Changeset 4132

Timestamp:

21/08/08 16:53:48 (12 years ago)

Author:

pjkersha

Message:

OpenID Provider:

• Added support for transfer of ESG attributes using OpenID Attribute Exchange extension
• If content to be returned from OP makes the URL too long the OpenID API converts the response into form via POST. Updated code to wrap this in a Javascript OnLoad? call to automatically submit and return the redirect the user back to the Relying Party.

Location:

TI12-security/trunk/python/ndg.security.server/ndg/security/server

Files:

• pylons/container/lib/openid_provider_util.py (modified) (2 diffs)
• pylons/development.ini (modified) (2 diffs)
• wsgi/openid_provider.py (modified) (17 diffs)

TI12-security/trunk/python/ndg.security.server/ndg/security/server/pylons/container/lib/openid_provider_util.py

@@ -105 +105 @@
         c.xml = "<b><pre>%s</pre></b>" % identityURL
         
-        return _render('ndg.security.identityPage',
-                       c=c, g=config, h=h)    
-    
+        return _render('ndg.security.identityPage', c=c, g=config, h=h)    
+
+   
     def renderDecidePage(self, environ, oidRequest):
         """Handle user interaction required before final submit back to Relying
@@ -124 +124 @@
         c.xml = msg
         return _render('ndg.security.error', c=c, g=config, h=h)
+
+# Earth System Grid interoperability tests
+
+#esgAxAttr = {'urn:esg.security.gateway': 'BADC',
+#        'urn:esg.security.authority': 'group_IPCC_role_default',
+#        'http://axschema.org/namePerson/last': 'UserLastName',
+#        'http://axschema.org/contact/country/home': 'UK',
+#        'http://axschema.org/namePerson/middle': 'UserMiddleName',
+#        'urn:esg.security.uuid': '0123456789abcdef',
+#        'http://axschema.org/namePerson/first': 'UserFirstName',
+#        'http://axschema.org/namePerson/friendly': '',
+#        'http://axschema.org/contact/email': 'tester@test.com',
+#        'urn:esg.security.organization': 'British Atmospheric Data Centre',
+#}
+
+esgAxAttr = {
+ 'http://openid.net/schema/contact/state/home': 'Oxfordshire', 
+ 'http://openid.net/schema/namePerson/middle': 'George', 
+ 'http://openid.net/schema/contact/city/home': 'Didcot', 
+ 'http://openid.net/schema/person/guid': '0123456789abcdef', 
+ 'http://openid.net/schema/namePerson/friendly': 'username', 
+ 'http://openid.net/schema/company/name': 'The British Atmospheric Data Centre', 
+ 'http://openid.net/schema/contact/country/home': 'UK', 
+ 'http://openid.net/schema/namePerson/first': 'John', 
+ 'http://openid.net/schema/namePerson/last': 'Smith', 
+ 'http://openid.net/schema/contact/internet/email': 'testABC@rl.ac.uk',
+ 'http://www.earthsystemgrid.org/authority': 'group_IPCC_role_default',
+ 'http://www.earthsystemgrid.org/gateway': 'BADC',
+}
+esgAxAlias = {
+ 'http://openid.net/schema/contact/state/home': 'state', 
+ 'http://openid.net/schema/namePerson/middle': 'middlename', 
+ 'http://openid.net/schema/contact/city/home': 'city', 
+ 'http://openid.net/schema/person/guid': 'uuid', 
+ 'http://openid.net/schema/namePerson/friendly': 'username', 
+ 'http://openid.net/schema/company/name': 'organization', 
+ 'http://openid.net/schema/contact/country/home': 'country', 
+ 'http://openid.net/schema/namePerson/first': 'firstname', 
+ 'http://openid.net/schema/namePerson/last': 'lastname', 
+ 'http://openid.net/schema/contact/internet/email': 'email',
+ 'http://www.earthsystemgrid.org/authority': 'authority',
+ 'http://www.earthsystemgrid.org/gateway': 'gateway',
+              }
+
+esgSRegAttr = {
+    'nickname':'',
+    'email':'E-mail Address',
+    'country':'UK',
+    'language':'English',
+    'timezone':'BST',
+    }
+
+
+def esgSRegResponseHandler(username):
+    """Interface function to OpenIdProviderMiddleware to set custom attributes
+    """
+    attr = esgSRegAttr.copy()
+#    attr['username'] = username
+    attr['nickname'] = username
+    return attr
+
+def esgAXResponseHandler(axReq, axResp, username):  
+    """Respond to attributes requested by Relying Party via the Attribute
+    Exchange interface"""
+    attr = esgAxAttr.copy()
+    attr['http://openid.net/schema/namePerson/friendly'] = username
+    
+    for typeURI, attrInfo in axReq.requested_attributes.items():
+        # Value input must be list type
+        axResp.setValues(typeURI, [attr[typeURI]])

