paulb@154 | 1 | #!/usr/bin/env python |
paulb@154 | 2 | |
paulb@403 | 3 | """ |
paulb@403 | 4 | Login redirection resources, sending unauthenticated users to a login screen |
paulb@403 | 5 | URL. |
paulb@403 | 6 | |
paulb@612 | 7 | Copyright (C) 2004, 2005, 2006, 2007 Paul Boddie <paul@boddie.org.uk> |
paulb@403 | 8 | |
paulb@403 | 9 | This library is free software; you can redistribute it and/or |
paulb@403 | 10 | modify it under the terms of the GNU Lesser General Public |
paulb@403 | 11 | License as published by the Free Software Foundation; either |
paulb@403 | 12 | version 2.1 of the License, or (at your option) any later version. |
paulb@403 | 13 | |
paulb@403 | 14 | This library is distributed in the hope that it will be useful, |
paulb@403 | 15 | but WITHOUT ANY WARRANTY; without even the implied warranty of |
paulb@403 | 16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
paulb@403 | 17 | Lesser General Public License for more details. |
paulb@403 | 18 | |
paulb@403 | 19 | You should have received a copy of the GNU Lesser General Public |
paulb@403 | 20 | License along with this library; if not, write to the Free Software |
paulb@489 | 21 | Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA |
paulb@403 | 22 | """ |
paulb@154 | 23 | |
paulb@154 | 24 | from WebStack.Helpers.Auth import get_token |
paulb@154 | 25 | import WebStack.Generic |
paulb@154 | 26 | |
paulb@154 | 27 | class LoginRedirectResource: |
paulb@154 | 28 | |
paulb@154 | 29 | "A resource redirecting to a login URL." |
paulb@154 | 30 | |
paulb@452 | 31 | encoding = "utf-8" |
paulb@452 | 32 | |
paulb@589 | 33 | def __init__(self, resource, authenticator, login_url=None, app_url=None, |
paulb@589 | 34 | anonymous_parameter_name=None, anonymous_username="anonymous", |
paulb@589 | 35 | logout_parameter_name=None, logout_url="/", use_logout_redirect=1, |
paulb@612 | 36 | urlencoding=None, path_encoding=None): |
paulb@154 | 37 | |
paulb@154 | 38 | """ |
paulb@589 | 39 | Initialise the resource with a 'resource' for the application being |
paulb@589 | 40 | protected and an 'authenticator' protecting the resource. |
paulb@589 | 41 | |
paulb@589 | 42 | If the optional 'login_url' and 'app_url' are provided, these values |
paulb@589 | 43 | will be used to locate the login application and protected application |
paulb@589 | 44 | respectively. Such values, if not provided, must be otherwise set at a |
paulb@589 | 45 | later time or provided by 'get_login_url' and 'get_app_url' methods in |
paulb@589 | 46 | a subclass of this class. |
paulb@451 | 47 | |
paulb@451 | 48 | If the optional 'anonymous_parameter_name' is set, clients providing a |
paulb@451 | 49 | parameter of that name in the URL will not be authenticated, but then |
paulb@451 | 50 | such clients will get a predefined user identity associated with them, |
paulb@451 | 51 | configurable using the optional 'anonymous_username'. |
paulb@154 | 52 | |
paulb@451 | 53 | If the optional 'logout_parameter_name' is set, clients providing a |
paulb@451 | 54 | parameter of that name in the URL will become logged out. After logging |
paulb@451 | 55 | out, clients are redirected to a location which can be configured by the |
paulb@451 | 56 | optional 'logout_url'. |
paulb@154 | 57 | |
paulb@451 | 58 | If the optional 'use_logout_redirect' flag is set to 0, a confirmation |
paulb@451 | 59 | screen is given instead of redirecting the user to the 'logout_url'. |
paulb@154 | 60 | |
paulb@612 | 61 | The optional 'path_encoding' parameter (previously 'urlencoding', which |
paulb@612 | 62 | is still supported) allows a special encoding to be used in producing |
paulb@612 | 63 | the redirection path. |
paulb@612 | 64 | |
paulb@612 | 65 | To change the page used by this resource, either redefine the |
paulb@612 | 66 | 'logout_page' attribute in instances of this class or a subclass, or |
paulb@612 | 67 | override the 'show_logout' method. |
