paulb@733 | 1 | #!/usr/bin/env python |
paulb@733 | 2 | |
paulb@733 | 3 | """ |
paulb@733 | 4 | OpenID provider login resources which redirect clients back to the application |
paulb@733 | 5 | ("relying party"). |
paulb@733 | 6 | |
paulb@733 | 7 | Copyright (C) 2004, 2005, 2006, 2007 Paul Boddie <paul@boddie.org.uk> |
paulb@733 | 8 | |
paulb@733 | 9 | This library is free software; you can redistribute it and/or |
paulb@733 | 10 | modify it under the terms of the GNU Lesser General Public |
paulb@733 | 11 | License as published by the Free Software Foundation; either |
paulb@733 | 12 | version 2.1 of the License, or (at your option) any later version. |
paulb@733 | 13 | |
paulb@733 | 14 | This library is distributed in the hope that it will be useful, |
paulb@733 | 15 | but WITHOUT ANY WARRANTY; without even the implied warranty of |
paulb@733 | 16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
paulb@733 | 17 | Lesser General Public License for more details. |
paulb@733 | 18 | |
paulb@733 | 19 | You should have received a copy of the GNU Lesser General Public |
paulb@733 | 20 | License along with this library; if not, write to the Free Software |
paulb@733 | 21 | Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA |
paulb@733 | 22 | """ |
paulb@733 | 23 | |
paulb@733 | 24 | import WebStack.Generic |
paulb@733 | 25 | from WebStack.Helpers.Auth import Authenticator, check_openid_signature, make_openid_signature |
paulb@733 | 26 | import datetime |
paulb@733 | 27 | import time |
paulb@733 | 28 | import random |
paulb@740 | 29 | import cgi # for escape |
paulb@733 | 30 | |
paulb@742 | 31 | class OpenIDLoginUtils: |
paulb@733 | 32 | |
paulb@742 | 33 | "Utilities for OpenID login screens which may be inherited." |
paulb@733 | 34 | |
paulb@742 | 35 | openid_ns = "http://specs.openid.net/auth/2.0" |
paulb@742 | 36 | signed_names = ["op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"] |
paulb@733 | 37 | |
paulb@742 | 38 | def __init__(self, associations=None, use_redirect=1): |
paulb@733 | 39 | self.associations = associations or {} |
paulb@733 | 40 | self.use_redirect = use_redirect |
paulb@733 | 41 | |
paulb@742 | 42 | def urlencode(self, trans, value): |
paulb@742 | 43 | if not trans.default_charset: |
paulb@742 | 44 | return trans.encode_path(value, self.urlencoding) |
paulb@742 | 45 | else: |
paulb@742 | 46 | return trans.encode_path(value) |
paulb@733 | 47 | |
paulb@742 | 48 | def get_openid_fields(self, trans, claimed_id, local_id, username, return_to, endpoint): |
paulb@733 | 49 | |
paulb@733 | 50 | # Make an association that can be used in signature verification. |
paulb@733 | 51 | # NOTE: Probably need to consider the secret key a bit more. |
paulb@733 | 52 | |
paulb@733 | 53 | handle = username + str(time.time()) |
paulb@733 | 54 | secret_key = str(random.randint(0, 999999999)) |
paulb@733 | 55 | self.associations[handle] = secret_key |
paulb@733 | 56 | |
paulb@733 | 57 | # Make a timestamp. |
paulb@733 | 58 | |
paulb@733 | 59 | now = datetime.datetime.utcnow() |
paulb@733 | 60 | timestamp = now.strftime("%Y-%m-%dT%H:%M:%SZ") + str(now.microsecond) |
paulb@733 | 61 | |
paulb@733 | 62 | # Make a signature. |
paulb@733 | 63 | |
paulb@733 | 64 | fields = { |
paulb@742 | 65 | "openid.ns" : [self.openid_ns], |
paulb@742 | 66 | "openid.mode" : ["id_res"], |
paulb@742 | 67 | "openid.signed" : [",".join(self.signed_names)], |
paulb@742 | 68 | "openid.op_endpoint" : [endpoint], |
paulb@742 | 69 | "openid.return_to" : [return_to], |
paulb@733 | 70 | "openid.response_nonce" : [timestamp], |
