paulb@733 | 1 | #!/usr/bin/env python |
paulb@733 | 2 | |
paulb@733 | 3 | """ |
paulb@733 | 4 | OpenID provider login resources which redirect clients back to the application |
paulb@733 | 5 | ("relying party"). |
paulb@733 | 6 | |
paulb@733 | 7 | Copyright (C) 2004, 2005, 2006, 2007 Paul Boddie <paul@boddie.org.uk> |
paulb@733 | 8 | |
paulb@733 | 9 | This library is free software; you can redistribute it and/or |
paulb@733 | 10 | modify it under the terms of the GNU Lesser General Public |
paulb@733 | 11 | License as published by the Free Software Foundation; either |
paulb@733 | 12 | version 2.1 of the License, or (at your option) any later version. |
paulb@733 | 13 | |
paulb@733 | 14 | This library is distributed in the hope that it will be useful, |
paulb@733 | 15 | but WITHOUT ANY WARRANTY; without even the implied warranty of |
paulb@733 | 16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
paulb@733 | 17 | Lesser General Public License for more details. |
paulb@733 | 18 | |
paulb@733 | 19 | You should have received a copy of the GNU Lesser General Public |
paulb@733 | 20 | License along with this library; if not, write to the Free Software |
paulb@733 | 21 | Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA |
paulb@733 | 22 | """ |
paulb@733 | 23 | |
paulb@733 | 24 | import WebStack.Generic |
paulb@733 | 25 | from WebStack.Helpers.Auth import Authenticator, check_openid_signature, make_openid_signature |
paulb@733 | 26 | import datetime |
paulb@733 | 27 | import time |
paulb@733 | 28 | import random |
paulb@733 | 29 | |
paulb@733 | 30 | class OpenIDLoginResource: |
paulb@733 | 31 | |
paulb@733 | 32 | "A resource providing a login screen." |
paulb@733 | 33 | |
paulb@733 | 34 | encoding = "utf-8" |
paulb@733 | 35 | openid_ns = "http://specs.openid.net/auth/2.0" |
paulb@733 | 36 | |
paulb@733 | 37 | def __init__(self, app_url, authenticator, associations=None, use_redirect=1, urlencoding=None, encoding=None): |
paulb@733 | 38 | |
paulb@733 | 39 | """ |
paulb@733 | 40 | Initialise the resource with the application URL 'app_url' and an |
paulb@733 | 41 | 'authenticator'. |
paulb@733 | 42 | |
paulb@733 | 43 | The optional 'associations' is a mapping from association handles to |
paulb@733 | 44 | secret keys. |
paulb@733 | 45 | |
paulb@738 | 46 | If the optional 'use_redirect' flag is set to a false value (which is |
paulb@738 | 47 | not the default), a confirmation screen is given instead of immediately |
paulb@738 | 48 | redirecting the user back to the original application. |
paulb@733 | 49 | |
paulb@733 | 50 | The optional 'urlencoding' parameter allows a special encoding to be |
paulb@733 | 51 | used in producing the redirection path. |
paulb@733 | 52 | |
paulb@733 | 53 | The optional 'encoding' parameter allows a special encoding to be used |
paulb@733 | 54 | in producing the login pages. |
paulb@733 | 55 | |
paulb@733 | 56 | To change the pages employed by this resource, either redefine the |
paulb@733 | 57 | 'login_page' and 'success_page' attributes in instances of this class or |
paulb@733 | 58 | a subclass, or override the 'show_login' and 'show_success' methods. |
paulb@733 | 59 | """ |
paulb@733 | 60 | |
paulb@733 | 61 | self.app_url = app_url |
paulb@733 | 62 | self.authenticator = authenticator |
