Diffstat (limited to 'baserock_openid_provider/openid_provider')
15 files changed, 0 insertions, 721 deletions
diff --git a/baserock_openid_provider/openid_provider/__init__.py b/baserock_openid_provider/openid_provider/__init__.py
deleted file mode 100644
index e69de29b..00000000
--- a/baserock_openid_provider/openid_provider/__init__.py
+++ /dev/null
diff --git a/baserock_openid_provider/openid_provider/admin.py b/baserock_openid_provider/openid_provider/admin.py
deleted file mode 100644
index 0d1b62aa..00000000
--- a/baserock_openid_provider/openid_provider/admin.py
+++ /dev/null
@@ -1,17 +0,0 @@
-# -*- coding: utf-8 -*- -# vim: set ts=4 sw=4 : */ - -from django.contrib import admin - -from openid_provider.models import TrustedRoot, OpenID - -class TrustedRootInline(admin.TabularInline): - model = TrustedRoot - -class OpenIDAdmin(admin.ModelAdmin): - list_display = ['openid', 'user', 'default'] - inlines = [TrustedRootInline, ] - raw_id_fields = ("user",) - search_fields = ('user__email',) - -admin.site.register(OpenID, OpenIDAdmin)
diff --git a/baserock_openid_provider/openid_provider/conf.py b/baserock_openid_provider/openid_provider/conf.py
deleted file mode 100644
index 7355c840..00000000
--- a/baserock_openid_provider/openid_provider/conf.py
+++ /dev/null
@@ -1,27 +0,0 @@
-import os -from django.conf import settings - -STORE = getattr(settings, 'OPENID_PROVIDER_STORE', - 'openid.store.filestore.FileOpenIDStore') - -if STORE == 'openid.store.filestore.FileOpenIDStore': - import tempfile - tempdir = tempfile.gettempdir() - - FILESTORE_PATH = getattr(settings, 'OPENID_PROVIDER_FILESTORE_PATH', - os.path.join(tempdir, 'openid-filestore')) - -SREG_DATA_CALLBACK = getattr(settings, 'OPENID_PROVIDER_SREG_DATA_CALLBACK', - 'openid_provider.utils.get_default_sreg_data') - -AX_DATA_CALLBACK = getattr(settings, 'OPENID_PROVIDER_AX_DATA_CALLBACK', - 'openid_provider.utils.get_default_ax_data') - -AX_EXTENSION = getattr(settings, 'OPENID_PROVIDER_AX_EXTENSION', False) - -AUTH_USER_MODEL = getattr(settings, 'AUTH_USER_MODEL', 'auth.User') - -# RPs without relying party verification mechanisms will be each time -# redirected to decide page, set to True to disable this: -FAILED_DISCOVERY_AS_VALID = getattr( - settings, 'OPENID_FAILED_DISCOVERY_AS_VALID', False)
diff --git a/baserock_openid_provider/openid_provider/models.py b/baserock_openid_provider/openid_provider/models.py
deleted file mode 100644
index bad24d9a..00000000
--- a/baserock_openid_provider/openid_provider/models.py
+++ /dev/null
@@ -1,42 +0,0 @@
-# -*- coding: utf-8 -*- -# vim: set ts=4 sw=4 : */ - -from django.utils.translation import ugettext_lazy as _ -from django.db import models - -from openid_provider.conf import AUTH_USER_MODEL -from openid_provider.utils import get_username - -class OpenID(models.Model): - user = models.ForeignKey(AUTH_USER_MODEL) - openid = models.CharField(max_length=200, blank=True, unique=True) - default = models.BooleanField(default=False) - - class Meta: - verbose_name = _('OpenID') - verbose_name_plural = _('OpenIDs') - ordering = ['openid'] - - def __unicode__(self): - return u"%s|%s" % (get_username(self.user), self.openid) - - def save(self, *args, **kwargs): - if self.openid in ['', u'', None]: - from hashlib import sha1 - import random, base64 - sha = sha1() - sha.update(unicode(get_username(self.user)).encode('utf-8')) - sha.update(str(random.random())) - value = str(base64.b64encode(sha.digest())) - value = value.replace('/', '').replace('+', '').replace('=', '') - self.openid = value - super(OpenID, self).save(*args, **kwargs) - if self.default: - self.user.openid_set.exclude(pk=self.pk).update(default=False) - -class TrustedRoot(models.Model): - openid = models.ForeignKey(OpenID) - trust_root = models.CharField(max_length=200) - - def __unicode__(self): - return unicode(self.trust_root)
