Changeset 6440 for TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/provider/__init__.py

Timestamp:

29/01/10 14:07:36 (11 years ago)

Author:

pjkersha

Message:

• #1088 Important fix to AuthnRedirectResponseMiddleware? to set redirect ONLY when SSL client authentication has just succeeded in the upstream middleware AuthKitSSLAuthnMiddleware. This bug was causing the browser to redirect to the wrong place following OpenID sign in in the case where the user is already logged into their provider and selects a new relying party to sign into.
  • Improvements to Provider decide page interface: leave out messages about attributes that the provider can't retrieve for the RP. Also included NDG style help icon.

File:

• TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/provider/__init__.py (modified) (8 diffs)

TI12-security/trunk/NDGSecurity/python/ndg_security_server/ndg/security/server/wsgi/openid/provider/__init__.py

@@ -85 +85 @@
 # Place here to avoid circular import error with IdentityMapping class     
 from ndg.security.server.wsgi.openid.provider.authninterface import (
-    AbstractAuthNInterface, AuthNInterfaceError)
+    AbstractAuthNInterface, AuthNInterfaceError, 
+    AuthNInterfaceInvalidCredentials)
 from ndg.security.server.wsgi.openid.provider.axinterface import (AXInterface,
     MissingRequiredAttrs, AXInterfaceReloginRequired)
@@ -127 +128 @@
     @type: defPaths: dict
     
-    @cvar formRespWrapperTmpl: If the response to the Relying Party is too long
-    it's rendered as form with the POST method instead of query arguments in a 
-    GET 302 redirect.  Wrap the form in this document to make the form submit 
-    automatically without user intervention.  See _displayResponse method 
+    @cvar FORM_RESP_WRAPPER_TMPL: If the response to the Relying Party is too 
+    long it's rendered as form with the POST method instead of query arguments 
+    in a GET 302 redirect.  Wrap the form in this document to make the form 
+    submit automatically without user intervention.  See _displayResponse method 
     below...
-    @type formRespWrapperTmpl: basestring"""
-    
-    formRespWrapperTmpl = """<html>
+    @type FORM_RESP_WRAPPER_TMPL: basestring"""
+    
+    FORM_RESP_WRAPPER_TMPL = """<html>
     <head>
         <script type="text/javascript">
             function doRedirect()
             {
+                document.forms[0].style.visibility = "hidden";
                 document.forms[0].submit();
             }
@@ -361 +363 @@
                             os.path.expandvars(opt['consumer_store_dirpath']))
         self.oidserver = server.Server(store, self.urls['url_openidserver'])
-
-    def getCharset(self):
-        return self.__charset
-
-    def getPaths(self):
-        return self.__paths
-
-    def getBase_url(self):
-        return self.__base_url
-
-    def getUrls(self):
-        return self.__urls
-
-    def getMethod(self):
-        return self.__method
-
-    def getSessionMiddlewareEnvironKeyName(self):
-        return self.__sessionMiddlewareEnvironKeyName
-
-    def getSession(self):
-        return self.__session
-
-    def setCharset(self, value):        
-        # Convert from string type where required   
-        if not value:
-            self.__charset = ''
-        elif isinstance(value, basestring):
-            self.__charset = '; charset=' + value
-        else:
-            raise TypeError('Expecting string type for "charset" attribute; '
-                            'got %r' % type(value))
-
-    def setPaths(self, value):
-        if not isinstance(value, dict):
-            raise TypeError('Expecting dict type for '
-                            '"paths" attribute; got %r' %
-                            type(value))
-        self.__paths = value
-
-    def setBase_url(self, value):
-        if not isinstance(value, basestring):
-            raise TypeError('Expecting string type for '
-                            '"base_url" attribute; got %r' %
-                            type(value))
-        self.__base_url = value
-
-    def setUrls(self, value):
-        if not isinstance(value, dict):
-            raise TypeError('Expecting dict type for '
-                            '"urls" attribute; got %r' %
-                            type(value))
-        self.__urls = value
-
-    def setMethod(self, value):
-        if not isinstance(value, dict):
-            raise TypeError('Expecting dict type for '
-                            '"method" attribute; got %r' %
-                            type(value))
-        self.__method = value
-
-    def setSessionMiddlewareEnvironKeyName(self, value):
-        if not isinstance(value, basestring):
-            raise TypeError('Expecting string type for '
-                            '"sessionMiddlewareEnvironKeyName" attribute; '
-                            'got %r' %
-                            type(value))
-        self.__sessionMiddlewareEnvironKeyName = value
-
-    def setSession(self, value):
-        if not isinstance(value, beaker.session.SessionObject):
-            raise TypeError('Expecting beaker.session.SessionObject type for '
-                            '"session" attribute; got %r' %
-                            type(value))
-
-        self.__session = value
-
-    def getOidResponse(self):
-        return self.__oidResponse
-
-    def getSregResponse(self):
-        return self.__sregResponse
-
-    def getAxResponse(self):
-        return self.__axResponse
-
-    def getOidserver(self):
-        return self.__oidserver
-
-    def getQuery(self):
-        return self.__query
-
-    def getTrustedRelyingParties(self):
-        return self.__trustedRelyingParties
-
-    def setOidResponse(self, value):
-        if not isinstance(value, server.OpenIDResponse):
-            raise TypeError('Expecting OpenIDResponse type for '
-                            '"oidResponse" attribute; got %r' %
-                            type(value))
-        self.__oidResponse = value
-
-    def setSregResponse(self, value):
-        self.__sregResponse = value
-
-    def setAxResponse(self, value):
-        if not isinstance(value, AXInterface):
-            raise TypeError('Expecting AXInterface type for '
-                            '"axResponse" attribute; got %r' %
-                            type(value))
-        self.__axResponse = value
-
-    def setOidserver(self, value):
-        if not isinstance(value, server.Server):
-            raise TypeError('Expecting openid.server.server.Server type for '
-                            '"oidserver" attribute; got %r' %
-                            type(value))
-        self.__oidserver = value
-
-    def setQuery(self, value):
-        if not isinstance(value, dict):
-            raise TypeError('Expecting dict type for '
-                            '"query" attribute; got %r' %
-                            type(value))
-        self.__query = value
-
-    def setTrustedRelyingParties(self, value):
-        if isinstance(value, basestring):
-            pat = OpenIDProviderMiddleware.TRUSTED_RELYINGPARTIES_SEP_PAT
-            self.__trustedRelyingParties = tuple([i for i in pat.split(value)])
-            
-        elif isinstance(value, (list, tuple)):
-            self.__trustedRelyingParties = tuple(value)
-        else:
-            raise TypeError('Expecting list or tuple type for '
-                            '"trustedRelyingParties" attribute; got %r' %
-                            type(value))
         
