def _get_approved_data(request, orequest): """Given an HTTP request and an OpenID request, return a nested dict of values requested in the request and approved by the user. """ if not orequest: return None approved_data = {} rpconfig = utils.get_rpconfig(orequest.trust_root) sreg_request = SRegRequest.fromOpenIDRequest(orequest) ax_request = ax.FetchRequest.fromOpenIDRequest(orequest) user_attribs_form = UserAttribsRequestForm( request, sreg_request, ax_request, rpconfig) if user_attribs_form.has_data: approved_data['user_attribs'] = { 'requested': user_attribs_form.data.keys(), 'approved': user_attribs_form.data_approved_for_request.keys()} args = orequest.message.getArgs(LAUNCHPAD_TEAMS_NS) team_names = args.get('query_membership') if team_names: team_names = team_names.split(',') teams_form = TeamsRequestForm( request, TeamsRequest.fromOpenIDRequest(orequest), rpconfig, ) approved_data['teams'] = { 'requested': team_names, 'approved': teams_form.teams_approved_by_user} return approved_data
def createPositiveResponse(self): """Create a positive assertion OpenIDResponse. This method should be called to create the response to successful checkid requests. If the trust root for the request is in openid_sreg_trustroots, then additional user information is included with the response. """ assert self.account is not None, ( 'Must be logged in for positive OpenID response') assert self.openid_request is not None, ( 'No OpenID request to respond to.') if not self.isIdentityOwner(): return self.createFailedResponse() if self.openid_request.idSelect(): response = self.openid_request.answer( True, identity=self.user_identity_url) else: response = self.openid_request.answer(True) person = IPerson(self.account) sreg_fields = dict(nickname=person.name, email=person.preferredemail.email, fullname=self.account.displayname) sreg_request = SRegRequest.fromOpenIDRequest(self.openid_request) sreg_response = SRegResponse.extractResponse(sreg_request, sreg_fields) response.addExtension(sreg_response) return response
def test_login_create_users(self): settings.OPENID_CREATE_USERS = True # Create a user with the same name as we'll pass back via sreg. User.objects.create_user('someuser', '*****@*****.**') # Posting in an identity URL begins the authentication request: response = self.client.post('/openid/login/', {'openid_identifier': 'http://example.com/identity', 'next': '/getuser/'}) self.assertContains(response, 'OpenID transaction in progress') # Complete the request, passing back some simple registration # data. The user is redirected to the next URL. openid_request = self.provider.parseFormPost(response.content) sreg_request = SRegRequest.fromOpenIDRequest(openid_request) openid_response = openid_request.answer(True) sreg_response = SRegResponse.extractResponse( sreg_request, {'nickname': 'someuser', 'fullname': 'Some User', 'email': '*****@*****.**'}) openid_response.addExtension(sreg_response) response = self.complete(openid_response) self.assertRedirects(response, 'http://testserver/getuser/') # And they are now logged in as a new user (they haven't taken # over the existing "someuser" user). response = self.client.get('/getuser/') self.assertEquals(response.content, 'someuser2') # Check the details of the new user. user = User.objects.get(username='******') self.assertEquals(user.first_name, 'Some') self.assertEquals(user.last_name, 'User') self.assertEquals(user.email, '*****@*****.**')
def createPositiveResponse(self): """Create a positive assertion OpenIDResponse. This method should be called to create the response to successful checkid requests. If the trust root for the request is in openid_sreg_trustroots, then additional user information is included with the response. """ assert self.account is not None, ( 'Must be logged in for positive OpenID response') assert self.openid_request is not None, ( 'No OpenID request to respond to.') if not self.isIdentityOwner(): return self.createFailedResponse() if self.openid_request.idSelect(): response = self.openid_request.answer( True, identity=self.user_identity_url) else: response = self.openid_request.answer(True) person = IPerson(self.account) sreg_fields = dict( nickname=person.name, email=person.preferredemail.email, fullname=self.account.displayname) sreg_request = SRegRequest.fromOpenIDRequest(self.openid_request) sreg_response = SRegResponse.extractResponse( sreg_request, sreg_fields) response.addExtension(sreg_response) return response