paulb@733 | 71 | "openid.assoc_handle" : [handle], |
paulb@733 | 72 | "openid.claimed_id" : [claimed_id], |
paulb@733 | 73 | "openid.identity" : [local_id] |
paulb@733 | 74 | } |
paulb@742 | 75 | signature = make_openid_signature(self.signed_names, fields, secret_key) |
paulb@742 | 76 | fields["openid.sig"] = [signature] |
paulb@733 | 77 | |
paulb@742 | 78 | return fields |
paulb@742 | 79 | |
paulb@742 | 80 | def get_openid_url(self, trans, fields): |
paulb@733 | 81 | |
paulb@733 | 82 | # Build an URL for returning to the application. |
paulb@733 | 83 | |
paulb@742 | 84 | url = "%s?" % fields["openid.return_to"][0] |
paulb@742 | 85 | |
paulb@742 | 86 | first = 1 |
paulb@742 | 87 | for name, value in fields.items(): |
paulb@742 | 88 | if not first: |
paulb@742 | 89 | url += "&" |
paulb@742 | 90 | url += "%s=%s" % (name, self.urlencode(trans, value[0])) |
paulb@742 | 91 | first = 0 |
paulb@733 | 92 | |
paulb@742 | 93 | return url |
paulb@742 | 94 | |
paulb@742 | 95 | def redirect_to_application(self, trans, claimed_id, local_id, username, return_to, endpoint): |
paulb@742 | 96 | |
paulb@742 | 97 | """ |
paulb@742 | 98 | Redirect the client using 'trans', 'claimed_id', 'local_id', 'username' |
paulb@742 | 99 | and the given 'return_to' and 'endpoint' details. |
paulb@742 | 100 | """ |
paulb@742 | 101 | |
paulb@742 | 102 | fields = self.get_openid_fields(trans, claimed_id, local_id, username, return_to, endpoint) |
paulb@742 | 103 | url = self.get_openid_url(trans, fields) |
paulb@733 | 104 | |
paulb@733 | 105 | # Show the success page anyway. |
paulb@738 | 106 | # Offer a POST-based form for redirection. |
paulb@733 | 107 | |
paulb@742 | 108 | self.show_success(trans, fields) |
paulb@733 | 109 | if self.use_redirect: |
paulb@733 | 110 | trans.redirect(url) |
paulb@733 | 111 | else: |
paulb@733 | 112 | raise WebStack.Generic.EndOfResponse |
paulb@733 | 113 | |
paulb@733 | 114 | def show_verification(self, trans, status): |
paulb@733 | 115 | |
paulb@733 | 116 | """ |
paulb@733 | 117 | Writes a signature verification response using the transaction 'trans' |
paulb@733 | 118 | and the 'status' of the verification. |
paulb@733 | 119 | """ |
paulb@733 | 120 | |
paulb@733 | 121 | trans.set_content_type(WebStack.Generic.ContentType("text/plain")) |
paulb@733 | 122 | out = trans.get_response_stream() |
paulb@733 | 123 | |
paulb@733 | 124 | # NOTE: Need to use invalidate_handle, too. |
paulb@733 | 125 | |
paulb@733 | 126 | if status: |
paulb@733 | 127 | status_str = "true" |
paulb@733 | 128 | else: |
paulb@733 | 129 | status_str = "false" |
paulb@733 | 130 | out.write("ns:%s\nis_valid:%s\n" % (self.openid_ns, status_str)) |
paulb@733 | 131 | raise WebStack.Generic.EndOfResponse |
paulb@733 | 132 | |
paulb@742 | 133 | def check_authentication(self, trans, fields): |
paulb@742 | 134 | |
paulb@742 | 135 | "Check the authentication details supplied in 'trans' and 'fields'." |
paulb@742 | 136 | |
paulb@742 | 137 | # Obtain the secret key from recorded associations. |
paulb@742 | 138 | |
paulb@742 | 139 | handle = fields.get("openid.assoc_handle", [None])[0] |
paulb@742 | 140 | if handle is not None and self.associations.has_key(handle): |
paulb@742 | 141 | valid = check_openid_signature(fields, self.associations[handle]) |
paulb@742 | 142 | del self.associations[handle] |
paulb@742 | 143 | else: |
paulb@742 | 144 | valid = 0 |
paulb@742 | 145 | |
paulb@742 | 146 | # Produce a response for this request. |
paulb@742 | 147 | |
paulb@742 | 148 | self.show_verification(trans, valid) |
