Attachment 'oidauth.py'
Download 1 # -*- Python -*-
2 """Authenticate using OpenID.
3
4 See L{ConfigMixin} for information on how to configure your
5 installation to use this. When this authentication method is enabled,
6 a user can set her OpenID URL through her UserPreferences. Once set,
7 the user can log in to MoinMoin by entering their OpenID in the
8 Username login field. A password is not necessary; authorization will
9 be done through the OpenID server.
10
11 Known Issues:
12 =============
13
14 - No indication on the login form that it accepts OpenID.
15
16 - Lack of feedback to the user. There are a number of ways a user
17 can fail to authenticate, and sometimes we allow MoinMoin to fall
18 back to another authentication method, and sometimes we deny the
19 request outright. But while some cases are logged, the user gets
20 no information about why they were not logged in. It's impossible
21 for them to tell if their OpenID was not found in the user database
22 or if their server is down or if we had a problem parsing their
23 input. While it is in some cases advisable to hold back
24 information so as not to leak it to attackers, feedback in most of
25 the error cases is really only useful to a user in an honest login
26 attempt.
27
28 It's not clear how to fix this in the context of the current
29 pluggable authentication scheme. We should come up with revisions
30 to the API with this in mind.
31
32 - There is no validation of OpenID URL upon setting it in
33 UserPreferences. This leads to several potential problems. The
34 user won't be prompted to correct an invalid or unusable value. No
35 check is performed to ensure that the OpenID is unique within the
36 user database, or that the user is authorized to use that OpenID.
37
38 This leads to a per-user denial of service attack: If Alice wants
39 to harass Bob, she can enter Bob's OpenID in her preferences. This
40 will not give Alice access to Bob's account; rather, it may
41 (depending on who comes first in the user table) cause Bob to log
42 in as Alice when he logs in with OpenID. If Bob notices, he can
43 then fix the preferences for that account, but it's a nuisance at
44 best.
45
46 Again, it does not seem possible to correct this as a standalone
47 authentication module, as no hooks for the processing of the
48 UserPreferences form are provided by MoinMoin 1.5. The solution to
49 this lies in either revising the MoinMoin API or folding this code
50 into the MoinMoin core.
51
52 - User creation. Ideally, one should be able to create an account with
53 an OpenID and never set a password in MoinMoin at all. With
54 C{user_autocreate} in the wiki configuration this is partially implemented,
55 but users will quickly find that the userform code really doesn't want
56 to let them through that screen without setting a password and an email
57 address.
58
59 @see: U{OpenID Enabled<http://www.openidenabled.com/>}
60
61 @requires:
62 U{python-openid<http://www.openidenabled.com/openid/libraries/python>} 1.0.x
63
64 @requires: U{MoinMoin<http://moinmoin.wikiwikiweb.de/>}
65
66 @author: Kevin Turner
67 @contact: openid@janrain.com
68 @organization: JanRain, Inc.
69 @license: GPL
70
71 @copyright: Copyright 2005 by JanRain, Inc.
72 """
73
74 __version__ = '0.0.2005-12-19'
75
76 from openid.consumer import consumer
77 from openid import oidutil
78 from openid.store.filestore import FileOpenIDStore
79
80 try:
81 import cPickle as pickle
82 except ImportError:
83 import pickle
84
85 from MoinMoin import caching, user, wikiutil
86
87 def openid(request, name=None, password=None, login=None, logout=None,
88 _consumer=None, **kw):
89 """Authenticate by OpenID.
90
91 This is an authentication plug-in for use with MoinMoin 1.5's
92 modular authentication code. The signature is defined by L{MoinMoin.auth}.
93 """
94
95 # Set the log function for the OpenID libraries.
