paulb@126 | 1 | #!/usr/bin/env python |
paulb@126 | 2 | |
paulb@126 | 3 | "An example login screen." |
paulb@126 | 4 | |
paulb@126 | 5 | import WebStack.Generic |
paulb@143 | 6 | from WebStack.Helpers.Auth import get_token |
paulb@126 | 7 | |
paulb@126 | 8 | class LoginResource: |
paulb@126 | 9 | |
paulb@126 | 10 | "A resource providing a login screen." |
paulb@126 | 11 | |
paulb@145 | 12 | def __init__(self, authenticator, anonymous_parameter_name=None, anonymous_username="anonymous", use_redirect=1): |
paulb@126 | 13 | |
paulb@138 | 14 | """ |
paulb@145 | 15 | Initialise the resource with an 'authenticator'. |
paulb@145 | 16 | |
paulb@145 | 17 | If the optional 'anonymous_parameter_name' is set, clients providing a parameter |
paulb@145 | 18 | of that name in the URL will not be authenticated, but then such clients will not |
paulb@145 | 19 | get a user identity associated with them. The optional 'anonymous_username' is the |
paulb@145 | 20 | username appearing as the identity of anonymous users. |
paulb@145 | 21 | |
paulb@145 | 22 | If the optional 'use_redirect' flag is set to 0, a confirmation screen is given |
paulb@145 | 23 | instead of redirecting the user back to the original application. |
paulb@138 | 24 | """ |
paulb@126 | 25 | |
paulb@126 | 26 | self.authenticator = authenticator |
paulb@145 | 27 | self.anonymous_parameter_name = anonymous_parameter_name |
paulb@145 | 28 | self.anonymous_username = anonymous_username |
paulb@138 | 29 | self.use_redirect = use_redirect |
paulb@126 | 30 | |
paulb@126 | 31 | def respond(self, trans): |
paulb@126 | 32 | |
paulb@145 | 33 | fields_path = trans.get_fields_from_path() |
paulb@145 | 34 | fields_body = trans.get_fields_from_body() |
paulb@145 | 35 | |
paulb@145 | 36 | # NOTE: Handle missing redirects better. |
paulb@145 | 37 | |
paulb@145 | 38 | if fields_body.has_key("redirect"): |
paulb@145 | 39 | redirects = fields_body["redirect"] |
paulb@145 | 40 | redirect = redirects[0] |
paulb@145 | 41 | elif fields_path.has_key("redirect"): |
paulb@145 | 42 | redirects = fields_path["redirect"] |
paulb@145 | 43 | redirect = redirects[0] |
paulb@145 | 44 | else: |
paulb@145 | 45 | redirect = "" |
paulb@126 | 46 | |
paulb@145 | 47 | # Check for the anonymous parameter, if appropriate. |
paulb@145 | 48 | |
paulb@145 | 49 | if self.anonymous_parameter_name is not None and fields_path.has_key(self.anonymous_parameter_name): |
paulb@145 | 50 | |
paulb@145 | 51 | # Make a special cookie token. |
paulb@145 | 52 | |
paulb@145 | 53 | self.authenticator.set_token(trans, self.anonymous_username) |
paulb@145 | 54 | self._redirect(trans, redirect) |
paulb@145 | 55 | return |
paulb@145 | 56 | |
paulb@145 | 57 | # Otherwise, check for a submitted login form. |
paulb@145 | 58 | |
paulb@145 | 59 | elif fields_body.has_key("login"): |
paulb@126 | 60 | if self.authenticator.authenticate(trans): |
paulb@145 | 61 | self._redirect(trans, redirect) |
paulb@145 | 62 | |
paulb@145 | 63 | # Otherwise, show the login form. |
paulb@126 | 64 | |
paulb@138 | 65 | self._show_login(trans, redirect) |
paulb@138 | 66 | |
paulb@145 | 67 | def _redirect(self, trans, redirect): |
paulb@145 | 68 | |
paulb@145 | 69 | "Redirect the client using 'trans' and the given 'redirect' URL." |
paulb@145 | 70 | |
paulb@145 | 71 | if self.use_redirect: |
paulb@145 | 72 | trans.set_header_value("Location", redirect) |
paulb@145 | 73 | trans.set_response_code(307) |
paulb@145 | 74 | |
paulb@145 | 75 | # Show the success page anyway. |
paulb@145 | 76 | |
paulb@145 | 77 | self._show_success(trans, redirect) |
paulb@145 | 78 | |
paulb@138 | 79 | def _show_login(self, trans, redirect): |
paulb@138 | 80 | |
paulb@126 | 81 | # When authentication fails or is yet to take place, show the login |
paulb@126 | 82 | # screen. |
paulb@126 | 83 | |
paulb@135 | 84 | trans.set_content_type(WebStack.Generic.ContentType("text/html")) |
paulb@126 | 85 | out = trans.get_response_stream() |
paulb@126 | 86 | out.write(""" |
