def browserid_verify(request):
next = request.REQUEST.get('next')
redirect_to = next or getattr(settings, 'LOGIN_REDIRECT_URL', '/')
redirect_to_failure = getattr(settings, 'LOGIN_REDIRECT_URL_FAILURE', '/')
form = BrowserIDForm(data=request.POST)
if form.is_valid():
result = verify(form.cleaned_data['assertion'], get_audience(request))
if result:
if request.user.is_authenticated():
# User is already signed in so they must want an email change
request.user.email = result['email']
request.user.save()
return redirect(reverse('users.edit_profile'))
else:
# Verified so log in
email = result['email']
user = User.objects.filter(email=email)
if len(user) == 0:
form = BrowserIDSignupForm()
request.session['browserid-email'] = email
return render(request, 'users/browserid_signup.html',
{'email': email, 'next': next, 'form': form})
else:
user = user[0]
user.backend = 'django_browserid.auth.BrowserIDBackend'
auth.login(request, user)
return redirect(redirect_to)
return redirect(redirect_to_failure)
def browserid_info(request):
"""
Output the HTML for the login form and the info tag. Should be called once
at the top of the page just below the <body> tag.
"""
form = BrowserIDForm(auto_id=False)
# Force request_args to be a dictionary, in case it is lazily generated.
request_args = dict(getattr(settings, 'BROWSERID_REQUEST_ARGS', {}))
# Only pass an email to the JavaScript if the current user was authed with
# our auth backend.
backend = getattr(request.user, 'backend', None)
if backend == 'django_browserid.auth.BrowserIDBackend':
email = getattr(request.user, 'email', '')
else:
email = ''
return render_to_string(
'browserid/info.html', {
'email': email,
'login_url': reverse('browserid_login'),
'request_args': json.dumps(request_args, cls=LazyEncoder),
'form': form,
}, RequestContext(request))
def reverify(request):
form = BrowserIDForm(data=request.POST)
if form.is_valid():
url = settings.BROWSERID_VERIFICATION_URL
audience = get_audience(request)
extra_params = {
'experimental_forceIssuer': settings.BROWSERID_UNVERIFIED_ISSUER,
'experimental_forceAuthentication': 'true',
'experimental_allowUnverified': 'true'
}
assertion = form.cleaned_data['assertion']
log.info('Re-verifying Persona assertion. url: %s, audience: %s, '
'extra_params: %s' % (url, audience, extra_params))
result = verify_assertion(assertion, audience, extra_params)
log.info('Reverify got result: %s' % result)
if result:
email = result.get('unverified-email', result.get('email'))
store_mkt_permissions(request, email, assertion, audience)
logged_user = request.session.get('uuid')
reverified_user = get_uuid(email)
if logged_user and logged_user != reverified_user:
log.error('User %r tried to reverify as '
'new email: %s' % (logged_user, email))
return http.HttpResponseBadRequest()
request.session['was_reverified'] = True
return {'user_hash': reverified_user}
log.error('Persona assertion failed.')
request.session.clear()
return http.HttpResponseBadRequest()
def verify(request):
form = BrowserIDForm(data=request.POST)
if form.is_valid():
url = settings.BROWSERID_VERIFICATION_URL
audience = get_audience(request)
extra_params = {
'experimental_forceIssuer': settings.BROWSERID_UNVERIFIED_ISSUER,
'experimental_allowUnverified': 'true'
}
assertion = form.cleaned_data['assertion']
log.info('verifying Persona assertion. url: %s, audience: %s, '
'extra_params: %s, assertion: %s' %
(url, audience, extra_params, assertion))
result = verify_assertion(assertion, audience, extra_params)
if result:
log.info('Persona assertion ok: %s' % result)
email = result.get('unverified-email', result.get('email'))
store_mkt_permissions(request, email, assertion, audience)
user_uuid = set_user(request, email)
redirect_url = check_pin_status(request)
return {
'needs_redirect': redirect_url is not None,
'redirect_url': redirect_url,
'user_hash': user_uuid
}
log.error('Persona assertion failed.')
request.session.flush()
return http.HttpResponseBadRequest()
def browserid_form(request):
"""
A context processor that adds a BrowserID form to the request
when the user is not authenticated
"""
if request.user.is_authenticated():
return {}
else:
return {'browserid_form': BrowserIDForm()}
def mozilla_browserid_verify(request):
"""Custom BrowserID verifier for mozilla addresses."""
form = BrowserIDForm(request.POST)
if form.is_valid():
assertion = form.cleaned_data['assertion']
audience = get_audience(request)
result = verify(assertion, audience)
if result and result['email'].split('@')[-1] in settings.ALLOWED_BID:
user = auth.authenticate(assertion=assertion, audience=audience)
auth.login(request, user)
return redirect(settings.LOGIN_REDIRECT_URL)
return redirect(settings.LOGIN_REDIRECT_URL_FAILURE)
def browserid(request):
"""
Context processor that adds django-browserid helpers to the template
context.
