paulb@127 | 1 | #!/usr/bin/env python |
paulb@127 | 2 | |
paulb@127 | 3 | "Login redirection." |
paulb@127 | 4 | |
paulb@127 | 5 | import md5 |
paulb@127 | 6 | |
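class LoginRedirectResource:

    """
    A resource redirecting unauthenticated clients to a login URL.

    Requests accepted by the authenticator are passed on to the protected
    resource. All other requests receive a redirect to the login URL which
    carries the originally requested location in a 'redirect' parameter.
    """

    def __init__(self, login_url, app_url, resource, authenticator, anonymous_parameter_name=None):

        """
        Initialise the resource with a 'login_url', an 'app_url' where the
        'resource' for the application being protected should be reachable,
        and an 'authenticator'.

        If the optional 'anonymous_parameter_name' is set, clients providing a
        parameter of that name in the URL will not be authenticated, but then
        such clients will not get a user identity associated with them.

        SECURITY: the anonymous parameter is entirely client-controlled, so
        enabling it lets any client reach 'resource' without credentials. The
        protected resource must treat a transaction without a user identity
        as unauthenticated and authorise accordingly.
        """

        self.login_url = login_url
        self.app_url = app_url
        self.resource = resource
        self.authenticator = authenticator
        self.anonymous_parameter_name = anonymous_parameter_name

    def respond(self, trans):

        """
        Dispatch 'trans' to the protected resource if the client is anonymous
        (see the constructor) or authenticated; otherwise redirect the client
        to the login URL with response code 307.
        """

        # Check for the anonymous parameter, if appropriate. The membership
        # test replaces the deprecated has_key call.

        fields = trans.get_fields_from_path()
        is_anonymous = (
            self.anonymous_parameter_name is not None
            and self.anonymous_parameter_name in fields
        )

        # Check the authentication details with the specified authenticator.
        # Anonymous clients skip this step, so no user is set on 'trans'.

        if is_anonymous or self.authenticator.authenticate(trans):
            self.resource.respond(trans)
            return

        # Redirect to the login URL. The request path comes from the client,
        # so it is escaped before being placed in the response header.
        # NOTE: 307 preserves the request method, so a POST is repeated
        # NOTE: against 'login_url' by conforming clients.

        location = "%s?redirect=%s%s" % (
            self.login_url, self.app_url, self._encode(trans.get_path())
        )
        trans.set_header_value("Location", location)
        trans.set_response_code(307)

    def _encode(self, url):

        """
        Encode the given 'url' for use as the value of the 'redirect' query
        parameter in a Location header.

        As before, "?" and "&" become "%3f" and "%26". In addition "%", "#",
        "+", ";", whitespace and control characters (including CR and LF) are
        percent-escaped: left raw they would either be misread when the login
        application decodes the parameter or, for CR/LF, could split the
        response header. Whether the framework already rejects CR/LF in
        request paths is not visible here, so the escaping is done regardless.
        """

        reserved = "%?&#+;"
        encoded = []
        for char in url:
            number = ord(char)
            if char in reserved or number <= 0x20 or number == 0x7f:
                encoded.append("%%%02x" % number)
            else:
                encoded.append(char)
        return "".join(encoded)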
paulb@136 | 53 | |
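class LoginRedirectAuthenticator:

    """
    An authenticator which verifies the credentials provided in a special
    login cookie.

    The cookie value has the form "username:code", where 'code' is the hex MD5
    digest of the username concatenated with the secret key.

    SECURITY: the code is a plain MD5 digest over username + secret rather
    than a keyed MAC such as HMAC, and the token carries no expiry or nonce,
    so a captured cookie remains valid for as long as the secret key is
    unchanged. The token format is left as it is here because the component
    issuing the cookie (not shown in this file) would have to change in step.
    """

    def __init__(self, secret_key, cookie_name=None):

        "Initialise the authenticator with a 'secret_key' and an optional 'cookie_name'."

        self.secret_key = secret_key
        self.cookie_name = cookie_name or "LoginAuthenticator"

    def authenticate(self, trans):

        """
        Authenticate the originator of 'trans', updating the object if
        successful. Return 1 if the login cookie carries a valid token and 0
        otherwise, including when the cookie is missing or malformed.
        """

        cookie = trans.get_cookie(self.cookie_name)
        if cookie is None or cookie.value is None:
            return 0

        # The cookie is client-supplied: a value without exactly one ":"
        # previously raised ValueError during unpacking instead of being
        # rejected.

        parts = cookie.value.split(":")
        if len(parts) != 2:
            return 0
        username, code = parts

        # Test the token from the cookie against a recreated token using the
        # given information.
        # NOTE: This should be moved into a common library.

        if self._tokens_match(code, self._make_token(username)):

            # Update the transaction with the user details.

            trans.set_user(username)
            return 1

        return 0

    def _make_token(self, username):

        "Return the expected hex digest for 'username' using the secret key."

        # Prefer hashlib; the standalone md5 module is only a fallback for
        # interpreters that lack it.

        try:
            from hashlib import md5 as new_md5
        except ImportError:
            from md5 import md5 as new_md5

        material = username + self.secret_key
        try:
            return new_md5(material).hexdigest()
        except TypeError:
            # Text strings must be encoded to bytes before hashing where the
            # hash constructor only accepts bytes.
            return new_md5(material.encode("utf-8")).hexdigest()

    def _tokens_match(self, supplied, expected):

        """
        Compare the 'supplied' and 'expected' tokens without stopping at the
        first differing character, so that response timing does not reveal
        how much of a guessed token was correct.
        """

        if len(supplied) != len(expected):
            return 0
        difference = 0
        for left, right in zip(supplied, expected):
            difference |= ord(left) ^ ord(right)
        return difference == 0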
paulb@127 | 88 | |
paulb@127 | 89 | # vim: tabstop=4 expandtab shiftwidth=4 |