diff --git a/baserock_openid_provider/openid_provider/south_migrations/0001_initial.py b/baserock_openid_provider/openid_provider/south_migrations/0001_initial.py
deleted file mode 100644
index 1857f59a..00000000
--- a/baserock_openid_provider/openid_provider/south_migrations/0001_initial.py
+++ /dev/null
@@ -1,89 +0,0 @@
-# -*- coding: utf-8 -*- -import datetime -from south.db import db -from south.v2 import SchemaMigration -from django.db import models - - -class Migration(SchemaMigration): - - def forwards(self, orm): - # Adding model 'OpenID' - db.create_table('openid_provider_openid', ( - ('id', self.gf('django.db.models.fields.AutoField')(primary_key=True)), - ('user', self.gf('django.db.models.fields.related.ForeignKey')(to=orm['auth.User'])), - ('openid', self.gf('django.db.models.fields.CharField')(unique=True, max_length=200, blank=True)), - ('default', self.gf('django.db.models.fields.BooleanField')(default=False)), - )) - db.send_create_signal('openid_provider', ['OpenID']) - - # Adding model 'TrustedRoot' - db.create_table('openid_provider_trustedroot', ( - ('id', self.gf('django.db.models.fields.AutoField')(primary_key=True)), - ('openid', self.gf('django.db.models.fields.related.ForeignKey')(to=orm['openid_provider.OpenID'])), - ('trust_root', self.gf('django.db.models.fields.CharField')(max_length=200)), - )) - db.send_create_signal('openid_provider', ['TrustedRoot']) - - - def backwards(self, orm): - # Deleting model 'OpenID' - db.delete_table('openid_provider_openid') - - # Deleting model 'TrustedRoot' - db.delete_table('openid_provider_trustedroot') - - - models = { - 'auth.group': { - 'Meta': {'object_name': 'Group'}, - 'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}), - 'name': ('django.db.models.fields.CharField', [], {'unique': 'True', 'max_length': '80'}), - 'permissions': ('django.db.models.fields.related.ManyToManyField', [], {'to': "orm['auth.Permission']", 'symmetrical': 'False', 'blank': 'True'}) - }, - 'auth.permission': { - 'Meta': {'ordering': "('content_type__app_label', 'content_type__model', 'codename')", 'unique_together': "(('content_type', 'codename'),)", 'object_name': 'Permission'}, - 'codename': ('django.db.models.fields.CharField', [], {'max_length': '100'}), - 'content_type': 
('django.db.models.fields.related.ForeignKey', [], {'to': "orm['contenttypes.ContentType']"}), - 'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}), - 'name': ('django.db.models.fields.CharField', [], {'max_length': '50'}) - }, - 'auth.user': { - 'Meta': {'object_name': 'User'}, - 'date_joined': ('django.db.models.fields.DateTimeField', [], {'default': 'datetime.datetime.now'}), - 'email': ('django.db.models.fields.EmailField', [], {'max_length': '75', 'blank': 'True'}), - 'first_name': ('django.db.models.fields.CharField', [], {'max_length': '30', 'blank': 'True'}), - 'groups': ('django.db.models.fields.related.ManyToManyField', [], {'to': "orm['auth.Group']", 'symmetrical': 'False', 'blank': 'True'}), - 'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}), - 'is_active': ('django.db.models.fields.BooleanField', [], {'default': 'True'}), - 'is_staff': ('django.db.models.fields.BooleanField', [], {'default': 'False'}), - 'is_superuser': ('django.db.models.fields.BooleanField', [], {'default': 'False'}), - 'last_login': ('django.db.models.fields.DateTimeField', [], {'default': 'datetime.datetime.now'}), - 'last_name': ('django.db.models.fields.CharField', [], {'max_length': '30', 'blank': 'True'}), - 'password': ('django.db.models.fields.CharField', [], {'max_length': '128'}), - 'user_permissions': ('django.db.models.fields.related.ManyToManyField', [], {'to': "orm['auth.Permission']", 'symmetrical': 'False', 'blank': 'True'}), - 'username': ('django.db.models.fields.CharField', [], {'unique': 'True', 'max_length': '30'}) - }, - 'contenttypes.contenttype': { - 'Meta': {'ordering': "('name',)", 'unique_together': "(('app_label', 'model'),)", 'object_name': 'ContentType', 'db_table': "'django_content_type'"}, - 'app_label': ('django.db.models.fields.CharField', [], {'max_length': '100'}), - 'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}), - 'model': ('django.db.models.fields.CharField', [], 