def Respond(self, oidresponse): logging.warning('Respond: oidresponse.request.mode ' + oidresponse.request.mode) if oidresponse.request.mode in ['checkid_immediate', 'checkid_setup']: user = users.get_current_user() if user: from openid.extensions.sreg import SRegRequest, SRegResponse sreg_req = SRegRequest.fromOpenIDRequest(oidresponse.request) if sreg_req.wereFieldsRequested(): logging.info("sreg_req:%s", sreg_req.allRequestedFields()) user_data = {'nickname':user.nickname(), 'email':user.email()} sreg_resp = SRegResponse.extractResponse(sreg_req, user_data) sreg_resp.toMessage(oidresponse.fields) logging.info('Using response: %s' % oidresponse) encoded_response = oidserver.encodeResponse(oidresponse) for header, value in encoded_response.headers.items(): self.response.headers[header] = str(value) if encoded_response.code in (301, 302): self.redirect(self.response.headers['location']) else: self.response.set_status(encoded_response.code) if encoded_response.body: logging.debug('Sending response body: %s' % encoded_response.body) self.response.out.write(encoded_response.body) else: self.response.out.write('')
def Respond(self, oidresponse): logging.warning('Respond: oidresponse.request.mode ' + oidresponse.request.mode) if oidresponse.request.mode in ['checkid_immediate', 'checkid_setup']: user = users.get_current_user() if user: from openid.extensions.sreg import SRegRequest, SRegResponse sreg_req = SRegRequest.fromOpenIDRequest(oidresponse.request) if sreg_req.wereFieldsRequested(): logging.info("sreg_req:%s", sreg_req.allRequestedFields()) user_data = { 'nickname': user.nickname(), 'email': user.email() } sreg_resp = SRegResponse.extractResponse( sreg_req, user_data) sreg_resp.toMessage(oidresponse.fields) logging.info('Using response: %s' % oidresponse) encoded_response = oidserver.encodeResponse(oidresponse) for header, value in encoded_response.headers.items(): self.response.headers[header] = str(value) if encoded_response.code in (301, 302): self.redirect(self.response.headers['location']) else: self.response.set_status(encoded_response.code) if encoded_response.body: logging.debug('Sending response body: %s' % encoded_response.body) self.response.out.write(encoded_response.body) else: self.response.out.write('')
def test_login_create_users(self): settings.OPENID_CREATE_USERS = True # Create a user with the same name as we'll pass back via sreg. User.objects.create_user('someuser', '*****@*****.**') # Posting in an identity URL begins the authentication request: response = self.client.post('/openid/login/', {'openid_identifier': 'http://example.com/identity', 'next': '/getuser/'}) self.assertContains(response, 'OpenID transaction in progress') # Complete the request, passing back some simple registration # data. The user is redirected to the next URL. openid_request = self.provider.parseFormPost(response.content) sreg_request = SRegRequest.fromOpenIDRequest(openid_request) openid_response = openid_request.answer(True) sreg_response = SRegResponse.extractResponse( sreg_request, {'nickname': 'someuser', 'fullname': 'Some User', 'email': '*****@*****.**'}) openid_response.addExtension(sreg_response) response = self.complete(openid_response) self.assertRedirects(response, 'http://testserver/getuser/') # And they are now logged in as a new user (they haven't taken # over the existing "someuser" user). response = self.client.get('/getuser/') self.assertEquals(response.content, 'someuser2') # Check the details of the new user. user = User.objects.get(username='******') self.assertEquals(user.first_name, 'Some') self.assertEquals(user.last_name, 'User') self.assertEquals(user.email, '*****@*****.**')
def decide(request, token): try: orequest = _get_orequest(request, token) rpconfig = utils.get_rpconfig(orequest.trust_root) except: return HttpResponse("Invalid OpenID transaction") if not request.user.is_authenticated(): # XXX: need to remove this circular dep to the webui app from webui.views import ui return ui.LoginView.as_view()(request, token, rpconfig=rpconfig) if not _user_is_verified_for_rp(request.user, rpconfig): name = rpconfig.displayname if rpconfig else orequest.trust_root messages.warning( request, SITE_REQUIRES_VERIFIED.format(rp_name=name) ) return HttpResponseRedirect(reverse('account-emails')) site_requires_twofactor = twofactor.site_requires_twofactor_auth( request, token, rpconfig) if (not twofactor.is_authenticated(request) or (site_requires_twofactor and not twofactor.is_upgraded(request))): if is_twofactor_enabled(request): return HttpResponseRedirect(reverse('twofactor', args=[token])) else: return _process_decide(request, orequest, decision=False) if ('ok' in request.POST or (rpconfig is not None and rpconfig.auto_authorize)): return _process_decide(request, orequest, decision=True) sreg_request = SRegRequest.fromOpenIDRequest(orequest) ax_request = ax.FetchRequest.fromOpenIDRequest(orequest) teams_request = TeamsRequest.fromOpenIDRequest(orequest) try: summary = OpenIDRPSummary.objects.get( account=request.user, trust_root=orequest.trust_root, openid_identifier=request.user.openid_identity_url) approved_data = summary.get_approved_data() except OpenIDRPSummary.DoesNotExist: approved_data = {} user_attribs_form = UserAttribsRequestForm( request, sreg_request, ax_request, rpconfig, approved_data=approved_data.get('user_attribs')) teams_form = TeamsRequestForm(request, teams_request, rpconfig, approved_data=approved_data.get('teams')) context = RequestContext(request, { 'account': request.user, 'trust_root': orequest.trust_root, 'rpconfig': rpconfig, 'user_attribs_form': user_attribs_form, 'teams_form': teams_form, 'token': token, 'sane_trust_root': _request_has_sane_trust_root(orequest) }) return render_to_response('server/decide.html', context)
