paulb@733 | 1 | #!/usr/bin/env python |
paulb@733 | 2 | |
paulb@733 | 3 | """ |
paulb@733 | 4 | OpenID provider login resources which redirect clients back to the application |
paulb@733 | 5 | ("relying party"). |
paulb@733 | 6 | |
paulb@733 | 7 | Copyright (C) 2004, 2005, 2006, 2007 Paul Boddie <paul@boddie.org.uk> |
paulb@733 | 8 | |
paulb@733 | 9 | This library is free software; you can redistribute it and/or |
paulb@733 | 10 | modify it under the terms of the GNU Lesser General Public |
paulb@733 | 11 | License as published by the Free Software Foundation; either |
paulb@733 | 12 | version 2.1 of the License, or (at your option) any later version. |
paulb@733 | 13 | |
paulb@733 | 14 | This library is distributed in the hope that it will be useful, |
paulb@733 | 15 | but WITHOUT ANY WARRANTY; without even the implied warranty of |
paulb@733 | 16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
paulb@733 | 17 | Lesser General Public License for more details. |
paulb@733 | 18 | |
paulb@733 | 19 | You should have received a copy of the GNU Lesser General Public |
paulb@733 | 20 | License along with this library; if not, write to the Free Software |
paulb@733 | 21 | Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA |
paulb@733 | 22 | """ |
paulb@733 | 23 | |
paulb@733 | 24 | import WebStack.Generic |
paulb@733 | 25 | from WebStack.Helpers.Auth import Authenticator, check_openid_signature, make_openid_signature |
paulb@733 | 26 | import datetime |
paulb@733 | 27 | import time |
paulb@733 | 28 | import random |
paulb@733 | 29 | |
paulb@733 | 30 | class OpenIDLoginResource: |
paulb@733 | 31 | |
paulb@733 | 32 | "A resource providing a login screen." |
paulb@733 | 33 | |
paulb@733 | 34 | encoding = "utf-8" |
paulb@733 | 35 | openid_ns = "http://specs.openid.net/auth/2.0" |
paulb@733 | 36 | |
paulb@733 | 37 | def __init__(self, app_url, authenticator, associations=None, use_redirect=1, urlencoding=None, encoding=None): |
paulb@733 | 38 | |
paulb@733 | 39 | """ |
paulb@733 | 40 | Initialise the resource with the application URL 'app_url' and an |
paulb@733 | 41 | 'authenticator'. |
paulb@733 | 42 | |
paulb@733 | 43 | The optional 'associations' is a mapping from association handles to |
paulb@733 | 44 | secret keys. |
paulb@733 | 45 | |
paulb@733 | 46 | If the optional 'use_redirect' flag is set to 0, a confirmation screen |
paulb@733 | 47 | is given instead of redirecting the user back to the original |
paulb@733 | 48 | application. |
paulb@733 | 49 | |
paulb@733 | 50 | The optional 'urlencoding' parameter allows a special encoding to be |
paulb@733 | 51 | used in producing the redirection path. |
paulb@733 | 52 | |
paulb@733 | 53 | The optional 'encoding' parameter allows a special encoding to be used |
paulb@733 | 54 | in producing the login pages. |
paulb@733 | 55 | |
paulb@733 | 56 | To change the pages employed by this resource, either redefine the |
paulb@733 | 57 | 'login_page' and 'success_page' attributes in instances of this class or |
paulb@733 | 58 | a subclass, or override the 'show_login' and 'show_success' methods. |
paulb@733 | 59 | """ |
paulb@733 | 60 | |
paulb@733 | 61 | self.app_url = app_url |
paulb@733 | 62 | self.authenticator = authenticator |
paulb@733 | 63 | self.associations = associations or {} |
paulb@733 | 64 | self.use_redirect = use_redirect |
paulb@733 | 65 | self.urlencoding = urlencoding |
paulb@733 | 66 | self.encoding = encoding or self.encoding |
paulb@733 | 67 | |
paulb@733 | 68 | def respond(self, trans): |
paulb@733 | 69 | |
paulb@733 | 70 | "Respond using the transaction 'trans'." |
paulb@733 | 71 | |
paulb@733 | 72 | # Check for a submitted login form. |
paulb@733 | 73 | |
paulb@733 | 74 | fields_body = trans.get_fields_from_body(self.encoding) |
paulb@733 | 75 | |
paulb@733 | 76 | if fields_body.has_key("login"): |
paulb@733 | 77 | |
paulb@733 | 78 | # Check a combination of local identifier and username together with |
paulb@733 | 79 | # the password. |
paulb@733 | 80 | |
paulb@733 | 81 | claimed_id = fields_body.get("claimed_id", [""])[0] |
