#!/usr/bin/env python """ Simple example for an OpenID consumer. Once you understand this example you'll know the basics of OpenID and using the Python OpenID library. You can then move on to more robust examples, and integrating OpenID into your application. """ from __future__ import unicode_literals import cgi import cgitb import optparse import sys from Cookie import SimpleCookie import six from six.moves.BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer from six.moves.urllib.parse import parse_qsl, urljoin, urlparse def quoteattr(s): qs = cgi.escape(s, 1) return '"%s"' % (qs,) try: import openid except ImportError: sys.stderr.write(""" Failed to import the OpenID library. In order to use this example, you must either install the library (see INSTALL in the root of the distribution) or else add the library to python's import path (the PYTHONPATH environment variable). For more information, see the README in the root of the library distribution.""") sys.exit(1) else: del openid from openid.consumer import consumer from openid.extensions import pape, sreg from openid.fetchers import Urllib2Fetcher, setDefaultFetcher from openid.oidutil import appendArgs from openid.store import filestore, memstore from openid.store.nonce import make_nonce_salt # Used with an OpenID provider affiliate program. OPENID_PROVIDER_NAME = 'MyOpenID' OPENID_PROVIDER_URL = 'https://www.myopenid.com/affiliate_signup?affiliate_id=39' class OpenIDHTTPServer(HTTPServer): """http server that contains a reference to an OpenID consumer and knows its base URL. """ def __init__(self, store, *args, **kwargs): HTTPServer.__init__(self, *args, **kwargs) self.sessions = {} self.store = store if self.server_port != 80: self.base_url = ('http://%s:%s/' % (self.server_name, self.server_port)) else: self.base_url = 'http://%s/' % (self.server_name,) class OpenIDRequestHandler(BaseHTTPRequestHandler): """Request handler that knows how to verify an OpenID identity.""" SESSION_COOKIE_NAME = 'pyoidconsexsid' session = None def getConsumer(self, stateless=False): if stateless: store = None else: store = self.server.store return consumer.Consumer(self.getSession(), store) def getSession(self): """Return the existing session or a new session""" if self.session is not None: return self.session # Get value of cookie header that was sent cookie_str = self.headers.get('Cookie') if cookie_str: cookie_obj = SimpleCookie(cookie_str) sid_morsel = cookie_obj.get(self.SESSION_COOKIE_NAME, None) if sid_morsel is not None: sid = sid_morsel.value else: sid = None else: sid = None # If a session id was not set, create a new one if sid is None: # Pure pragmatism: Use function for nonce salt to generate session ID. sid = make_nonce_salt(16) session = None else: session = self.server.sessions.get(sid) # If no session exists for this session ID, create one if session is None: session = self.server.sessions[sid] = {} session['id'] = sid self.session = session return session def setSessionCookie(self): sid = self.getSession()['id'] session_cookie = '%s=%s;' % (self.SESSION_COOKIE_NAME, sid) self.send_header('Set-Cookie', session_cookie) def do_GET(self): """Dispatching logic. There are three paths defined: / - Display an empty form asking for an identity URL to verify /verify - Handle form submission, initiating OpenID verification /process - Handle a redirect from an OpenID server Any other path gets a 404 response. This function also parses the query parameters. If an exception occurs in this function, a traceback is written to the requesting browser. """ try: self.parsed_uri = urlparse(self.path) self.query = {} for k, v in parse_qsl(self.parsed_uri[4]): self.query[k] = v.decode('utf-8') path = self.parsed_uri[2] if path == '/': self.render() elif path == '/verify': self.doVerify() elif path == '/process': self.doProcess() elif path == '/affiliate': self.doAffiliate() else: self.notFound() except Exception: self.send_response(500) self.send_header('Content-type', 'text/html') self.setSessionCookie() self.end_headers() self.wfile.write(cgitb.html(sys.exc_info(), context=10)) def doVerify(self): """Process the form submission, initating OpenID verification. """ # First, make sure that the user entered something openid_url = self.query.get('openid_identifier') if not openid_url: self.render('Enter an OpenID Identifier to verify.', css_class='error', form_contents=openid_url) return immediate = 'immediate' in self.query use_sreg = 'use_sreg' in