def post(self): parsed = urlparse.urlparse(self.request.uri) request_url_without_path = parsed[0] + '://' + parsed[1] request_url_without_params = request_url_without_path + parsed[2] token = self.request.get('token') or urlparse.urlparse(self.request.uri)[2].rsplit('/',2)[2] oid_args = False query = datastore.Query('Verification') query['token ='] = token v = query.Get(1) if v: v = v[0] if v['expires'] > time.time(): self.user = v['email'] self.oid_args = pickle.loads(str(v['oidrequest'])) else: error = 'That token has expired. Please try again.' datastore.Delete(v) else: error = 'No such token found.' if not self.CheckUser(): self.ShowFrontPage(error) return args = self.ArgsToDict() try: oidrequest = OpenIDServer.CheckIDRequest.fromMessage(OpenIDMessage.fromPostArgs(args), '') except: trace = ''.join(traceback.format_exception(*sys.exc_info())) self.ReportError('Error decoding login request:\n%s' % trace) return if True: #args.has_key('yes'): logging.debug('Confirming identity to %s' % oidrequest.trust_root) if args.get('remember', '') == 'yes': logging.info('Setting cookie to remember openid login for two weeks') expires = datetime.datetime.now() + datetime.timedelta(weeks=2) expires_rfc822 = expires.strftime('%a, %d %b %Y %H:%M:%S +0000') self.response.headers.add_header( 'Set-Cookie', 'openid_remembered=yes; expires=%s' % expires_rfc822) self.store_login(oidrequest, 'confirmed') sreg_req = SRegRequest.fromOpenIDRequest(oidrequest) self.Respond(oidrequest.answer(True, request_url_without_path + '/id/' + urllib.quote(self.user)), sreg_req) elif args.has_key('no'): logging.debug('Login denied, sending cancel to %s' % oidrequest.trust_root) self.store_login(oidrequest, 'declined') return self.Respond(oidrequest.answer(False)) else: self.ReportError('Bad login request.')
def openid_decide(request): """ The page that asks the user if they really want to sign in to the site, and lets them add the consumer to their trusted whitelist. # If user is logged in, ask if they want to trust this trust_root # If they are NOT logged in, show the landing page """ orequest = request.session.get('OPENID_REQUEST') # No request ? Failure.. if not orequest: logger.warning('OpenID decide view failed, \ because no OpenID request is saved') return HttpResponseRedirect('/') sreg_request = SRegRequest.fromOpenIDRequest(orequest) logger.debug('SREG request: %s' % sreg_request.__dict__) if not request.user.is_authenticated(): # Not authenticated ? Authenticate and go back to the server endpoint return redirect_to_login(request, next=reverse(openid_server), nonce='1') if request.method == 'POST': if 'cancel' in request.POST: # User refused logger.info('OpenID decide canceled') return HttpResponseRedirect('%s?cancel' % reverse(openid_server)) else: form = DecideForm(sreg_request=sreg_request, data=request.POST) if form.is_valid(): data = form.cleaned_data # Remember the choice t, created = models.TrustedRoot.objects.get_or_create( user=request.user.id, trust_root=orequest.trust_root) t.choices = sreg_request.required \ + [ field for field in data if data[field] ] t.save() logger.debug('OpenID decide, user choice:%s' % data) return HttpResponseRedirect(reverse('openid-provider-root')) else: form = DecideForm(sreg_request=sreg_request) logger.info('OpenID device view, orequest:%s' % orequest) # verify return_to of trust_root try: trust_root_valid = verifyReturnTo(orequest.trust_root, orequest.return_to) and "Valid" or "Invalid" except HTTPFetchingError: trust_root_valid = "Unreachable" except DiscoveryFailure: trust_root_valid = "DISCOVERY_FAILED" return render_to_response('idp/openid/decide.html', { 'title': _('Trust this site?'), 'required': sreg_request.required, 'optional': sreg_request.optional, 'trust_root_valid': trust_root_valid, 'form': form, }, context_instance=RequestContext(request))