paulb@733 | 82 | local_id = fields_body.get("local_id", [""])[0] |
paulb@733 | 83 | username = fields_body.get("username", [""])[0] |
paulb@733 | 84 | password = fields_body.get("password", [""])[0] |
paulb@733 | 85 | app = fields_body.get("app", [""])[0] |
paulb@733 | 86 | |
paulb@736 | 87 | # NOTE: Permit flexibility in the credentials. |
paulb@736 | 88 | |
paulb@733 | 89 | if self.authenticator.authenticate(trans, (local_id, username), password): |
paulb@733 | 90 | self._redirect(trans, claimed_id, local_id, username, app) |
paulb@733 | 91 | # The above method does not return. |
paulb@733 | 92 | |
paulb@733 | 93 | # Check for an OpenID signature verification request. |
paulb@733 | 94 | |
paulb@733 | 95 | elif fields_body.get("openid.mode", [None])[0] == "check_authentication": |
paulb@733 | 96 | |
paulb@733 | 97 | # Obtain the secret key from recorded associations. |
paulb@733 | 98 | |
paulb@733 | 99 | handle = fields_body.get("openid.assoc_handle", [None])[0] |
paulb@733 | 100 | if handle is not None and self.associations.has_key(handle): |
paulb@733 | 101 | valid = check_openid_signature(fields_body, self.associations[handle]) |
paulb@733 | 102 | del self.associations[handle] |
paulb@733 | 103 | else: |
paulb@733 | 104 | valid = 0 |
paulb@733 | 105 | |
paulb@733 | 106 | # Produce a response for this request. |
paulb@733 | 107 | |
paulb@733 | 108 | self.show_verification(trans, valid) |
paulb@733 | 109 | # The above method does not return. |
paulb@733 | 110 | |
paulb@736 | 111 | # NOTE: Permit association requests here. |
paulb@736 | 112 | |
paulb@733 | 113 | # Otherwise, show the login form. |
paulb@733 | 114 | |
paulb@733 | 115 | fields_path = trans.get_fields_from_path(self.urlencoding) |
paulb@733 | 116 | app = fields_path.get("openid.return_to", [""])[0] |
paulb@733 | 117 | claimed_id = fields_path.get("openid.claimed_id", [""])[0] |
paulb@733 | 118 | local_id = fields_path.get("openid.identity", [""])[0] |
paulb@733 | 119 | |
paulb@733 | 120 | self.show_login(trans, app, claimed_id, local_id) |
paulb@733 | 121 | |
paulb@733 | 122 | def _redirect(self, trans, claimed_id, local_id, username, app): |
paulb@733 | 123 | |
paulb@733 | 124 | """ |
paulb@733 | 125 | Redirect the client using 'trans', 'claimed_id', 'local_id', 'username' |
paulb@733 | 126 | and the given 'app' details. |
paulb@733 | 127 | """ |
paulb@733 | 128 | |
paulb@733 | 129 | app_url = self.app_url + trans.get_path_without_query(self.urlencoding) |
paulb@733 | 130 | |
paulb@733 | 131 | # Make an association that can be used in signature verification. |
paulb@733 | 132 | # NOTE: Probably need to consider the secret key a bit more. |
paulb@733 | 133 | |
paulb@733 | 134 | handle = username + str(time.time()) |
paulb@733 | 135 | secret_key = str(random.randint(0, 999999999)) |
paulb@733 | 136 | self.associations[handle] = secret_key |
paulb@733 | 137 | |
paulb@733 | 138 | # Make a timestamp. |
paulb@733 | 139 | |
paulb@733 | 140 | now = datetime.datetime.utcnow() |
paulb@733 | 141 | timestamp = now.strftime("%Y-%m-%dT%H:%M:%SZ") + str(now.microsecond) |
paulb@733 | 142 | |
paulb@733 | 143 | # Make a signature. |
paulb@733 | 144 | |
paulb@733 | 145 | signed_names = ["op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"] |
paulb@733 | 146 | fields = { |
paulb@733 | 147 | "openid.op_endpoint" : [app_url], |
paulb@733 | 148 | "openid.return_to" : [app], |
paulb@733 | 149 | "openid.response_nonce" : [timestamp], |
paulb@733 | 150 | "openid.assoc_handle" : [handle], |
paulb@733 | 151 | "openid.claimed_id" : [claimed_id], |
paulb@733 | 152 | "openid.identity" : [local_id] |
paulb@733 | 153 | } |
paulb@733 | 154 | |
paulb@733 | 155 | signature = make_openid_signature(signed_names, fields, secret_key) |
paulb@733 | 156 | |
paulb@733 | 157 | # Build an URL for returning to the application. |
paulb@733 | 158 | |
paulb@733 | 159 | url = "%s?openid.ns=%s&openid.mode=%s&openid.signed=%s&openid.sig=%s" % ( |
paulb@733 | 160 | app, |
paulb@733 | 161 | trans.encode_path(self.openid_ns, self.urlencoding), |
paulb@733 | 162 | trans.encode_path("id_res", self.urlencoding), |
