414 lines
16 KiB
Python
414 lines
16 KiB
Python
# (c) 2005 Ben Bangert
|
|
# This module is part of the Python Paste Project and is released under
|
|
# the MIT License: http://www.opensource.org/licenses/mit-license.php
|
|
"""
|
|
OpenID Authentication (Consumer)
|
|
|
|
OpenID is a distributed authentication system for single sign-on originally
|
|
developed at/for LiveJournal.com.
|
|
|
|
http://openid.net/
|
|
|
|
URL. You can have multiple identities in the same way you can have multiple
|
|
URLs. All OpenID does is provide a way to prove that you own a URL (identity).
|
|
And it does this without passing around your password, your email address, or
|
|
anything you don't want it to. There's no profile exchange component at all:
|
|
your profiile is your identity URL, but recipients of your identity can then
|
|
learn more about you from any public, semantically interesting documents
|
|
linked thereunder (FOAF, RSS, Atom, vCARD, etc.).
|
|
|
|
``Note``: paste.auth.openid requires installation of the Python-OpenID
|
|
libraries::
|
|
|
|
http://www.openidenabled.com/
|
|
|
|
This module is based highly off the consumer.py that Python OpenID comes with.
|
|
|
|
Using the OpenID Middleware
|
|
===========================
|
|
|
|
Using the OpenID middleware is fairly easy, the most minimal example using the
|
|
basic login form thats included::
|
|
|
|
# Add to your wsgi app creation
|
|
from paste.auth import open_id
|
|
|
|
wsgi_app = open_id.middleware(wsgi_app, '/somewhere/to/store/openid/data')
|
|
|
|
You will now have the OpenID form available at /oid on your site. Logging in will
|
|
verify that the login worked.
|
|
|
|
A more complete login should involve having the OpenID middleware load your own
|
|
login page after verifying the OpenID URL so that you can retain the login
|
|
information in your webapp (session, cookies, etc.)::
|
|
|
|
wsgi_app = open_id.middleware(wsgi_app, '/somewhere/to/store/openid/data',
|
|
login_redirect='/your/login/code')
|
|
|
|
Your login code should then be configured to retrieve 'paste.auth.open_id' for
|
|
the users OpenID URL. If this key does not exist, the user has not logged in.
|
|
|
|
Once the login is retrieved, it should be saved in your webapp, and the user
|
|
should be redirected to wherever they would normally go after a successful
|
|
login.
|
|
"""
|
|
|
|
__all__ = ['AuthOpenIDHandler']
|
|
|
|
import cgi
|
|
import urlparse
|
|
import re
|
|
import six
|
|
|
|
import paste.request
|
|
from paste import httpexceptions
|
|
|
|
def quoteattr(s):
|
|
qs = cgi.escape(s, 1)
|
|
return '"%s"' % (qs,)
|
|
|
|
# You may need to manually add the openid package into your
|
|
# python path if you don't have it installed with your system python.
|
|
# If so, uncomment the line below, and change the path where you have
|
|
# Python-OpenID.
|
|
# sys.path.append('/path/to/openid/')
|
|
|
|
from openid.store import filestore
|
|
from openid.consumer import consumer
|
|
from openid.oidutil import appendArgs
|
|
|
|
class AuthOpenIDHandler(object):
|
|
"""
|
|
This middleware implements OpenID Consumer behavior to authenticate a
|
|
URL against an OpenID Server.
|
|
"""
|
|
|
|
def __init__(self, app, data_store_path, auth_prefix='/oid',
|
|
login_redirect=None, catch_401=False,
|
|
url_to_username=None):
|
|
"""
|
|
Initialize the OpenID middleware
|
|
|
|
``app``
|
|
Your WSGI app to call
|
|
|
|
``data_store_path``
|
|
Directory to store crypto data in for use with OpenID servers.
|
|
|
|
``auth_prefix``
|
|
Location for authentication process/verification
|
|
|
|
``login_redirect``
|
|
Location to load after successful process of login
|
|
|
|
``catch_401``
|
|
If true, then any 401 responses will turn into open ID login
|
|
requirements.
|
|
|
|
``url_to_username``
|
|
A function called like ``url_to_username(environ, url)``, which should
|
|
return a string username. If not given, the URL will be the username.