paulb@126 | 87 | <html> |
paulb@126 | 88 | <head> |
paulb@126 | 89 | <title>Login Example</title> |
paulb@126 | 90 | </head> |
paulb@126 | 91 | <body> |
paulb@126 | 92 | <h1>Login</h1> |
paulb@126 | 93 | <form method="POST"> |
paulb@126 | 94 | <p>Username: <input name="username" type="text" size="12"/></p> |
paulb@126 | 95 | <p>Password: <input name="password" type="text" size="12"/></p> |
paulb@126 | 96 | <p><input name="login" type="submit" value="Login"/></p> |
paulb@126 | 97 | <input name="redirect" type="hidden" value="%s"/> |
paulb@126 | 98 | </form> |
paulb@126 | 99 | </body> |
paulb@126 | 100 | </html> |
paulb@126 | 101 | """ % redirect) |
paulb@126 | 102 | |
paulb@138 | 103 | def _show_success(self, trans, redirect): |
paulb@138 | 104 | |
paulb@138 | 105 | # When authentication fails or is yet to take place, show the login |
paulb@138 | 106 | # screen. |
paulb@138 | 107 | |
paulb@138 | 108 | trans.set_content_type(WebStack.Generic.ContentType("text/html")) |
paulb@138 | 109 | out = trans.get_response_stream() |
paulb@138 | 110 | out.write(""" |
paulb@138 | 111 | <html> |
paulb@138 | 112 | <head> |
paulb@138 | 113 | <title>Login Example</title> |
paulb@138 | 114 | </head> |
paulb@138 | 115 | <body> |
paulb@138 | 116 | <h1>Login Successful</h1> |
paulb@138 | 117 | <p>Please proceed <a href="%s">to the application</a>.</p> |
paulb@138 | 118 | </body> |
paulb@138 | 119 | </html> |
paulb@138 | 120 | """ % redirect) |
paulb@138 | 121 | |
paulb@135 | 122 | def _decode(self, url): |
paulb@135 | 123 | |
paulb@135 | 124 | "Decode the given 'url' for redirection purposes." |
paulb@135 | 125 | |
paulb@135 | 126 | return url.replace("%3f", "?").replace("%26", "&") |
paulb@135 | 127 | |
paulb@126 | 128 | class LoginAuthenticator: |
paulb@126 | 129 | |
paulb@130 | 130 | def __init__(self, secret_key, credentials, cookie_name=None): |
paulb@126 | 131 | |
paulb@130 | 132 | """ |
paulb@130 | 133 | Initialise the authenticator with a 'secret_key', the authenticator's registry of |
paulb@130 | 134 | 'credentials' and an optional 'cookie_name'. |
paulb@126 | 135 | |
paulb@130 | 136 | The 'credentials' must be an object which supports tests of the form |
paulb@130 | 137 | '(username, password) in credentials'. |
paulb@130 | 138 | """ |
paulb@126 | 139 | |
paulb@126 | 140 | self.secret_key = secret_key |
paulb@130 | 141 | self.credentials = credentials |
paulb@130 | 142 | self.cookie_name = cookie_name or "LoginAuthenticator" |
paulb@126 | 143 | |
paulb@126 | 144 | def authenticate(self, trans): |
paulb@126 | 145 | |
paulb@126 | 146 | # Process any supplied parameters. |
paulb@126 | 147 | |
paulb@126 | 148 | fields = trans.get_fields_from_body() |
paulb@126 | 149 | |
paulb@126 | 150 | if fields.has_key("username") and fields.has_key("password"): |
paulb@126 | 151 | usernames, passwords = fields["username"], fields["password"] |
paulb@126 | 152 | |
paulb@126 | 153 | # Insist on only one username and password. |
paulb@126 | 154 | |
paulb@126 | 155 | if len(usernames) == 1 and len(passwords) == 1: |
paulb@126 | 156 | username, password = usernames[0], passwords[0] |
paulb@126 | 157 | |
paulb@126 | 158 | # Check against the class's credentials. |
paulb@126 | 159 | |
paulb@126 | 160 | if (username, password) in self.credentials: |
paulb@126 | 161 | |
paulb@126 | 162 | # Make a special cookie token. |
paulb@126 | 163 | |
paulb@145 | 164 | self.set_token(trans, username) |
paulb@126 | 165 | return 1 |
paulb@126 | 166 | |
paulb@126 | 167 | return 0 |
paulb@126 | 168 | |
paulb@145 | 169 | def set_token(self, trans, username): |
paulb@145 | 170 | |
paulb@145 | 171 | "Set an authentication in the 'trans' with the given 'username'." |
paulb@145 | 172 | |
paulb@145 | 173 | trans.set_cookie_value( |
paulb@145 | 174 | self.cookie_name, |
paulb@145 | 175 | get_token(username, self.secret_key) |
paulb@145 | 176 | ) |
paulb@145 | 177 | |
paulb@126 | 178 | # vim: tabstop=4 expandtab shiftwidth=4 |