Changeset 4082

Timestamp:

04/08/08 10:35:20 (11 years ago)

Author:

pjkersha

Message:

Further cleaning up of OpenID Provider code - TODO: AuthKit? and templating (if any) integration

Location:

TI12-security/trunk/python

Files:

• Tests/m2Crypto (added)
• Tests/m2Crypto/httpsTest.py (added)
• Tests/m2Crypto/test.crt (added)
• Tests/m2Crypto/test.key (added)
• Tests/m2Crypto/test_encryption.py (added)
• Tests/m2Crypto/unicode.py (added)
• Tests/openid-provider/op/development.ini (modified) (1 diff)
• Tests/openid-provider/op/op/config/middleware.py (modified) (2 diffs)
• Tests/openid-provider/op/op/controllers/auth.py (added)
• ndg.security.server/ndg/security/server/wsgi/openid_provider.py (modified) (30 diffs)

TI12-security/trunk/python/Tests/openid-provider/op/development.ini

@@ -22 +22 @@
 beaker.session.key = op
 beaker.session.secret = somesecret
+
+authkit.setup.method = form, cookie
+authkit.form.authenticate.user.data = visitor:open_sesame
+authkit.cookie.secret = secret string
+authkit.cookie.signin = /auth/signin
 
 # If you'd like to fine-tune the individual locations of the cache data dirs

TI12-security/trunk/python/Tests/openid-provider/op/op/config/middleware.py

@@ -15 +15 @@
 from ndg.security.server.wsgi.openid_provider import OpenIDProviderMiddleware
 from beaker.middleware import SessionMiddleware
+import authkit.authenticate
 
 def make_app(global_conf, full_stack=True, **app_conf):
@@ -42 +43 @@
     # CUSTOM MIDDLEWARE HERE (filtered by error handling middlewares)
     app = OpenIDProviderMiddleware(app, base_url='http://localhost:8700')
-    app = SessionMiddleware(
-        app, 
-        key='authkit.open_id', 
-        secret='some secret',
-    )
+    app = authkit.authenticate.middleware(app, app_conf)
+    app = SessionMiddleware(app)
     
     if asbool(full_stack):

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/openid_provider.py

@@ -25 +25 @@
 from openid.consumer import discover
 
+import httplib
+import sys
 
 class OpenIDProviderMiddlewareError(Exception):
@@ -102 +104 @@
             
         if pathMatch in self.method:
-            requestType = environ.get('REQUEST_METHOD')
-            if requestType == 'GET':
-                pass
-            elif requestType == 'POST':
-                pass
             self.query = dict(paste.request.parse_formvars(environ)) 
-            log.debug("Calling method %s ..." % self.method[pathMatch])   
-            return getattr(self,self.method[pathMatch])(environ,start_response)
+            log.debug("Calling method %s ..." % self.method[pathMatch]) 
+            
+            action = getattr(self, self.method[pathMatch]) 
+            return action(environ, start_response)
         else:
             log.debug("No match for path %s" % self.path)
@@ -116 +115 @@
 
     def do_id(self, environ, start_response):
-        link_tag = '<link rel="openid.server" href="%s/openidserver">' %\
-              self.base_url
+        '''Handle ID request'''
+        log.debug("OpenIDProviderMiddleware.do_id ...")
+        
+        link_tag = '<link rel="openid.server" href="%s%sr">' % \
+              (self.base_url, self.paths['path_openidserver'])
         yadis_loc_tag = '<meta http-equiv="x-xrds-location" content="%s">'%\
-            (self.base_url+'/yadis/'+self.path[4:])
+            (self.base_url+self.paths['path_yadis']+'/'+self.path[4:])
         disco_tags = link_tag + yadis_loc_tag
         ident = self.base_url + self.path
@@ -137 +139 @@
             msg = ''
 