def openid_decide(request): """ The page that asks the user if they really want to sign in to the site, and lets them add the consumer to their trusted whitelist. # If user is logged in, ask if they want to trust this trust_root # If they are NOT logged in, show the landing page """ orequest = request.session.get('OPENID_REQUEST') # No request ? Failure.. if not orequest: logger.warning('OpenID decide view failed, \ because no OpenID request is saved') return HttpResponseRedirect('/') sreg_request = SRegRequest.fromOpenIDRequest(orequest) logger.debug('SREG request: %s' % sreg_request.__dict__) if not request.user.is_authenticated(): # Not authenticated ? Authenticate and go back to the server endpoint return redirect_to_login(request, next=reverse(openid_server), nonce='1') if request.method == 'POST': if 'cancel' in request.POST: # User refused logger.info('OpenID decide canceled') return HttpResponseRedirect('%s?cancel' % reverse(openid_server)) else: form = DecideForm(sreg_request=sreg_request, data=request.POST) if form.is_valid(): data = form.cleaned_data # Remember the choice t, created = models.TrustedRoot.objects.get_or_create( user=request.user.id, trust_root=orequest.trust_root) t.choices = sreg_request.required \ + [ field for field in data if data[field] ] t.save() logger.debug('OpenID decide, user choice:%s' % data) return HttpResponseRedirect(reverse('openid-provider-root')) else: form = DecideForm(sreg_request=sreg_request) logger.info('OpenID device view, orequest:%s' % orequest) # verify return_to of trust_root try: trust_root_valid = verifyReturnTo(orequest.trust_root, orequest.return_to) and "Valid" or "Invalid" except HTTPFetchingError: trust_root_valid = "Unreachable" except DiscoveryFailure: trust_root_valid = "DISCOVERY_FAILED" return render_to_response('idp/openid/decide.html', { 'title': _('Trust this site?'), 'required': sreg_request.required, 'optional': sreg_request.optional, 'trust_root_valid': trust_root_valid, 'form': form, }, context_instance=RequestContext(request))
def handle_sreg(request, response): """Handle any sreg data requests""" sreg_req = SRegRequest.fromOpenIDRequest(request) # Extract information if required if sreg_req.wereFieldsRequested(): fields = config.sreg_fields() if not fields: return sreg_resp = SRegResponse.extractResponse(sreg_req, config.sreg_fields()) sreg_resp.toMessage(response.fields)
def Respond(self, oidresponse): """Send an OpenID response. Args: oidresponse: OpenIDResponse The response to send, usually created by OpenIDRequest.answer(). """ logging.warning('Respond: oidresponse.request.mode ' + oidresponse.request.mode) if oidresponse.request.mode in ['checkid_immediate', 'checkid_setup']: # user = users.get_current_user() user = self.get_current_user() if user: from openid.extensions.sreg import SRegRequest,SRegResponse sreg_req = SRegRequest.fromOpenIDRequest(oidresponse.request) logging.info("sreg_req:%s",sreg_req.allRequestedFields()) if sreg_req.wereFieldsRequested(): user_data = {'nickname':user.nickname, 'email':user.email} sreg_resp = SRegResponse.extractResponse(sreg_req, user_data) sreg_resp.toMessage(oidresponse.fields) # add nickname, using the Simple Registration Extension: # http://www.openidenabled.com/openid/simple-registration-extension/ #oidresponse.fields.setArg('http://openid.net/sreg/1.0', 'nickname', user.nickname) #oidresponse.fields.setArg('http://openid.net/sreg/1.0', 'email', user.email) #oidresponse.fields.setArg('http://openid.net/srv/ax/1.0', 'nickname', user.nickname) #oidresponse.fields.setArg('http://openid.net/srv/ax/1.0', 'email', user.email) from openid.extensions.ax import FetchRequest, FetchResponse res ={'nickname':user.nickname,'email':user.email,'attr0':user.email,'attr1':user.nickname} ax_req = FetchRequest.fromOpenIDRequest(oidresponse.request) logging.info("ax_req:%s",ax_req.getRequiredAttrs()) ax_res = FetchResponse() for x in ax_req.iterAttrs(): ax_res.addValue(x.type_uri,res[x.alias] ) ax_res.toMessage(oidresponse.fields) pass logging.info('Using response: %s' % oidresponse) encoded_response = oidserver.encodeResponse(oidresponse) # update() would be nice, but wsgiref.headers.Headers doesn't implement it for header, value in encoded_response.headers.items(): self.response.headers[header] = str(value) if encoded_response.code in (301, 302): self.redirect(self.response.headers['location']) else: self.response.set_status(encoded_response.code) if encoded_response.body: logging.debug('Sending response body: %s' % encoded_response.body) self.response.out.write(encoded_response.body) else: self.response.out.write('')
def add_sreg_fields(self, oidresponse, user): """ Add requested Simple Registration Extension fields to oidresponse and return it. """ sreg_req = SRegRequest.fromOpenIDRequest(oidresponse.request) if sreg_req.wereFieldsRequested(): logging.debug("respond: sreg_req:%s", sreg_req.allRequestedFields()) sreg_map = dict(((key, val) for (key, val) in { 'nickname': user.nickname(), 'email': user.email() }.items() if key in sreg_req.allRequestedFields())) oidresponse.addExtension( SRegResponse.extractResponse(sreg_req, sreg_map)) return oidresponse
def add_sreg_fields(self, oidresponse, user): """ Add requested Simple Registration Extension fields to oidresponse and return it. """ sreg_req = SRegRequest.fromOpenIDRequest(oidresponse.request) if sreg_req.wereFieldsRequested(): logging.debug("respond: sreg_req:%s", sreg_req.allRequestedFields()) sreg_map = dict( ((key, val) for (key, val) in {'nickname':user.nickname(), 'email':user.email()}.items() if key in sreg_req.allRequestedFields())) oidresponse.addExtension( SRegResponse.extractResponse(sreg_req, sreg_map)) return oidresponse