paulb@733 | 63 | self.associations = associations or {} |
paulb@733 | 64 | self.use_redirect = use_redirect |
paulb@733 | 65 | self.urlencoding = urlencoding |
paulb@733 | 66 | self.encoding = encoding or self.encoding |
paulb@733 | 67 | |
paulb@733 | 68 | def respond(self, trans): |
paulb@733 | 69 | |
paulb@733 | 70 | "Respond using the transaction 'trans'." |
paulb@733 | 71 | |
paulb@733 | 72 | # Check for a submitted login form. |
paulb@733 | 73 | |
paulb@738 | 74 | fields = trans.get_fields(self.encoding) |
paulb@733 | 75 | |
paulb@738 | 76 | if fields.has_key("login"): |
paulb@733 | 77 | |
paulb@733 | 78 | # Check a combination of local identifier and username together with |
paulb@733 | 79 | # the password. |
paulb@733 | 80 | |
paulb@738 | 81 | claimed_id = fields.get("claimed_id", [""])[0] |
paulb@738 | 82 | local_id = fields.get("local_id", [""])[0] |
paulb@738 | 83 | username = fields.get("username", [""])[0] |
paulb@738 | 84 | password = fields.get("password", [""])[0] |
paulb@738 | 85 | app = fields.get("app", [""])[0] |
paulb@733 | 86 | |
paulb@736 | 87 | # NOTE: Permit flexibility in the credentials. |
paulb@736 | 88 | |
paulb@733 | 89 | if self.authenticator.authenticate(trans, (local_id, username), password): |
paulb@733 | 90 | self._redirect(trans, claimed_id, local_id, username, app) |
paulb@733 | 91 | # The above method does not return. |
paulb@733 | 92 | |
paulb@733 | 93 | # Check for an OpenID signature verification request. |
paulb@733 | 94 | |
paulb@738 | 95 | elif fields.get("openid.mode", [None])[0] == "check_authentication": |
paulb@733 | 96 | |
paulb@733 | 97 | # Obtain the secret key from recorded associations. |
paulb@733 | 98 | |
paulb@738 | 99 | handle = fields.get("openid.assoc_handle", [None])[0] |
paulb@733 | 100 | if handle is not None and self.associations.has_key(handle): |
paulb@738 | 101 | valid = check_openid_signature(fields, self.associations[handle]) |
paulb@733 | 102 | del self.associations[handle] |
paulb@733 | 103 | else: |
paulb@733 | 104 | valid = 0 |
paulb@733 | 105 | |
paulb@733 | 106 | # Produce a response for this request. |
paulb@733 | 107 | |
paulb@733 | 108 | self.show_verification(trans, valid) |
paulb@733 | 109 | # The above method does not return. |
paulb@733 | 110 | |
paulb@736 | 111 | # NOTE: Permit association requests here. |
paulb@736 | 112 | |
paulb@733 | 113 | # Otherwise, show the login form. |
paulb@733 | 114 | |
paulb@738 | 115 | app = fields.get("openid.return_to", [""])[0] |
paulb@738 | 116 | claimed_id = fields.get("openid.claimed_id", [""])[0] |
paulb@738 | 117 | local_id = fields.get("openid.identity", [""])[0] |
paulb@733 | 118 | |
paulb@733 | 119 | self.show_login(trans, app, claimed_id, local_id) |
paulb@733 | 120 | |
paulb@733 | 121 | def _redirect(self, trans, claimed_id, local_id, username, app): |
paulb@733 | 122 | |
paulb@733 | 123 | """ |
paulb@733 | 124 | Redirect the client using 'trans', 'claimed_id', 'local_id', 'username' |
paulb@733 | 125 | and the given 'app' details. |
paulb@733 | 126 | """ |
paulb@733 | 127 | |
paulb@733 | 128 | app_url = self.app_url + trans.get_path_without_query(self.urlencoding) |
paulb@733 | 129 | |
paulb@733 | 130 | # Make an association that can be used in signature verification. |
paulb@733 | 131 | # NOTE: Probably need to consider the secret key a bit more. |