96 origlog = oidutil.log
97 oidutil.log = request.log
98
99 try:
100 if logout:
101 # Somebody Else's Problem
102 return (None, True)
103 elif login:
104 if _consumer is None:
105 _consumer = _getConsumer(request)
106
107 return beginAuth(request, _consumer, name)
108 elif request.form.has_key('openid.mode'):
109 try:
110 token = request.form['moidtoken'][0]
111 except KeyError:
112 # XXX: Malformed reply, should let someone know that the server
113 # is busted.
114 request.log("Can't find the token for the OpenID reply.")
115 return (None, False)
116 if _consumer is None:
117 _consumer = _getConsumer(request)
118
119 theuser, cont = completeAuth(request, _consumer, token)
120
121 if theuser is not None:
122 # If we don't set a cookie, we'll have to re-authenticate with
123 # every request.
124
125 # FIXME: We have a problem interfacing with request.setCookie,
126 # because it sets a cookie for "the current user." There's
127 # precedent for the following kludge in auth.moin_cookie and
128 # auth.interwiki, but that doesn't mean I think it's a good
129 # idea.
130 request.user = theuser
131 request.setCookie()
132
133 return (theuser, cont)
134 else:
135 # Somebody Else's Problem
136 return (None, True)
137 finally:
138 oidutil.log = origlog
139
140
141 def beginAuth(request, theconsumer, name):
142 """Handle user input and redirect to an OpenID server."""
143
144 status, info = theconsumer.beginAuth(name)
145
146 if status is not consumer.SUCCESS:
147 # Try other auth methods.
148 # XXX: Provides no feedback if they *did* want to log in with
149 # OpenID and need to know if their server is down, etc.
150 # Maybe include some heuristic here, e.g. "return an error
151 # iff username.startswith('http')."
152 return (None, True)
153
154 auth_request = info
155 trust_root = request.getBaseURL()
156 if request.query_string:
157 sep = '&'
158 else:
159 sep = '?'
160 return_to = '%s%smoidtoken=%s' % (
161 request.getQualifiedURL(request.request_uri),
162 sep,
163 wikiutil.url_quote(auth_request.token))
164
165 redirect = theconsumer.constructRedirect(auth_request,
166 return_to,
167 trust_root)
168 request.http_redirect(redirect)
169 request.finish()
170
171 # Don't bother trying more auth methods, we just hijacked the request.
172 return (None, False)
173
174 def completeAuth(request, theconsumer, token):
175 """Handle response from the OpenID server and return an authenticated user.
176 """
177 args = {}
178 for key, value in request.form.iteritems():
179 # openid.consumer doesn't want to believe that unicode objects
180 # come from GET requests.
181 args[key.encode('utf-8')] = value[0].encode('utf-8')
182
183 status, info = theconsumer.completeAuth(token, args)
184 if status is not consumer.SUCCESS:
185 # XXX: Should probably give some information to the user here.
186 request.log("OpenID auth failed: %s, %s" % (status, info))
187 return (None, False)
188 if info is None:
189 request.log("OpenID request denied or canceled.")
190 # Request denied at OpenID server.
191 return (None, False)
192 identityURL = info
193 theuser_id = userLookupByOpenID(request, identityURL)
194 User = lambda **kw: user.User(request, auth_method="openid",
195 **kw)
196 if theuser_id is not None:
197 theuser = User(id=theuser_id)
198 # XXX: There is some weirdness around the User.trusted
199 # attribute depending on which arguments you pass to the
200 # constructor. This may end up in us creating non-"trusted"
201 # users, whatever that means.
202 else:
203 if user.getUserId(request, identityURL):
204 # Okay, so we have someone with an authenticated OpenID,
205 # an account *named* that OpenID, but we're not at all
206 # sure that authorizes the user to access that account,
207 # because the account's "openid" field wasn't set.
208 # FIXME: Should explain to the user why they're not getting
209 # logged in and write some log messages and stuff.
210 request.log("OpenID auth for %r, but unsure what account"
211 "goes with it and can't create one." %
212 (identityURL,))
213 return (None, True)
214
215 # I'm not entirely sure what auth_attribs is for. But I think
216 # one of their effects is that if I put some things in there,
217 # the UserPrefs form won't force me to set them, which is
218 # behaviour I want here. Not sure if it's abusive.