def _add_user_attribs(request, openid_request, openid_response): # Add ax and sreg result data sreg_request = SRegRequest.fromOpenIDRequest(openid_request) ax_request = ax.FetchRequest.fromOpenIDRequest(openid_request) rpconfig = utils.get_rpconfig(openid_request.trust_root) form = UserAttribsRequestForm( request, sreg_request, ax_request, rpconfig) if form.data_approved_for_request: sreg_response = SRegResponse.extractResponse( sreg_request, form.data_approved_for_request) openid_response.addExtension(sreg_response) if ax_request is not None: ax_response = ax.FetchResponse(ax_request) for k, v in form.data_approved_for_request.iteritems(): if AX_DATA_FIELDS.getNamespaceURI(k) in ax_request: ax_response.addValue(AX_DATA_FIELDS.getNamespaceURI(k), v) openid_response.addExtension(ax_response)
def Respond(self, oidresponse): """Send an OpenID response. Args: oidresponse: OpenIDResponse The response to send, usually created by OpenIDRequest.answer(). """ logging.info('Respond: oidresponse.request.mode ' + oidresponse.request.mode) if oidresponse.request.mode in ['checkid_immediate', 'checkid_setup']: user = Auth.AuthenticatedUser(self.request) if user: from openid.extensions.sreg import SRegRequest,SRegResponse sreg_req = SRegRequest.fromOpenIDRequest(oidresponse.request) if sreg_req.wereFieldsRequested(): logging.info("sreg_req:%s",sreg_req.allRequestedFields()) user_data = {'nickname':user.nickname(), 'email':user.email} sreg_resp = SRegResponse.extractResponse(sreg_req, user_data) sreg_resp.toMessage(oidresponse.fields) # add nickname, using the Simple Registration Extension: # http://www.openidenabled.com/openid/simple-registration-extension/ #mrk # oidresponse.fields.setArg('http://openid.net/sreg/1.0', 'nickname', user.nickname()) # oidresponse.fields.setArg('http://openid.net/sreg/1.0', 'email', user.email()) pass logging.info('Using response: %s' % oidresponse) encoded_response = oidserver.encodeResponse(oidresponse) # update() would be nice, but wsgiref.headers.Headers doesn't implement it for header, value in encoded_response.headers.items(): self.response.headers[header] = str(value) if encoded_response.code in (301, 302): self.redirect(self.response.headers['location']) else: self.response.set_status(encoded_response.code) if encoded_response.body: logging.debug('Sending response body: %s' % encoded_response.body) self.response.out.write(encoded_response.body) else: self.response.out.write('')
def test_login_update_details(self): settings.OPENID_UPDATE_DETAILS_FROM_SREG = True user = User.objects.create_user('testuser', '*****@*****.**') useropenid = UserOpenID( user=user, claimed_id='http://example.com/identity', display_id='http://example.com/identity') useropenid.save() # Posting in an identity URL begins the authentication request: response = self.client.post('/openid/login/', {'openid_identifier': 'http://example.com/identity', 'next': '/getuser/'}) self.assertContains(response, 'OpenID transaction in progress') # Complete the request, passing back some simple registration # data. The user is redirected to the next URL. openid_request = self.provider.parseFormPost(response.content) sreg_request = SRegRequest.fromOpenIDRequest(openid_request) openid_response = openid_request.answer(True) sreg_response = SRegResponse.extractResponse( sreg_request, {'nickname': 'someuser', 'fullname': 'Some User', 'email': '*****@*****.**'}) openid_response.addExtension(sreg_response) response = self.complete(openid_response) self.assertRedirects(response, 'http://testserver/getuser/') # And they are now logged in as testuser (the passed in # nickname has not caused the username to change). response = self.client.get('/getuser/') self.assertEquals(response.content, 'testuser') # The user's full name and email have been updated. user = User.objects.get(username='******') self.assertEquals(user.first_name, 'Some') self.assertEquals(user.last_name, 'User') self.assertEquals(user.email, '*****@*****.**')
def test_login_update_details(self): settings.OPENID_UPDATE_DETAILS_FROM_SREG = True user = User.objects.create_user('testuser', '*****@*****.**') useropenid = UserOpenID( user=user, claimed_id='http://example.com/identity', display_id='http://example.com/identity') useropenid.save() # Posting in an identity URL begins the authentication request: response = self.client.post('/openid/login/', {'openid_identifier': 'http://example.com/identity', 'next': '/getuser/'}) self.assertContains(response, 'OpenID transaction in progress') # Complete the request, passing back some simple registration # data. The user is redirected to the next URL. openid_request = self.provider.parseFormPost(response.content) sreg_request = SRegRequest.fromOpenIDRequest(openid_request) openid_response = openid_request.answer(True) sreg_response = SRegResponse.extractResponse( sreg_request, {'nickname': 'someuser', 'fullname': 'Some User', 'email': '*****@*****.**'}) openid_response.addExtension(sreg_response) response = self.complete(openid_response) self.assertRedirects(response, 'http://testserver/getuser/') # And they are now logged in as testuser (the passed in # nickname has not caused the username to change). response = self.client.get('/getuser/') self.assertEquals(response.content, 'testuser') # The user's full name and email have been updated. user = User.objects.get(username='******') self.assertEquals(user.first_name, 'Some') self.assertEquals(user.last_name, 'User') self.assertEquals(user.email, '*****@*****.**')