-        return self.showPage(200, 'An Identity Page', 
+        return self._showPage(200, 'An Identity Page', 
                              head_extras=disco_tags, 
                              msg='''\
@@ -146 +148 @@
 
     def do_yadis(self, environ, start_response):
-        
+        """Generate Yadis document"""
+        log.debug("OpenIDProviderMiddleware.do_yadis ...")
+
         self.user = self.path.split('/')[-1]
         
-        endpoint_url = self.base_url + '/openidserver'
-        user_url = self.base_url + '/id/' + self.user
+        endpoint_url = self.base_url + self.paths['path_openidserver']
+        user_url = self.base_url + self.paths['path_id'] + '/' + self.user
         response = """\
 <?xml version="1.0" encoding="UTF-8"?>
@@ -179 +183 @@
 
     def do_openidserver(self, environ, start_response):
+        """Handle OpenID Server Request"""
+        log.debug("OpenIDProviderMiddleware.do_openidserver ...")
+
         try:
             request = self.oidserver.decodeRequest(self.query)
         except server.ProtocolError, why:
-            return self.displayResponse(why)
+            return self._displayResponse(why)
 
         if request is None:
             # Display text indicating that this is an endpoint.
-            return self.showAboutPage()
+            return self._showAboutPage()
 
         if request.mode in ["checkid_immediate", "checkid_setup"]:
-            return self.handleCheckIDRequest(request)
+            return self._handleCheckIDRequest(request)
         else:
             response = self.oidserver.handleRequest(request)
-            return self.displayResponse(response)
+            return self._displayResponse(response)
             
-            
-    def do_GET(self):
-        import pdb;pdb.set_trace()
-        try:
-            self.parsed_uri = urlparse(self.path)
-            self.query = {}
-            for k, v in cgi.parse_qsl(self.parsed_uri[4]):
-                self.query[k] = v
-
-            self.setUser()
-
-            path = self.parsed_uri[2].lower()
-
-            if path == '/':
-                self.showMainPage()
-            elif path == '/openidserver':
-                self.serverEndPoint(self.query)
-
-            elif path == '/login':
-                self.showLoginPage('/', '/')
-            elif path == '/loginsubmit':
-                self.doLogin()
-            elif path.startswith('/id/'):
-                self.showIdPage(path)
-            elif path.startswith('/yadis/'):
-                self.showYadis(path[7:])
-            elif path == '/serveryadis':
-                self.showServerYadis()
-            else:
-                self.send_response(404)
-                self.end_headers()
-
-        except (KeyboardInterrupt, SystemExit):
-            raise
-        except:
-            self.send_response(500)
-            self.send_header('Content-type', 'text/html')
-            self.end_headers()
-            self.wfile.write(cgitb.html(sys.exc_info(), context=10))
-
-    def do_POST(self):
-        import pdb;pdb.set_trace()
-        try:
-            self.parsed_uri = urlparse(self.path)
-
-            self.setUser()
-            content_length = int(self.headers['Content-Length'])
-            post_data = self.rfile.read(content_length)
-
-            self.query = {}
-            for k, v in cgi.parse_qsl(post_data):
-                self.query[k] = v
-
-            path = self.parsed_uri[2]
-            if path == '/openidserver':
-                self.serverEndPoint(self.query)
-
-            elif path == '/allow':
-                self.handleAllow(self.query)
-            else:
-                self.send_response(404)
-                self.end_headers()
-
-        except (KeyboardInterrupt, SystemExit):
-            raise
-        except:
-            self.send_response(500)
-            self.send_header('Content-type', 'text/html')
-            self.end_headers()
-            self.wfile.write(cgitb.html(sys.exc_info(), context=10))
 
     def do_allow(self, environ, start_response):
+        """Handle allow request - user allow credentials to be passed back to
+        the Relying Party?"""
+        log.debug("OpenIDProviderMiddleware.do_openidserver ...")
+        
         # pretend this next bit is keying off the user's session or something,
         # right?
@@ -275 +216 @@
 
             if request.idSelect():
-                identity = self.base_url + '/id/' + self.query['identifier']
+                identity = self.base_url+self.paths['path_id']+'/'+\
+                            self.query['identifier']
             else:
                 identity = request.identity
@@ -283 +225 @@
                 self.approved[(identity, trust_root)] = 'always'
 