{'max_length': '100'}), - 'name': ('django.db.models.fields.CharField', [], {'max_length': '100'}) - }, - 'openid_provider.openid': { - 'Meta': {'ordering': "['openid']", 'object_name': 'OpenID'}, - 'default': ('django.db.models.fields.BooleanField', [], {'default': 'False'}), - 'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}), - 'openid': ('django.db.models.fields.CharField', [], {'unique': 'True', 'max_length': '200', 'blank': 'True'}), - 'user': ('django.db.models.fields.related.ForeignKey', [], {'to': "orm['auth.User']"}) - }, - 'openid_provider.trustedroot': { - 'Meta': {'object_name': 'TrustedRoot'}, - 'id': ('django.db.models.fields.AutoField', [], {'primary_key': 'True'}), - 'openid': ('django.db.models.fields.related.ForeignKey', [], {'to': "orm['openid_provider.OpenID']"}), - 'trust_root': ('django.db.models.fields.CharField', [], {'max_length': '200'}) - } - } - - complete_apps = ['openid_provider']
\ No newline at end of file
diff --git a/baserock_openid_provider/openid_provider/south_migrations/__init__.py b/baserock_openid_provider/openid_provider/south_migrations/__init__.py
deleted file mode 100644
index e69de29b..00000000
--- a/baserock_openid_provider/openid_provider/south_migrations/__init__.py
+++ /dev/null
diff --git a/baserock_openid_provider/openid_provider/templates/openid_provider/base.html b/baserock_openid_provider/openid_provider/templates/openid_provider/base.html
deleted file mode 100644
index 94d9808c..00000000
--- a/baserock_openid_provider/openid_provider/templates/openid_provider/base.html
+++ /dev/null
@@ -1 +0,0 @@
-{% extends "base.html" %}
diff --git a/baserock_openid_provider/openid_provider/templates/openid_provider/decide.html b/baserock_openid_provider/openid_provider/templates/openid_provider/decide.html
deleted file mode 100644
index 5b87f824..00000000
--- a/baserock_openid_provider/openid_provider/templates/openid_provider/decide.html
+++ /dev/null
@@ -1,41 +0,0 @@
-{% extends "openid_provider/base.html" %} - -{% block content %} -{% ifequal trust_root_valid "Valid" %} - <!-- Trust root has been validated by OpenID 2 mechanism. --> - <p>The site <tt>{{ trust_root|escape }}</tt> has requested verification - of your OpenID.</p> -{% endifequal %} -{% ifequal trust_root_valid "Invalid" %} -<div class="error"> - <p>This request claims to be from {{ trust_root|escape }} but I have - determined that <em>it is a pack of lies</em>. Beware, if you release - information to them, they are likely to do unconscionable things with it, - being the lying liars that they are.</p> - <p>Please tell the <em>real</em> {{ trust_root|escape }} that someone is - trying to abuse your trust in their good name.</p> -</div> -{% endifequal %} -{% ifequal trust_root_valid "Unreachable" %} - <p>The site <tt>{{ trust_root|escape }}</tt> has requested verification - of your OpenID. I have failed to reach it and thus cannot vouch for its - authenticity. Perhaps it is on your local network.</p> -{% endifequal %} -{% ifequal trust_root_valid "DISCOVERY_FAILED" %} - <p>The site <tt>{{ trust_root|escape }}</tt> has requested verification - of your OpenID. However, <tt>{{ trust_root|escape }}</tt> does not - implement OpenID 2.0's relying party verification mechanism. Please use - extra caution in deciding whether to release information to this party, - and ask <tt>{{ trust_root|escape }}</tt> to implement relying party - verification for your future transactions.</p> - <p>You will return to <tt>{{ return_to|escape }}</tt></p> -{% endifequal %} - -<form method="post">{% csrf_token %} -Verify your identity to the relying party? -<br/> -<input type="hidden" name="decide_page" value="True" /> -<input type="submit" value="Yes (Allow)" name="allow" /> -<input type="submit" value="No (Cancel)" name="cancel" /> -</form> -{% endblock %}