def openid_decide(request): """ The page that asks the user if they really want to sign in to the site, and lets them add the consumer to their trusted whitelist. # If user is logged in, ask if they want to trust this trust_root # If they are NOT logged in, show the landing page """ orequest = request.session.get("OPENID_REQUEST") # No request ? Failure.. if not orequest: logger.warning( "OpenID decide view failed, \ because no OpenID request is saved" ) return redirect("auth_homepage") sreg_request = SRegRequest.fromOpenIDRequest(orequest) logger.debug("SREG request: %s" % sreg_request.__dict__) if not request.user.is_authenticated(): # Not authenticated ? Authenticate and go back to the server endpoint return login_require(request, params={NONCE_FIELD_NAME: "1"}) if request.method == "POST": if "cancel" in request.POST: # User refused logger.info("OpenID decide canceled") return redirect(openid_server, params={"cancel": ""}) else: form = DecideForm(sreg_request=sreg_request, data=request.POST) if form.is_valid(): data = form.cleaned_data # Remember the choice t, created = models.TrustedRoot.objects.get_or_create( user=request.user.id, trust_root=orequest.trust_root ) t.choices = sreg_request.required + [field for field in data if data[field]] t.save() logger.debug("OpenID decide, user choice:%s" % data) return redirect("openid-provider-root") else: form = DecideForm(sreg_request=sreg_request) logger.info("OpenID device view, orequest:%s" % orequest) # verify return_to of trust_root try: trust_root_valid = verifyReturnTo(orequest.trust_root, orequest.return_to) and "Valid" or "Invalid" except HTTPFetchingError: trust_root_valid = "Unreachable" except DiscoveryFailure: trust_root_valid = "DISCOVERY_FAILED" return render_to_response( "idp/openid/decide.html", { "title": _("Trust this site?"), "required": sreg_request.required, "optional": sreg_request.optional, "trust_root_valid": trust_root_valid, "form": form, }, context_instance=RequestContext(request), )
except ProtocolError, why: logger.error('Invalid OpenID message %s' % querydict) return oresponse_to_response(server, why) if not orequest: orequest = request.session.get('OPENID_REQUEST', None) if orequest: logger.info('Restarting saved request by %s' % orequest.trust_root) # remove session stored data: pass # del request.session['OPENID_REQUEST'] else: logger.info('No OpenID request redirecting to homepage') return HttpResponseRedirect('/') else: logger.info('Received OpenID request: %s' % querydict) sreg_request = SRegRequest.fromOpenIDRequest(orequest) logger.debug('SREG request: %s' % sreg_request.__dict__) if orequest.mode in ("checkid_immediate", "checkid_setup"): # User is not logged if not request.user.is_authenticated(): # Site does not want interaction if orequest.immediate: logger.debug('User not logged and checkid immediate request, \ returning OpenID failure') return oresponse_to_response(server, orequest.answer(False)) else: # Try to login request.session['OPENID_REQUEST'] = orequest logger.debug('User not logged and checkid request, \ redirecting to login page')
def openid_auth_site(request): try: oreq = request.session['openid_request'] except KeyError: return render(request, 'openid-auth-site.html', { 'error': 'No OpenID request associated. The request may have \ expired.', }, status=400) sreg = SRegRequest.fromOpenIDRequest(oreq) ax = FetchRequest.fromOpenIDRequest(oreq) sreg_fields = set(sreg.allRequestedFields()) if ax: for uri in ax.requested_attributes: k = openid_ax_attribute_mapping.get(uri) if k: sreg_fields.add(k) ldap_user = LDAPUser.objects.get(username=request.user.username) if sreg_fields: sreg_data = { 'nickname': ldap_user.username, 'email': ldap_user.email, 'fullname': ldap_user.full_name, 'dob': ldap_user.birthday, } for k in list(sreg_data): if not sreg_data[k]: del sreg_data[k] else: sreg_data = {} sreg_fields = sreg_data.keys() # Read preferences from the db. try: saved_pref = OpenID_Attributes.objects.get( uid=ldap_user.uid, trust_root=oreq.trust_root, ) except OpenID_Attributes.DoesNotExist: saved_pref = None auto_auth = False else: auto_auth = saved_pref.always_auth if auto_auth or request.POST: if auto_auth: # TODO: can we do this