Changeset 7507


Timestamp:
23/09/10 14:10:24 (9 years ago)
Author:
pjkersha
Message:

Complete - task 13: OpenID Provider doesn't validate OpenID against username

  • applied fix copied from 1.5.x branch.
Location:
TI12-security/trunk/NDGSecurity/python
Files:
10 added
4 edited

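--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/attributeauthority.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/attributeauthority.py
@@ -470,5 +470,5 @@
             return samlResponse
 
-        elif attributeQuery.issuer.format not in Issuer.X509_SUBJECT:
+        elif attributeQuery.issuer.format != Issuer.X509_SUBJECT:
             log.error('SAML Attribute Query issuer format is %r; expecting '
                       '%r' % (attributeQuery.issuer.format,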
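Review bot: The new `elif` line deserves a comment explaining why an exact comparison is required, because the next maintainer may be tempted to "relax" it back: assuming `Issuer.X509_SUBJECT` is a `str`, the old `not in` was a substring test, so any substring of the expected URN (including the empty string) passed this check and reached the code after it. A one-liner such as `# Exact match required: a substring test ('in') accepted '' and any fragment of the URN` would make that intent clear. Note that `!=` is case-sensitive, so every issuer must send the URN with the same spelling the constant uses. The enclosing function starts and ends outside this hunk.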
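--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/provider/__init__.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/provider/__init__.py
@@ -871,4 +871,52 @@
             # Get the unique user identifier from the user's OpenID URL
             identityURI = oidRequest.identity
+
+            # Check the username used to login with matches the identity URI
+            # given.  This check is essential otherwise a user could impersonate
+            # someone else with an account with this provider
+            try:
+                userIdentifiers = self._authN.username2UserIdentifiers(
+                                                environ,
+                                                self.query['username'])
+
+            except AuthNInterfaceInvalidCredentials:
+                log.error("No username %r matching an OpenID URL: %s",
+                          self.query.get('username'),
+                          traceback.format_exc())
+                msg = ("No match was found for your account name.  Please "
+                       "check that your details are correct or contact the "
+                       "site administrator.")
+
+                response = self._render.login(environ, start_response,
+                                          msg=msg,
+                                          success_to=self.urls['url_decide'])
+                return response
+
+            except Exception:
+                log.error("Checking username %r association with OpenID URL: "
+                          "%s", self.query.get('username'),
+                          traceback.format_exc())
+                msg = ("An error occured matching an OpenID to your account.  "
+                       "If the problem persists contact the site "
+                       "administrator.")
+
+            expectedIdentityURI = self.createIdentityURI(self.identityUriTmpl,
+                                                         userIdentifiers[0])
+            if identityURI != expectedIdentityURI:
+                log.error("OpenID given %r, doesn't match the expected "
+                          "OpenID %r for this account name %r" %
+                          (identityURI, expectedIdentityURI,
+                           self.query.get('username')))
+
+                msg = ("The OpenID you provided earlier %r doesn't match the "
+                       "username %r you entered above.  Please check that your "
+                       "OpenID and username are correct or contact the site "
+                       "administrator." %
+                       (identityURI, self.query.get('username', '')))
+
+                response = self._render.login(environ, start_response,
+                                          msg=msg,
+                                          success_to=self.urls['url_decide'])
+                return response
 
         # Invoke custom authentication interface plugin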
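Review bot: The `except Exception:` branch (new lines 895-901) builds `msg` but neither returns nor re-raises, so control falls through to `expectedIdentityURI = self.createIdentityURI(...)` where `userIdentifiers` was never bound and the user gets an UnboundLocalError traceback instead of the message the branch prepared. It should finish the way the `AuthNInterfaceInvalidCredentials` branch does: `return self._render.login(environ, start_response, msg=msg, success_to=self.urls['url_decide'])`. Two smaller points in the same block: the lookup uses `self.query['username']` while the log calls use `self.query.get('username')`, so a missing username raises KeyError inside the `try` and is routed to the generic branch rather than the credentials one; and `userIdentifiers[0]` presumably assumes the helper never returns an empty sequence, which is worth confirming or guarding. The enclosing method starts before and continues after this hunk.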
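--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/session.py
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/session.py
@@ -195,6 +195,5 @@
             session.pop(keyName, None)
         session.save()
-
-
+
         if self.__class__.LOGOUT_RETURN2URI_ARGNAME in environ['QUERY_STRING']:
             params = dict(parse_querystring(environ))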
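--- a/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securityservices.ini
+++ b/TI12-security/trunk/NDGSecurity/python/ndg_security_test/ndg/security/test/integration/full_system/securityservices.ini
@@ -285,4 +285,7 @@
 #openid.provider.renderingClass=ndg.security.server.wsgi.openid.provider.DemoRenderingInterface
 
+# Templates
+openid.provider.rendering.templateRootDir = %(here)s/openidprovider/templates
+
 # Layout
 openid.provider.rendering.baseURL = %(openid.provider.base_url)s
@@ -363,5 +366,6 @@
 attributeAuthority.attributeInterface.samlValidRequestorDNs = /O=Site A/CN=Authorisation Service,/O=Site A/CN=Attribute Authority,
                                                            /O=Site B/CN=Authorisation Service,
-                                                           /CN=test/O=NDG/OU=BADC
+                                                           /CN=test/O=NDG/OU=BADC,
+                                                           /O=NDG/OU=Security/CN=localhost
 
 # SAML SOAP Binding to the Attribute Authority
@@ -383,5 +387,5 @@
 
 saml.soapbinding.issuerName: /O=Site A/CN=Attribute Authority
-saml.soapbinding.issuerFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName
+saml.soapbinding.issuerFormat: urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
 
 #______________________________________________________________________________
@@ -405,5 +409,5 @@
 # Sets the identity of THIS authorisation service when filling in SAML responses
 saml.issuerName = /O=Site A/CN=Authorisation Service
-saml.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName
+saml.issuerFormat = urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
 
 #______________________________________________________________________________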
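Review bot: The two `issuerFormat` lines that change `x509SubjectName` to `X509SubjectName` are now load-bearing, since the attribute authority in this same changeset compares the issuer format with `!=` rather than a substring test, and nothing in the file says so. Any other deployment ini still carrying the lowercase spelling will now be logged and rejected rather than accepted, so a comment above each line, for example `# Must match the Attribute Authority's expected format exactly (case-sensitive)`, would save the next operator a debugging session. The new `/O=NDG/OU=Security/CN=localhost` entry in `samlValidRequestorDNs` widens the trusted requestor list for this test setup; a short comment on which component presents that DN would make the intent reviewable.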