diff --git a/baserock_openid_provider/openid_provider/templates/openid_provider/error.html b/baserock_openid_provider/openid_provider/templates/openid_provider/error.html
deleted file mode 100644
index 11b77b21..00000000
--- a/baserock_openid_provider/openid_provider/templates/openid_provider/error.html
+++ /dev/null
@@ -1,6 +0,0 @@
-{% extends "openid_provider/base.html" %} - -{% block content %} -<h1>{{ title }}</h1> -{{ msg }} -{% endblock %}
diff --git a/baserock_openid_provider/openid_provider/templates/openid_provider/response.html b/baserock_openid_provider/openid_provider/templates/openid_provider/response.html
deleted file mode 100644
index 5f7e46fa..00000000
--- a/baserock_openid_provider/openid_provider/templates/openid_provider/response.html
+++ /dev/null
@@ -1,12 +0,0 @@
-{% extends "openid_provider/base.html" %} - -{% block content %} -<div id="openid-body"> - {{ body|safe }} -</div> -<script type="text/javascript"> - // the url is too long (> 2047) to be submitted via GET. It needs to be POSTed. - // the should not require to click the "Continue"-Button, therefore we submit it via js - document.getElementById('openid-body').getElementsByTagName('form')[0].submit(); -</script> -{% endblock %}
diff --git a/baserock_openid_provider/openid_provider/templates/openid_provider/server.html b/baserock_openid_provider/openid_provider/templates/openid_provider/server.html
deleted file mode 100644
index 80615157..00000000
--- a/baserock_openid_provider/openid_provider/templates/openid_provider/server.html
+++ /dev/null
@@ -1,9 +0,0 @@
-{% extends "openid_provider/base.html" %} - -{% block extrahead %}{{ block.super }} -<meta http-equiv="x-xrds-location" content="{{ xrds_location }}"> -{% endblock %} - -{% block content %} -This is an OpenID server. -{% endblock %}
diff --git a/baserock_openid_provider/openid_provider/templates/openid_provider/xrds.xml b/baserock_openid_provider/openid_provider/templates/openid_provider/xrds.xml
deleted file mode 100644
index 960685b0..00000000
--- a/baserock_openid_provider/openid_provider/templates/openid_provider/xrds.xml
+++ /dev/null
@@ -1,10 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?> -<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"> - <XRD> - <Service priority="0">{% for uri in types %} - <Type>{{ uri|escape }}</Type> - {% endfor %}{% for endpoint in endpoints %} - <URI>{{ endpoint }}</URI> - {% endfor %}</Service> - </XRD> -</xrds:XRDS>
diff --git a/baserock_openid_provider/openid_provider/urls.py b/baserock_openid_provider/openid_provider/urls.py
deleted file mode 100644
index 33f79ce7..00000000
--- a/baserock_openid_provider/openid_provider/urls.py
+++ /dev/null
@@ -1,14 +0,0 @@
-# -*- coding: utf-8 -*- -# vim: set ts=4 sw=4 : */ - -try: - from django.conf.urls import patterns, url -except ImportError: # Django < 1.4 - from django.conf.urls.defaults import patterns, url - -urlpatterns = patterns('openid_provider.views', - url(r'^$', 'openid_server', name='openid-provider-root'), - url(r'^decide/$', 'openid_decide', name='openid-provider-decide'), - url(r'^xrds/$', 'openid_xrds', name='openid-provider-xrds'), - url(r'^(?P<id>.*)/$', 'openid_xrds', {'identity': True}, name='openid-provider-identity'), -)
diff --git a/baserock_openid_provider/openid_provider/utils.py b/baserock_openid_provider/openid_provider/utils.py
deleted file mode 100644
index dc0c714f..00000000
--- a/baserock_openid_provider/openid_provider/utils.py
+++ /dev/null
@@ -1,130 +0,0 @@