paulb@154 | 68 | """ |
paulb@154 | 69 | |
paulb@154 | 70 | self.login_url = login_url |
paulb@154 | 71 | self.app_url = app_url |
paulb@154 | 72 | self.resource = resource |
paulb@154 | 73 | self.authenticator = authenticator |
paulb@154 | 74 | self.anonymous_parameter_name = anonymous_parameter_name |
paulb@154 | 75 | self.anonymous_username = anonymous_username |
paulb@154 | 76 | self.logout_parameter_name = logout_parameter_name |
paulb@154 | 77 | self.logout_url = logout_url |
paulb@154 | 78 | self.use_logout_redirect = use_logout_redirect |
paulb@612 | 79 | self.path_encoding = path_encoding or urlencoding or self.encoding |
paulb@154 | 80 | |
paulb@154 | 81 | def respond(self, trans): |
paulb@154 | 82 | |
paulb@154 | 83 | "Respond using the given transaction 'trans'." |
paulb@154 | 84 | |
paulb@612 | 85 | fields_path = trans.get_fields_from_path(self.path_encoding) |
paulb@154 | 86 | |
paulb@154 | 87 | # Check for the logout parameter, if appropriate. |
paulb@154 | 88 | |
paulb@154 | 89 | if self.logout_parameter_name is not None and fields_path.has_key(self.logout_parameter_name): |
paulb@154 | 90 | |
paulb@154 | 91 | # Remove the special cookie token, then pass on the transaction. |
paulb@154 | 92 | |
paulb@154 | 93 | self.authenticator.unset_token(trans) |
paulb@154 | 94 | |
paulb@154 | 95 | # Redirect to the logout URL. |
paulb@154 | 96 | |
paulb@154 | 97 | if self.use_logout_redirect: |
paulb@154 | 98 | trans.set_header_value("Location", self.logout_url) |
paulb@208 | 99 | trans.set_response_code(302) # was 307 |
paulb@154 | 100 | |
paulb@154 | 101 | # Show the logout confirmation anyway. |
paulb@154 | 102 | |
paulb@612 | 103 | self.show_logout(trans, self.logout_url) |
paulb@154 | 104 | |
paulb@154 | 105 | # Check the authentication details with the specified authenticator. |
paulb@154 | 106 | |
paulb@154 | 107 | elif self.authenticator.authenticate(trans): |
paulb@154 | 108 | |
paulb@154 | 109 | # If successful, pass on the transaction. |
paulb@154 | 110 | |
paulb@154 | 111 | self.resource.respond(trans) |
paulb@154 | 112 | |
paulb@154 | 113 | # Check for the anonymous parameter, if appropriate. |
paulb@154 | 114 | |
paulb@154 | 115 | elif self.anonymous_parameter_name is not None and fields_path.has_key(self.anonymous_parameter_name): |
paulb@154 | 116 | |
paulb@154 | 117 | # Make a special cookie token, then pass on the transaction. |
paulb@154 | 118 | |
paulb@154 | 119 | self.authenticator.set_token(trans, self.anonymous_username) |
paulb@154 | 120 | self.resource.respond(trans) |
paulb@154 | 121 | |
paulb@154 | 122 | else: |
paulb@154 | 123 | |
paulb@154 | 124 | # Redirect to the login URL. |
paulb@154 | 125 | |
paulb@612 | 126 | path = trans.get_path_without_query(self.path_encoding) |
paulb@451 | 127 | qs = trans.get_query_string() |
paulb@451 | 128 | if qs: |
paulb@451 | 129 | qs = "?" + qs |
paulb@506 | 130 | trans.redirect("%s?app=%s&path=%s&qs=%s" % ( |
paulb@589 | 131 | self.get_login_url(trans), |
paulb@612 | 132 | trans.encode_path(self.get_app_url(trans), self.path_encoding), |
paulb@612 | 133 | trans.encode_path(path, self.path_encoding), |
paulb@612 | 134 | trans.encode_path(qs, self.path_encoding)) |
paulb@506 | 135 | ) |
paulb@154 | 136 | |
paulb@589 | 137 | def get_app_url(self, trans): |
paulb@612 | 138 | |
paulb@612 | 139 | """ |
paulb@612 | 140 | Return the application URL, using 'trans' if necessary, in order to |
paulb@612 | 141 | provide a complete URL to redirect an authenticated user to their |
paulb@612 | 142 | originally requested page. If the application URL is empty, any |
paulb@612 | 143 | redirects will be within the same application, rather than to |
paulb@612 | 144 | potentially completely different applications residing at arbitrary |
paulb@612 | 145 | locations. |
paulb@612 | 146 | """ |
paulb@612 | 147 | |
paulb@589 | 148 | return self.app_url |
paulb@589 | 149 | |
