: post_params[param] for param in post_params if param.startswith('openid')
        }

        encoded_params = urllib.urlencode(url_post_params)

        if '?' not in openid_request_url:
            openid_request_url = openid_request_url + '?' + encoded_params
        else:
            openid_request_url = openid_request_url + '&' + encoded_params

        del request.session['openid_setup']

        # don't allow invalid trust roots
        if not validate_trust_root(openid_request):
            return default_render_failure(request, "Invalid OpenID trust root")

        # check if user with given email exists
        # Failure is redirected to this method (by using the original URL),
        # which will bring up the login dialog.
        email = request.POST.get('email', None)
        try:
            user = User.objects.get(email=email)
        except User.DoesNotExist:
            request.session['openid_error'] = True
            if settings.FEATURES['SQUELCH_PII_IN_LOGS']:
                AUDIT_LOG.warning(u"OpenID login failed - Unknown user email")
            else:
                msg = u"OpenID login failed - Unknown user email: {0}".format(email)
                AUDIT_LOG.warning(msg)
            return HttpResponseRedirect(openid_request_url)

        # attempt to authenticate user (but not actually log them in...)
        # Failure is again redirected to the login dialog.
        username = user.username
        password = request.POST.get('password', None)
        try:
            user = authenticate(username=username, password=password, request=request)
        except RateLimitException:
            AUDIT_LOG.warning(u'OpenID - Too many failed login attempts.')
            return HttpResponseRedirect(openid_request_url)

        if user is None:
            request.session['openid_error'] = True
            if settings.FEATURES['SQUELCH_PII_IN_LOGS']:
                AUDIT_LOG.warning(u"OpenID login failed - invalid password")
            else:
                AUDIT_LOG.warning(
                    u"OpenID login failed - password for %s is invalid", email)
            return HttpResponseRedirect(openid_request_url)

        # authentication succeeded, so fetch user information
        # that was requested
        if user is not None and user.is_active:
            # remove error from session since login succeeded
            if 'openid_error' in request.session:
                del request.session['openid_error']

            if settings.FEATURES['SQUELCH_PII_IN_LOGS']:
                AUDIT_LOG.info(u"OpenID login success - user.id: %s", user.id)
            else:
                AUDIT_LOG.info(
                    u"OpenID login success - %s (%s)", user.username, user.email)
            # redirect user to return_to location
            url = endpoint + urlquote(user.username)
            response = openid_request.answer(True, None, url)

            # Note too that this is hardcoded, and not really responding to
            # the extensions that were registered in the first place.
            results = {
                'nickname': user.username,
                'email': user.email,
                'fullname': user.profile.name,
            }

            # the request succeeded:
            return provider_respond(server, openid_request, response, results)

        # the account is not active, so redirect back to the login page:
        request.session['openid_error'] = True
        if settings.FEATURES['SQUELCH_PII_IN_LOGS']:
            AUDIT_LOG.warning(
                u"Login failed - Account not active for user.id %s", user.id)
        else:
            AUDIT_LOG.warning(
                u"Login failed - Account not active for user %s", username)
        return HttpResponseRedirect(openid_request_url)

    # determine consumer domain if applicable
    return_to = request.GET.get('openid.return_to') or request.POST.get('openid.return_to') or ''
    if return_to:
        matches = re.match(r'\w+:\/\/([\w\.-]+)', return_to)
        return_to = matches.group(1)

    # display login page
    response = render_to_response('provider_login.html', {
        'error': error,
        'return_to': return_to
    })

    # add custom XRDS header necessary for discovery process
    response['X-XRDS-Location'] = get_xrds_url('xrds', request)
    return response
Exemplo n.º 49
0
class StubOpenIDProvider(HTTPFetcher):
    def __init__(self, base_url):
        self.store = MemoryStore()
        self.identity_url = base_url + 'identity'
        self.localid_url = base_url + 'localid'
        self.endpoint_url = base_url + 'endpoint'
        self.server = Server(self.store, self.endpoint_url)
        self.last_request = None
        self.type_uris = ['http://specs.openid.net/auth/2.0/signon']

    def fetch(self, url, body=None, headers=None):
        if url == self.identity_url:
            # Serve an XRDS document directly, pointing at our endpoint.
            type_uris = ['<Type>%s</Type>' % uri for uri in self.type_uris]
            return HTTPResponse(
                url, 200, {'content-type': 'application/xrds+xml'}, """\
<?xml version="1.0"?>
<xrds:XRDS
    xmlns="xri://$xrd*($v*2.0)"
    xmlns:xrds="xri://$xrds">
  <XRD>
    <Service priority="0">
      %s
      <URI>%s</URI>
      <LocalID>%s</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>
""" % ('\n'.join(type_uris), self.endpoint_url, self.localid_url))
        elif url.startswith(self.endpoint_url):
            # Gather query parameters
            query = {}
            if '?' in url:
                query.update(cgi.parse_qsl(url.split('?', 1)[1]))
            if body is not None:
                query.update(cgi.parse_qsl(body))
            self.last_request = self.server.decodeRequest(query)

            # The browser based requests should not be handled through
            # the fetcher interface.
            assert self.last_request.mode not in BROWSER_REQUEST_MODES

            response = self.server.handleRequest(self.last_request)
            webresponse = self.server.encodeResponse(response)
            return HTTPResponse(url, webresponse.code, webresponse.headers,
                                webresponse.body)
        else:
            raise HTTPFetchingError('unknown URL %s' % url)

    def parseFormPost(self, content):
        """Parse an HTML form post to create an OpenID request."""
        # Hack to make the javascript XML compliant ...
        content = content.replace('i < elements.length',
                                  'i &lt; elements.length')
        tree = ET.XML(content)
        form = tree.find('.//form')
        assert form is not None, 'No form in document'
        assert form.get('action') == self.endpoint_url, (
            'Form posts to %s instead of %s' %
            (form.get('action'), self.endpoint_url))
        query = {}
        for input in form.findall('input'):
            if input.get('type') != 'hidden':
                continue
            query[input.get('name').encode('UTF-8')] = \
                input.get('value').encode('UTF-8')
        self.last_request = self.server.decodeRequest(query)
        return self.last_request