paulb@154 | 1 | #!/usr/bin/env python |
paulb@154 | 2 | |
paulb@155 | 3 | "Login redirection resources, sending unauthenticated users to a login screen URL." |
paulb@154 | 4 | |
paulb@154 | 5 | from WebStack.Helpers.Auth import get_token |
paulb@154 | 6 | import WebStack.Generic |
paulb@154 | 7 | |
paulb@154 | 8 | class LoginRedirectResource: |
paulb@154 | 9 | |
paulb@154 | 10 | "A resource redirecting to a login URL." |
paulb@154 | 11 | |
paulb@154 | 12 | def __init__(self, login_url, app_url, resource, authenticator, anonymous_parameter_name=None, |
paulb@154 | 13 | anonymous_username="anonymous", logout_parameter_name=None, logout_url="/", |
paulb@154 | 14 | use_logout_redirect=1): |
paulb@154 | 15 | |
paulb@154 | 16 | """ |
paulb@154 | 17 | Initialise the resource with a 'login_url', an 'app_url' where the 'resource' for |
paulb@154 | 18 | the application being protected should be reachable, and an 'authenticator'. |
paulb@154 | 19 | |
paulb@154 | 20 | If the optional 'anonymous_parameter_name' is set, clients providing a parameter |
paulb@154 | 21 | of that name in the URL will not be authenticated, but then such clients will get |
paulb@154 | 22 | a predefined user identity associated with them, configurable using the optional |
paulb@154 | 23 | 'anonymous_username'. |
paulb@154 | 24 | |
paulb@154 | 25 | If the optional 'logout_parameter_name' is set, clients providing a parameter of |
paulb@154 | 26 | that name in the URL will become logged out. After logging out, clients are |
paulb@154 | 27 | redirected to a location which can be configured by the optional 'logout_url'. |
paulb@154 | 28 | |
paulb@154 | 29 | If the optional 'use_logout_redirect' flag is set to 0, a confirmation screen is |
paulb@154 | 30 | given instead of redirecting the user to the 'logout_url'. |
paulb@154 | 31 | """ |
paulb@154 | 32 | |
paulb@154 | 33 | self.login_url = login_url |
paulb@154 | 34 | self.app_url = app_url |
paulb@154 | 35 | self.resource = resource |
paulb@154 | 36 | self.authenticator = authenticator |
paulb@154 | 37 | self.anonymous_parameter_name = anonymous_parameter_name |
paulb@154 | 38 | self.anonymous_username = anonymous_username |
paulb@154 | 39 | self.logout_parameter_name = logout_parameter_name |
paulb@154 | 40 | self.logout_url = logout_url |
paulb@154 | 41 | self.use_logout_redirect = use_logout_redirect |
paulb@154 | 42 | |
paulb@154 | 43 | def respond(self, trans): |
paulb@154 | 44 | |
paulb@154 | 45 | "Respond using the given transaction 'trans'." |
paulb@154 | 46 | |
paulb@154 | 47 | fields_path = trans.get_fields_from_path() |
paulb@154 | 48 | |
paulb@154 | 49 | # Check for the logout parameter, if appropriate. |
paulb@154 | 50 | |
paulb@154 | 51 | if self.logout_parameter_name is not None and fields_path.has_key(self.logout_parameter_name): |
paulb@154 | 52 | |
paulb@154 | 53 | # Remove the special cookie token, then pass on the transaction. |
paulb@154 | 54 | |
paulb@154 | 55 | self.authenticator.unset_token(trans) |
paulb@154 | 56 | |
paulb@154 | 57 | # Redirect to the logout URL. |
paulb@154 | 58 | |
paulb@154 | 59 | if self.use_logout_redirect: |
paulb@154 | 60 | trans.set_header_value("Location", self.logout_url) |
paulb@154 | 61 | trans.set_response_code(307) |
paulb@154 | 62 | |
paulb@154 | 63 | # Show the logout confirmation anyway. |
paulb@154 | 64 | |
paulb@154 | 65 | self._show_logout(trans, self.logout_url) |
paulb@154 | 66 | |
paulb@154 | 67 | # Check the authentication details with the specified authenticator. |
paulb@154 | 68 | |
paulb@154 | 69 | elif self.authenticator.authenticate(trans): |
paulb@154 | 70 | |
paulb@154 | 71 | # If successful, pass on the transaction. |
paulb@154 | 72 | |
paulb@154 | 73 | self.resource.respond(trans) |
paulb@154 | 74 | |
paulb@154 | 75 | # Check for the anonymous parameter, if appropriate. |
paulb@154 | 76 | |
paulb@154 | 77 | elif self.anonymous_parameter_name is not None and fields_path.has_key(self.anonymous_parameter_name): |
paulb@154 | 78 | |
paulb@154 | 79 | # Make a special cookie token, then pass on the transaction. |
paulb@154 | 80 | |