nicer? form_inp = model_to_dict(saved_pref) else: form_inp = request.POST form = SiteAuthForm(form_inp, instance=saved_pref) # can it be invalid somehow? assert(form.is_valid()) attrs = form.save(commit=False) # nullify fields that were not requested for fn in form.cleaned_data: if fn in ('always_auth',): pass elif hasattr(attrs, fn) and fn not in sreg_fields: setattr(attrs, fn, None) if auto_auth or 'accept' in request.POST: # prepare sreg response for fn, send in form.cleaned_data.items(): if fn not in sreg_data: pass elif not send: del sreg_data[fn] elif isinstance(sreg_data[fn], list): form_key = 'which_%s' % fn val = form.cleaned_data[form_key] if val not in sreg_data[fn]: raise NotImplementedError( 'Changing choices not implemented yet') sreg_data[fn] = val if not auto_auth: setattr(attrs, form_key, val) if not auto_auth: # save prefs in the db # (if auto_auth, then nothing changed) attrs.uid = ldap_user.uid attrs.trust_root = oreq.trust_root attrs.save() oresp = oreq.answer(True, identity=request.build_absolute_uri( reverse(user_page, args=(request.user.username,)))) sreg_resp = SRegResponse.extractResponse(sreg, sreg_data) oresp.addExtension(sreg_resp) if ax: ax_resp = FetchResponse(ax) for uri in ax.requested_attributes: k = openid_ax_attribute_mapping.get(uri) if k and k in sreg_data: ax_resp.addValue(uri, sreg_data[k]) oresp.addExtension(ax_resp) elif 'reject' in request.POST: oresp = oreq.answer(False) else: return render(request, 'openid-auth-site.html', { 'error': 'Invalid request submitted.', }, status=400) if request.session.get('auto_logout', False): # _logout clears request.session _logout(request) else: del request.session['openid_request'] return render_openid_response(request, oresp) form = SiteAuthForm(instance=saved_pref) sreg_form = {} # Fill in lists for choices for f in sreg_fields: if f not in sreg_data: pass elif isinstance(sreg_data[f], list): form.fields['which_%s' % f].widget.choices = [ (x, x) for x in sreg_data[f] ] sreg_form[f] = form['which_%s' % f] else: sreg_form[f] = format_html("<input type='text'" + " readonly='readonly'" + " value='{0}' />", sreg_data[f]) try: # TODO: cache it if oreq.returnToVerified(): tr_valid = 'Return-To valid and trusted' else: tr_valid = 'Return-To untrusted' except openid.yadis.discover.DiscoveryFailure: tr_valid = 'Unable to verify trust (Yadis unsupported)' except openid.fetchers.HTTPFetchingError: tr_valid = 'Unable to verify trust (HTTP error)' return render(request, 'openid-auth-site.html', { 'openid_request': oreq, 'return_to_valid': tr_valid, 'form': form, 'sreg': sreg_fields, 'sreg_form': sreg_form, 'policy_url': sreg.policy_url, })
def openid_auth_site(request): try: oreq = request.session['openid_request'] except KeyError: return render(request, 'openid-auth-site.html', { 'error': 'No OpenID request associated. The request may have \ expired.', }, status=400) sreg = SRegRequest.fromOpenIDRequest(oreq) ax = FetchRequest.fromOpenIDRequest(oreq) sreg_fields = set(sreg.allRequestedFields()) if ax: for uri in ax.requested_attributes: k = openid_ax_attribute_mapping.get(uri) if k: sreg_fields.add(k) ldap_user = LDAPUser.objects.get(username=request.user.username) if sreg_fields: sreg_data = { 'nickname': ldap_user.username, 'email': ldap_user.email, 'fullname': ldap_user.full_name, 'dob': ldap_user.birthday, } for k in list(sreg_data): if not sreg_data[k]: del sreg_data[k] else: sreg_data = {} sreg_fields = sreg_data.keys() # Read preferences from the db. try: saved_pref = OpenID_Attributes.objects.get( uid=ldap_user.uid, trust_root=oreq.trust_root, ) except OpenID_Attributes.DoesNotExist: saved_pref = None auto_auth = False else: auto_auth = saved_pref.always_auth if auto_auth or request.POST: if auto_auth: # TODO: can we do this nicer? form_inp = model_to_dict(saved_pref) else: form_inp = request.POST form = SiteAuthForm(form_inp, instance=saved_pref) # can it be invalid somehow? assert (form.is_valid()) attrs = form.save(commit=False) # nullify fields that were not requested for fn in form.cleaned_data: if fn in ('always_auth', ): pass elif hasattr(attrs, fn) and fn not in sreg_fields: setattr(attrs, fn, None) if auto_auth or 'accept' in request.POST: # prepare sreg response for fn, send in form.cleaned_data.items(): if fn not in sreg_data: pass elif not send: del sreg_data[fn] elif isinstance(sreg_data[fn], list): form_key = 'which_%s' % fn val = form.cleaned_data[form_key] if val not in sreg_data[fn]: raise NotImplementedError( 'Changing choices not implemented yet') sreg_data[fn] = val if not auto_auth: setattr(attrs, form_key, val) if not auto_auth: # save prefs in the db # (if auto_auth, then nothing changed) attrs.uid = ldap_user.uid attrs.trust_root = oreq.trust_root attrs.save() oresp = oreq.answer(True, identity=request.build_absolute_uri( reverse(user_page, args=(request.user.username, )))) sreg_resp = SRegResponse.extractResponse(sreg, sreg_data) oresp.addExtension(sreg_resp) if