     @classmethod
@@ -797 +663 @@
                 identity = oidRequest.identity
 
-            trust_root = oidRequest.trust_root
-            if self.query.get('remember', 'no').lower() == 'yes':
-                self.session[
-                    OpenIDProviderMiddleware.APPROVED_FLAG_SESSION_KEYNAME] = {
-                        trust_root: 'always'
-                    }
-                self.session.save()
-            
+            # Check for user selected to trust this RP for future logins.
+            self._applyTrustRoot(oidRequest)
+
             # Check for POST'ed user explicit setting of AX parameters
             self._applyUserAXSelections()
@@ -827 +688 @@
                                           code=400)
             
+    def _applyTrustRoot(self, oidRequest):
+        """Check to see if user wants to trust the current Relying Party and if
+        so set record this decision in the session
+        """
+        if self.query.get('remember', 'no').lower() == 'yes':
+            self.session[
+                OpenIDProviderMiddleware.APPROVED_FLAG_SESSION_KEYNAME] = {
+                    oidRequest.trust_root: 'always'
+                }
+            self.session.save()
+                        
     def _applyUserAXSelections(self):
         """Helper for do_allow method - process the query response checking 
@@ -945 +817 @@
                                                 environ,
                                                 self.query['username'])
+                
+            except AuthNInterfaceInvalidCredentials:
+                log.error("No username %r matching an OpenID URL: %s",
+                          self.query.get('username'),
+                          traceback.format_exc())
+                msg = ("No match was found for your account name.  Please "
+                       "check that your details are correct or contact the "
+                       "site administrator.")
+
+                response = self._render.login(environ, start_response,
+                                          msg=msg,
+                                          success_to=self.urls['url_decide'])
+                return response
+            
             except Exception:
-                log.error("Associating username %r with OpenID URL: %s"% 
-                          (self.query.get('username'),
-                           traceback.format_exc()))
-                msg = ("An internal error occured matching an OpenID "
-                       "to your account.  If the problem persists "
-                       "contact your system administrator.")
-
-                response = self._render.errorPage(environ, 
-                                                  start_response,
-                                                  msg) 
+                log.error("Associating username %r with OpenID URL: %s", 
+                          self.query.get('username'),
+                          traceback.format_exc())
+                msg = ("An error occured matching an OpenID to your account.  "
+                       "If the problem persists contact the site "
+                       "administrator.")
+
+                response = self._render.login(environ, start_response,
+                                          msg=msg,
+                                          success_to=self.urls['url_decide'])
                 return response
 