"""
form = BrowserIDForm(auto_id=False)
return {
'browserid_form': form, # For custom buttons.
'browserid_info': partial(helpers.browserid_info, request),
'browserid_login': helpers.browserid_login,
'browserid_logout': helpers.browserid_logout,
'browserid_js': helpers.browserid_js
}
def browserid_verify(request):
"""Process a submitted BrowserID assertion.
If valid, try to find either a Django or MindTouch user that matches the
verified email address. If neither is found, we bounce to a profile
creation page (ie. browserid_register)."""
redirect_to = (_clean_next_url(request) or
getattr(settings, 'LOGIN_REDIRECT_URL', reverse('home')))
redirect_to_failure = (_clean_next_url(request) or
getattr(settings, 'LOGIN_REDIRECT_URL_FAILURE', reverse('home')))
failure_resp = set_browserid_explained(
HttpResponseRedirect(redirect_to_failure))
# If the form's not valid, then this is a failure.
form = BrowserIDForm(data=request.POST)
if not form.is_valid():
return failure_resp
# If the BrowserID assersion is not valid, then this is a failure.
result = _verify_browserid(form, request)
if not result:
return failure_resp
# So far, so good: We have a verified email address. But, no user, yet.
email = result['email']
user = None
# Look for first most recently used Django account, use if found.
user = _get_latest_user_with_email(email)
# If no Django account, look for a MindTouch account by email. But, only if
# there's a MindTouch API available. If found, auto-create the user.
if not user and settings.DEKIWIKI_ENDPOINT:
deki_user = DekiUserBackend.get_deki_user_by_email(email)
if deki_user:
user = DekiUserBackend.get_or_create_user(deki_user)
# If we got a user from either the Django or MT paths, complete login for
# Django and MT and redirect.
if user:
user.backend = 'django_browserid.auth.BrowserIDBackend'
auth.login(request, user)
return set_browserid_explained(
_redirect_with_mindtouch_login(redirect_to, user.username))
# Retain the verified email in a session, redirect to registration page.
request.session[SESSION_VERIFIED_EMAIL] = email
request.session[SESSION_REDIRECT_TO] = redirect_to
return set_browserid_explained(
HttpResponseRedirect(reverse('users.browserid_register')))
def mozilla_browserid_verify(request):
"""Custom BrowserID verifier for mozilla addresses."""
form = BrowserIDForm(request.POST)
if form.is_valid():
assertion = form.cleaned_data['assertion']
audience = get_audience(request)
result = verify(assertion, audience)
try:
_ok_assertion = False
_is_contributor = False
if result:
_domain = result['email'].split('@')[-1]
if _domain in settings.ALLOWED_BID:
_ok_assertion = True
elif is_vouched(result['email']):
_ok_assertion = True
_is_contributor = True
if _ok_assertion:
user = auth.authenticate(assertion=assertion,
audience=audience)
auth.login(request, user)
# if _is_contributor:
# try:
# profile = user.get_profile()
# if not profile.contributor:
# profile.contributor = True
# profile.save()
# except UserProfile.DoesNotExist:
# profile = UserProfile.objects.create(
# user=user,
# contributor=True
# )
if auth.models.User.objects.count() == 1:
auth.models.User.objects.update(is_superuser=True,
is_staff=True)
return redirect(
request.POST.get('next', settings.LOGIN_REDIRECT_URL))
elif result:
messages.error(
request, 'Hmmm. Are you sure you\'re a vouched mozillian?')
except BadStatusCodeError:
logging.error('Unable to call out to mozillians', exc_info=True)
messages.error(
request, 'Email (%s) authenticated but unable to connect to '
'Mozillians to see if are vouched. ' % result['email'])
return redirect(settings.LOGIN_REDIRECT_URL_FAILURE)
def browserid_info(request):
"""
Output the HTML for the login form and the info tag. Should be called once
at the top of the page just below the <body> tag.