paulb@742 | 149 | |
paulb@742 | 150 | def check_login(self, trans, fields): |
paulb@742 | 151 | |
paulb@742 | 152 | "Check the login details supplied in 'trans' and 'fields'." |
paulb@742 | 153 | |
paulb@742 | 154 | return_to = fields.get("openid.return_to", [""])[0] |
paulb@742 | 155 | claimed_id = fields.get("openid.claimed_id", [""])[0] |
paulb@742 | 156 | local_id = fields.get("openid.identity", [""])[0] |
paulb@742 | 157 | |
paulb@742 | 158 | # Check a combination of local identifier and username together with |
paulb@742 | 159 | # the password. |
paulb@742 | 160 | |
paulb@742 | 161 | username = fields.get("username", [""])[0] |
paulb@742 | 162 | password = fields.get("password", [""])[0] |
paulb@742 | 163 | |
paulb@742 | 164 | # NOTE: Permit flexibility in the credentials. |
paulb@742 | 165 | |
paulb@742 | 166 | if self.authenticator.authenticate(trans, (local_id, username), password): |
paulb@742 | 167 | endpoint = self.app_url + trans.get_path_without_query(self.urlencoding) |
paulb@742 | 168 | self.redirect_to_application(trans, claimed_id, local_id, username, return_to, endpoint) |
paulb@742 | 169 | |
paulb@742 | 170 | class OpenIDLoginResource(OpenIDLoginUtils): |
paulb@742 | 171 | |
paulb@742 | 172 | "A resource providing a login screen." |
paulb@742 | 173 | |
paulb@742 | 174 | encoding = "utf-8" |
paulb@742 | 175 | |
paulb@742 | 176 | def __init__(self, app_url, authenticator, associations=None, use_redirect=1, urlencoding=None, encoding=None): |
paulb@733 | 177 | |
paulb@733 | 178 | """ |
paulb@742 | 179 | Initialise the resource with the application URL 'app_url' and an |
paulb@742 | 180 | 'authenticator'. |
paulb@742 | 181 | |
paulb@742 | 182 | The optional 'associations' is a mapping from association handles to |
paulb@742 | 183 | secret keys. |
paulb@742 | 184 | |
paulb@742 | 185 | If the optional 'use_redirect' flag is set to a false value (which is |
paulb@742 | 186 | not the default), a confirmation screen is given instead of immediately |
paulb@742 | 187 | redirecting the user back to the original application. |
paulb@742 | 188 | |
paulb@742 | 189 | The optional 'urlencoding' parameter allows a special encoding to be |
paulb@742 | 190 | used in producing the redirection path. |
paulb@742 | 191 | |
paulb@742 | 192 | The optional 'encoding' parameter allows a special encoding to be used |
paulb@742 | 193 | in producing the login pages. |
paulb@742 | 194 | |
paulb@742 | 195 | To change the pages employed by this resource, either redefine the |
paulb@742 | 196 | 'login_page' and 'success_page' attributes in instances of this class or |
paulb@742 | 197 | a subclass, or override the 'show_login' and 'show_success' methods. |
paulb@733 | 198 | """ |
paulb@733 | 199 | |
paulb@742 | 200 | OpenIDLoginUtils.__init__(self, associations, use_redirect) |
paulb@742 | 201 | self.app_url = app_url |
paulb@742 | 202 | self.authenticator = authenticator |
paulb@742 | 203 | self.urlencoding = urlencoding |
paulb@742 | 204 | self.encoding = encoding or self.encoding |
paulb@742 | 205 | |
paulb@742 | 206 | def respond(self, trans): |
paulb@742 | 207 | |
paulb@742 | 208 | "Respond using the transaction 'trans'." |
paulb@742 | 209 | |
paulb@742 | 210 | # Check for a submitted login form. |
paulb@742 | 211 | |
paulb@742 | 212 | fields = trans.get_fields(self.encoding) |
paulb@742 | 213 | |
paulb@742 | 214 | if fields.has_key("login"): |
paulb@742 | 215 | self.check_login(trans, fields) |
paulb@742 | 216 | # The above method may not return. |
paulb@742 | 217 | |