-# -*- coding: utf-8 -*- vim: set et ts=4 sw=4 : -# some code from http://www.djangosnippets.org/snippets/310/ by simon -# and from examples/djopenid from python-openid-2.2.4 -from hashlib import sha1 -from openid_provider import conf -from openid.extensions import ax, sreg -from openid.server.server import Server, BROWSER_REQUEST_MODES -from openid.server.trustroot import verifyReturnTo -from openid.yadis.discover import DiscoveryFailure -from openid.fetchers import HTTPFetchingError - -from django.core.exceptions import ImproperlyConfigured -from django.core.urlresolvers import reverse -from django.http import HttpResponse -from django.shortcuts import render_to_response - -from importlib import import_module - -import logging - -logger = logging.getLogger(__name__) - -def import_module_attr(path): - package, module = path.rsplit('.', 1) - return getattr(import_module(package), module) - -def get_username(u): - if hasattr(u, 'get_username'): - return u.get_username() - return u.username - -def get_default_sreg_data(request, orequest): - return { - 'email': request.user.email, - 'nickname': get_username(request.user), - 'fullname': request.user.get_full_name(), - } - -def get_default_ax_data(request, orequest): - return { - 'http://axschema.org/contact/email': request.user.email, - 'http://axschema.org/namePerson': request.user.get_full_name(), - 'http://axschema.org/namePerson/friendly': get_username(request.user), - 'http://axschema.org/namePerson/first': request.user.first_name, - 'http://axschema.org/namePerson/last': request.user.last_name, - } - -def add_sreg_data(request, orequest, oresponse): - callback = get_sreg_callback() - if callback is None or not callable(callback): - return - sreg_data = callback(request, orequest) - sreg_req = sreg.SRegRequest.fromOpenIDRequest(orequest) - sreg_resp = sreg.SRegResponse.extractResponse(sreg_req, sreg_data) - oresponse.addExtension(sreg_resp) - -def add_ax_data(request, orequest, oresponse): - 
callback = get_ax_callback() - if callback is None or not callable(callback): - return - ax_data = callback(request, orequest) - ax_req = ax.FetchRequest.fromOpenIDRequest(orequest) - ax_resp = ax.FetchResponse(ax_req) - if ax_req is not None: - for attr in ax_req.getRequiredAttrs(): - value = ax_data.get(attr, None) - if value is not None: - ax_resp.addValue(attr, value) - oresponse.addExtension(ax_resp) - -def get_sreg_callback(): - try: - return import_module_attr(conf.SREG_DATA_CALLBACK) - except (ImportError, AttributeError): - return None - -def get_ax_callback(): - try: - return import_module_attr(conf.AX_DATA_CALLBACK) - except (ImportError, AttributeError): - return None - -def get_store(request): - try: - store_class = import_module_attr(conf.STORE) - except ImportError: - raise ImproperlyConfigured( - "OpenID store %r could not be imported" % conf.STORE) - # The FileOpenIDStore requires a path to save the user files. - if conf.STORE == 'openid.store.filestore.FileOpenIDStore': - return store_class(conf.FILESTORE_PATH) - return store_class() - -def trust_root_validation(orequest): - """ - OpenID specs 9.2.1: using realm for return url verification - """ - try: - return verifyReturnTo( - orequest.trust_root, orequest.return_to) and "Valid" or "Invalid" - except HTTPFetchingError: - return "Unreachable" - except DiscoveryFailure: - return "DISCOVERY_FAILED" - -def get_trust_session_key(orequest): - return 'OPENID_' + sha1( - orequest.trust_root + orequest.return_to).hexdigest() - -def prep_response(request, orequest, oresponse, server=None): - # Convert a webresponse from the OpenID library in to a Django HttpResponse - - if not server: - server = Server(get_store(request), - op_endpoint=request.build_absolute_uri( - reverse('openid-provider-root'))) - webresponse = server.encodeResponse(oresponse) - if webresponse.code == 200 and orequest.mode in BROWSER_REQUEST_MODES: - response = render_to_response('openid_provider/response.html', { - 'body': 