"""
form = BrowserIDForm(auto_id=False)
request_args = getattr(settings, 'BROWSERID_REQUEST_ARGS', {})
return render_to_string(
'browserid/info.html', {
'email': getattr(request.user, 'email', ''),
'login_url': reverse('browserid_login'),
'request_args': json.dumps(request_args),
'form': form,
}, RequestContext(request))
def verify(request, redirect_field_name=auth.REDIRECT_FIELD_NAME):
"""Process browserid assertions."""
redirect_to = request.REQUEST.get(redirect_field_name, '')
if not redirect_to:
redirect_to = getattr(settings, 'LOGIN_REDIRECT_URL', '/')
redirect_to_failure = getattr(settings, 'LOGIN_REDIRECT_URL_FAILURE', '/')
form = BrowserIDForm(data=request.POST)
if form.is_valid():
assertion = form.cleaned_data['assertion']
host, port = _get_host_and_port(request)
user = auth.authenticate(assertion=assertion, host=host, port=port)
if user is not None and user.is_active:
auth.login(request, user)
return HttpResponseRedirect(redirect_to)
return HttpResponseRedirect(redirect_to_failure)
def browserid(request):
"""
A context processor necessary for BrowserID auth
Similar to django_browserid.context_processors, but in addition to the
BrowserID form, we include whether a user has been logged on via the
BrowserID authentication backend.
"""
auth_backend = request.session.get('_auth_user_backend', None)
return {
'browserid_form':
BrowserIDForm(),
'browserid_authenticated':
auth_backend == 'django_browserid.auth.BrowserIDBackend'
}
def browserid_info(request):
"""
Output the HTML for the login form and the info tag. Should be called once
at the top of the page just below the <body> tag.
"""
form = BrowserIDForm(auto_id=False)
# Force request_args to be a dictionary, in case it is lazily generated.
request_args = dict(getattr(settings, 'BROWSERID_REQUEST_ARGS', {}))
return render_to_string(
'browserid/info.html', {
'email': getattr(request.user, 'email', ''),
'login_url': reverse('browserid_login'),
'request_args': json.dumps(request_args, cls=LazyEncoder),
'form': form,
}, RequestContext(request))
def mozilla_browserid_verify(request):
"""
Custom BrowserID verifier for ReMo users
and vouched mozillians.
"""
form = BrowserIDForm(request.POST)
if form.is_valid():
assertion = form.cleaned_data['assertion']
audience = get_audience(request)
result = verify(assertion, audience)
try:
_is_valid_login = False
if result:
if User.objects.filter(email=result['email']).exists():
_is_valid_login = True
else:
data = is_vouched(result['email'])
if data and data['is_vouched']:
_is_valid_login = True
user = User.objects.create_user(username=USERNAME_ALGO(
data['email']),
email=data['email'])
first_name, last_name = (data['full_name'].split(
' ', 1) if ' ' in data['full_name'] else
('', data['full_name']))
user.first_name = first_name
user.last_name = last_name
user.save()
user.groups.add(Group.objects.get(name='Mozillians'))
if _is_valid_login:
user = auth.authenticate(assertion=assertion,
audience=audience)
auth.login(request, user)
return redirect('dashboard')
except BadStatusCodeError:
message = ('Email (%s) authenticated but unable to '
'connect to Mozillians to see if you are vouched' %
result['email'])
return login_failed(request, message)
return redirect(settings.LOGIN_REDIRECT_URL_FAILURE)
def browserid_change_email(request):
"""Process a submitted BrowserID assertion to change email."""
form = BrowserIDForm(data=request.POST)
if not form.is_valid():
messages.error(request, form.errors)
return HttpResponseRedirect(reverse('users.change_email'))
result = _verify_browserid(form, request)
email = result['email']
user = _get_latest_user_with_email(email)
if user and user != request.user:
messages.error(request, 'That email already belongs to another '
'user.')
return HttpResponseRedirect(reverse('users.change_email'))
else:
user = request.user
user.email = email
user.save()
return HttpResponseRedirect(reverse('devmo_profile_edit',
args=[user.username, ]))
def browserid_verify(request):
next = request.REQUEST.get('next')
redirect_to = next or getattr(settings, 'LOGIN_REDIRECT_URL', '/')
redirect_to_failure = getattr(settings, 'LOGIN_REDIRECT_URL_FAILURE', '/')
form = BrowserIDForm(data=request.POST)
if form.is_valid():
verifier = BrowserIDBackend().get_verifier()
result = verifier.verify(form.cleaned_data['assertion'],
get_audience(request))
if result:
if (request.user.is_authenticated()
and request.user.email != result.email):