self.query use_pape = 'use_pape' in self.query use_stateless = 'use_stateless' in self.query oidconsumer = self.getConsumer(stateless=use_stateless) try: request = oidconsumer.begin(openid_url) except consumer.DiscoveryFailure as exc: fetch_error_string = 'Error in discovery: %s' % ( cgi.escape(six.text_type(exc[0]))) self.render(fetch_error_string, css_class='error', form_contents=openid_url) else: if request is None: msg = 'No OpenID services found for %s' % ( cgi.escape(openid_url),) self.render(msg, css_class='error', form_contents=openid_url) else: # Then, ask the library to begin the authorization. # Here we find out the identity server that will verify the # user's identity, and get a token that allows us to # communicate securely with the identity server. if use_sreg: self.requestRegistrationData(request) if use_pape: self.requestPAPEDetails(request) trust_root = self.server.base_url return_to = self.buildURL('process') if request.shouldSendRedirect(): redirect_url = request.redirectURL( trust_root, return_to, immediate=immediate) self.send_response(302) self.send_header('Location', redirect_url) self.writeUserHeader() self.end_headers() else: form_html = request.htmlMarkup( trust_root, return_to, form_tag_attrs={'id': 'openid_message'}, immediate=immediate) self.wfile.write(form_html) def requestRegistrationData(self, request): sreg_request = sreg.SRegRequest( required=['nickname'], optional=['fullname', 'email']) request.addExtension(sreg_request) def requestPAPEDetails(self, request): pape_request = pape.Request([pape.AUTH_PHISHING_RESISTANT]) request.addExtension(pape_request) def doProcess(self): """Handle the redirect from the OpenID server. """ oidconsumer = self.getConsumer() # Ask the library to check the response that the server sent # us. Status is a code indicating the response type. info is # either None or a string containing more information about # the return type. url = 'http://' + self.headers.get('Host') + self.path info = oidconsumer.complete(self.query, url) sreg_resp = None pape_resp = None css_class = 'error' display_identifier = info.getDisplayIdentifier() if info.status == consumer.FAILURE and display_identifier: # In the case of failure, if info is non-None, it is the # URL that we were verifying. We include it in the error # message to help the user figure out what happened. fmt = "Verification of %s failed: %s" message = fmt % (cgi.escape(display_identifier), info.message) elif info.status == consumer.SUCCESS: # Success means that the transaction completed without # error. If info is None, it means that the user cancelled # the verification. css_class = 'alert' # This is a successful verification attempt. If this # was a real application, we would do our login, # comment posting, etc. here. fmt = "You have successfully verified %s as your identity." message = fmt % (cgi.escape(display_identifier),) sreg_resp = sreg.SRegResponse.fromSuccessResponse(info) pape_resp = pape.Response.fromSuccessResponse(info) if info.endpoint.canonicalID: # You should authorize i-name users by their canonicalID, # rather than their more human-friendly identifiers. That # way their account with you is not compromised if their # i-name registration expires and is bought by someone else. message += (" This is an i-name, and its persistent ID is %s" % (cgi.escape(info.endpoint.canonicalID),)) elif info.status == consumer.CANCEL: # cancelled message = 'Verification cancelled' elif info.status == consumer.SETUP_NEEDED: if info.setup_url: message = 'Setup needed' % ( quoteattr(info.setup_url),) else: # This means auth didn't succeed, but you're welcome to try # non-immediate mode. message = 'Setup needed' else: # Either we don't understand the code or there is no # openid_url included with the error. Give a generic # failure message. The library should supply debug # information in a log. message = 'Verification failed.' self.render(message, css_class, display_identifier, sreg_data=sreg_resp, pape_data=pape_resp) def doAffiliate(self): """Direct the user sign up with an affiliate OpenID provider.""" sreg_req = sreg.SRegRequest(['nickname'], ['fullname', 'email']) href = sreg_req.toMessage().toURL(OPENID_PROVIDER_URL) message = """Get an OpenID at %s""" % ( quoteattr(href), OPENID_PROVIDER_NAME) self.render(message) def renderSREG(self, sreg_data): if not sreg_data: self.wfile.write( '
No registration data was returned
') else: sreg_list = sorted(sreg_data.items()) self.wfile.write( '