paulb@154 | 81 | self.authenticator.set_token(trans, self.anonymous_username) |
paulb@154 | 82 | self.resource.respond(trans) |
paulb@154 | 83 | |
paulb@154 | 84 | else: |
paulb@154 | 85 | |
paulb@154 | 86 | # Redirect to the login URL. |
paulb@154 | 87 | |
paulb@154 | 88 | trans.set_header_value("Location", "%s?redirect=%s%s" % ( |
paulb@154 | 89 | self.login_url, self.app_url, self._encode(trans.get_path())) |
paulb@154 | 90 | ) |
paulb@154 | 91 | trans.set_response_code(307) |
paulb@154 | 92 | |
paulb@154 | 93 | def _encode(self, url): |
paulb@154 | 94 | |
paulb@154 | 95 | "Encode the given 'url' for redirection purposes." |
paulb@154 | 96 | |
paulb@154 | 97 | return url.replace("?", "%3f").replace("&", "%26") |
paulb@154 | 98 | |
paulb@154 | 99 | def _show_logout(self, trans, redirect): |
paulb@154 | 100 | |
paulb@154 | 101 | """ |
paulb@154 | 102 | Write a confirmation page to 'trans' containing the 'redirect' URL which the |
paulb@154 | 103 | client should be sent to upon logout. |
paulb@154 | 104 | """ |
paulb@154 | 105 | |
paulb@154 | 106 | # When logout takes place, show the login screen. |
paulb@154 | 107 | |
paulb@154 | 108 | trans.set_content_type(WebStack.Generic.ContentType("text/html")) |
paulb@154 | 109 | out = trans.get_response_stream() |
paulb@154 | 110 | out.write(""" |
paulb@154 | 111 | <html> |
paulb@154 | 112 | <head> |
paulb@154 | 113 | <title>Logout</title> |
paulb@154 | 114 | </head> |
paulb@154 | 115 | <body> |
paulb@154 | 116 | <h1>Logout Successful</h1> |
paulb@154 | 117 | <p>Please proceed <a href="%s">to the application</a>.</p> |
paulb@154 | 118 | </body> |
paulb@154 | 119 | </html> |
paulb@154 | 120 | """ % redirect) |
paulb@154 | 121 | |
paulb@154 | 122 | class LoginRedirectAuthenticator: |
paulb@154 | 123 | |
paulb@154 | 124 | """ |
paulb@154 | 125 | An authenticator which verifies the credentials provided in a special login cookie. |
paulb@154 | 126 | """ |
paulb@154 | 127 | |
paulb@154 | 128 | def __init__(self, secret_key, cookie_name=None): |
paulb@154 | 129 | |
paulb@154 | 130 | "Initialise the authenticator with a 'secret_key' and an optional 'cookie_name'." |
paulb@154 | 131 | |
paulb@154 | 132 | self.secret_key = secret_key |
paulb@154 | 133 | self.cookie_name = cookie_name or "LoginAuthenticator" |
paulb@154 | 134 | |
paulb@154 | 135 | def authenticate(self, trans): |
paulb@154 | 136 | |
paulb@155 | 137 | """ |
paulb@155 | 138 | Authenticate the originator of 'trans', updating the object if successful and |
paulb@155 | 139 | returning 1 (true) if successful, 0 (false) otherwise. |
paulb@155 | 140 | """ |
paulb@154 | 141 | |
paulb@154 | 142 | cookie = trans.get_cookie(self.cookie_name) |
paulb@154 | 143 | if cookie is None or cookie.value is None: |
paulb@154 | 144 | return 0 |
paulb@154 | 145 | |
paulb@154 | 146 | # Test the token from the cookie against a recreated token using the |
paulb@154 | 147 | # given information. |
paulb@154 | 148 | |
paulb@154 | 149 | username, code = cookie.value.split(":") |
paulb@154 | 150 | if cookie.value == get_token(username, self.secret_key): |
paulb@154 | 151 | |
paulb@154 | 152 | # Update the transaction with the user details. |
paulb@154 | 153 | |
paulb@154 | 154 | trans.set_user(username) |
paulb@154 | 155 | return 1 |
paulb@154 | 156 | else: |
paulb@154 | 157 | return 0 |
paulb@154 | 158 | |
paulb@154 | 159 | def set_token(self, trans, username): |
paulb@154 | 160 | |
paulb@154 | 161 | "Set an authentication token in 'trans' with the given 'username'." |
paulb@154 | 162 | |
paulb@154 | 163 | trans.set_cookie_value( |
paulb@154 | 164 | self.cookie_name, |
paulb@154 | 165 | get_token(username, self.secret_key) |
paulb@154 | 166 | ) |
paulb@154 | 167 | |
paulb@154 | 168 | # Update the transaction with the user details. |
paulb@154 | 169 | |
paulb@154 | 170 | trans.set_user(username) |
paulb@154 | 171 | |
paulb@154 | 172 | def unset_token(self, trans): |
paulb@154 | 173 | |
paulb@154 | 174 | "Unset the authentication token in 'trans'." |
paulb@154 | 175 | |
paulb@154 | 176 | trans.delete_cookie(self.cookie_name) |
paulb@154 | 177 | |
paulb@154 | 178 | # vim: tabstop=4 expandtab shiftwidth=4 |