paulb@155 | 1 | #!/usr/bin/env python |
paulb@155 | 2 | |
paulb@155 | 3 | "Login resources which redirect clients back to an application after a successful login." |
paulb@155 | 4 | |
paulb@155 | 5 | import WebStack.Generic |
paulb@155 | 6 | from WebStack.Helpers.Auth import get_token |
paulb@155 | 7 | |
paulb@155 | 8 | class LoginResource: |
paulb@155 | 9 | |
paulb@155 | 10 | "A resource providing a login screen." |
paulb@155 | 11 | |
paulb@155 | 12 | def __init__(self, authenticator, use_redirect=1): |
paulb@155 | 13 | |
paulb@155 | 14 | """ |
paulb@155 | 15 | Initialise the resource with an 'authenticator'. |
paulb@155 | 16 | |
paulb@155 | 17 | If the optional 'use_redirect' flag is set to 0, a confirmation screen is given |
paulb@155 | 18 | instead of redirecting the user back to the original application. |
paulb@155 | 19 | """ |
paulb@155 | 20 | |
paulb@155 | 21 | self.authenticator = authenticator |
paulb@155 | 22 | self.use_redirect = use_redirect |
paulb@155 | 23 | |
paulb@155 | 24 | def respond(self, trans): |
paulb@155 | 25 | |
paulb@155 | 26 | "Respond using the transaction 'trans'." |
paulb@155 | 27 | |
paulb@155 | 28 | fields_path = trans.get_fields_from_path() |
paulb@155 | 29 | fields_body = trans.get_fields_from_body() |
paulb@155 | 30 | |
paulb@155 | 31 | # NOTE: Handle missing redirects better. |
paulb@155 | 32 | |
paulb@155 | 33 | if fields_body.has_key("redirect"): |
paulb@155 | 34 | redirects = fields_body["redirect"] |
paulb@155 | 35 | redirect = redirects[0] |
paulb@155 | 36 | elif fields_path.has_key("redirect"): |
paulb@155 | 37 | redirects = fields_path["redirect"] |
paulb@155 | 38 | redirect = redirects[0] |
paulb@155 | 39 | else: |
paulb@155 | 40 | redirect = "" |
paulb@155 | 41 | |
paulb@155 | 42 | # Check for a submitted login form. |
paulb@155 | 43 | |
paulb@155 | 44 | if fields_body.has_key("login"): |
paulb@155 | 45 | if self.authenticator.authenticate(trans): |
paulb@155 | 46 | self._redirect(trans, redirect) |
paulb@155 | 47 | return |
paulb@155 | 48 | |
paulb@155 | 49 | # Otherwise, show the login form. |
paulb@155 | 50 | |
paulb@155 | 51 | self._show_login(trans, redirect) |
paulb@155 | 52 | |
paulb@155 | 53 | def _redirect(self, trans, redirect): |
paulb@155 | 54 | |
paulb@155 | 55 | "Redirect the client using 'trans' and the given 'redirect' URL." |
paulb@155 | 56 | |
paulb@155 | 57 | if self.use_redirect: |
paulb@155 | 58 | trans.set_header_value("Location", redirect) |
paulb@208 | 59 | trans.set_response_code(302) # was 307 |
paulb@155 | 60 | |
paulb@155 | 61 | # Show the success page anyway. |
paulb@155 | 62 | |
paulb@155 | 63 | self._show_success(trans, redirect) |
paulb@155 | 64 | |
paulb@155 | 65 | def _show_login(self, trans, redirect): |
paulb@155 | 66 | |
paulb@155 | 67 | """ |
paulb@155 | 68 | Writes a login screen using the transaction 'trans', including details of the |
paulb@155 | 69 | 'redirect' URL which the client was attempting to access. |
paulb@155 | 70 | """ |
paulb@155 | 71 | |
paulb@155 | 72 | trans.set_content_type(WebStack.Generic.ContentType("text/html")) |
paulb@155 | 73 | out = trans.get_response_stream() |
paulb@155 | 74 | out.write(""" |
paulb@155 | 75 | <html> |
paulb@155 | 76 | <head> |
paulb@155 | 77 | <title>Login Example</title> |
paulb@155 | 78 | </head> |
paulb@155 | 79 | <body> |
paulb@155 | 80 | <h1>Login</h1> |
paulb@155 | 81 | <form method="POST"> |
paulb@155 | 82 | <p>Username: <input name="username" type="text" size="12"/></p> |
paulb@155 | 83 | <p>Password: <input name="password" type="text" size="12"/></p> |
paulb@155 | 84 | <p><input name="login" type="submit" value="Login"/></p> |
paulb@155 | 85 | <input name="redirect" type="hidden" value="%s"/> |
