1 #!/usr/bin/env python 2 3 "Login redirection." 4 5 from WebStack.Helpers.Auth import get_token 6 import WebStack.Generic 7 8 class LoginRedirectResource: 9 10 "A resource redirecting to a login URL." 11 12 def __init__(self, login_url, app_url, resource, authenticator, anonymous_parameter_name=None, 13 anonymous_username="anonymous", logout_parameter_name=None, logout_url="/", 14 use_logout_redirect=1): 15 16 """ 17 Initialise the resource with a 'login_url', an 'app_url' where the 'resource' for 18 the application being protected should be reachable, and an 'authenticator'. 19 20 If the optional 'anonymous_parameter_name' is set, clients providing a parameter 21 of that name in the URL will not be authenticated, but then such clients will get 22 a predefined user identity associated with them, configurable using the optional 23 'anonymous_username'. 24 25 If the optional 'logout_parameter_name' is set, clients providing a parameter of 26 that name in the URL will become logged out. After logging out, clients are 27 redirected to a location which can be configured by the optional 'logout_url'. 28 29 If the optional 'use_logout_redirect' flag is set to 0, a confirmation screen is 30 given instead of redirecting the user to the 'logout_url'. 31 """ 32 33 self.login_url = login_url 34 self.app_url = app_url 35 self.resource = resource 36 self.authenticator = authenticator 37 self.anonymous_parameter_name = anonymous_parameter_name 38 self.anonymous_username = anonymous_username 39 self.logout_parameter_name = logout_parameter_name 40 self.logout_url = logout_url 41 self.use_logout_redirect = use_logout_redirect 42 43 def respond(self, trans): 44 45 fields_path = trans.get_fields_from_path() 46 47 # Check for the logout parameter, if appropriate. 48 49 if self.logout_parameter_name is not None and fields_path.has_key(self.logout_parameter_name): 50 51 # Remove the special cookie token, then pass on the transaction. 52 53 self.authenticator.unset_token(trans) 54 55 # Redirect to the logout URL. 56 57 if self.use_logout_redirect: 58 trans.set_header_value("Location", self.logout_url) 59 trans.set_response_code(307) 60 61 # Show the logout confirmation anyway. 62 63 self._show_logout(trans, self.logout_url) 64 65 # Check the authentication details with the specified authenticator. 66 67 elif self.authenticator.authenticate(trans): 68 69 # If successful, pass on the transaction. 70 71 self.resource.respond(trans) 72 73 # Check for the anonymous parameter, if appropriate. 74 75 elif self.anonymous_parameter_name is not None and fields_path.has_key(self.anonymous_parameter_name): 76 77 # Make a special cookie token, then pass on the transaction. 78 79 self.authenticator.set_token(trans, self.anonymous_username) 80 self.resource.respond(trans) 81 82 else: 83 84 # Redirect to the login URL. 85 86 trans.set_header_value("Location", "%s?redirect=%s%s" % ( 87 self.login_url, self.app_url, self._encode(trans.get_path())) 88 ) 89 trans.set_response_code(307) 90 91 def _encode(self, url): 92 93 "Encode the given 'url' for redirection purposes." 94 95 return url.replace("?", "%3f").replace("&", "%26") 96 97 def _show_logout(self, trans, redirect): 98 99 # When logout takes place, show the login screen. 100 101 trans.set_content_type(WebStack.Generic.ContentType("text/html")) 102 out = trans.get_response_stream() 103 out.write(""" 104 <html> 105 <head> 106 <title>Logout</title> 107 </head> 108 <body> 109 <h1>Logout Successful</h1> 110 <p>Please proceed <a href="%s">to the application</a>.</p> 111 </body> 112 </html> 113 """ % redirect) 114 115 class LoginRedirectAuthenticator: 116 117 """ 118 An authenticator which verifies the credentials provided in a special login cookie. 119 """ 120 121 def __init__(self, secret_key, cookie_name=None): 122 123 "Initialise the authenticator with a 'secret_key' and an optional 'cookie_name'." 124 125 self.secret_key = secret_key 126 self.cookie_name = cookie_name or "LoginAuthenticator" 127 128 def authenticate(self, trans): 129 130 "Authenticate the originator of 'trans', updating the object if successful." 131 132 cookie = trans.get_cookie(self.cookie_name) 133 if cookie is None or cookie.value is None: 134 return 0 135 136 # Test the token from the cookie against a recreated token using the 137 # given information. 138 139 username, code = cookie.value.split(":") 140 if cookie.value == get_token(username, self.secret_key): 141 142 # Update the transaction with the user details. 143 144 trans.set_user(username) 145 return 1 146 else: 147 return 0 148 149 def set_token(self, trans, username): 150 151 "Set an authentication token in 'trans' with the given 'username'." 152 153 trans.set_cookie_value( 154 self.cookie_name, 155 get_token(username, self.secret_key) 156 ) 157 158 # Update the transaction with the user details. 159 160 trans.set_user(username) 161 162 def unset_token(self, trans): 163 164 "Unset the authentication token in 'trans'." 165 166 trans.delete_cookie(self.cookie_name) 167 168 # vim: tabstop=4 expandtab shiftwidth=4