-            response = self.identityApproved(request, identity)
+            response = self._identityApproved(request, identity)
 
         elif 'no' in self.query:
@@ -291 +233 @@
             assert False, 'Expecting yes/no in allow post.  %r' % (self.query,)
 
-        return self.displayResponse(response)
-
-    def setUser(self):
+        return self._displayResponse(response)
+
+    def _setUser(self):
         session = environ[self.session_middleware]
         self.user = session.get('openid_provider_username')
         
-    def isAuthorized(self, identity_url, trust_root):
+    def _isAuthorized(self, identity_url, trust_root):
         if self.user is None:
             return False
 
-        if identity_url != self.base_url + '/id/' + self.user:
+        if identity_url != self.base_url+self.paths['path_id']+'/'+self.user:
             return False
 
@@ -307 +249 @@
         return self.approved.get(key) is not None
 
-    def addSRegResponse(self, request, response):
+    def _addSRegResponse(self, request, response):
         sreg_req = sreg.SRegRequest.fromOpenIDRequest(request)
 
@@ -320 +262 @@
         response.addExtension(sreg_resp)
 
-    def identityApproved(self, request, identifier=None):
+    def _identityApproved(self, request, identifier=None):
         response = request.answer(True, identity=identifier)
-        self.addSRegResponse(request, response)
+        self._addSRegResponse(request, response)
         return response
 
-    def handleCheckIDRequest(self, request):
-        is_authorized = self.isAuthorized(request.identity, request.trust_root)
+    def _handleCheckIDRequest(self, request):
+        is_authorized = self._isAuthorized(request.identity,request.trust_root)
         if is_authorized:
-            response = self.identityApproved(request)
-            return self.displayResponse(response)
+            response = self._identityApproved(request)
+            return self._displayResponse(response)
         elif request.immediate:
             response = request.answer(False)
-            return self.displayResponse(response)
+            return self._displayResponse(response)
         else:
             self.lastCheckIDRequest[self.user] = request
-            return self.showDecidePage(request)
-
-    def displayResponse(self, response):
+            return self._showDecidePage(request)
+
+    def _displayResponse(self, response):
         try:
             webresponse = self.oidserver.encodeResponse(response)
         except server.EncodingError, why:
             text = why.response.encodeToKVForm()
-            return self.showErrorPage('<pre>%s</pre>' % cgi.escape(text))
-
-        hdr = webresponse.headers.items() + self.writeUserHeader()
+            return self._showErrorPage('<pre>%s</pre>' % cgi.escape(text))
+
+        hdr = webresponse.headers.items() + self._writeUserHeader()
         
         lenWebResponseBody = len(webresponse.body)
@@ -354 +296 @@
         hdr += [('Content-length', str(lenWebResponseBody))]
             
-        # TODO: fix status message
-        self.start_response('%d OK' % webresponse.code, hdr)
+        self.start_response('%d %s' % (webresponse.code, 
+                                       httplib.responses[webresponse.code]), 
+                            hdr)
         return response
 
-    def doLogin(self):
+    def _doLogin(self):
         if 'submit' in self.query:
             if 'user' in self.query:
@@ -364 +307 @@
             else:
                 self.user = None
-            self.redirect(self.query['success_to'])
+            self._redirect(self.query['success_to'])
         elif 'cancel' in self.query:
-            self.redirect(self.query['fail_to'])
+            self._redirect(self.query['fail_to'])
         else:
             assert 0, 'strange login %r' % (self.query,)
 
-    def redirect(self, url):
+    def _redirect(self, url):
         self.send_response(302)
         self.send_header('Location', url)
-        self.writeUserHeader()
+        self._writeUserHeader()
 
         self.end_headers()
 
-    def writeUserHeader(self):
+    def _writeUserHeader(self):
         if self.user is None:
             t1970 = time.gmtime(0)
@@ -386 +329 @@
             return [('Set-Cookie', 'user=%s' % self.user)]
 