paulb@733 | 132 | |
paulb@733 | 133 | handle = username + str(time.time()) |
paulb@733 | 134 | secret_key = str(random.randint(0, 999999999)) |
paulb@733 | 135 | self.associations[handle] = secret_key |
paulb@733 | 136 | |
paulb@733 | 137 | # Make a timestamp. |
paulb@733 | 138 | |
paulb@733 | 139 | now = datetime.datetime.utcnow() |
paulb@733 | 140 | timestamp = now.strftime("%Y-%m-%dT%H:%M:%SZ") + str(now.microsecond) |
paulb@733 | 141 | |
paulb@733 | 142 | # Make a signature. |
paulb@733 | 143 | |
paulb@733 | 144 | signed_names = ["op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"] |
paulb@733 | 145 | fields = { |
paulb@733 | 146 | "openid.op_endpoint" : [app_url], |
paulb@733 | 147 | "openid.return_to" : [app], |
paulb@733 | 148 | "openid.response_nonce" : [timestamp], |
paulb@733 | 149 | "openid.assoc_handle" : [handle], |
paulb@733 | 150 | "openid.claimed_id" : [claimed_id], |
paulb@733 | 151 | "openid.identity" : [local_id] |
paulb@733 | 152 | } |
paulb@733 | 153 | |
paulb@733 | 154 | signature = make_openid_signature(signed_names, fields, secret_key) |
paulb@733 | 155 | |
paulb@733 | 156 | # Build an URL for returning to the application. |
paulb@733 | 157 | |
paulb@733 | 158 | url = "%s?openid.ns=%s&openid.mode=%s&openid.signed=%s&openid.sig=%s" % ( |
paulb@733 | 159 | app, |
paulb@733 | 160 | trans.encode_path(self.openid_ns, self.urlencoding), |
paulb@733 | 161 | trans.encode_path("id_res", self.urlencoding), |
paulb@733 | 162 | trans.encode_path(",".join(signed_names), self.urlencoding), |
paulb@733 | 163 | trans.encode_path(signature, self.urlencoding) |
paulb@733 | 164 | ) |
paulb@733 | 165 | |
paulb@733 | 166 | for name, value in fields.items(): |
paulb@733 | 167 | url += "&%s=%s" % (name, trans.encode_path(value[0], self.urlencoding)) |
paulb@733 | 168 | |
paulb@733 | 169 | # Show the success page anyway. |
paulb@738 | 170 | # Offer a POST-based form for redirection. |
paulb@733 | 171 | |
paulb@738 | 172 | self.show_success(trans, app, "id_res", signed_names, signature, fields) |
paulb@733 | 173 | if self.use_redirect: |
paulb@733 | 174 | trans.redirect(url) |
paulb@733 | 175 | else: |
paulb@733 | 176 | raise WebStack.Generic.EndOfResponse |
paulb@733 | 177 | |
paulb@733 | 178 | def show_verification(self, trans, status): |
paulb@733 | 179 | |
paulb@733 | 180 | """ |
paulb@733 | 181 | Writes a signature verification response using the transaction 'trans' |
paulb@733 | 182 | and the 'status' of the verification. |
paulb@733 | 183 | """ |
paulb@733 | 184 | |
paulb@733 | 185 | trans.set_content_type(WebStack.Generic.ContentType("text/plain")) |
paulb@733 | 186 | out = trans.get_response_stream() |
paulb@733 | 187 | |
paulb@733 | 188 | # NOTE: Need to use invalidate_handle, too. |
paulb@733 | 189 | |
paulb@733 | 190 | if status: |
paulb@733 | 191 | status_str = "true" |
paulb@733 | 192 | else: |
paulb@733 | 193 | status_str = "false" |
paulb@733 | 194 | out.write("ns:%s\nis_valid:%s\n" % (self.openid_ns, status_str)) |
paulb@733 | 195 | raise WebStack.Generic.EndOfResponse |
paulb@733 | 196 | |
paulb@733 | 197 | def show_login(self, trans, app, claimed_id, local_id): |
paulb@733 | 198 | |
paulb@733 | 199 | """ |
paulb@733 | 200 | Writes a login screen using the transaction 'trans', including details |