ax: ax_resp = FetchResponse(ax) for uri in ax.requested_attributes: k = openid_ax_attribute_mapping.get(uri) if k and k in sreg_data: ax_resp.addValue(uri, sreg_data[k]) oresp.addExtension(ax_resp) elif 'reject' in request.POST: oresp = oreq.answer(False) else: return render(request, 'openid-auth-site.html', { 'error': 'Invalid request submitted.', }, status=400) if request.session.get('auto_logout', False): # _logout clears request.session _logout(request) else: del request.session['openid_request'] return render_openid_response(request, oresp) form = SiteAuthForm(instance=saved_pref) sreg_form = {} # Fill in lists for choices for f in sreg_fields: if f not in sreg_data: pass elif isinstance(sreg_data[f], list): form.fields['which_%s' % f].widget.choices = [ (x, x) for x in sreg_data[f] ] sreg_form[f] = form['which_%s' % f] else: sreg_form[f] = format_html( "<input type='text'" + " readonly='readonly'" + " value='{0}' />", sreg_data[f]) try: # TODO: cache it if oreq.returnToVerified(): tr_valid = 'Return-To valid and trusted' else: tr_valid = 'Return-To untrusted' except openid.yadis.discover.DiscoveryFailure: tr_valid = 'Unable to verify trust (Yadis unsupported)' except openid.fetchers.HTTPFetchingError: tr_valid = 'Unable to verify trust (HTTP error)' return render( request, 'openid-auth-site.html', { 'openid_request': oreq, 'return_to_valid': tr_valid, 'form': form, 'sreg': sreg_fields, 'sreg_form': sreg_form, 'policy_url': sreg.policy_url, })
except ProtocolError, why: logger.error('Invalid OpenID message %s' % querydict) return oresponse_to_response(server, why) if not orequest: orequest = request.session.get('OPENID_REQUEST', None) if orequest: logger.info('Restarting saved request by %s' % orequest.trust_root) # remove session stored data: pass # del request.session['OPENID_REQUEST'] else: logger.info('No OpenID request redirecting to homepage') return HttpResponseRedirect('/') else: logger.info('Received OpenID request: %s' % querydict) sreg_request = SRegRequest.fromOpenIDRequest(orequest) logger.debug('SREG request: %s' % sreg_request.__dict__) if orequest.mode in ("checkid_immediate", "checkid_setup"): # User is not logged if not request.user.is_authenticated(): # Site does not want interaction if orequest.immediate: logger.debug('User not logged and checkid immediate request, \ returning OpenID failure') return oresponse_to_response(server, orequest.answer(False)) else: # Try to login request.session['OPENID_REQUEST'] = orequest logger.debug('User not logged and checkid request, \ redirecting to login page')
def get(self): """Handles GET requests.""" parsed = urlparse.urlparse(self.request.uri) request_url_without_path = parsed[0] + '://' + parsed[1] request_url_without_params = request_url_without_path + parsed[2] oidrequest = self.GetOpenIdRequest() if oidrequest is False: # there was an error, and GetOpenIdRequest displayed it. bail out. return elif oidrequest is None: # this is a request from a browser unverified_email = urllib.unquote(urlparse.urlparse(self.request.uri)[2][4:]) email_md5 = hashlib.md5(unverified_email).hexdigest() nickname = unverified_email.rsplit('@',1)[0] self.Render('index', vars()) elif oidrequest.mode in ['checkid_immediate', 'checkid_setup']: if self.HasCookie() and self.CheckUser(): logging.debug('Has cookie, confirming identity to ' + oidrequest.trust_root) self.store_login(oidrequest, 'remembered') sreg_req = SRegRequest.fromOpenIDRequest(oidrequest) self.Respond(oidrequest.answer(True, request_url_without_params), sreg_req) elif oidrequest.immediate: self.store_login(oidrequest, 'declined') oidresponse = oidrequest.answer(False, request_url_without_path) self.Respond(oidresponse) else: if self.CheckUser(): self.Render('prompt', vars()) else: email = urllib.unquote(urlparse.urlparse(self.request.uri)[2][4:]) if not email: self.ReportError('Error, no email address specified.') else: if not '@' in email or not '.' in email: self.ReportError('Error, invalid email address specified.') else: v = datastore.Entity('Verification') v['token'] = hashlib.md5(email+str(random.random())+str(time.time())).hexdigest() v['email'] = email v['expires'] = int(time.time())+1800 v['oidrequest'] = Text(pickle.dumps(self.ArgsToDict())) datastore.Put(v) mail.send_mail(sender="Email Verification <*****@*****.**>", to=email, subject="Please verify your email address", body="""You need to verify your email address to continue with your request to <%s>. To continue, follow this link: <%s/login/%s> or cut and paste the following verification code into the textbox back in your browser: %s""" % (oidrequest.trust_root, request_url_without_path, v['token'], v['token'])) self.Render('prompt', vars()) elif oidrequest.mode in ['associate', 'check_authentication']: self.Respond(oidserver.handleRequest(oidrequest)) else: self.ReportError('Unknown mode: %s' % oidrequest.mode)