219 theuser = User(auth_attribs=("password", "email"))
220 theuser.openid_url = identityURL
221 # I doubt I understand what I'm responsible for in new
222 # user creation... if I just make a user object here and
223 # return it, is that sufficient? Should I call
224 # create_or_update? Is there any of the new user logic
225 # in userform that I need to invoke here?
226 theuser.create_or_update(True)
227 request.log("Created new user %s for OpenID %r" % (theuser,
228 identityURL))
229 return (theuser, False)
230
231
232 def userLookupByOpenID(request, identityURL):
233 # This code is lifted right out of user.getUserId. Can it be generalized?
234 if not identityURL:
235 return None
236 cfg = request.cfg
237 try:
238 openid2id = cfg._openid2id
239 except AttributeError:
240 arena = 'user'
241 key = 'openid2id'
242 cache = caching.CacheEntry(request, arena, key)
243 try:
244 openid2id = pickle.loads(cache.content())
245 except (pickle.UnpicklingError, IOError, EOFError, ValueError):
246 openid2id = {}
247 cfg._openid2id = openid2id
248
249 id = openid2id.get(identityURL, None)
250 if id is None:
251 for userid in user.getUserList(request):
252 uopenid = user.User(request, id=userid).openid_url
253 openid2id[uopenid] = userid
254 arena = 'user'
255 key = 'openid2id'
256 cache = caching.CacheEntry(request, arena, key)
257 cache.update(pickle.dumps(openid2id, user.PICKLE_PROTOCOL))
258 id = openid2id.get(identityURL, None)
259 return id
260
261
262 def _getConsumer(request):
263 # I'm assuming that since you're using MoinMoin, you're probably
264 # okay with a file-based association database.
265 store = FileOpenIDStore(request.cfg.openid_assoc_dir)
266 return consumer.OpenIDConsumer(store)
267
268
269 from MoinMoin.multiconfig import DefaultConfig
270
271 def _(text): return text
272
273 class ConfigMixin:
274 """Things you must define in your Config class to enable Open ID.
275
276 One way to use this would be to define your configuration class like so::
277
278 from MoinMoin.multiconfig import DefaultConfig
279 from MoinMoin import oidauth
280 class Config(oidauth.ConfigMixin, DefaultConfig):
281 # ... your config values here ...
282
283 The defaults for most of the things here are sane, but you likely should
284 define L{openid_assoc_dir} with an absolute path.
285
286 @ivar openid_assoc_dir: A directory (like C{data_dir}) in which the
287 OpenID library will store its data.
288 @ivar auth: To use OpenID, this list of authentication methods must
289 include both the L{openid} function from the oidauth module and
290 the default L{MoinMoin.auth.moin_cookie<moin_cookie>} function.
291 Without the C{moin_cookie} function, you will have to re-authenticate
292 for I{every} request.
293 @ivar user_form_fields: For users to set their OpenID, this list must
294 include C{openid_url}.
295 @ivar user_form_defaults: Provide a default for the field defined in
296 C{user_form_fields}.
297 """
298
299 openid_assoc_dir = './openid/'
300 auth = [openid] + DefaultConfig.auth
301 user_form_fields = DefaultConfig.user_form_fields + [
302 ('openid_url', _('OpenID'), "text", "40",
303 _("(Your OpenID)")),
304 ]
305
306 user_form_defaults = DefaultConfig.user_form_defaults.copy()
307 user_form_defaults.update({
308 'openid_url': '',
309 })
310
311
312 __all__ = ['openid', 'ConfigMixin']
Attached Files
To refer to attachments on a page, use attachment:filename, as shown below in the list of files. Do NOT use the URL of the [get] link, since this is subject to change and can break easily.You are not allowed to attach a file to this page.