paulb@733 | 201 | of the 'app' which the client was attempting to access, along with the |
paulb@733 | 202 | 'claimed_id' and 'local_id'. |
paulb@733 | 203 | """ |
paulb@733 | 204 | |
paulb@733 | 205 | trans.set_content_type(WebStack.Generic.ContentType("text/html", self.encoding)) |
paulb@733 | 206 | out = trans.get_response_stream() |
paulb@733 | 207 | out.write(self.login_page % (app, claimed_id, local_id)) |
paulb@733 | 208 | |
paulb@738 | 209 | def show_success(self, trans, app, mode, signed_names, signature, fields): |
paulb@733 | 210 | |
paulb@733 | 211 | """ |
paulb@733 | 212 | Writes a success screen using the transaction 'trans', including details |
paulb@738 | 213 | of the 'app' which the client was attempting to access, the |
paulb@738 | 214 | communications 'mode', the 'signed_names' indicating the fields which |
paulb@738 | 215 | are signed, the 'signature' associated with the message, and a |
paulb@738 | 216 | dictionary of 'fields' indicating other information. |
paulb@733 | 217 | """ |
paulb@733 | 218 | |
paulb@733 | 219 | trans.set_content_type(WebStack.Generic.ContentType("text/html", self.encoding)) |
paulb@733 | 220 | out = trans.get_response_stream() |
paulb@738 | 221 | l = [] |
paulb@738 | 222 | for name, value in fields.items(): |
paulb@738 | 223 | l.append("""<input name="%s" type="hidden" value="%s" />""" % (name, value[0])) |
paulb@738 | 224 | out.write(self.success_page % (app, self.openid_ns, mode, ",".join(signed_names), signature, "\n".join(l))) |
paulb@733 | 225 | |
paulb@733 | 226 | login_page = """ |
paulb@733 | 227 | <html> |
paulb@733 | 228 | <head> |
paulb@733 | 229 | <title>Login</title> |
paulb@733 | 230 | </head> |
paulb@733 | 231 | <body> |
paulb@733 | 232 | <h1>Login</h1> |
paulb@733 | 233 | <form method="POST"> |
paulb@733 | 234 | <p>Username: <input name="username" type="text" size="12"/></p> |
paulb@733 | 235 | <p>Password: <input name="password" type="password" size="12"/></p> |
paulb@733 | 236 | <p><input name="login" type="submit" value="Login"/></p> |
paulb@733 | 237 | <input name="app" type="hidden" value="%s"/> |
paulb@733 | 238 | <input name="claimed_id" type="hidden" value="%s"/> |
paulb@733 | 239 | <input name="local_id" type="hidden" value="%s"/> |
paulb@733 | 240 | </form> |
paulb@733 | 241 | </body> |
paulb@733 | 242 | </html> |
paulb@733 | 243 | """ |
paulb@733 | 244 | |
paulb@733 | 245 | success_page = """ |
paulb@733 | 246 | <html> |
paulb@733 | 247 | <head> |
paulb@733 | 248 | <title>Login Example</title> |
paulb@733 | 249 | </head> |
paulb@733 | 250 | <body> |
paulb@733 | 251 | <h1>Login Successful</h1> |
paulb@738 | 252 | <form action="%s" method="POST" name="openid_redirect"> |
paulb@738 | 253 | <input name="openid.ns" type="hidden" value="%s" /> |
paulb@738 | 254 | <input name="openid.mode" type="hidden" value="%s" /> |
paulb@738 | 255 | <input name="openid.signed" type="hidden" value="%s" /> |
paulb@738 | 256 | <input name="openid.sig" type="hidden" value="%s" /> |
paulb@738 | 257 | %s |
paulb@738 | 258 | <p>Please proceed to the application: <input name="proceed" type="submit" value="Proceed!" /></p> |
paulb@738 | 259 | </form> |
paulb@733 | 260 | </body> |
paulb@733 | 261 | </html> |
paulb@733 | 262 | """ |
paulb@733 | 263 | |
paulb@733 | 264 | # vim: tabstop=4 expandtab shiftwidth=4 |