-    def showAboutPage(self):
-        endpoint_url = self.base_url + '/openidserver'
+    def _showAboutPage(self):
+        endpoint_url = self.base_url + self.paths['path_openidserver']
 
         def link(url):
@@ -406 +349 @@
         resource_markup = ''.join([term(url, text) for url, text in resources])
 
-        return self.showPage(200, 'This is an OpenID server', msg="""\
+        return self._showPage(200, 'This is an OpenID server', msg="""\
         <p>%s is an OpenID server endpoint.<p>
         <p>For more information about OpenID, see:</p>
@@ -414 +357 @@
         """ % (link(endpoint_url), resource_markup,))
 
-    def showErrorPage(self, error_message):
-        return self.showPage(400, 'Error Processing Request', err='''\
+    def _showErrorPage(self, error_message):
+        return self._showPage(400, 'Error Processing Request', err='''\
         <p>%s</p>
         <!--
@@ -450 +393 @@
         ''' % error_message)
 
-    def showDecidePage(self, request):
-        id_url_base = self.base_url+'/id/'
+    def _showDecidePage(self, request):
+        id_url_base = self.base_url+self.paths['path_id'] + '/'
         # XXX: This may break if there are any synonyms for id_url_base,
         # such as referring to it by IP address or a CNAME.
@@ -468 +411 @@
             '''
             fdata = {
+                'path_allow': self.paths['path_allow'],
                 'id_url_base': id_url_base,
                 'trust_root': request.trust_root,
                 }
             form = '''\
-            <form method="POST" action="/allow">
+            <form method="POST" action="%(path_allow)s">
             <table>
               <tr><td>Identity:</td>
@@ -495 +439 @@
 
             fdata = {
+                'path_allow': self.paths['path_allow'],
                 'identity': request.identity,
                 'trust_root': request.trust_root,
@@ -504 +449 @@
             </table>
             <p>Allow this authentication to proceed?</p>
-            <form method="POST" action="/allow">
+            <form method="POST" action="%(path_allow)s">
               <input type="checkbox" id="remember" name="remember" value="yes"
                   /><label for="remember">Remember this
@@ -524 +469 @@
 
             fdata = {
+                'path_allow': self.paths['path_allow'],
                 'identity': request.identity,
                 'trust_root': request.trust_root,
@@ -534 +480 @@
             </table>
             <p>Allow this authentication to proceed?</p>
-            <form method="POST" action="/allow">
+            <form method="POST" action="%(path_allow)s">
               <input type="checkbox" id="remember" name="remember" value="yes"
                   /><label for="remember">Remember this
@@ -543 +489 @@
             </form>''' % fdata
 
-        return self.showPage(200, 'Approve OpenID request?', msg=msg,form=form)
-
-
-    def showIdPage(self, path):
+        return self._showPage(200, 'Approve OpenID request?',msg=msg,form=form)
+
+
+    def _showIdPage(self, path):
         link_tag = '<link rel="openid.server" href="%sopenidserver">' %\
-              self.server.base_url
+              self.base_url
         yadis_loc_tag = '<meta http-equiv="x-xrds-location" content="%s">'%\
-            (self.server.base_url+'yadis/'+path[4:])
+            (self.base_url+self.paths['path_yadis']+'/'+path[4:])
         disco_tags = link_tag + yadis_loc_tag
-        ident = self.server.base_url + path[1:]
+        ident = self.base_url + path[1:]
 
         approved_trust_roots = []
-        for (aident, trust_root) in self.server.approved.keys():
+        for (aident, trust_root) in self.approved.keys():
             if aident == ident:
                 trs = '<li><tt>%s</tt></li>\n' % cgi.escape(trust_root)
@@ -568 +514 @@
             msg = ''
 