paulb@733 | 163 | trans.encode_path(",".join(signed_names), self.urlencoding), |
paulb@733 | 164 | trans.encode_path(signature, self.urlencoding) |
paulb@733 | 165 | ) |
paulb@733 | 166 | |
paulb@733 | 167 | for name, value in fields.items(): |
paulb@733 | 168 | url += "&%s=%s" % (name, trans.encode_path(value[0], self.urlencoding)) |
paulb@733 | 169 | |
paulb@733 | 170 | # Show the success page anyway. |
paulb@736 | 171 | # NOTE: Offer a POST-based form for redirection. |
paulb@733 | 172 | |
paulb@733 | 173 | self.show_success(trans, url) |
paulb@733 | 174 | if self.use_redirect: |
paulb@733 | 175 | trans.redirect(url) |
paulb@733 | 176 | else: |
paulb@733 | 177 | raise WebStack.Generic.EndOfResponse |
paulb@733 | 178 | |
paulb@733 | 179 | def show_verification(self, trans, status): |
paulb@733 | 180 | |
paulb@733 | 181 | """ |
paulb@733 | 182 | Writes a signature verification response using the transaction 'trans' |
paulb@733 | 183 | and the 'status' of the verification. |
paulb@733 | 184 | """ |
paulb@733 | 185 | |
paulb@733 | 186 | trans.set_content_type(WebStack.Generic.ContentType("text/plain")) |
paulb@733 | 187 | out = trans.get_response_stream() |
paulb@733 | 188 | |
paulb@733 | 189 | # NOTE: Need to use invalidate_handle, too. |
paulb@733 | 190 | |
paulb@733 | 191 | if status: |
paulb@733 | 192 | status_str = "true" |
paulb@733 | 193 | else: |
paulb@733 | 194 | status_str = "false" |
paulb@733 | 195 | out.write("ns:%s\nis_valid:%s\n" % (self.openid_ns, status_str)) |
paulb@733 | 196 | raise WebStack.Generic.EndOfResponse |
paulb@733 | 197 | |
paulb@733 | 198 | def show_login(self, trans, app, claimed_id, local_id): |
paulb@733 | 199 | |
paulb@733 | 200 | """ |
paulb@733 | 201 | Writes a login screen using the transaction 'trans', including details |
paulb@733 | 202 | of the 'app' which the client was attempting to access, along with the |
paulb@733 | 203 | 'claimed_id' and 'local_id'. |
paulb@733 | 204 | """ |
paulb@733 | 205 | |
paulb@733 | 206 | trans.set_content_type(WebStack.Generic.ContentType("text/html", self.encoding)) |
paulb@733 | 207 | out = trans.get_response_stream() |
paulb@733 | 208 | out.write(self.login_page % (app, claimed_id, local_id)) |
paulb@733 | 209 | |
paulb@733 | 210 | def show_success(self, trans, app): |
paulb@733 | 211 | |
paulb@733 | 212 | """ |
paulb@733 | 213 | Writes a success screen using the transaction 'trans', including details |
paulb@733 | 214 | of the 'app' which the client was attempting to access. |
paulb@733 | 215 | """ |
paulb@733 | 216 | |
paulb@733 | 217 | trans.set_content_type(WebStack.Generic.ContentType("text/html", self.encoding)) |
paulb@733 | 218 | out = trans.get_response_stream() |
paulb@733 | 219 | out.write(self.success_page % (app, app)) |
paulb@733 | 220 | |
paulb@733 | 221 | login_page = """ |
paulb@733 | 222 | <html> |
paulb@733 | 223 | <head> |
paulb@733 | 224 | <title>Login</title> |
paulb@733 | 225 | </head> |
paulb@733 | 226 | <body> |
paulb@733 | 227 | <h1>Login</h1> |
paulb@733 | 228 | <form method="POST"> |
paulb@733 | 229 | <p>Username: <input name="username" type="text" size="12"/></p> |
paulb@733 | 230 | <p>Password: <input name="password" type="password" size="12"/></p> |
paulb@733 | 231 | <p><input name="login" type="submit" value="Login"/></p> |
paulb@733 | 232 | <input name="app" type="hidden" value="%s"/> |
paulb@733 | 233 | <input name="claimed_id" type="hidden" value="%s"/> |
paulb@733 | 234 | <input name="local_id" type="hidden" value="%s"/> |
paulb@733 | 235 | </form> |
paulb@733 | 236 | </body> |
paulb@733 | 237 | </html> |
paulb@733 | 238 | """ |
paulb@733 | 239 | |
paulb@733 | 240 | success_page = """ |
paulb@733 | 241 | <html> |
paulb@733 | 242 | <head> |
paulb@733 | 243 | <title>Login Example</title> |
paulb@733 | 244 | </head> |
paulb@733 | 245 | <body> |
paulb@733 | 246 | <h1>Login Successful</h1> |
paulb@733 | 247 | <p>Please proceed to the application: <a href="%s">%s</a></p> |
paulb@733 | 248 | </body> |
paulb@733 | 249 | </html> |
paulb@733 | 250 | """ |
paulb@733 | 251 | |
paulb@733 | 252 | # vim: tabstop=4 expandtab shiftwidth=4 |