|
|
"""
|
|
store = filestore.FileOpenIDStore(data_store_path)
|
|
self.oidconsumer = consumer.OpenIDConsumer(store)
|
|
|
|
self.app = app
|
|
self.auth_prefix = auth_prefix
|
|
self.data_store_path = data_store_path
|
|
self.login_redirect = login_redirect
|
|
self.catch_401 = catch_401
|
|
self.url_to_username = url_to_username
|
|
|
|
def __call__(self, environ, start_response):
|
|
if environ['PATH_INFO'].startswith(self.auth_prefix):
|
|
# Let's load everything into a request dict to pass around easier
|
|
request = dict(environ=environ, start=start_response, body=[])
|
|
request['base_url'] = paste.request.construct_url(environ, with_path_info=False,
|
|
with_query_string=False)
|
|
|
|
path = re.sub(self.auth_prefix, '', environ['PATH_INFO'])
|
|
request['parsed_uri'] = urlparse.urlparse(path)
|
|
request['query'] = dict(paste.request.parse_querystring(environ))
|
|
|
|
path = request['parsed_uri'][2]
|
|
if path == '/' or not path:
|
|
return self.render(request)
|
|
elif path == '/verify':
|
|
return self.do_verify(request)
|
|
elif path == '/process':
|
|
return self.do_process(request)
|
|
else:
|
|
return self.not_found(request)
|
|
else:
|
|
if self.catch_401:
|
|
return self.catch_401_app_call(environ, start_response)
|
|
return self.app(environ, start_response)
|
|
|
|
def catch_401_app_call(self, environ, start_response):
|
|
"""
|
|
Call the application, and redirect if the app returns a 401 response
|
|
"""
|
|
was_401 = []
|
|
def replacement_start_response(status, headers, exc_info=None):
|
|
if int(status.split(None, 1)) == 401:
|
|
# @@: Do I need to append something to go back to where we
|
|
# came from?
|
|
was_401.append(1)
|
|
def dummy_writer(v):
|
|
pass
|
|
return dummy_writer
|
|
else:
|
|
return start_response(status, headers, exc_info)
|
|
app_iter = self.app(environ, replacement_start_response)
|
|
if was_401:
|
|
try:
|
|
list(app_iter)
|
|
finally:
|
|
if hasattr(app_iter, 'close'):
|
|
app_iter.close()
|
|
redir_url = paste.request.construct_url(environ, with_path_info=False,
|
|
with_query_string=False)
|
|
exc = httpexceptions.HTTPTemporaryRedirect(redir_url)
|
|
return exc.wsgi_application(environ, start_response)
|
|
else:
|
|
return app_iter
|
|
|
|
def do_verify(self, request):
|
|
"""Process the form submission, initating OpenID verification.
|
|
"""
|
|
|
|
# First, make sure that the user entered something
|
|
openid_url = request['query'].get('openid_url')
|
|
if not openid_url:
|
|
return self.render(request, 'Enter an identity URL to verify.',
|
|
css_class='error', form_contents=openid_url)
|
|
|
|
oidconsumer = self.oidconsumer
|
|
|
|
# Then, ask the library to begin the authorization.
|
|
# Here we find out the identity server that will verify the
|
|
# user's identity, and get a token that allows us to
|
|
# communicate securely with the identity server.
|
|
status, info = oidconsumer.beginAuth(openid_url)
|
|
|
|
# If the URL was unusable (either because of network
|
|
# conditions, a server error, or that the response returned
|
|
# was not an OpenID identity page), the library will return
|
|
# an error code. Let the user know that that URL is unusable.
|
|
if status in [consumer.HTTP_FAILURE, consumer.PARSE_ERROR]:
|
|
if status == consumer.HTTP_FAILURE:
|
|
fmt = 'Failed to retrieve <q>%s</q>'
|
|
else:
|
|
fmt = 'Could not find OpenID information in <q>%s</q>'
|
|
|
|
message = fmt % (cgi.escape(openid_url),)
|
|
return self.render(request, message, css_class='error', form_contents=openid_url)
|
|
elif status == consumer.SUCCESS:
|
|
# The URL was a valid identity URL. Now we construct a URL
|
|
# that will get us to process the server response. We will
|
|
# need the token from the beginAuth call when processing
|
|
# the response. A cookie or a session object could be used
|
|
# to accomplish this, but for simplicity here we just add
|
|
# it as a query parameter of the return-to URL.
|
|
return_to = self.build_url(request, 'process', token=info.token)
|
|
|
|
# Now ask the library for the URL to redirect the user to
|
|
# his OpenID server. It is required for security that the
|
|
# return_to URL must be under the specified trust_root. We
|
|
# just use the base_url for this server as a trust root.
|
|
redirect_url = oidconsumer.constructRedirect(
|
|
info, return_to, trust_root=request['base_url'])
|
|
|
|
# Send the redirect response
|
|
return self.redirect(request, redirect_url)
|
|
else:
|
|
assert False, 'Not reached'
|
|
|
|
def do_process(self, request):
|
|
"""Handle the redirect from the OpenID server.
|
|
"""
|
|
oidconsumer = self.oidconsumer
|
|
|
|
# retrieve the token from the environment (in this case, the URL)
|
|
token = request['query'].get('token', '')
|
|
|
|
# Ask the library to check the response that the server sent
|
|
# us. Status is a code indicating the response type. info is
|
|
# either None or a string containing more information about
|
|
# the return type.
|
|
status, info = oidconsumer.completeAuth(token, request['query'])
|
|
|
|
css_class = 'error'
|
|
openid_url = None
|
|
if status == consumer.FAILURE and info:
|
|
# In the case of failure, if info is non-None, it is the
|
|
# URL that we were verifying. We include it in the error
|
|
# message to help the user figure out what happened.
|
|
openid_url = info
|
|
fmt = "Verification of %s failed."
|
|
message = fmt % (cgi.escape(openid_url),)
|
|
elif status == consumer.SUCCESS:
|
|
# Success means that the transaction completed without
|
|
# error. If info is None, it means that the user cancelled
|
|
# the verification.
|
|
css_class = 'alert'
|
|
if info:
|
|
# This is a successful verification attempt. If this
|
|
# was a real application, we would do our login,
|
|
# comment posting, etc. here.
|
|
openid_url = info
|
|
if self.url_to_username:
|
|
username = self.url_to_username(request['environ'], openid_url)
|
|
else:
|
|
username = openid_url
|
|
if 'paste.auth_tkt.set_user' in request['environ']:
|
|
request['environ']['paste.auth_tkt.set_user'](username)
|
|
if not self.login_redirect:
|
|
fmt = ("If you had supplied a login redirect path, you would have "
|
|
"been redirected there. "
|
|
"You have successfully verified %s as your identity.")
|
|
message = fmt % (cgi.escape(openid_url),)
|
|
else:
|
|
# @@: This stuff doesn't make sense to me; why not a remote redirect?
|
|
request['environ']['paste.auth.open_id'] = openid_url
|
|
request['environ']['PATH_INFO'] = self.login_redirect
|
|
return self.app(request['environ'], request['start'])
|
|
#exc = httpexceptions.HTTPTemporaryRedirect(self.login_redirect)
|
|
#return exc.wsgi_application(request['environ'], request['start'])
|
|
else:
|
|
# cancelled
|
|
message = 'Verification cancelled'
|
|
else:
|
|
# Either we don't understand the code or there is no
|
|
# openid_url included with the error. Give a generic
|
|
# failure message. The library should supply debug
|
|
# information in a log.
|
|
message = 'Verification failed.'
|
|
|
|
return self.render(request, message, css_class, openid_url)
|
|
|
|
def build_url(self, request, action, **query):
|
|
"""Build a URL relative to the server base_url, with the given
|
|
query parameters added."""
|
|
base = urlparse.urljoin(request['base_url'], self.auth_prefix + '/' + action)
|
|
return appendArgs(base, query)
|
|
|
|
def redirect(self, request, redirect_url):
|
|
"""Send a redirect response to the given URL to the browser."""
|
|
response_headers = [('Content-type', 'text/plain'),
|
|
('Location', redirect_url)]
|
|
request['start']('302 REDIRECT', response_headers)
|
|
return ["Redirecting to %s" % redirect_url]
|
|
|
|
def not_found(self, request):
|
|
"""Render a page with a 404 return code and a message."""