TI12-security/trunk/python/ndg.security.server/ndg/security/server/pylons/development.ini

@@ -12 +12 @@
 
 # Layout
-server = http://localhost:8200
+#server = http://localhost:8200
+server = https://gabriel.badc.rl.ac.uk
 LeftLogo = %(server)s/layout/NERC_Logo.gif
 LeftAlt = Natural Environment Research Council
@@ -72 +73 @@
 openid_provider.session_middleware=beaker.session 
 openid_provider.base_url=http://localhost:8200
-openid_provider.consumer_store_dirpath=./
+openid_provider.base_url=https://gabriel.badc.rl.ac.uk
+#openid_provider.consumer_store_dirpath=./
 openid_provider.charset=None
 openid_provider.trace=False
 openid_provider.renderingClass=ndg.security.server.pylons.container.lib.openid_provider_util.OpenIDProviderKidRendering
-openid_provider.getSRegData=
+openid_provider.sregResponseHandler=ndg.security.server.pylons.container.lib.openid_provider_util:esgSRegResponseHandler
+openid_provider.axResponseHandler=ndg.security.server.pylons.container.lib.openid_provider_util:esgAXResponseHandler
 
 # Logging configuration

TI12-security/trunk/python/ndg.security.server/ndg/security/server/wsgi/openid_provider.py

@@ -23 +23 @@
 from authkit.authenticate import AuthKitConfigError
 
-from openid.extensions import sreg
+from openid.extensions import sreg, ax
 from openid.server import server
 from openid.store.filestore import FileOpenIDStore
@@ -37 +37 @@
 class OpenIDProviderMiddlewareError(Exception):
     """OpenID Provider WSGI Middleware Error"""
-    
+
+class OpenIDProviderConfigError(Exception):
+    """OpenID Provider Configuration Error"""
+   
 class OpenIDProviderMiddleware(object):
     """WSGI Middleware to implement an OpenID Provider"""
@@ -56 +59 @@
                trace=False,
                renderingClass=None,
-               getSRegData=None)
+               sregResponseHandler=None,
+               axResponseHandler=None)
     
     defPaths=dict([(k,v) for k,v in defKw.items() if k.startswith('path_')])
@@ -91 +95 @@
                 opt['renderingClass'] = eval_import(renderingClassVal)
             
-            getSRegDataVal = opt.get('getSRegData', None)  
-            if getSRegDataVal:
-                opt['getSRegData'] = eval_import(getSRegDataVal)  
+            sregResponseHandlerVal = opt.get('sregResponseHandler', None)  
+            if sregResponseHandlerVal:
+                opt['sregResponseHandler']=eval_import(sregResponseHandlerVal)  
             else:
-                 opt['getSRegData'] = None
-                     
+                 opt['sregResponseHandler'] = None
+
+            axResponseHandlerVal = opt.get('axResponseHandler', None)  
+            if axResponseHandlerVal:
+                opt['axResponseHandler'] = eval_import(axResponseHandlerVal)
+            else:
+                opt['axResponseHandler'] = None
+                          
         invalidKw = getInvalidKw(kw)
         if len(invalidKw) > 0:
@@ -104 +114 @@
         # overwritten
         opt.update(kw)
-        log.debug("opt=%r", opt)        
 
         # Paths relative to base URL - Nb. remove trailing '/'
@@ -131 +140 @@
         # If True and debug log level is set display content of response
         self._trace = opt['trace']
-        
+
+        log.debug("opt=%r", opt)        
+       
         # Pages can be customised by setting external rendering interface
         # class
@@ -148 +159 @@
             raise
             
