|
| 1 | +import logging |
| 2 | +from json import loads |
| 3 | + |
| 4 | +from pyramid.view import view_config |
| 5 | +from pyramid.authentication import AuthTktAuthenticationPolicy |
| 6 | +from pyramid.security import remember |
| 7 | +from pyramid.httpexceptions import HTTPBadRequest, HTTPFound, HTTPUnauthorized |
| 8 | + |
| 9 | +from c2cgeoportal_geoportal.resources import defaultgroupsfinder |
| 10 | + |
| 11 | +from duo_web import sign_request, verify_response |
| 12 | + |
| 13 | + |
| 14 | +LOG = logging.getLogger(__name__) |
| 15 | +logging.basicConfig(level=10) |
| 16 | + |
| 17 | +def includeme(config): |
| 18 | + config.add_route('login', '/login') |
| 19 | + config.add_view(login, route_name='login') |
| 20 | + config.add_route('duoweb_post_action', '/duoweb/post_action') |
| 21 | + config.add_view(duoweb_post_action, route_name='duoweb_post_action') |
| 22 | + |
| 23 | + |
| 24 | +def create_authentication(settings): |
| 25 | + timeout = settings.get("authtkt_timeout") |
| 26 | + timeout = None if timeout is None or timeout.lower() == "none" else int(timeout) |
| 27 | + reissue_time = settings.get("authtkt_reissue_time") |
| 28 | + reissue_time = None if reissue_time is None or reissue_time.lower() == "none" else int(reissue_time) |
| 29 | + max_age = settings.get("authtkt_max_age") |
| 30 | + max_age = None if max_age is None or max_age.lower() == "none" else int(max_age) |
| 31 | + http_only = settings.get("authtkt_http_only", "True") |
| 32 | + http_only = http_only.lower() in ("true", "yes", "1") |
| 33 | + secure = settings.get("authtkt_secure", "True") |
| 34 | + secure = secure.lower() in ("true", "yes", "1") |
| 35 | + samesite = settings.get("authtkt_samesite", "Lax") |
| 36 | + secret = settings.get("authtkt_secret") |
| 37 | + return DuoWebAuthenticationPolicy( |
| 38 | + secret, |
| 39 | + callback=defaultgroupsfinder, |
| 40 | + cookie_name=settings["authtkt_cookie_name"], |
| 41 | + samesite=None if samesite == "" else samesite, |
| 42 | + timeout=timeout, |
| 43 | + max_age=timeout, |
| 44 | + reissue_time=reissue_time, |
| 45 | + hashalg="sha512", |
| 46 | + http_only=http_only, |
| 47 | + secure=secure, |
| 48 | + ) |
| 49 | + |
| 50 | +class DuoWebAuthenticationPolicy(AuthTktAuthenticationPolicy): |
| 51 | + def authenticated_userid(self, request): |
| 52 | + userid = self.unauthenticated_userid(request) |
| 53 | + LOG.info('authenticated_userid: %s' % userid) |
| 54 | + if userid is not None: |
| 55 | + return userid |
| 56 | + |
| 57 | + |
| 58 | +@view_config(route_name='login', renderer='json') |
| 59 | +def login(request): |
| 60 | + login = request.params.get("login") |
| 61 | + password = request.params.get("password") |
| 62 | + if login is None or password is None: |
| 63 | + raise HTTPBadRequest() |
| 64 | + username = request.registry.validate_user(request, login, password) |
| 65 | + if username is None: |
| 66 | + raise HTTPUnauthorized() |
| 67 | + |
| 68 | + config = request.registry.settings.get('duo_web') |
| 69 | + return { |
| 70 | + 'sig_request': sign_request(**config, username=username), |
| 71 | + } |
| 72 | + |
| 73 | + |
| 74 | +@view_config(route_name='duoweb_post_action', renderer='json') |
| 75 | +def duoweb_post_action(request): |
| 76 | + body = loads(request.body, encoding=request.charset) |
| 77 | + sig_response = body.get('sig_response') |
| 78 | + config = request.registry.settings.get('duo_web') |
| 79 | + authenticated_username = verify_response(**config, sig_response=sig_response) |
| 80 | + if authenticated_username is not None: |
| 81 | + headers = remember(request, authenticated_username) |
| 82 | + return HTTPFound(request.route_url('loginuser'), headers=headers) |
| 83 | + else: |
| 84 | + raise HTTPUnauthorized() |
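Review bot: `DuoWebAuthenticationPolicy.authenticated_userid` returns whatever `unauthenticated_userid` reads from the ticket without consulting the policy callback, so the `defaultgroupsfinder` passed as `callback=` in `create_authentication` never gets to confirm the principal; Pyramid's `AuthTktAuthenticationPolicy.authenticated_userid` normally returns None when the callback rejects the userid, and this override loses that check. Unless the bypass is intentional, drop the override or reduce it to `return super().authenticated_userid(request)`; the trailing `if userid is not None: return userid` is in any case equivalent to returning `userid` unconditionally. Separately, `create_authentication` parses `authtkt_max_age` into `max_age` but then passes `max_age=timeout`, so the configured value is silently ignored — that argument should read `max_age=max_age,`. In `duoweb_post_action`, `loads(request.body, encoding=request.charset)` relies on the `encoding` keyword that `json.loads` no longer accepts as of Python 3.9, and neither a non-object body nor a missing `sig_response` is handled before `verify_response` is called. The module-level `logging.basicConfig(level=10)` also reconfigures the root logger at DEBUG for every process that imports this module, which belongs in application setup rather than a library module.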