# Login application for demo SSO: using the repoze.who API.
|
from repoze.who.api import APIFactory
|
from repoze.who.config import WhoConfig
|
from webob import Request
|
|
LOGIN_FORM_TEMPLATE = """\
|
<html>
|
<head>
|
<title> Demo SSO Login </title>
|
</head>
|
<body>
|
<h1> Demo SSO Login </h1>
|
<p style="color: Red">%(message)s</p>
|
<form action="#" method="post">
|
<input type="hidden" name="came_from" value="%(came_from)s" />
|
<fieldset id="login_name_fs">
|
<label for="login_name">Login Name</label>
|
<input type="text" id="login_name" name="login_name" value="%(login_name)s" />
|
</fieldset>
|
<fieldset id="password_fs">
|
<label for="password">Login Name</label>
|
<input type="password" id="password" name="password" />
|
</fieldset>
|
<input type="submit" name="form.submitted" value="Log In" />
|
</form>
|
</body>
|
</html>
|
"""
|
|
MAX_AGE = '3600' # seconds
|
|
AUTH = {
|
'phred': 'y4bb3d4bb4d00',
|
'bharney': 'b3dr0ck',
|
}
|
|
# This config would normally be in a separate file: inlined here for
|
# didactic purposes.
|
WHO_CONFIG = """\
|
[plugin:auth_tkt]
|
# identification + authorization
|
use = repoze.who.plugins.auth_tkt:make_plugin
|
secret = s33kr1t
|
cookie_name = auth_cookie
|
secure = True
|
include_ip = True
|
digest_algo = sha512
|
|
[general]
|
request_classifier = repoze.who.classifiers:default_request_classifier
|
challenge_decider = repoze.who.classifiers:default_challenge_decider
|
remote_user_key = REMOTE_USER
|
|
[identifiers]
|
plugins =
|
auth_tkt
|
|
[authenticators]
|
plugins =
|
auth_tkt
|
|
[challengers]
|
plugins =
|
|
[mdproviders]
|
plugins =
|
"""
|
|
# oh emacs python-mode, you disappoint me """
|
|
api_factory = None
|
|
def _configure_api_factory():
|
global api_factory
|
if api_factory is None:
|
config = WhoConfig(here='/tmp') # XXX config file location
|
config.parse(WHO_CONFIG)
|
api_factory = APIFactory(identifiers=config.identifiers,
|
authenticators=config.authenticators,
|
challengers=config.challengers,
|
mdproviders=config.mdproviders,
|
request_classifier=config.request_classifier,
|
challenge_decider=config.challenge_decider,
|
)
|
return api_factory
|
|
def _validate(login_name, password):
|
# Your application's logic goes here
|
return AUTH.get(login_name) == password
|
|
def login(environ, start_response):
|
request = Request(environ)
|
message = ''
|
if 'form.submitted' in request.POST:
|
came_from = request.POST['came_from']
|
login_name = request.POST['login_name']
|
password = request.POST['password']
|
remote_addr = environ['REMOTE_ADDR']
|
tokens = userdata = ''
|
if _validate(login_name, password):
|
api = _configure_api_factory()(environ)
|
headers = [('Location', came_from)]
|
headers.extend(api.remember(login_name))
|
start_response('302 Found', headers)
|
return []
|
message = 'Authentication failed'
|
else:
|
came_from = request.GET.get('came_from')
|
login_name = ''
|
|
body = LOGIN_FORM_TEMPLATE % {'message': message,
|
'came_from': came_from,
|
'login_name': login_name,
|
}
|
start_response('200 OK', [])
|
return [body]
|
|
def main(global_config, **local_config):
|
return login
|