|
|
fmt = 'The path <q>%s</q> was not understood by this server.'
|
|
msg = fmt % (request['parsed_uri'],)
|
|
openid_url = request['query'].get('openid_url')
|
|
return self.render(request, msg, 'error', openid_url, status='404 Not Found')
|
|
|
|
def render(self, request, message=None, css_class='alert', form_contents=None,
|
|
status='200 OK', title="Python OpenID Consumer"):
|
|
"""Render a page."""
|
|
response_headers = [('Content-type', 'text/html')]
|
|
request['start'](str(status), response_headers)
|
|
|
|
self.page_header(request, title)
|
|
if message:
|
|
request['body'].append("<div class='%s'>" % (css_class,))
|
|
request['body'].append(message)
|
|
request['body'].append("</div>")
|
|
self.page_footer(request, form_contents)
|
|
return request['body']
|
|
|
|
def page_header(self, request, title):
|
|
"""Render the page header"""
|
|
request['body'].append('''\
|
|
<html>
|
|
<head><title>%s</title></head>
|
|
<style type="text/css">
|
|
* {
|
|
font-family: verdana,sans-serif;
|
|
}
|
|
body {
|
|
width: 50em;
|
|
margin: 1em;
|
|
}
|
|
div {
|
|
padding: .5em;
|
|
}
|
|
table {
|
|
margin: none;
|
|
padding: none;
|
|
}
|
|
.alert {
|
|
border: 1px solid #e7dc2b;
|
|
background: #fff888;
|
|
}
|
|
.error {
|
|
border: 1px solid #ff0000;
|
|
background: #ffaaaa;
|
|
}
|
|
#verify-form {
|
|
border: 1px solid #777777;
|
|
background: #dddddd;
|
|
margin-top: 1em;
|
|
padding-bottom: 0em;
|
|
}
|
|
</style>
|
|
<body>
|
|
<h1>%s</h1>
|
|
<p>
|
|
This example consumer uses the <a
|
|
href="http://openid.schtuff.com/">Python OpenID</a> library. It
|
|
just verifies that the URL that you enter is your identity URL.
|
|
</p>
|
|
''' % (title, title))
|
|
|
|
def page_footer(self, request, form_contents):
|
|
"""Render the page footer"""
|
|
if not form_contents:
|
|
form_contents = ''
|
|
|
|
request['body'].append('''\
|
|
<div id="verify-form">
|
|
<form method="get" action=%s>
|
|
Identity URL:
|
|
<input type="text" name="openid_url" value=%s />
|
|
<input type="submit" value="Verify" />
|
|
</form>
|
|
</div>
|
|
</body>
|
|
</html>
|
|
''' % (quoteattr(self.build_url(request, 'verify')), quoteattr(form_contents)))
|
|
|
|
|
|
middleware = AuthOpenIDHandler
|
|
|
|
def make_open_id_middleware(
|
|
app,
|
|
global_conf,
|
|
# Should this default to something, or inherit something from global_conf?:
|
|
data_store_path,
|
|
auth_prefix='/oid',
|
|
login_redirect=None,
|
|
catch_401=False,
|
|
url_to_username=None,
|
|
apply_auth_tkt=False,
|
|
auth_tkt_logout_path=None):
|
|
from paste.deploy.converters import asbool
|
|
from paste.util import import_string
|
|
catch_401 = asbool(catch_401)
|
|
if url_to_username and isinstance(url_to_username, six.string_types):
|
|
url_to_username = import_string.eval_import(url_to_username)
|
|
apply_auth_tkt = asbool(apply_auth_tkt)
|
|
new_app = AuthOpenIDHandler(
|
|
app, data_store_path=data_store_path, auth_prefix=auth_prefix,
|
|
login_redirect=login_redirect, catch_401=catch_401,
|
|
url_to_username=url_to_username or None)
|
|
if apply_auth_tkt:
|
|
from paste.auth import auth_tkt
|
|
new_app = auth_tkt.make_auth_tkt_middleware(
|
|
new_app, global_conf, logout_path=auth_tkt_logout_path)
|
|
return new_app
|