paulb@155 | 86 | </form> |
paulb@155 | 87 | </body> |
paulb@155 | 88 | </html> |
paulb@155 | 89 | """ % redirect) |
paulb@155 | 90 | |
paulb@155 | 91 | def _show_success(self, trans, redirect): |
paulb@155 | 92 | |
paulb@155 | 93 | # When authentication fails or is yet to take place, show the login |
paulb@155 | 94 | # screen. |
paulb@155 | 95 | |
paulb@155 | 96 | trans.set_content_type(WebStack.Generic.ContentType("text/html")) |
paulb@155 | 97 | out = trans.get_response_stream() |
paulb@155 | 98 | out.write(""" |
paulb@155 | 99 | <html> |
paulb@155 | 100 | <head> |
paulb@155 | 101 | <title>Login Example</title> |
paulb@155 | 102 | </head> |
paulb@155 | 103 | <body> |
paulb@155 | 104 | <h1>Login Successful</h1> |
paulb@155 | 105 | <p>Please proceed <a href="%s">to the application</a>.</p> |
paulb@155 | 106 | </body> |
paulb@155 | 107 | </html> |
paulb@155 | 108 | """ % redirect) |
paulb@155 | 109 | |
paulb@155 | 110 | def _decode(self, url): |
paulb@155 | 111 | |
paulb@155 | 112 | "Decode the given 'url' for redirection purposes." |
paulb@155 | 113 | |
paulb@155 | 114 | return url.replace("%3f", "?").replace("%26", "&") |
paulb@155 | 115 | |
paulb@155 | 116 | class LoginAuthenticator: |
paulb@155 | 117 | |
paulb@155 | 118 | def __init__(self, secret_key, credentials, cookie_name=None): |
paulb@155 | 119 | |
paulb@155 | 120 | """ |
paulb@155 | 121 | Initialise the authenticator with a 'secret_key', the authenticator's registry of |
paulb@155 | 122 | 'credentials' and an optional 'cookie_name'. |
paulb@155 | 123 | |
paulb@155 | 124 | The 'credentials' must be an object which supports tests of the form |
paulb@155 | 125 | '(username, password) in credentials'. |
paulb@155 | 126 | """ |
paulb@155 | 127 | |
paulb@155 | 128 | self.secret_key = secret_key |
paulb@155 | 129 | self.credentials = credentials |
paulb@155 | 130 | self.cookie_name = cookie_name or "LoginAuthenticator" |
paulb@155 | 131 | |
paulb@155 | 132 | def authenticate(self, trans): |
paulb@155 | 133 | |
paulb@155 | 134 | """ |
paulb@155 | 135 | Authenticate the sender of the transaction 'trans', returning 1 (true) if they are |
paulb@155 | 136 | recognised, 0 (false) otherwise. |
paulb@155 | 137 | """ |
paulb@155 | 138 | |
paulb@155 | 139 | # Process any supplied parameters. |
paulb@155 | 140 | |
paulb@155 | 141 | fields = trans.get_fields_from_body() |
paulb@155 | 142 | |
paulb@155 | 143 | if fields.has_key("username") and fields.has_key("password"): |
paulb@155 | 144 | usernames, passwords = fields["username"], fields["password"] |
paulb@155 | 145 | |
paulb@155 | 146 | # Insist on only one username and password. |
paulb@155 | 147 | |
paulb@155 | 148 | if len(usernames) == 1 and len(passwords) == 1: |
paulb@155 | 149 | username, password = usernames[0], passwords[0] |
paulb@155 | 150 | |
paulb@155 | 151 | # Check against the class's credentials. |
paulb@155 | 152 | |
paulb@155 | 153 | if (username, password) in self.credentials: |
paulb@155 | 154 | |
paulb@155 | 155 | # Make a special cookie token. |
paulb@155 | 156 | |
paulb@155 | 157 | self.set_token(trans, username) |
paulb@155 | 158 | return 1 |
paulb@155 | 159 | |
paulb@155 | 160 | return 0 |
paulb@155 | 161 | |
paulb@155 | 162 | def set_token(self, trans, username): |
paulb@155 | 163 | |
paulb@155 | 164 | "Set an authentication token in 'trans' with the given 'username'." |
paulb@155 | 165 | |
paulb@155 | 166 | trans.set_cookie_value( |
paulb@155 | 167 | self.cookie_name, |
paulb@268 | 168 | get_token(username, self.secret_key), |
paulb@268 | 169 | path="/" |
paulb@155 | 170 | ) |
paulb@155 | 171 | |
paulb@155 | 172 | # vim: tabstop=4 expandtab shiftwidth=4 |