webresponse.body, - }, context_instance=RequestContext(request)) - logger.debug('rendering browser response') - else: - response = HttpResponse(webresponse.body) - response.status_code = webresponse.code - for key, value in webresponse.headers.items(): - response[key] = value - logger.debug('rendering raw response') - return response -
diff --git a/baserock_openid_provider/openid_provider/views.py b/baserock_openid_provider/openid_provider/views.py
deleted file mode 100644
index 1b8ef6d5..00000000
--- a/baserock_openid_provider/openid_provider/views.py
+++ /dev/null
@@ -1,323 +0,0 @@
-# -*- coding: utf-8 -*- -# some code from http://www.djangosnippets.org/snippets/310/ by simon -# and from examples/djopenid from python-openid-2.2.4 -import urlparse -import logging -from urllib import urlencode, quote - -from django.conf import settings -from django.core.urlresolvers import reverse -from django.http import HttpResponse, HttpResponseRedirect, QueryDict -from django.shortcuts import render_to_response -from django.template import RequestContext -from django.utils.translation import ugettext as _ - -from django.utils.encoding import smart_str -try: - from django.views.decorators.csrf import csrf_exempt -except ImportError: - from django.contrib.csrf.middleware import csrf_exempt - -from django.contrib.auth import REDIRECT_FIELD_NAME - -from openid.association import default_negotiator, encrypted_negotiator -from openid.consumer.discover import OPENID_IDP_2_0_TYPE, OPENID_2_0_TYPE -from openid.extensions import sreg, ax -from openid.server.server import Server, BROWSER_REQUEST_MODES -from openid.yadis.constants import YADIS_CONTENT_TYPE - -from openid_provider import conf -from openid_provider.utils import add_sreg_data, add_ax_data, get_store, \ - trust_root_validation, get_trust_session_key, prep_response -from openid_provider.models import TrustedRoot - -logger = logging.getLogger(__name__) - - -# Special URL which means 'let the user choose whichever identity'. -IDENTIFIER_SELECT_URL = 'http://specs.openid.net/auth/2.0/identifier_select' - - -@csrf_exempt -def openid_server(request): - """ - This view is the actual OpenID server - running at the URL pointed to by - the <link rel="openid.server"> tag. 
- """ - logger.debug('server request %s: %s', - request.method, request.POST or request.GET) - server = openid_get_server(request) - - if not request.is_secure(): - # if request is not secure allow only encrypted association sessions - server.negotiator = encrypted_negotiator - - # Clear AuthorizationInfo session var, if it is set - if request.session.get('AuthorizationInfo', None): - del request.session['AuthorizationInfo'] - - if request.method == 'GET': - querydict = dict(request.GET.items()) - elif request.method == 'POST': - querydict = dict(request.POST.items()) - else: - return HTTPResponseNotAllowed(['GET', 'POST']) - - orequest = server.decodeRequest(querydict) - if not orequest: - orequest = server.decodeRequest(request.session.get('OPENID_REQUEST', None)) - if orequest: - # remove session stored data: - del request.session['OPENID_REQUEST'] - else: - # not request, render info page: - data = { - 'host': request.build_absolute_uri('/'), - 'xrds_location': request.build_absolute_uri( - reverse('openid-provider-xrds')), - } - logger.debug('invalid request, sending info: %s', data) - return render_to_response('openid_provider/server.html', - data, - context_instance=RequestContext(request)) - - if orequest.mode in BROWSER_REQUEST_MODES: - if not request.user.is_authenticated(): - logger.debug('no local authentication, sending landing page') - return landing_page(request, orequest) - - openid = openid_is_authorized(request, orequest.identity, - orequest.trust_root) - - # verify return_to: - trust_root_valid = trust_root_validation(orequest) - validated = False - - if conf.FAILED_DISCOVERY_AS_VALID: - if trust_root_valid == 'DISCOVERY_FAILED': - validated = True - else: - # if in decide already took place, set as valid: - if request.session.get(get_trust_session_key(orequest), False): - validated = True - - if openid is not None and (validated or trust_root_valid == 'Valid'): - if orequest.identity == IDENTIFIER_SELECT_URL: - id_url = 