paulb@742 | 218 | # Check for an OpenID signature verification request. |
paulb@742 | 219 | |
paulb@742 | 220 | elif fields.get("openid.mode", [None])[0] == "check_authentication": |
paulb@742 | 221 | self.check_authentication(trans, fields) |
paulb@742 | 222 | # The above method does not return. |
paulb@742 | 223 | |
paulb@742 | 224 | # NOTE: Permit association requests here. |
paulb@742 | 225 | # Otherwise, show the login form. |
paulb@742 | 226 | |
paulb@742 | 227 | self.show_login(trans, fields) |
paulb@742 | 228 | |
paulb@742 | 229 | def show_login(self, trans, fields): |
paulb@742 | 230 | |
paulb@742 | 231 | """ |
paulb@742 | 232 | Writes a login screen using the transaction 'trans' and 'fields'. |
paulb@742 | 233 | """ |
paulb@742 | 234 | |
paulb@742 | 235 | return_to = fields.get("openid.return_to", [""])[0] |
paulb@742 | 236 | claimed_id = fields.get("openid.claimed_id", [""])[0] |
paulb@742 | 237 | local_id = fields.get("openid.identity", [""])[0] |
paulb@742 | 238 | |
paulb@733 | 239 | trans.set_content_type(WebStack.Generic.ContentType("text/html", self.encoding)) |
paulb@733 | 240 | out = trans.get_response_stream() |
paulb@742 | 241 | out.write(self.login_page % tuple(map(cgi.escape, (return_to, claimed_id, local_id)))) |
paulb@733 | 242 | |
paulb@742 | 243 | def show_success(self, trans, fields): |
paulb@733 | 244 | |
paulb@733 | 245 | """ |
paulb@742 | 246 | Writes a success screen using the transaction 'trans', using a |
paulb@742 | 247 | dictionary of 'fields' providing details of the transaction. |
paulb@733 | 248 | """ |
paulb@733 | 249 | |
paulb@733 | 250 | trans.set_content_type(WebStack.Generic.ContentType("text/html", self.encoding)) |
paulb@733 | 251 | out = trans.get_response_stream() |
paulb@738 | 252 | l = [] |
paulb@742 | 253 | for name, values in fields.items(): |
paulb@742 | 254 | l.append("""<input name="%s" type="hidden" value="%s" />""" % (name, cgi.escape(values[0]))) |
paulb@742 | 255 | out.write(self.success_page % (fields["openid.return_to"][0], "\n".join(l))) |
paulb@733 | 256 | |
paulb@733 | 257 | login_page = """ |
paulb@733 | 258 | <html> |
paulb@733 | 259 | <head> |
paulb@733 | 260 | <title>Login</title> |
paulb@733 | 261 | </head> |
paulb@733 | 262 | <body> |
paulb@733 | 263 | <h1>Login</h1> |
paulb@733 | 264 | <form method="POST"> |
paulb@733 | 265 | <p>Username: <input name="username" type="text" size="12"/></p> |
paulb@733 | 266 | <p>Password: <input name="password" type="password" size="12"/></p> |
paulb@733 | 267 | <p><input name="login" type="submit" value="Login"/></p> |
paulb@740 | 268 | <input name="openid.return_to" type="hidden" value="%s"/> |
paulb@740 | 269 | <input name="openid.claimed_id" type="hidden" value="%s"/> |
paulb@740 | 270 | <input name="openid.identity" type="hidden" value="%s"/> |
paulb@733 | 271 | </form> |
paulb@733 | 272 | </body> |
paulb@733 | 273 | </html> |
paulb@733 | 274 | """ |
paulb@733 | 275 | |
paulb@733 | 276 | success_page = """ |
paulb@733 | 277 | <html> |
paulb@733 | 278 | <head> |
paulb@733 | 279 | <title>Login Example</title> |
paulb@733 | 280 | </head> |
paulb@733 | 281 | <body> |
paulb@733 | 282 | <h1>Login Successful</h1> |
paulb@738 | 283 | <form action="%s" method="POST" name="openid_redirect"> |
paulb@738 | 284 | %s |
paulb@738 | 285 | <p>Please proceed to the application: <input name="proceed" type="submit" value="Proceed!" /></p> |
paulb@738 | 286 | </form> |
paulb@733 | 287 | </body> |
paulb@733 | 288 | </html> |
paulb@733 | 289 | """ |
paulb@733 | 290 | |
paulb@733 | 291 | # vim: tabstop=4 expandtab shiftwidth=4 |