Registration Data

' '' '' '') odd = ' class="odd"' for k, v in sreg_list: field_name = sreg.data_fields.get(k, k) value = cgi.escape(v.encode('UTF-8')) self.wfile.write( '' % (odd, field_name, value)) if odd: odd = '' else: odd = ' class="odd"' self.wfile.write('
FieldValue
%s%s
') def renderPAPE(self, pape_data): if not pape_data: self.wfile.write( '
No PAPE data was returned
') else: self.wfile.write('
Effective Auth Policies
') def buildURL(self, action, **query): """Build a URL relative to the server base_url, with the given query parameters added.""" base = urljoin(self.server.base_url, action) return appendArgs(base, query) def notFound(self): """Render a page with a 404 return code and a message.""" fmt = 'The path %s was not understood by this server.' msg = fmt % (self.path,) openid_url = self.query.get('openid_identifier') self.render(msg, 'error', openid_url, status=404) def render(self, message=None, css_class='alert', form_contents=None, status=200, title="Python OpenID Consumer Example", sreg_data=None, pape_data=None): """Render a page.""" self.send_response(status) self.pageHeader(title) if message: self.wfile.write("
" % (css_class,)) self.wfile.write(message) self.wfile.write("
") if sreg_data is not None: self.renderSREG(sreg_data) if pape_data is not None: self.renderPAPE(pape_data) self.pageFooter(form_contents) def pageHeader(self, title): """Render the page header""" self.setSessionCookie() self.wfile.write('''\ Content-type: text/html; charset=UTF-8 %s

%s

This example consumer uses the Python OpenID library. It just verifies that the identifier that you enter is your identifier.

''' % (title, title)) def pageFooter(self, form_contents): """Render the page footer""" if not form_contents: form_contents = '' self.wfile.write('''\
Identifier:
''' % (quoteattr(self.buildURL('verify')), quoteattr(form_contents))) def main(host, port, data_path, weak_ssl=False): # Instantiate OpenID consumer store and OpenID consumer. If you # were connecting to a database, you would create the database # connection and instantiate an appropriate store here. if data_path: store = filestore.FileOpenIDStore(data_path) else: store = memstore.MemoryStore() if weak_ssl: setDefaultFetcher(Urllib2Fetcher()) addr = (host, port) server = OpenIDHTTPServer(store, addr, OpenIDRequestHandler) print('Server running at:') print(server.base_url) server.serve_forever() if __name__ == '__main__': parser = optparse.OptionParser('Usage:\n %prog [options]') parser.add_option( '-d', '--data-path', dest='data_path', help='Data directory for storing OpenID consumer state. ' 'Setting this option implies using a "FileStore."') parser.add_option( '-p', '--port', dest='port', type='int', default=8001, help='Port on which to listen for HTTP requests. ' 'Defaults to port %default.') parser.add_option( '-s', '--host', dest='host', default='localhost', help='Host on which to listen for HTTP requests. ' 'Also used for generating URLs. Defaults to %default.') parser.add_option( '-w', '--weakssl', dest='weakssl', default=False, action='store_true', help='Skip ssl cert verification') options, args = parser.parse_args() if args: parser.error('Expected no arguments. Got %r' % args) host = options.host port = options.port data_path = options.data_path weak_ssl = options.weakssl main(host, port, data_path, weak_ssl)