request.build_absolute_uri( - reverse('openid-provider-identity', args=[openid.openid])) - else: - # We must return exactly the identity URL that was requested, - # otherwise the openid.server module raises an error. - id_url = orequest.identity - - oresponse = orequest.answer(True, identity=id_url) - logger.debug('orequest.answer(True, identity="%s")', id_url) - elif orequest.immediate: - logger.debug('checkid_immediate mode not supported') - raise Exception('checkid_immediate mode not supported') - else: - request.session['OPENID_REQUEST'] = orequest.message.toPostArgs() - request.session['OPENID_TRUSTROOT_VALID'] = trust_root_valid - logger.debug( - 'Set OPENID_REQUEST to %s in session %s', - request.session['OPENID_REQUEST'], request.session) - logger.debug( - 'Set OPENID_TRUSTROOT_VALID to %s in session %s', - request.session['OPENID_TRUSTROOT_VALID'], request.session) - logger.debug('redirecting to decide page') - return HttpResponseRedirect(reverse('openid-provider-decide')) - else: - oresponse = server.handleRequest(orequest) - if request.user.is_authenticated(): - add_sreg_data(request, orequest, oresponse) - if conf.AX_EXTENSION: - add_ax_data(request, orequest, oresponse) - - return prep_response(request, orequest, oresponse, server) - -def openid_xrds(request, identity=False, id=None): - if identity: - types = [OPENID_2_0_TYPE] - else: - types = [OPENID_IDP_2_0_TYPE, sreg.ns_uri] - if conf.AX_EXTENSION: - types.append(ax.AXMessage.ns_uri) - endpoints = [request.build_absolute_uri(reverse('openid-provider-root'))] - return render_to_response('openid_provider/xrds.xml', { - 'host': request.build_absolute_uri('/'), - 'types': types, - 'endpoints': endpoints, - }, context_instance=RequestContext(request), content_type=YADIS_CONTENT_TYPE) - - -def url_for_openid(request, openid): - return request.build_absolute_uri( - reverse('openid-provider-identity', args=[openid.openid])) - - -def openid_not_found_error_message(request, identity_url): - ids = 
request.user.openid_set - if ids.count() == 0: - message = "You have no OpenIDs configured. Contact the administrator." - else: - id_urls = [url_for_openid(request, id) for id in ids.iterator()] - id_urls = ', '.join(id_urls) - if ids.count() != 1: - message = "You somehow have multiple OpenIDs: " + id_urls - else: - message = "Your OpenID URL is: " + id_urls - return "You do not have the OpenID '%s'. %s" % (identity_url, message) - - -def openid_decide(request): - """ - The page that asks the user if they really want to sign in to the site, and - lets them add the consumer to their trusted whitelist. - # If user is logged in, ask if they want to trust this trust_root - # If they are NOT logged in, show the landing page - """ - server = openid_get_server(request) - orequest = server.decodeRequest(request.session.get('OPENID_REQUEST')) - trust_root_valid = request.session.get('OPENID_TRUSTROOT_VALID') - - logger.debug('Got OPENID_REQUEST %s, OPENID_TRUSTROOT_VALID %s from ' - 'session %s', orequest, trust_root_valid, request.session) - - if not request.user.is_authenticated(): - return landing_page(request, orequest) - - if orequest is None: - # This isn't normal, but can occur if the user uses the 'back' button - # or if the session data is otherwise lost for some reason. - return error_page( - request, "I've lost track of your session now. Sorry! Please go " - "back to the site you are logging in to with a Baserock " - "OpenID and, if you're not yet logged in, try again.") - - openid = openid_get_identity(request, orequest.identity) - if openid is None: - # User should only ever have one OpenID, created for them when they - # registered. 