# User is already signed and wants to change their email.
request.user.email = result.email
request.user.save()
return redirect(reverse('users.edit_profile'))
else:
# Verified so log in
email = result.email
user = User.objects.filter(email=email)
contributor = 'contributor' in request.POST
if len(user) == 0:
# Add the email to the session and redirect to signup
request.session['browserid-email'] = email
signup_url = reverse('users.browserid_signup')
return redirect('%s?%s' %
(signup_url, urlencode({'next': next})))
else:
user = user[0]
user.backend = 'django_browserid.auth.BrowserIDBackend'
if contributor:
add_to_contributors(request, user)
auth.login(request, user)
return redirect(redirect_to)
return redirect(redirect_to_failure)
def verify(request):
form = BrowserIDForm(data=request.POST)
if form.is_valid():
url = settings.BROWSERID_VERIFICATION_URL
audience = get_audience(request)
extra_params = {
'experimental_forceIssuer': settings.BROWSERID_UNVERIFIED_ISSUER,
'experimental_allowUnverified': 'true'
}
assertion = form.cleaned_data['assertion']
log.info('verifying Persona assertion. url: %s, audience: %s, '
'extra_params: %s, assertion: %s' %
(url, audience, extra_params, assertion))
result = verify_assertion(assertion, audience, extra_params)
if result:
log.info('Persona assertion ok: %s' % result)
email = result.get('unverified-email', result.get('email'))
store_mkt_permissions(request, email, assertion, audience)
user_uuid = set_user(request, email)
redirect_url = check_pin_status(request)
# Before we verify the user's PIN let's save some
# time and get the transaction configured via Bango in the
# background.
log.info('configuring transaction {0} from auth'.format(
request.session.get('trans_id')))
pay_tasks.configure_transaction(request)
return {
'needs_redirect': redirect_url is not None,
'redirect_url': redirect_url,
'user_hash': user_uuid
}
log.error('Persona assertion failed.')
request.session.flush()
return http.HttpResponseBadRequest()
def mozilla_browserid_verify(request):
"""Custom BrowserID verifier for mozilla addresses."""
home_url = reverse('crashstats.home', args=(settings.DEFAULT_PRODUCT, ))
form = BrowserIDForm(request.POST)
if form.is_valid():
assertion = form.cleaned_data['assertion']
audience = get_audience(request)
result = verify(assertion, audience)
for name in ('LDAP_BIND_DN', 'LDAP_BIND_PASSWORD', 'LDAP_GROUP_NAMES'):
if not getattr(settings, name, None): # pragma: no cover
raise ValueError("Not configured `settings.%s`" % name)
if result:
allowed = in_allowed_group(result['email'])
debug_email_addresses = getattr(settings,
'DEBUG_LDAP_EMAIL_ADDRESSES', [])
if debug_email_addresses and not settings.DEBUG:
raise SuspiciousOperation(
"Can't debug login when NOT in DEBUG mode")
if allowed or result['email'] in debug_email_addresses:
if allowed:
logging.info('%r is in an allowed group', result['email'])
else:
logging.info('%r allowed for debugging', result['email'])
user = auth.authenticate(assertion=assertion,
audience=audience)
auth.login(request, user)
messages.success(request, 'You have successfully logged in.')
else:
if not allowed:
logging.info('%r NOT in an allowed group', result['email'])
messages.error(
request,
"You logged in as %s but you don't have sufficient "
"privileges." % result['email'])
else:
messages.error(request, "Login failed")
return redirect(home_url)
def reverify(request):
form = BrowserIDForm(data=request.POST)
if form.is_valid():
url = settings.BROWSERID_VERIFICATION_URL
audience = get_audience(request)
# TODO: when we want to require a forced-auth login across the
# entire site then how do we do it?
# See bug 836060.
extra_params = {
'experimental_forceIssuer': settings.BROWSERID_UNVERIFIED_ISSUER,
# TODO: how do we make sure this is a proper forced
# auth assertion?
# This can also be addressed in bug 836060
'experimental_forceAuthentication': 'true',
'experimental_allowUnverified': 'true'
}
log.info('Re-verifying Persona assertion. url: %s, audience: %s, '
'extra_params: %s' % (url, audience, extra_params))
result = verify_assertion(form.cleaned_data['assertion'], audience,
extra_params)
log.info('Reverify got result: %s')
if result:
logged_user = request.session.get('uuid')
email = result.get('unverified-email', result.get('email'))
reverified_user = get_uuid(email)
if logged_user and logged_user != reverified_user:
# TODO: Should we try to support this?
raise ValueError('A user tried to reverify herself with a '
'new email: %s' % email)
return {'user_hash': reverified_user}
log.error('Persona assertion failed.')
request.session.clear()
return http.HttpResponseBadRequest()
def browserid_form(request):
"""
A context processor that adds a BrowserID form to the request
"""
return {'browserid_form': BrowserIDForm()}
def test_invalid_assertion():
form = BrowserIDForm({'assertion': u'\xe3'})
assert not form.is_valid()
def test_valid_assertion():
form = BrowserIDForm({'assertion': b'xxx'})
assert form.is_valid()