-        # Callable for setting of additional attributes in HTTP header of
-        # response to Relying Party
-        self.getSRegData = opt.get('getSRegData', None)
-        if self.getSRegData and not callable(self.getSRegData):
+        # Callable for setting of Simple Registration attributes in HTTP header
+        # of response to Relying Party
+        self.sregResponseHandler = opt.get('sregResponseHandler', None)
+        if self.sregResponseHandler and not callable(self.sregResponseHandler):
             raise OpenIDProviderMiddlewareError("Expecting callable for "
-                                                "getSRegData keyword, got %r"%\
-                                                self.getSRegData)
+                                                "sregResponseHandler keyword, "
+                                                "got %r" % \
+                                                self.sregResponseHandler)
+            
+        # Callable to handle OpenID Attribute Exchange (AX) requests from
+        # the Relying Party
+        self.axResponseHandler = opt.get('axResponseHandler', None)
+        if self.axResponseHandler and not callable(self.axResponseHandler):
+            raise OpenIDProviderMiddlewareError("Expecting callable for "
+                                                "axResponseHandler keyword, "
+                                                "got %r" % \
+                                                self.axResponseHandler)
         
         self.app = app
@@ -166 +187 @@
     
     def __call__(self, environ, start_response):
+        
         if not environ.has_key(self.session_middleware):
-            raise AuthKitConfigError(
-                'The session middleware %r is not present. '
-                'Have you set up the session middleware?'%(
-                    self.session_middleware
-                )
-            )
+            raise OpenIDProviderConfigError('The session middleware %r is not '
+                                            'present. Have you set up the '
+                                            'session middleware?' % \
+                                            self.session_middleware)
 
         self.path = environ.get('PATH_INFO').rstrip('/')
@@ -218 +238 @@
         response = self._renderer.renderIdentityPage(environ)
 
-        start_response("200 OK", [('Content-length', str(len(response)))])
+        start_response("200 OK", 
+                       [('Content-type', 'text/html'+self.charset),
+                        ('Content-length', str(len(response)))])
         return response
 
@@ -272 +294 @@
                 self.session['approved'] = {trust_root: 'always'}
                 self.session.save()
-                
+             
             oidResponse = self._identityApproved(oidRequest, identity)
-            return self._displayResponse(oidResponse)
+            response = self._displayResponse(oidResponse)
+            log.debug("do_allow response = \n%s" % response)
+            return response
         
         elif 'No' in self.query:
@@ -288 +312 @@
                                                 'post.  %r' % self.query)
 
-    
-    tmplServerYadis = """\
-<?xml version="1.0" encoding="UTF-8"?>
-<xrds:XRDS
-    xmlns:xrds="xri://$xrds"
-    xmlns="xri://$xrd*($v*2.0)">
-  <XRD>
-
-    <Service priority="0">
-      <Type>%(openid20type)s</Type>
-      <URI>%(endpoint_url)s</URI>
-    </Service>
-
-  </XRD>
-</xrds:XRDS>
-"""
 
     def do_serveryadis(self, environ, start_response):
         """Handle Server Yadis call"""
-        start_response("200 OK", [('Content-type', 'application/xrds+xml')])
-        
-        endpoint_url = self.urls['url_openidserver']
-        return [OpenIDProviderMiddleware.tmplServerYadis % \
-                {'openid20type': discover.OPENID_IDP_2_0_TYPE, 
-                 'endpoint_url': endpoint_url}]
+        response = self._renderer.renderServerYadis(environ)
+        start_response("200 OK", 
+                       [('Content-type', 'application/xrds+xml'),
+                        ('Content-length', str(len(response)))])
+        return response
 
 
@@ -424 +431 @@
 
     def _addSRegResponse(self, request, response):
-        '''Add additional attributes to response to Relying Party'''
-        if self.getSRegData is None:
+        '''Add Simple Registration attributes to response to Relying Party'''
+        if self.sregResponseHandler is None:
             return
         
@@ -432 +439 @@
         # Callout to external callable sets additional user attributes to be
         # returned in response to Relying Party        
-        sreg_data = self.getSRegData(self.session.get('username'))
-
+        sreg_data = self.sregResponseHandler(self.session.get('username'))
         sreg_resp = sreg.SRegResponse.extractResponse(sreg_req, sreg_data)
         response.addExtension(sreg_resp)
 
