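def persona_sign(email, publicKey, certDuration):
    """Issue a signed Persona (BrowserID) certificate for *email*.

    The certificate is ``header.claim.signature`` with every segment
    base64url-encoded: the header names the signing algorithm
    (``RS<digest_size>``), the claim binds the caller-supplied public key to
    *email* under ``PERSONA_DOMAIN``, and the signature is the module-level
    ``key``'s signature over ``header.claim``.

    Args:
        email: principal e-mail address embedded in the claim.
        publicKey: JSON text of the public key to certify. It is embedded
            verbatim in the signed claim, so it must parse to a JSON object.
        certDuration: requested lifetime in seconds (assumed numeric);
            capped at 24 hours.

    Returns:
        The signed certificate as a string.

    Raises:
        ValueError: *publicKey* is not valid JSON or not a JSON object.
    """
    algorithm = 'RS%s' % digest_size
    digest_name = 'sha%s' % digest_size

    # The signer vouches for whatever sits under 'public-key', so refuse to
    # certify anything that is not an object. json.loads already raises
    # ValueError on malformed input, so callers see a single exception type.
    public_key = json.loads(publicKey)
    if not isinstance(public_key, dict):
        raise ValueError('publicKey must be a JSON object')

    # Read the clock once so 'iat' and 'exp' derive from the same instant
    # (the original read it twice). Values are multiplied by 1000 (millisecond
    # timestamps); 'iat' is backdated 10 s, presumably to tolerate clock skew
    # between issuer and verifier.
    now = time.time()
    lifetime = min(certDuration, 24 * 60 * 60)  # valid for at most 24 hours
    claim_json = {
        'iat': 1000 * int(now - 10),
        'exp': 1000 * int(now + lifetime),
        'iss': app.config['PERSONA_DOMAIN'],
        'public-key': public_key,
        'principal': {'email': email},
    }

    header = base64_url_encode(json.dumps({'alg': algorithm}))
    claim = base64_url_encode(json.dumps(claim_json))
    certificate = '%s.%s' % (header, claim)

    digest = M2Crypto.EVP.MessageDigest(digest_name)
    digest.update(certificate)
    signature = base64_url_encode(key.sign(digest.digest(), digest_name))
    signed_certificate = '%s.%s' % (certificate, signature)

    log_info('Success', {
        'email': email,
        'issuedAt': str(claim_json['iat']),
        'expiresAt': str(claim_json['exp']),
        'message': 'The user succesfully acquired a Persona certificate'})
    return signed_certificate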
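def _is_local_redirect_target(target):
    """Return True when *target* resolves to http(s) on this request's host.

    Relative paths and absolute URLs on the same host as the request pass;
    other hosts, other schemes and backslash-containing targets are
    rejected. This keeps a user-supplied ``next`` from turning the login
    view into an open redirector.
    """
    try:
        from urllib.parse import urljoin, urlparse
    except ImportError:  # Python 2
        from urlparse import urljoin, urlparse
    # Some browsers treat a backslash like a forward slash, so a target that
    # urlparse sees as a plain path could be read as protocol-relative.
    if '\\' in target:
        return False
    base = urlparse(request.host_url)
    resolved = urlparse(urljoin(request.host_url, target))
    return (resolved.scheme in ('http', 'https')
            and resolved.netloc == base.netloc)


def _redirect_to_next(sess):
    """Redirect to the session's ``next`` target, or to view_main if it is off-site."""
    target = sess['next']
    if _is_local_redirect_target(target):
        return redirect(target)
    log_warning('Failure', {
        'next': target,
        'message': 'Ignoring off-site "next" redirect target'})
    return redirect(url_for('view_main'))


def view_fas_login():
    """Render and process the FAS username/password login form.

    GET shows the form. POST checks the submitted credentials against the
    auth module (subject to the ``FAS_AVAILABLE_FILTER``/``FAS_AVAILABLE_TO``
    allowlist), stores the user in the session and redirects to the ``next``
    target. ``next`` comes from the query string and is remembered in the
    session; only targets on this host are honoured, off-site ones are
    logged and dropped.

    Returns:
        A redirect on success or when the session is already authenticated,
        otherwise the rendered ``auth_fas_login.html`` template.
    """
    sess = get_session()

    if 'next' in request.args:
        target = request.args['next']
        if _is_local_redirect_target(target):
            sess['next'] = target
            sess.save()
        else:
            # A caller-supplied 'next' is the classic open-redirect vector;
            # drop it rather than remembering it for the post-login redirect.
            log_warning('Failure', {
                'next': target,
                'message': 'Ignoring off-site "next" redirect target'})
    if 'next' not in sess:
        return redirect(url_for('view_main'))

    # Since 0.4.0 the session may carry a 'timeout' flag meaning PAPE or
    # application configuration demands a fresh authentication.
    needs_reauth = 'timeout' in sess and sess['timeout']
    if get_auth_module().logged_in() and not needs_reauth:
        log_debug('Info', {
            'message': 'User tried to login but is already authenticated'})
        return _redirect_to_next(sess)

    if request.method == 'POST':
        username = request.form['username']
        password = request.form['password']
        allowed = (not app.config['FAS_AVAILABLE_FILTER']) or \
            (username in app.config['FAS_AVAILABLE_TO'])
        if allowed:
            # Empty fields are refused up front rather than sent to the backend.
            user = None
            if username != '' and password != '':
                user = get_auth_module().check_login(username, password)
            if user:
                log_info('Success', {
                    'username': username,
                    'message': 'User authenticated succesfully'})
                user = user.toDict()
                # A bunch is not serializable...
                user['groups'] = [x['name'] for x in user['approved_memberships']]
                sess['user'] = user
                # NOTE(review): time() is called bare here while persona_sign
                # uses time.time(); confirm which import this module has.
                sess['last_auth_time'] = time()
                sess['timeout'] = False
                sess['trust_root'] = ''
                sess.save()
                return _redirect_to_next(sess)
            log_warning('Failure', {
                'username': username,
                'message': 'User entered incorrect username or password'})
            flash(_('Incorrect username or password'))
        else:
            log_warning('Failure', {
                'username': username,
                'message': 'Tried to login with an account that is not '
                           'allowed to use this service'})
            flash(_('This service is limited to the following '
                    'users: %(users)s',
                    users=', '.join(app.config['FAS_AVAILABLE_TO'])))
    return render_template(
        'auth_fas_login.html',
        trust_root=sess['trust_root'])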
def view_persona_fas_login():
    """FAS credential check used by the Persona login flow.

    Expects ``username`` and ``password`` form fields and answers with a
    plain-text response: 400 when a field is missing, 409 when the session
    is already authenticated, 403 when the account is outside
    ``FAS_AVAILABLE_TO`` (with the filter enabled) or the credentials are
    wrong, and 200 on success, after the user has been stored in the
    session.
    """
    form = request.form
    if 'username' not in form or 'password' not in form:
        return Response('No user or pw', status=400)

    auth = get_auth_module()
    if auth.logged_in():
        return Response('Already logged in', status=409)

    username = form['username']
    password = form['password']

    # The two 403 bodies below differ, so a client can tell "not on the
    # allowlist" from "bad password"; the allowlist itself is already shown
    # to users by view_fas_login's flash message, so nothing new is exposed.
    filter_enabled = app.config['FAS_AVAILABLE_FILTER']
    if filter_enabled and username not in app.config['FAS_AVAILABLE_TO']:
        log_warning('Failure', {
            'username': username,
            'message': 'Tried to login with an account that is not '
                       'allowed to use this service'})
        return Response('Service limited to a restricted set of users',
                        status=403)

    # Empty fields are refused up front rather than handed to the backend.
    user = None
    if username != '' and password != '':
        user = auth.check_login(username, password)

    if not user:
        log_warning('Failure', {
            'username': username,
            'message': 'User entered incorrect username or password'})
        return Response('Incorrect username or password', status=403)

    log_info('Success', {
        'username': username,
        'message': 'User authenticated succesfully'})
    # A bunch is not serializable...
    record = user.toDict()
    record['groups'] = [x['name'] for x in record['approved_memberships']]

    sess = get_session()
    sess['user'] = record
    # NOTE(review): time() is called bare here while persona_sign uses
    # time.time(); confirm which import this module has.
    sess['last_auth_time'] = time()
    sess['timeout'] = False
    sess['trust_root'] = ''
    sess.save()
    return Response('Success', status=200)
), claimed_id=get_claimed_id(get_auth_module().get_username()) ) sreg_info = addSReg(openid_request, openid_response) teams_info = addTeams( openid_request, openid_response, filter_cla_groups(get_auth_module().get_groups())) cla_info = addCLAs( openid_request, openid_response, get_cla_uris(get_auth_module().get_groups())) auth_level = addPape(openid_request, openid_response) log_info('Success', { 'claimed_id': get_claimed_id(get_auth_module().get_username()), 'trust_root': openid_request.trust_root, 'security_level': auth_level, 'message': 'The user succesfully claimed the identity'}) log_debug('Info', {'teams': teams_info}) return openid_respond(openid_response) elif authed == AUTH_TRUST_ROOT_ASK: # User needs to confirm trust root return user_ask_trust_root(openid_request) elif authed == AUTH_TRUST_ROOT_NOT_OK: log_info('Info', { 'trust_root': openid_request.trust_root, 'message': 'User chose not to trust trust_root'}) return openid_respond(openid_request.answer(False)) elif authed == AUTH_TRUST_ROOT_CONFIG_NOT_OK: log_info('Info', { 'trust_root': openid_request.trust_root,