@@ -1448 +1334 @@
             # Wrap in HTML with Javascript OnLoad to submit the form
             # automatically without user intervention
-            response = OpenIDProviderMiddleware.formRespWrapperTmpl % \
+            response = OpenIDProviderMiddleware.FORM_RESP_WRAPPER_TMPL % \
                                                         webresponse.body
         else:
@@ -1478 +1364 @@
                         ('Location', url)])
         return []
+
+    def getCharset(self):
+        return self.__charset
+
+    def getPaths(self):
+        return self.__paths
+
+    def getBase_url(self):
+        return self.__base_url
+
+    def getUrls(self):
+        return self.__urls
+
+    def getMethod(self):
+        return self.__method
+
+    def getSessionMiddlewareEnvironKeyName(self):
+        return self.__sessionMiddlewareEnvironKeyName
+
+    def getSession(self):
+        return self.__session
+
+    def setCharset(self, value):        
+        # Convert from string type where required   
+        if not value:
+            self.__charset = ''
+        elif isinstance(value, basestring):
+            self.__charset = '; charset=' + value
+        else:
+            raise TypeError('Expecting string type for "charset" attribute; '
+                            'got %r' % type(value))
+
+    def setPaths(self, value):
+        if not isinstance(value, dict):
+            raise TypeError('Expecting dict type for '
+                            '"paths" attribute; got %r' %
+                            type(value))
+        self.__paths = value
+
+    def setBase_url(self, value):
+        if not isinstance(value, basestring):
+            raise TypeError('Expecting string type for '
+                            '"base_url" attribute; got %r' %
+                            type(value))
+        self.__base_url = value
+
+    def setUrls(self, value):
+        if not isinstance(value, dict):
+            raise TypeError('Expecting dict type for '
+                            '"urls" attribute; got %r' %
+                            type(value))
+        self.__urls = value
+
+    def setMethod(self, value):
+        if not isinstance(value, dict):
+            raise TypeError('Expecting dict type for '
+                            '"method" attribute; got %r' %
+                            type(value))
+        self.__method = value
+
+    def setSessionMiddlewareEnvironKeyName(self, value):
+        if not isinstance(value, basestring):
+            raise TypeError('Expecting string type for '
+                            '"sessionMiddlewareEnvironKeyName" attribute; '
+                            'got %r' %
+                            type(value))
+        self.__sessionMiddlewareEnvironKeyName = value
+
+    def setSession(self, value):
+        if not isinstance(value, beaker.session.SessionObject):
+            raise TypeError('Expecting beaker.session.SessionObject type for '
+                            '"session" attribute; got %r' %
+                            type(value))
+
+        self.__session = value
+
+    def getOidResponse(self):
+        return self.__oidResponse
+
+    def getSregResponse(self):
+        return self.__sregResponse
+
+    def getAxResponse(self):
+        return self.__axResponse
+
+    def getOidserver(self):
+        return self.__oidserver
+
+    def getQuery(self):
+        return self.__query
+
+    def getTrustedRelyingParties(self):
+        return self.__trustedRelyingParties
+
+    def setOidResponse(self, value):
+        if not isinstance(value, server.OpenIDResponse):
+            raise TypeError('Expecting OpenIDResponse type for '
+                            '"oidResponse" attribute; got %r' %
+                            type(value))
+        self.__oidResponse = value
+
+    def setSregResponse(self, value):
+        self.__sregResponse = value
+
+    def setAxResponse(self, value):
+        if not isinstance(value, AXInterface):
+            raise TypeError('Expecting AXInterface type for '
+                            '"axResponse" attribute; got %r' %
+                            type(value))
+        self.__axResponse = value
+
+    def setOidserver(self, value):
+        if not isinstance(value, server.Server):
+            raise TypeError('Expecting openid.server.server.Server type for '
+                            '"oidserver" attribute; got %r' %
+                            type(value))
+        self.__oidserver = value
+
+    def setQuery(self, value):
+        if not isinstance(value, dict):
+            raise TypeError('Expecting dict type for '
+                            '"query" attribute; got %r' %
+                            type(value))
+        self.__query = value
+
+    def setTrustedRelyingParties(self, value):
+        if isinstance(value, basestring):
+            pat = OpenIDProviderMiddleware.TRUSTED_RELYINGPARTIES_SEP_PAT
+            self.__trustedRelyingParties = tuple([i for i in pat.split(value)])
+            
+        elif isinstance(value, (list, tuple)):
+            self.__trustedRelyingParties = tuple(value)
+        else:
+            raise TypeError('Expecting list or tuple type for '
+                            '"trustedRelyingParties" attribute; got %r' %
+                            type(value))
 
     charset = property(getCharset, setCharset, None, "Charset's Docstring")