- message = openid_not_found_error_message(request, orequest.identity) - return error_page(request, message) - - if request.method == 'POST' and request.POST.get('decide_page', False): - if request.POST.get('allow', False): - TrustedRoot.objects.get_or_create( - openid=openid, trust_root=orequest.trust_root) - if not conf.FAILED_DISCOVERY_AS_VALID: - request.session[get_trust_session_key(orequest)] = True - return HttpResponseRedirect(reverse('openid-provider-root')) - - oresponse = orequest.answer(False) - logger.debug('orequest.answer(False)') - return prep_response(request, orequest, oresponse) - - return render_to_response('openid_provider/decide.html', { - 'title': _('Trust this site?'), - 'trust_root': orequest.trust_root, - 'trust_root_valid': trust_root_valid, - 'return_to': orequest.return_to, - 'identity': orequest.identity, - }, context_instance=RequestContext(request)) - -def error_page(request, msg): - return render_to_response('openid_provider/error.html', { - 'title': _('Error'), - 'msg': msg, - }, context_instance=RequestContext(request)) - -class SafeQueryDict(QueryDict): - """ - A custom QueryDict class that implements a urlencode method - knowing how to excempt some characters as safe. - - Backported from Django 1.3 - """ - def urlencode(self, safe=None): - output = [] - if safe: - encode = lambda k, v: '%s=%s' % ((quote(k, safe), quote(v, safe))) - else: - encode = lambda k, v: urlencode({k: v}) - for k, list_ in self.lists(): - k = smart_str(k, self.encoding) - output.extend([encode(k, smart_str(v, self.encoding)) - for v in list_]) - return '&'.join(output) - -def landing_page(request, orequest, login_url=None, - redirect_field_name=REDIRECT_FIELD_NAME): - """ - The page shown when the user attempts to sign in somewhere using OpenID - but is not authenticated with the site. For idproxy.net, a message telling - them to log in manually is displayed. 
- """ - request.session['OPENID_REQUEST'] = orequest.message.toPostArgs() - logger.debug( - 'Set OPENID_REQUEST to %s in session %s', - request.session['OPENID_REQUEST'], request.session) - if not login_url: - login_url = settings.LOGIN_URL - path = request.get_full_path() - login_url_parts = list(urlparse.urlparse(login_url)) - if redirect_field_name: - querystring = SafeQueryDict(login_url_parts[4], mutable=True) - querystring[redirect_field_name] = path - login_url_parts[4] = querystring.urlencode(safe='/') - return HttpResponseRedirect(urlparse.urlunparse(login_url_parts)) - -def openid_is_authorized(request, identity_url, trust_root): - """ - Check that they own the given identity URL, and that the trust_root is - in their whitelist of trusted sites. - """ - if not request.user.is_authenticated(): - return None - - openid = openid_get_identity(request, identity_url) - if openid is None: - return None - - if openid.trustedroot_set.filter(trust_root=trust_root).count() < 1: - return None - - return openid - - -def url_is_equivalent(a, b): - """ - Test if two URLs are equivalent OpenIDs. - """ - return a.rstrip('/') == b.rstrip('/') - - -def openid_get_identity(request, identity_url): - """ - Select openid based on claim (identity_url). - If none was claimed identity_url will be - 'http://specs.openid.net/auth/2.0/identifier_select' - - in that case return default one - - if user has no default one, return any - - in other case return None! 
- """ - logger.debug('Looking for %s in user %s set of OpenIDs %s', - identity_url, request.user, request.user.openid_set) - for openid in request.user.openid_set.iterator(): - if url_is_equivalent(identity_url, url_for_openid(request, openid)): - return openid - if identity_url == IDENTIFIER_SELECT_URL: - # no claim was made, choose user default openid: - openids = request.user.openid_set.filter(default=True) - if openids.count() == 1: - return openids[0] - if request.user.openid_set.count() > 0: - return request.user.openid_set.all()[0] - return None - - -def openid_get_server(request): - return Server( - get_store(request), - op_endpoint=request.build_absolute_uri( - reverse('openid-provider-root'))) |