pvl/login/server.py
author Tero Marttila <tero.marttila@aalto.fi>
Tue, 24 Feb 2015 12:47:09 +0200
changeset 437 5100b359906c
parent 375 df3bf49634a1
permissions -rw-r--r--
specify external library requirements in setup.py
# encoding: utf-8
import datetime
import urlparse
import werkzeug
import werkzeug.urls
import pvl.login.auth
import pvl.web
import pvl.web.response
from pvl.login import pubtkt
from pvl.web import urls
from pvl.web import html5 as html
import logging; log = logging.getLogger('pvl.login.server')
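class Handler (pvl.web.Handler) :
    """
        Base request handler for the login server: Bootstrap page chrome,
        per-request alert messages, pubtkt cookie processing and the
        checked 'back' URL to return the client to after login.
    """

    # Bootstrap
    DOCTYPE = 'html'
    HTML_XMLNS = None
    HTML_LANG = 'en'
    # NOTE(review): Bootstrap/jQuery are fetched from third-party CDNs over
    # protocol-relative URLs, with no integrity pinning visible at this layer;
    # whatever those hosts serve runs inside the login page.
    CSS = (
            '//netdna.bootstrapcdn.com/bootstrap/3.0.3/css/bootstrap.min.css',
    )
    JS = (
            '//code.jquery.com/jquery.js',
            '//netdna.bootstrapcdn.com/bootstrap/3.0.3/js/bootstrap.min.js',
    )

    STYLE = """
body {
    padding-top: 2em;
    text-align: center;
}

.container {
    padding: 2em 1em;
    text-align: left;
}
    """

    def redirect (self, *url, **params) :
        """
            Build a redirect response to the handler URL given by self.url(*url, **params).
        """

        return pvl.web.response.redirect(self.url(*url, **params))

    # Outcome of process_cookie(): the parsed ticket (also kept when it parsed and
    # verified but has expired), the ticket whose signature did not verify, and
    # the ticket only when it is parsed, verified and unexpired.
    pubtkt = None
    invalid_pubtkt = None
    valid_pubtkt = None

    def init (self) :
        # per-request list of (type, icon, message) tuples consumed by render_alerts()
        self.alerts = []

    def alert (self, type, alert, icon=None) :
        """
            Log an alert and queue it for rendering; requires init() to have run.

                type    - bootstrap alert context ('danger', 'warning', 'info', ...)
                alert   - message; anything accepted by unicode(), e.g. an exception
                icon    - optional glyphicon name, or None for no icon
        """

        log.info(u"%s: %s", type, alert)

        self.alerts.append((type, icon, unicode(alert)))

    def process_cookie (self) :
        """
            Load the pubtkt from the request cookie, reversing the urlencoding used
            for the cookie value.

            Sets self.pubtkt / self.valid_pubtkt / self.invalid_pubtkt according to
            the outcome and queues an alert for any failure. Returns self.pubtkt,
            which stays None when no cookie is present or it fails to parse/verify.
        """

        # The ticket is a bearer credential: log which cookies are present, never
        # their values, so that debug logs cannot be replayed as a login.
        log.debug("cookies: %s", sorted(self.request.cookies))

        cookie = self.request.cookies.get(self.app.cookie_name)

        if not cookie :
            return

        log.debug("cookie %s: len=%d", self.app.cookie_name, len(cookie))

        cookie = werkzeug.urls.url_unquote(cookie)

        log.debug("cookie decoded: len=%d", len(cookie))

        if not cookie :
            return

        try :
            self.pubtkt = self.app.load(cookie)

        except pubtkt.ParseError as ex :
            self.alert('danger', ex, icon='compare')

        except pubtkt.VerifyError as ex :
            # signature did not check out: kept apart so nothing treats it as a ticket
            self.alert('danger', ex, icon='warning-sign')

            self.invalid_pubtkt = ex.pubtkt

        except pubtkt.ExpiredError as ex :
            self.alert('warning', ex, icon='clock')

            # store it anyways, but not as valid
            self.pubtkt = ex.pubtkt

        else :
            # it's a parsed, verified and valid pubtkt
            self.valid_pubtkt = self.pubtkt

        return self.pubtkt

    def process_back (self) :
        """
            Determine the application URL to return to after login from the 'back'
            request argument, defaulting to the login server root.

            Sets self.server (the host as returned by app.check_server(), or the
            login server) and self.back (the absolute URL). The scheme is forced to
            app.login_scheme whenever one is configured.
        """

        self.server = None
        self.back = urlparse.urlunparse((self.app.login_scheme, self.app.login_server, '/', '', '', ''))

        back = self.request.args.get('back')

        if back :
            # user-supplied URL: path, params, query and fragment are reused as-is,
            # the scheme and host go through the checks below
            url = urlparse.urlparse(back, self.app.login_scheme)

            if not self.app.login_scheme :
                # NOTE(review): with no configured scheme the caller's scheme is used
                # verbatim; if self.back is ever emitted as a link rather than only
                # a Location header, limiting this to http/https is worth a look.
                scheme = url.scheme

            elif url.scheme == self.app.login_scheme :
                scheme = url.scheme

            else :
                self.alert('info', "Using SSL for application URL", icon='lock')
                scheme = self.app.login_scheme

            if url.hostname :
                # url.hostname is lowercased and carries no port or userinfo;
                # presumably check_server() validates it against the known
                # application servers — that is the only guard against redirecting
                # to an arbitrary host, so confirm it rejects unknown names.
                self.server = self.app.check_server(url.hostname)
            else :
                self.server = self.app.login_server

            self.back = urlparse.urlunparse((scheme, self.server, url.path, url.params, url.query, url.fragment))

    def render_alerts (self) :
        """
            Yield one Bootstrap alert <div> per queued alert, with its glyphicon if any.
        """

        for kind, icon, message in self.alerts :
            yield html.div(class_='alert alert-{type}'.format(type=kind))(
                    html.span(class_='glyphicon glyphicon-{glyphicon}'.format(glyphicon=icon)) if icon else None,
                    message
            )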
class Index (Handler) :
    TITLE = u"Päivölä Network Login"

    # Styling for the .pubtkt status panel, appended to the shared Handler.STYLE
    STYLE = Handler.STYLE + """
.pubtkt {
    width: 30em;
    margin: 1em auto;
}

.pubtkt form {
    display: inline;
}

.pubtkt .panel-heading {
    line-height: 20px;
}

.pubtkt .panel-body .glyphicon {
    width: 1em;
    float: left;
    line-height: 20px;
}

.pubtkt .panel-body .progress {
    margin-bottom: 0;
    margin-left: 2em;
}
    """
    
    # Page-specific script served from this application (what it does is not
    # visible here; presumably the ticket expiry display — see the script itself)
    JS = Handler.JS + (
        '/static/pubtkt-expire.js',
    )
    def process (self) :
        """
            Load the pubtkt cookie; with no ticket at all (an expired one is still
            stored in self.pubtkt by process_cookie) send the client to Login
            instead of rendering the index.
        """

        self.process_cookie()

        if self.pubtkt :
            return

        return self.redirect(Login)
    def render_valid (self, valid) :
        """
            Format a datetime.timedelta as H:MM:SS, hours padded to two columns.
            Only whole seconds are used; the microseconds field is ignored.
        """

        total = valid.days * 86400 + valid.seconds

        hours, rest = divmod(total, 3600)
        minutes, secs = divmod(rest, 60)

        return "%2d:%02d:%02d" % (hours, minutes, secs)
    def render_status (self, pubtkt) :
        """
            Map a ticket's state to a Bootstrap context class: 'warning' while in
            its grace period, 'success' while valid, 'danger' otherwise.
        """

        # both are queried up front, in this order, regardless of the outcome
        is_valid = pubtkt.valid()
        in_grace = pubtkt.grace()

        if in_grace :
            return 'warning'

        return 'success' if is_valid else 'danger'
    def render_pubtkt_valid (self, pubtkt) :
        """
            Yield HTML for ticket validity.
        """
        lifetime = self.app.login_valid
        valid = pubtkt.valid()
1b33bed4a7c4 pimp out pubtkt panel on index page, although alignment is getting difficult
Tero Marttila <terom@paivola.fi>
parents: 359
diff changeset
   203
        grace = pubtkt.grace()
367
e431a1b71006 pvl.login: implement LDAPAuth; fix Index pageprogress grace period refresh
Tero Marttila <terom@paivola.fi>
parents: 365
diff changeset
   204
        grace_period = pubtkt.grace_period()
365
e9e3d1580d36 pvl.login: animated expire progress
Tero Marttila <terom@paivola.fi>
parents: 360
diff changeset
   205
        remaining = pubtkt.remaining()
360
1b33bed4a7c4 pimp out pubtkt panel on index page, although alignment is getting difficult
Tero Marttila <terom@paivola.fi>
parents: 359
diff changeset
   206
1b33bed4a7c4 pimp out pubtkt panel on index page, although alignment is getting difficult
Tero Marttila <terom@paivola.fi>
parents: 359
diff changeset
   207
        if valid :
1b33bed4a7c4 pimp out pubtkt panel on index page, although alignment is getting difficult
Tero Marttila <terom@paivola.fi>
parents: 359
diff changeset
   208
            progress = float(valid.seconds) / float(lifetime.seconds)
1b33bed4a7c4 pimp out pubtkt panel on index page, although alignment is getting difficult
Tero Marttila <terom@paivola.fi>
parents: 359
diff changeset
   209
        else :
1b33bed4a7c4 pimp out pubtkt panel on index page, although alignment is getting difficult
Tero Marttila <terom@paivola.fi>
parents: 359
diff changeset
   210
            progress = None
1b33bed4a7c4 pimp out pubtkt panel on index page, although alignment is getting difficult
Tero Marttila <terom@paivola.fi>
parents: 359
diff changeset
   211
1b33bed4a7c4 pimp out pubtkt panel on index page, although alignment is getting difficult
Tero Marttila <terom@paivola.fi>
parents: 359
diff changeset
   212
        if grace :
1b33bed4a7c4 pimp out pubtkt panel on index page, although alignment is getting difficult
Tero Marttila <terom@paivola.fi>
parents: 359
diff changeset
   213
            title = "Remaining renewal period"
365
e9e3d1580d36 pvl.login: animated expire progress
Tero Marttila <terom@paivola.fi>
parents: 360
diff changeset
   214
            label = "{grace} (Renew)".format(grace=self.render_valid(grace))
360
1b33bed4a7c4 pimp out pubtkt panel on index page, although alignment is getting difficult
Tero Marttila <terom@paivola.fi>
parents: 359
diff changeset
   215
            status = 'warning'
1b33bed4a7c4 pimp out pubtkt panel on index page, although alignment is getting difficult
Tero Marttila <terom@paivola.fi>
parents: 359
diff changeset
   216
        elif valid :
1b33bed4a7c4 pimp out pubtkt panel on index page, although alignment is getting difficult
Tero Marttila <terom@paivola.fi>
parents: 359
diff changeset
   217
            title = "Remaining validity period"
365
e9e3d1580d36 pvl.login: animated expire progress
Tero Marttila <terom@paivola.fi>
parents: 360
diff changeset
   218
            label = "{valid}".format(valid=self.render_valid(valid))
360
1b33bed4a7c4 pimp out pubtkt panel on index page, although alignment is getting difficult
Tero Marttila <terom@paivola.fi>
parents: 359
diff changeset
   219
            status = 'success'
1b33bed4a7c4 pimp out pubtkt panel on index page, although alignment is getting difficult
Tero Marttila <terom@paivola.fi>
parents: 359
diff changeset
   220
        else :
1b33bed4a7c4 pimp out pubtkt panel on index page, although alignment is getting difficult
Tero Marttila <terom@paivola.fi>
parents: 359
diff changeset
   221
            title = "Expired"
365
e9e3d1580d36 pvl.login: animated expire progress
Tero Marttila <terom@paivola.fi>
parents: 360
diff changeset
   222
            label = "Expired"
360
1b33bed4a7c4 pimp out pubtkt panel on index page, although alignment is getting difficult
Tero Marttila <terom@paivola.fi>
parents: 359
diff changeset
   223
            status = 'danger'
1b33bed4a7c4 pimp out pubtkt panel on index page, although alignment is getting difficult
Tero Marttila <terom@paivola.fi>
parents: 359
diff changeset
   224
        
1b33bed4a7c4 pimp out pubtkt panel on index page, although alignment is getting difficult
Tero Marttila <terom@paivola.fi>
parents: 359
diff changeset
   225
        if progress :
1b33bed4a7c4 pimp out pubtkt panel on index page, although alignment is getting difficult
Tero Marttila <terom@paivola.fi>
parents: 359
diff changeset
   226
            return html.div(class_='panel-body', title=title)(
1b33bed4a7c4 pimp out pubtkt panel on index page, although alignment is getting difficult
Tero Marttila <terom@paivola.fi>
parents: 359
diff changeset
   227
                html.span(class_='glyphicon glyphicon-time'),
365
e9e3d1580d36 pvl.login: animated expire progress
Tero Marttila <terom@paivola.fi>
parents: 360
diff changeset
   228
                html.div(class_='progress pubtkt-progress',
e9e3d1580d36 pvl.login: animated expire progress
Tero Marttila <terom@paivola.fi>
parents: 360
diff changeset
   229
                    data_start=valid.seconds,
367
e431a1b71006 pvl.login: implement LDAPAuth; fix Index pageprogress grace period refresh
Tero Marttila <terom@paivola.fi>
parents: 365
diff changeset
   230
                    data_refresh=grace_period.seconds if remaining else None,
365
e9e3d1580d36 pvl.login: animated expire progress
Tero Marttila <terom@paivola.fi>
parents: 360
diff changeset
   231
                    data_end=lifetime.seconds,
e9e3d1580d36 pvl.login: animated expire progress
Tero Marttila <terom@paivola.fi>
parents: 360
diff changeset
   232
                )(
360
1b33bed4a7c4 pimp out pubtkt panel on index page, although alignment is getting difficult
Tero Marttila <terom@paivola.fi>
parents: 359
diff changeset
   233
                    html.div(class_='progress-bar progress-bar-{status}'.format(status=status),
1b33bed4a7c4 pimp out pubtkt panel on index page, although alignment is getting difficult
Tero Marttila <terom@paivola.fi>
parents: 359
diff changeset
   234
                        role='progressbar',
1b33bed4a7c4 pimp out pubtkt panel on index page, although alignment is getting difficult
Tero Marttila <terom@paivola.fi>
parents: 359
diff changeset
   235
                        style='width: {pp:.0f}%'.format(pp=progress*100),
1b33bed4a7c4 pimp out pubtkt panel on index page, although alignment is getting difficult
Tero Marttila <terom@paivola.fi>
parents: 359
diff changeset
   236
                    )(
365
e9e3d1580d36 pvl.login: animated expire progress
Tero Marttila <terom@paivola.fi>
parents: 360
diff changeset
   237
                        html.span(class_='pubtkt-progress-label')(label)
360
1b33bed4a7c4 pimp out pubtkt panel on index page, although alignment is getting difficult
Tero Marttila <terom@paivola.fi>
parents: 359
diff changeset
   238
                    )
1b33bed4a7c4 pimp out pubtkt panel on index page, although alignment is getting difficult
Tero Marttila <terom@paivola.fi>
parents: 359
diff changeset
   239
                )
1b33bed4a7c4 pimp out pubtkt panel on index page, although alignment is getting difficult
Tero Marttila <terom@paivola.fi>
parents: 359
diff changeset
   240
            )
1b33bed4a7c4 pimp out pubtkt panel on index page, although alignment is getting difficult
Tero Marttila <terom@paivola.fi>
parents: 359
diff changeset
   241
        else :
365
e9e3d1580d36 pvl.login: animated expire progress
Tero Marttila <terom@paivola.fi>
parents: 360
diff changeset
   242
            return None # html.p(label)
    def render_pubtkt_fields (self, pubtkt) :
        """
            Yield (glyphicon, status, title, data) tuples for the optional ticket
            fields shown in the panel's list-group: the client address, the user
            data, one row per access token, and the bauth field.

            status is always None here; render_pubtkt turns a truthy status into
            an alert-* class on the list item.

            NOTE(review): pubtkt.bauth is echoed into the page verbatim.  In
            mod_auth_pubtkt that field is documented as carrying (optionally
            encrypted) HTTP basic-auth credentials, so displaying it may reveal
            more than intended -- confirm it is safe to show here.
        """

        simple_fields = (
            ('cloud',   "Network address", pubtkt.cip),
            ('comment', "User data",       pubtkt.udata),
        )

        for icon, title, value in simple_fields :
            if value :
                yield icon, None, title, value

        for token in pubtkt.tokens :
            yield 'flag', None, "Access token", token

        if pubtkt.bauth :
            yield 'keys', None, "Authentication token", pubtkt.bauth
    def render_pubtkt (self, pubtkt) :
        """
            Render the bootstrap panel for the current ticket: a heading with
            uid@domain, the validity bar, the optional fields as a list-group,
            and a footer with a Renew (POST) or Login (GET) form plus a Logout
            (POST) form.

            NOTE(review): the Renew and Logout forms carry no anti-CSRF token;
            only the pubtkt cookie authenticates the POST, so a cross-site page
            could trigger a renewal or logout for a logged-in browser.  Confirm
            the Login/Logout handlers enforce a token or Origin check elsewhere.
        """

        status = self.render_status(pubtkt)
        domain = self.app.login_domain

        def heading () :
            return html.div(class_='panel-heading')(
                html.span(class_='glyphicon glyphicon-user'),
                html.strong(pubtkt.uid),
                html.span("@", domain),
            )

        def fields () :
            # each field may carry its own status; None means a plain list item
            return html.ul(class_='list-group')(
                html.li(class_='list-group-item {status}'.format(status=('alert-'+item_status if item_status else '')), title=item_title)(
                    html.span(class_='glyphicon glyphicon-{glyphicon}'.format(glyphicon=icon)) if icon else None,
                    data,
                ) for icon, item_status, item_title, data in self.render_pubtkt_fields(pubtkt)
            )

        def footer () :
            if pubtkt.valid() :
                action = html.form(action=self.url(Login), method='post', class_='form-inline')(
                    html.button(type='submit', class_='btn btn-success')(
                        html.span(class_='glyphicon glyphicon-time'), "Renew"
                    )
                )
            else :
                action = html.form(action=self.url(Login), method='get', class_='form-inline')(
                    html.button(type='submit', class_='btn btn-info')(
                        html.span(class_='glyphicon glyphicon-log-in'), "Login"
                    )
                )

            return html.div(class_='panel-footer')(
                action,
                html.form(action=self.url(Logout), method='post', class_='form-inline pull-right')(
                    html.button(type='submit', class_='btn btn-warning')(
                        html.span(class_='glyphicon glyphicon-log-out'), "Logout"
                    )
                ),
            )

        return html.div(class_='pubtkt panel panel-{status}'.format(status=status))(
            heading(),
            self.render_pubtkt_valid(pubtkt),
            fields(),
            footer(),
        )
    def render (self) :
        """
            Page body: the queued alerts first, then the ticket panel when
            self.pubtkt is set (presumably by the cookie processing step).
        """

        children = [self.render_alerts()]

        if self.pubtkt :
            children.append(self.render_pubtkt(self.pubtkt))
        else :
            children.append(None)

        return html.div(class_='container')(*children)
class Login (Handler) :
    # page title; presumably consumed by the Handler base class
    TITLE = "Login"
    
    # extra CSS appended to the shared Handler stylesheet: centre the login form
    STYLE = Handler.STYLE + """
form#login {
    max-width:  50%;
    padding:    1em;
    margin:     0 auto;
}

    """
    
    # set to True by process() when a POST did not produce a new or renewed
    # ticket (rejected credentials, auth backend error, or nothing to renew)
    login_failure = None
    def process (self) :
        self.process_cookie()
        
        try :
            self.process_back()
        except pubtkt.Error as ex :
            self.alert('danger', ex)
        if self.pubtkt :
            self.username = self.pubtkt.uid
        else :
            self.username = None
            
        # update cookie?
        set_pubtkt = None
        if self.request.method == 'POST' :
            username = self.request.form.get('username')
            password = self.request.form.get('password')
                
            if username :
                # preprocess
                username = username.strip().lower()
            if username and password :
                self.username = username
                
                try :
                    set_pubtkt = self.app.auth(username, password)
                except pvl.login.auth.AuthError as ex :
                    self.alert('danger', "Internal authentication error, try again later?")
                else :
                    if not set_pubtkt :
                        self.alert('danger', "Invalid authentication credentials, try again.")
            
            elif self.pubtkt and self.pubtkt.valid() :
                # renew manually if valid
                set_pubtkt = self.app.renew(self.pubtkt)
            
            # a POST request that does not modify state is a failure
            if not set_pubtkt :
                self.login_failure = True
        elif 'renew' in self.request.args :
            # renew automatically if in grace period
            if self.pubtkt and self.pubtkt.grace() :
                set_pubtkt = self.app.renew(self.pubtkt)
            
        if set_pubtkt :
            signed = self.app.sign(set_pubtkt)
            
            self.pubtkt = set_pubtkt
            
            # browsers and mod_pubtkt seem to be very particular about quoting ;'s in cookie values...
            # this follows PHP's setcookie() encoding, without any quoting of the value..
            cookie = '{cookie}={value}; Domain={domain}; Secure; HttpOnly'.format(
                    cookie  = self.app.cookie_name,
                    value   = werkzeug.urls.url_quote(signed),
                    domain  = self.app.cookie_domain,
            )
            # redirect with cookie
            response = pvl.web.response.redirect(self.back)
            response.headers.add('Set-Cookie', cookie)
            return response
    def status (self) :
        """
            HTTP status for the login page: 400 once a login attempt has failed, 200 otherwise.
        """

        return 400 if self.login_failure else 200
    def render (self) :
        """
            Login form, POSTing back to this handler with the `back` url carried along in the form action.

            When a valid ticket is present the same form doubles as a renewal form: the password field is
            no longer required and a second "Renew" submit button is shown. Neither submit button carries a
            name/value, so the two are not distinguishable from the form data alone; the handling is
            presumably in process(), which is not part of this method.
        """
        # displayed after the "@" in the username input
        domain = self.app.login_domain

        # Logout redirects here with ?logout=1 after clearing the cookie
        if 'logout' in self.request.args :
            self.alert('info', "You have been logged out.", icon='log-out')

        # a ticket that is still valid may be renewed without re-entering the password
        if self.pubtkt and self.pubtkt.valid() :
            renew = True

            # within validity period...
            self.alert('info', "Login or renew ticket.", icon='log-in')

        else :
            renew = False

        # NOTE(review): self.back is used both as the form action's back= parameter and as the href of the
        # legend link; where (or whether) it is validated is not visible here — confirm it is limited to
        # trusted targets before relying on the link.
        return html.div(class_='container')(
            html.form(action=self.url(back=self.back), method='POST', id='login')(
                self.render_alerts(),

                html.fieldset(
                    html.legend(
                        (
                            "Login @ ",
                            html.a(href=self.back)(self.server),
                        ) if self.server else (
                            "Login"
                        )
                   ),
                
                    html.div(class_='form-group')(
                        html.div(class_='input-group')(
                            html.label(for_='username', class_='sr-only')("Username"),
                            # autofocus goes to the username when none is known yet, else to the password
                            html.input(name='username', type='text', class_='form-control', placeholder="username", required=True, autofocus=(not self.username), value=self.username),
                            html.span(class_='input-group-addon')("@{domain}".format(domain=domain)),
                        ),

                        html.label(for_='password', class_='sr-only')("Password"),
                        # password is optional only when renewing an existing valid ticket
                        html.input(name='password', type='password', class_='form-control', placeholder="Password", required=(not renew), autofocus=bool(self.username)),
                    ),

                    html.button(type='submit', class_='btn btn-primary')(
                        html.span(class_='glyphicon glyphicon-log-in'), "Login"
                    ),

                    html.button(type='submit', class_='btn btn-success')(
                        html.span(class_='glyphicon glyphicon-time'), "Renew"
                    ) if renew else None,
                )
            )
        )
class Logout (Handler) :
    """
        Clear the pubtkt cookie on POST; a GET shows a confirmation form first.
    """

    TITLE = "Logout"

    def process (self) :
        """
            Without a ticket there is nothing to log out of, so bounce to Login.

            A POST expires the ticket cookie and lands on the login page with ?logout=1.
            Any other method returns None, so the confirmation form from render() is shown.
        """
        self.process_cookie()

        if not self.pubtkt :
            return self.redirect(Login)

        if self.request.method != 'POST' :
            return

        response = pvl.web.response.redirect(self.url(Login, logout=1))

        # expire the ticket cookie; domain/secure/httponly come from the app config.
        # NOTE(review): no explicit path is passed here, so werkzeug's default path applies; the browser
        # only drops the cookie if name, domain and path match the ones the login handler set it with
        # — confirm those agree.
        response.set_cookie(self.app.cookie_name, '',
                expires     = 0,
                domain      = self.app.cookie_domain,
                secure      = self.app.cookie_secure,
                httponly    = self.app.cookie_httponly,
        )

        return response

    def render (self) :
        """
            Confirmation form that POSTs back to this handler.
        """
        legend = html.legend("Logout {pubtkt.uid}".format(pubtkt=self.pubtkt))
        button = html.button(type='submit', class_='btn btn-warning')(
            html.span(class_='glyphicon glyphicon-log-out'), "Logout"
        )

        return html.div(class_='container')(
            html.form(action=self.url(), method='post')(
                self.render_alerts(),
                html.fieldset(legend, button),
            )
        )
class SSL (Handler) :
    TITLE = "SSL"

    # NOTE(review): not referenced by any of the methods visible in this class — confirm it is still in use
    OUT = 'tmp/spkac'
    def render_cert (self) :
        """
            Page body shown once a client cert has been signed.

            Only informs the user; the cert download itself is triggered by the refresh in respond_cert().
        """
        notice = html.div(class_='alert alert-success')(
            "Your new SSL client cert has been signed, and should shortly be installed within your browser."
        )

        return html.div(class_='container')(self.render_alerts(), notice)
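    def respond_cert (self, cert) :
        """
            Generate a response for a signed cert, showing the user an informational page, and redirecting to the cert itself..

            The redirect is done with a <meta http-equiv="refresh"> in the html head instead of a 3xx
            Location header, so the browser renders the page from render_cert() before following to the
            cert download at url(SSL, cert=cert).

            Returns a 200 text/html pvl.web.Response.
        """

        location = self.url(SSL, cert=cert)

        return pvl.web.Response(
                self.render_html(
                    body        = self.render_cert(),
                    # 0 second delay; the browser follows to the cert download as soon as the page is shown
                    extrahead   = html.meta(http_equiv='refresh', content='0;{location}'.format(location=location)),
                ),
                # must be 200, a redirect status would keep the informational page from being displayed
                status      = 200,
                mimetype    = 'text/html',
        )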
    def process_spkac (self, spkac) :
        """
            Sign the browser-generated SPKAC for the user identified by self.pubtkt.

            On a signing error the user gets a danger alert and None is returned (presumably leaving the
            caller to render the page); otherwise the response from respond_cert() is returned, which
            redirects to the cert download.
        """
        log.info("SPKAC: %s", spkac)

        try :
            cert = self.app.ssl_sign(self.pubtkt, spkac)
        except pvl.login.ssl.Error as ex :
            self.alert('danger', ex)
        else :
            log.info("Redirecting to client cert: %s", cert)

            return self.respond_cert(cert)
    def process_cert (self, cert) :
df3bf49634a1 pvl.login.server: separate redirect/refresh'd step for cert download to display html first; fix set-cookie quoting for werkzeug 0.9
Tero Marttila <terom@paivola.fi>
parents: 373
diff changeset
   530
        """
df3bf49634a1 pvl.login.server: separate redirect/refresh'd step for cert download to display html first; fix set-cookie quoting for werkzeug 0.9
Tero Marttila <terom@paivola.fi>
parents: 373
diff changeset
   531
            Return user cert as download.
df3bf49634a1 pvl.login.server: separate redirect/refresh'd step for cert download to display html first; fix set-cookie quoting for werkzeug 0.9
Tero Marttila <terom@paivola.fi>
parents: 373
diff changeset
   532
df3bf49634a1 pvl.login.server: separate redirect/refresh'd step for cert download to display html first; fix set-cookie quoting for werkzeug 0.9
Tero Marttila <terom@paivola.fi>
parents: 373
diff changeset
   533
            Uses the application/x-x509-user-cert mimetype per
df3bf49634a1 pvl.login.server: separate redirect/refresh'd step for cert download to display html first; fix set-cookie quoting for werkzeug 0.9
Tero Marttila <terom@paivola.fi>
parents: 373
diff changeset
   534
                https://developer.mozilla.org/en-US/docs/NSS_Certificate_Download_Specification
df3bf49634a1 pvl.login.server: separate redirect/refresh'd step for cert download to display html first; fix set-cookie quoting for werkzeug 0.9
Tero Marttila <terom@paivola.fi>
parents: 373
diff changeset
   535
        """
373
6beb06b59ee6 pvl.login: do not store invalid pubtkt's in self.pubtkt; implement a ssl client cert ca
Tero Marttila <terom@paivola.fi>
parents: 370
diff changeset
   536
        
375
df3bf49634a1 pvl.login.server: separate redirect/refresh'd step for cert download to display html first; fix set-cookie quoting for werkzeug 0.9
Tero Marttila <terom@paivola.fi>
parents: 373
diff changeset
   537
        try :
df3bf49634a1 pvl.login.server: separate redirect/refresh'd step for cert download to display html first; fix set-cookie quoting for werkzeug 0.9
Tero Marttila <terom@paivola.fi>
parents: 373
diff changeset
   538
            file = self.app.ssl_open(self.pubtkt, cert)
df3bf49634a1 pvl.login.server: separate redirect/refresh'd step for cert download to display html first; fix set-cookie quoting for werkzeug 0.9
Tero Marttila <terom@paivola.fi>
parents: 373
diff changeset
   539
        except pvl.login.ssl.Error as ex :
df3bf49634a1 pvl.login.server: separate redirect/refresh'd step for cert download to display html first; fix set-cookie quoting for werkzeug 0.9
Tero Marttila <terom@paivola.fi>
parents: 373
diff changeset
   540
            self.alert('danger', ex)
            return
        
        log.info("Returning client cert: %s", file)
        return pvl.web.Response(self.response_file(file), mimetype='application/x-x509-user-cert')
    def process (self, cert=None) :
        """
            Handle the SSL client-cert page: require a valid login, then
            dispatch to either the cert download step or the SPKAC signing step.

            cert    - optional download token from the /ssl/<cert> URL rule.

            Returns the redirect/download/signing response, or None when there
            is nothing to do (presumably leaving the page to render()).
        """

        # A valid pubtkt cookie is required; otherwise bounce through the login page
        if not self.process_cookie() :
            return self.redirect(Login, back=self.url())

        # NOTE(review): this header is only trustworthy if the TLS-terminating
        # proxy always sets or strips it; a client-supplied value would be
        # displayed as the user's cert DN by render(). Confirm the proxy config.
        self.sslcert_dn = self.request.headers.get('X-Forwarded-SSL-DN')

        # Download step: the token is taken straight from the URL, so it is
        # client-controlled input for ssl_open()
        if cert :
            return self.process_cert(cert)

        # Signing step: only a POST carrying a non-empty <keygen> value
        if self.request.method != 'POST' :
            return None

        spkac = self.request.form.get('spkac')

        if not spkac :
            return None

        return self.process_spkac(spkac)
    
    def render (self) :
        """
            Render the SSL login page: a <keygen> form that POSTs its SPKAC
            value back to this URL, where process() hands it to process_spkac().
        """

        if self.sslcert_dn :
            self.alert('info', "You are currently using a client SSL cert: {self.sslcert_dn}".format(self=self))

        # Elements are created outermost-first so the builder calls happen in
        # the same order as the equivalent nested expression
        container = html.div(class_='container')
        form = html.form(action=self.url(), method='post')
        alerts = self.render_alerts()
        legend = html.legend("SSL Login")

        # NOTE(review): the <keygen> challenge is a fixed literal. A challenge
        # only helps if the signing side checks it, and then it needs to be
        # unpredictable per request -- confirm against process_spkac()/sign_user().
        # No anti-CSRF token is visible in this form either; confirm whether
        # pvl.web supplies one.
        keygen = html.keygen(name='spkac', challenge='foo', keytype='RSA')
        submit = html.button(type='submit', class_='btn')("Generate Certificate")
        fieldset = html.fieldset(legend, keygen, submit)

        return container(form(alerts, fieldset))
class LoginApplication (pvl.web.Application) :
    URLS = urls.Map((
        urls.rule('/',              Index),
        urls.rule('/login',         Login),
        urls.rule('/logout',        Logout),

        # proto
        urls.rule('/ssl',           SSL),
        # <cert> is a client-controlled path segment that ends up in ssl_open()
        urls.rule('/ssl/<cert>',    SSL),
    ))

    # Default pubtkt key pair; the private key signs every ticket, so its file
    # must stay readable by the login server only (nothing here checks that)
    PUBLIC_KEY = 'etc/login/public.pem'
    PRIVATE_KEY = 'etc/login/private.pem'
    
    # Only servers equal to or below login_domain are valid ticket targets (see check_server)
    login_domain = 'test.paivola.fi'
    login_server = 'login.test.paivola.fi'
    # Ticket validity window and grace period handed to PubTkt.new()/update();
    # presumably the grace period is where automatic renewal happens -- see renew()
    login_valid = datetime.timedelta(minutes=60)
    login_grace = datetime.timedelta(minutes=15)
    login_scheme = 'https'

    # auth_pubtkt cookie settings (the set-cookie call is outside this view).
    # If cookie_domain is used as the cookie Domain, the ticket is sent to every
    # host under it. Secure + HttpOnly are set; NOTE(review): no SameSite here.
    cookie_name = 'auth_pubtkt'
    cookie_domain = 'test.paivola.fi'
    cookie_secure = True
    cookie_httponly = True
    def __init__ (self, auth, ssl=None, public_key=PUBLIC_KEY, private_key=PRIVATE_KEY, **opts) :
        """
            auth        - authentication backend used by auth()/renew()
            ssl         - optional client-cert CA used by ssl_sign()/ssl_open()
            public_key  - path to the pubtkt verification key
            private_key - path to the pubtkt signing key; whoever deploys it is
                          responsible for restrictive file permissions, nothing
                          is checked here
            opts        - passed through to pvl.web.Application
        """

        super(LoginApplication, self).__init__(**opts)

        self._ssl = ssl
        self._auth = auth

        keys = pubtkt.ServerKeys.config(
                public_key  = public_key,
                private_key = private_key,
        )
        self.server_keys = keys
    def check_server (self, server) :
        """
            Check that the given target server is valid.

            Accepts the login domain itself and any host below it. The
            comparison is case-insensitive and requires a '.' boundary, so a
            look-alike such as 'evil' + login_domain is rejected.

            Returns the normalized (lower-cased) server name.

            Raises pubtkt.ServerError if the server is outside the domain.
        """

        target = server.lower()
        domain = self.login_domain

        # Exact match, or a dot-separated subdomain of login_domain
        if target != domain and not target.endswith('.' + domain) :
            raise pubtkt.ServerError("Target server is not covered by our authentication domain: {domain}".format(domain=self.login_domain))

        return target
    def load (self, cookie) :
        """
            Load a pubtkt from a cookie, and verify it.

            The cookie value is handed to PubTkt.load() together with our public
            key; how a bad signature is reported is decided there, not here.
        """

        verify_key = self.server_keys.public

        return pubtkt.PubTkt.load(cookie, verify_key)
    def auth (self, username, password) :
        """
            Perform authentication, returning a PubTkt (unsigned) or None.

            The backend's auth() result doubles as the handle used to look up
            the access tokens and user data placed into the ticket.

            Raises auth.AuthError.
        """

        result = self._auth.auth(username, password)

        if not result :
            return None

        tokens = list(self._auth.access(result))
        udata = self._auth.userdata(result)

        return pubtkt.PubTkt.new(username,
                valid   = self.login_valid,
                grace   = self.login_grace,
                tokens  = tokens,
                udata   = udata,
        )
    def sign (self, pubtkt) :
        """
            Create a cookie by signing the given pubtkt.

            The `pubtkt` parameter is the ticket object (it shadows the pubtkt
            module within this method).
        """

        signing_key = self.server_keys.private

        return pubtkt.sign(signing_key)
 
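    def renew (self, pubtkt) :
        """
            Renew the given pubtkt.

            Re-authenticates the ticket's uid against the backend and refreshes
            the validity window, access tokens and user data. Signing the
            refreshed ticket is not done here.

            Raises pvl.login.pubtkt.RenewError if the backend no longer accepts
            the user.
        """

        auth = self._auth.renew(pubtkt.uid)

        if not auth :
            # The `pubtkt` parameter shadows the pubtkt module inside this
            # method, so the exception class is reached through the package
            # instead of being looked up on the ticket object
            raise pvl.login.pubtkt.RenewError("Unable to re-authenticate")

        return pubtkt.update(
                valid   = self.login_valid,
                grace   = self.login_grace,
                tokens  = list(self._auth.access(auth)),
                udata   = self._auth.userdata(auth),
        )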
    def ssl_sign (self, pubtkt, spkac) :
        """
            Generate a SSL client cert for the given user.

            spkac is the browser-generated <keygen> value from the POST form,
            i.e. untrusted input; checking it is left to the CA's sign_user().

            Returns the redirect token for downloading it.
            
            Raises pvl.login.ssl.Error
        """

        ca = self._ssl

        if not ca :
            raise pvl.login.ssl.Error("No ssl CA available for signing")

        # The ticket's udata is passed along as the cert's user info
        userinfo = pubtkt.udata

        return ca.sign_user(pubtkt.uid, spkac, userinfo=userinfo)
    
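    def ssl_open (self, pubtkt, cert) :
        """
            Open and return an SSL cert file.

            cert is the download token taken from the /ssl/<cert> URL, so it is
            client-controlled. NOTE(review): confirm that open_cert() validates
            it against the ticket's uid rather than using it directly as a path.

            Raises pvl.login.ssl.Error if no CA is configured (matching
            ssl_sign()), otherwise whatever open_cert() raises.
        """

        # Without this guard a missing CA fails with an AttributeError on None,
        # which the pvl.login.ssl.Error handler in the download step does not catch
        if not self._ssl :
            raise pvl.login.ssl.Error("No ssl CA available for opening certs")

        return self._ssl.open_cert(pubtkt.uid, cert)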