-        self.showPage(200, 'An Identity Page', head_extras=disco_tags, msg='''\
+        self._showPage(200, 'An Identity Page',head_extras=disco_tags, msg='''\
         <p>This is an identity page for %s.</p>
         %s
         ''' % (ident, msg))
     
-    def showServerYadis(self):
+    def _showServerYadis(self):
         self.send_response(200)
         self.send_header('Content-type', 'application/xrds+xml')
         self.end_headers()
 
-        endpoint_url = self.server.base_url + 'openidserver'
+        endpoint_url = self.base_url + self.paths['path_openidserver']
         self.wfile.write("""\
 <?xml version="1.0" encoding="UTF-8"?>
@@ -595 +541 @@
 """%(discover.OPENID_IDP_2_0_TYPE, endpoint_url,))
 
-    def showMainPage(self):
+    def _showMainPage(self):
         yadis_tag = '<meta http-equiv="x-xrds-location" content="%s">'%\
-            (self.server.base_url + 'serveryadis')
+            (self.base_url + self.paths['path_serveryadis'])
         if self.user:
-            openid_url = self.server.base_url + 'id/' + self.user
+            openid_url = self.base_url + self.paths['path_id'] + '/' + \
+                        self.user
             user_message = """\
             <p>You are logged in as %s. Your OpenID identity URL is
@@ -609 +556 @@
             <p>This server uses a cookie to remember who you are in
             order to simulate a standard Web user experience. You are
-            not <a href='/login'>logged in</a>.</p>"""
-
-        self.showPage(200, 'Main Page', head_extras = yadis_tag, msg='''\
+            not <a href='%s'>logged in</a>.</p>""" % self.paths['path_login']
+
+        self._showPage(200, 'Main Page', head_extras = yadis_tag, msg='''\
         <p>This is a simple OpenID server implemented using the <a
         href="http://openid.schtuff.com/">Python OpenID
@@ -624 +571 @@
 
         <p>The URL for this server is <a href=%s><tt>%s</tt></a>.</p>
-        ''' % (user_message, quoteattr(self.server.base_url), self.server.base_url))
-
-    def showLoginPage(self, success_to, fail_to):
-        self.showPage(200, 'Login Page', form='''\
+        ''' % (user_message, quoteattr(self.base_url), self.base_url))
+
+    def _showLoginPage(self, success_to, fail_to):
+        self._showPage(200, 'Login Page', form='''\
         <h2>Login</h2>
         <p>You may log in with any name. This server does not use
         passwords because it is just a sample of how to use the OpenID
         library.</p>
-        <form method="GET" action="/loginsubmit">
+        <form method="GET" action="%s">
           <input type="hidden" name="success_to" value="%s" />
           <input type="hidden" name="fail_to" value="%s" />
@@ -639 +586 @@
           <input type="submit" name="cancel" value="Cancel" />
         </form>
-        ''' % (success_to, fail_to))
-
-    def showPage(self, response_code, title,
+        ''' % (self.paths['loginsubmit'], success_to, fail_to))
+
+    def _showPage(self, response_code, title,
                  head_extras='', msg=None, err=None, form=None):
 
@@ -647 +594 @@
             user_link = '<a href="/login">not logged in</a>.'
         else:
-            user_link = 'logged in as <a href="/id/%s">%s</a>.<br />'\
-                        '<a href="/loginsubmit?submit=true&'\
-                        'success_to=/login">Log out</a>'%(self.user, self.user)
+            user_link = 'logged in as <a href="%s/%s">%s</a>.<br />'\
+                        '<a href="%s?submit=true&'\
+                        'success_to=%s">Log out</a>' % \
+                        (self.paths['path_id'], self.user, self.user, 
+                         self.paths['path_loginsubmit'],
+                         self.paths['path_login'])
 
         body = ''
@@ -758 +708 @@
 ''' % contents
 
-        # TODO: fix response message to match code
-        self.start_response('%s OK' % response_code, 
+        self.start_response('%s %s' % (response_code, 
+                                       httplib.responses[response_code]), 
                 [
                     ('Content-type', 'text/html'+self.charset),