 
+    def _addAXResponse(self, request, response):
+        '''Add attributes to response based on the OpenID Attribute Exchange 
+        interface'''
+
+        ax_req = ax.FetchRequest.fromOpenIDRequest(request)
+        if ax_req is None:
+            log.debug("No Attribute Exchange extension set in request")
+            return
+        
+        ax_resp = ax.FetchResponse(request=ax_req)
+        
+        if self.axResponseHandler is None:
+            requiredAttr = ax_req.getRequiredAttrs()
+            if len(requiredAttr) > 0:
+                log.error("Relying party requires these attributes: %s; but no"
+                          "Attribute exchange handler 'axResponseHandler' has "
+                          "been set" % requiredAttr)
+            return
+        
+        # Set requested values - need user intervention here to confirm 
+        # release of attributes + assignment based on required attributes - 
+        # possibly via FetchRequest.getRequiredAttrs()
+#        for typeURI, attrInfo in ax_req.requested_attributes.items():
+#            # Value input must be list type
+#            ax_resp.setValues(typeURI, [attrInfo.alias+"Value"])
+        self.axResponseHandler(ax_req, ax_resp, self.session.get('username'))
+        
+        response.addExtension(ax_resp)
+        
+        
     def _identityApproved(self, request, identifier=None):
         '''Action following approval of a Relying Party by the user'''
         response = request.answer(True, identity=identifier)
         self._addSRegResponse(request, response)
+        self._addAXResponse(request, response)
         return response
 
@@ -482 +519 @@
             return response
 
-
-    def _displayResponse(self, response):
+    # If the response to the Relying Party is too long it's rendered as form
+    # with the POST method instead of query arguments in a GET 302 redirect.
+    # Wrap the form in this document to make the form submit automatically
+    # without user intervention.  See _displayResponse method below...
+    formRespWrapperTmpl = """<html>
+    <head>
+        <script type="text/javascript">
+            function doRedirect()
+            {
+                document.forms[0].submit();
+            }
+        </script>
+    </head>
+    <body onLoad="doRedirect()">
+        %s
+    </body>
+</html>"""
+
+    def _displayResponse(self, oidResponse):
         try:
-            webresponse = self.oidserver.encodeResponse(response)
+            webresponse = self.oidserver.encodeResponse(oidResponse)
         except server.EncodingError, why:
             text = why.response.encodeToKVForm()
@@ -494 +548 @@
         lenWebResponseBody = len(webresponse.body)
         if lenWebResponseBody:
-            response = webresponse.body
-        else:
-            response = []
-            
-        hdr += [('Content-length', str(lenWebResponseBody))]
-            
+            # Wrap in HTML with JAvascript OnLoad to submit the form
+            # automatically without user intervention
+            response = OpenIDProviderMiddleware.formRespWrapperTmpl % \
+                                                        webresponse.body
+        else:
+            response = ''
+            
+        hdr += [('Content-type', 'text/html'+self.charset),
+                ('Content-length', str(lenWebResponseBody))]
+            
+        log.debug("webresponse.code = %d" % webresponse.code)
         self.start_response('%d %s' % (webresponse.code, 
                                        httplib.responses[webresponse.code]), 
@@ -552 +611 @@
                                 %s
                                 ''' % (ident, msg))
+    
+    tmplServerYadis = """\
+<?xml version="1.0" encoding="UTF-8"?>
+<xrds:XRDS
+    xmlns:xrds="xri://$xrds"
+    xmlns="xri://$xrd*($v*2.0)">
+  <XRD>
+
+    <Service priority="0">
+      <Type>%(openid20type)s</Type>
+      <URI>%(endpoint_url)s</URI>
+    </Service>
+
+  </XRD>
+</xrds:XRDS>
+"""
+
+    def renderServerYadis(self, environ):
+        '''Render Yadis info'''
+        endpoint_url = self.urls['url_openidserver']
+        return RenderingInterface.tmplServerYadis % \
+            {'openid20type': discover.OPENID_IDP_2_0_TYPE, 
+             'endpoint_url': endpoint_url}
         
     tmplYadis = """\
@@ -569 +651 @@
   </XRD>
 </xrds:XRDS>"""    
+    
     
     def renderYadis(self, environ):