source: TI12-security/trunk/NDGSecurity/python/Tests/openidaxtest/openidaxtest/controllers/hello.py @ 6440

Subversion URL: http://proj.badc.rl.ac.uk/svn/ndg-security/TI12-security/trunk/NDGSecurity/python/Tests/openidaxtest/openidaxtest/controllers/hello.py@6440
Revision 6440, 1.9 KB checked in by pjkersha, 11 years ago (diff)
  • #1088 Important fix to AuthnRedirectResponseMiddleware to set redirect ONLY when SSL client authentication has just succeeded in the upstream middleware AuthKitSSLAuthnMiddleware. This bug was causing the browser to redirect to the wrong place following OpenID sign-in in the case where the user is already logged into their provider and selects a new relying party to sign into.
    • Improvements to Provider decide page interface: leave out messages about attributes that the provider can't retrieve for the RP. Also included NDG style help icon.
import ast
import logging

from pylons import request, response, session, tmpl_context as c
from pylons.controllers.util import abort, redirect_to

from openidaxtest.lib.base import BaseController, render
7
# Module-level logger named after this module, following the logging convention.
log = logging.getLogger(__name__)
9
10from authkit.authorize import NotAuthorizedError
11from authkit.permissions import RequestPermission
12from authkit.authorize.pylons_adaptors import authorize
13
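class OpenIdAxPermission(RequestPermission):
    """AuthKit permission granting access to exactly one OpenID AX email address.

    The upstream AuthKit middleware exposes the attributes it recovered from
    its cookie as the string ``environ['REMOTE_USER_DATA']``.  This permission
    parses that string and lets the request through only when its ``ax``
    section carries a ``value.email.1`` entry equal to ``authzEmail``.  Every
    other outcome (missing data, unparsable data, wrong shape, wrong email)
    denies access, so the check fails closed.
    """

    def __init__(self):
        # Email address that is allowed through.  Hard-coded for this test
        # application; a real deployment would take it from configuration.
        self.authzEmail = 'somebody@somewhere'

    def check(self, app, environ, start_response):
        """Call *app* when the caller is authorized, otherwise deny.

        Args:
            app: downstream WSGI application invoked on success.
            environ: WSGI environ; ``REMOTE_USER_DATA`` is read from it.
            start_response: WSGI start_response callable handed to *app*.

        Returns:
            Whatever ``app(environ, start_response)`` returns.

        Raises:
            NotAuthorizedError: when ``REMOTE_USER_DATA`` is absent, cannot be
                parsed as a Python literal, is not a dict holding an ``ax``
                dict, or its ``value.email.1`` differs from ``authzEmail``.
        """
        remoteUserData = environ.get('REMOTE_USER_DATA')
        if not remoteUserData:
            # No user data means nothing to authorize against: deny instead
            # of falling through to the application.
            raise NotAuthorizedError("Access denied ...")

        # The cookie carrying this value is expected to be signed by AuthKit,
        # but parsing must not depend on that: literal_eval only accepts
        # Python literals (dicts, strings, numbers, ...) and never executes
        # code, unlike eval().
        try:
            remoteUserDataDict = ast.literal_eval(remoteUserData)
        except (ValueError, SyntaxError, TypeError):
            raise NotAuthorizedError("Access denied ...")

        if not isinstance(remoteUserDataDict, dict):
            raise NotAuthorizedError("Access denied ...")

        axDict = remoteUserDataDict.get('ax')
        if not isinstance(axDict, dict):
            raise NotAuthorizedError("Access denied ...")

        if axDict.get('value.email.1') != self.authzEmail:
            raise NotAuthorizedError("Access denied ...")

        return app(environ, start_response)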
33   
34
class HelloController(BaseController):
    """Small controller exercising AuthKit authorization against OpenID AX data."""

    @authorize(OpenIdAxPermission())
    def index(self):
        """Protected action: reachable only when OpenIdAxPermission allows it."""
        # A plain string body is returned rather than a rendered template.
        return 'Hello World'

    def signin(self):
        """Render the signed-in page, or ask AuthKit to present its sign-in form."""
        if request.environ.get('REMOTE_USER'):
            return render('signedin.html')
        # The 401 is intercepted by the AuthKit middleware, which responds
        # with its sign-in form.
        abort(401)

    def signout(self):
        """Render the signed-out confirmation page."""
        # AuthKit removes its cookie as the response passes back through the
        # middleware; this action only has to show the confirmation.
        return render('signedout.html')