paulb@589 | 150 | def get_login_url(self, trans): |
paulb@612 | 151 | |
paulb@612 | 152 | """ |
paulb@612 | 153 | Return the login URL, using 'trans' if necessary, in order to |
paulb@612 | 154 | provide a complete URL to redirect an authenticated user to their |
paulb@612 | 155 | originally requested page. |
paulb@612 | 156 | """ |
paulb@612 | 157 | |
paulb@589 | 158 | return self.login_url |
paulb@589 | 159 | |
paulb@612 | 160 | def show_logout(self, trans, redirect): |
paulb@154 | 161 | |
paulb@154 | 162 | """ |
paulb@154 | 163 | Write a confirmation page to 'trans' containing the 'redirect' URL which the |
paulb@154 | 164 | client should be sent to upon logout. |
paulb@154 | 165 | """ |
paulb@154 | 166 | |
paulb@154 | 167 | # When logout takes place, show the login screen. |
paulb@154 | 168 | |
paulb@452 | 169 | trans.set_content_type(WebStack.Generic.ContentType("text/html", self.encoding)) |
paulb@154 | 170 | out = trans.get_response_stream() |
paulb@612 | 171 | out.write(self.logout_page % redirect) |
paulb@612 | 172 | |
paulb@612 | 173 | logout_page = """ |
paulb@154 | 174 | <html> |
paulb@154 | 175 | <head> |
paulb@154 | 176 | <title>Logout</title> |
paulb@154 | 177 | </head> |
paulb@154 | 178 | <body> |
paulb@154 | 179 | <h1>Logout Successful</h1> |
paulb@154 | 180 | <p>Please proceed <a href="%s">to the application</a>.</p> |
paulb@154 | 181 | </body> |
paulb@154 | 182 | </html> |
paulb@612 | 183 | """ |
paulb@154 | 184 | |
paulb@154 | 185 | class LoginRedirectAuthenticator: |
paulb@154 | 186 | |
paulb@154 | 187 | """ |
paulb@154 | 188 | An authenticator which verifies the credentials provided in a special login cookie. |
paulb@154 | 189 | """ |
paulb@154 | 190 | |
paulb@154 | 191 | def __init__(self, secret_key, cookie_name=None): |
paulb@154 | 192 | |
paulb@154 | 193 | "Initialise the authenticator with a 'secret_key' and an optional 'cookie_name'." |
paulb@154 | 194 | |
paulb@154 | 195 | self.secret_key = secret_key |
paulb@154 | 196 | self.cookie_name = cookie_name or "LoginAuthenticator" |
paulb@154 | 197 | |
paulb@154 | 198 | def authenticate(self, trans): |
paulb@154 | 199 | |
paulb@155 | 200 | """ |
paulb@155 | 201 | Authenticate the originator of 'trans', updating the object if successful and |
paulb@155 | 202 | returning 1 (true) if successful, 0 (false) otherwise. |
paulb@155 | 203 | """ |
paulb@154 | 204 | |
paulb@154 | 205 | cookie = trans.get_cookie(self.cookie_name) |
paulb@154 | 206 | if cookie is None or cookie.value is None: |
paulb@154 | 207 | return 0 |
paulb@154 | 208 | |
paulb@154 | 209 | # Test the token from the cookie against a recreated token using the |
paulb@154 | 210 | # given information. |
paulb@154 | 211 | |
paulb@278 | 212 | username = cookie.value.split(":")[0] |
paulb@154 | 213 | if cookie.value == get_token(username, self.secret_key): |
paulb@154 | 214 | |
paulb@154 | 215 | # Update the transaction with the user details. |
paulb@154 | 216 | |
paulb@154 | 217 | trans.set_user(username) |
paulb@154 | 218 | return 1 |
paulb@154 | 219 | else: |
paulb@154 | 220 | return 0 |
paulb@154 | 221 | |
paulb@154 | 222 | def set_token(self, trans, username): |
paulb@154 | 223 | |
paulb@154 | 224 | "Set an authentication token in 'trans' with the given 'username'." |
paulb@154 | 225 | |
paulb@154 | 226 | trans.set_cookie_value( |
paulb@154 | 227 | self.cookie_name, |
paulb@268 | 228 | get_token(username, self.secret_key), |
paulb@268 | 229 | path="/" |
paulb@154 | 230 | ) |
paulb@154 | 231 | |
paulb@154 | 232 | # Update the transaction with the user details. |
paulb@154 | 233 | |
paulb@154 | 234 | trans.set_user(username) |
paulb@154 | 235 | |
paulb@154 | 236 | def unset_token(self, trans): |
paulb@154 | 237 | |
paulb@154 | 238 | "Unset the authentication token in 'trans'." |
paulb@154 | 239 | |
paulb@154 | 240 | trans.delete_cookie(self.cookie_name) |
paulb@154 | 241 | |
paulb@154 | 242 | # vim: tabstop=4 expandtab shiftwidth=4 |