summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPatrick Uiterwijk <puiterwijk@redhat.com>2014-12-05 12:28:21 -0500
committerPatrick Uiterwijk <puiterwijk@redhat.com>2014-12-05 15:44:17 -0500
commita7232b6ff6edfcbe36dd44fc0419a71099fda4cb (patch)
tree784e6dea9bb5bc6c3224d7b7b9a8f33833a2d011
parent6b37bf2965a5c66cbe0f2a1def92a815170c4ce3 (diff)
downloadipsilon-a7232b6ff6edfcbe36dd44fc0419a71099fda4cb.tar.gz
ipsilon-a7232b6ff6edfcbe36dd44fc0419a71099fda4cb.tar.xz
ipsilon-a7232b6ff6edfcbe36dd44fc0419a71099fda4cb.zip
Add OpenIDStore to store associations and nonces
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com>
-rwxr-xr-xipsilon/providers/openid/store.py80
-rwxr-xr-xipsilon/providers/openidp.py11
2 files changed, 88 insertions, 3 deletions
diff --git a/ipsilon/providers/openid/store.py b/ipsilon/providers/openid/store.py
new file mode 100755
index 0000000..9b426bc
--- /dev/null
+++ b/ipsilon/providers/openid/store.py
@@ -0,0 +1,80 @@
+#!/usr/bin/python
+#
+# Copyright (C) 2014 Ipsilon project Contributors, for licensee see COPYING
+
+from ipsilon.util.data import Store
+
+from openid import oidutil
+from openid.association import Association
+from openid.store.nonce import SKEW as NonceSKEW
+from openid.store.interface import OpenIDStore as OpenIDStoreInterface
+
+from time import time
+
+class OpenIDStore(Store, OpenIDStoreInterface):
+ def __init__(self, database_url):
+ Store.__init__(self, database_url=database_url)
+
+ def storeAssociation(self, server_url, assoc):
+ iden = '%s-%s' % (server_url, assoc.handle)
+ datum = {'secret': oidutil.toBase64(assoc.secret),
+ 'issued': str(assoc.issued),
+ 'lifetime': str(assoc.lifetime),
+ 'assoc_type': assoc.assoc_type}
+
+ data = {iden: datum}
+ self.save_unique_data('association', data)
+
+ def getAssociation(self, server_url, handle=None):
+ iden = '%s-%s' % (server_url, handle)
+ data = self.get_unique_data('association', iden)
+
+ if len(data) < 1:
+ return None
+
+ datum = data[iden]
+ assoc = Association(handle,
+ oidutil.fromBase64(datum['secret']),
+ int(datum['issued']),
+ int(datum['lifetime']),
+ datum['assoc_type'])
+
+ if assoc.expiresIn == 0:
+ self.del_unique_data('association', iden)
+ return None
+
+ return assoc
+
+ def removeAssociation(self, server_url, handle):
+ iden = '%s-%s' % (server_url, handle)
+ self.del_unique_data('association', iden)
+
+ def useNonce(self, server_url, timestamp, salt):
+ if abs(timestamp - time()) > NonceSKEW:
+ return False
+
+ iden = '%s-%s-%s' % (server_url, timestamp, salt)
+ data = self.get_unique_data('nonce', iden)
+
+ if len(data) > 0:
+ # This server_url, timestamp, salt combination is already seen
+ return False
+
+ datum = {'timestamp': timestamp}
+ data = {iden: datum}
+ self.save_unique_data('nonce', data)
+
+ return True
+
+ def cleanupNonces(self):
+ nonces = self.get_unique_data('nonce')
+ for iden in nonces:
+ if nonces[iden]['timestamp'] < (time() - NonceSKEW):
+ self.del_unique_data('nonce', iden)
+
+ def cleanupAssociations(self):
+ assocs = self.get_unique_data('association')
+ for iden in assocs:
+ if ((int(assocs[iden]['issued']) + int(assocs[iden]['lifetime']))
+ < time()):
+ self.del_unique_data('association', iden)
diff --git a/ipsilon/providers/openidp.py b/ipsilon/providers/openidp.py
index 7b53f78..08890a2 100755
--- a/ipsilon/providers/openidp.py
+++ b/ipsilon/providers/openidp.py
@@ -5,6 +5,7 @@
from __future__ import absolute_import
from ipsilon.providers.common import ProviderBase
+from ipsilon.providers.openid.store import OpenIDStore
from ipsilon.providers.openid.auth import OpenID
from ipsilon.providers.openid.extensions.common import LoadExtensions
from ipsilon.util.plugin import PluginObject
@@ -12,8 +13,6 @@ from ipsilon.util import config as pconfig
from ipsilon.info.common import InfoMapping
from openid.server.server import Server
-# TODO: Move this to the database
-from openid.store.memstore import MemoryStore
class IdpProvider(ProviderBase):
@@ -33,6 +32,10 @@ Provides OpenID 2.0 authentication infrastructure. """
self.new_config(
self.name,
pconfig.String(
+ 'database url',
+ 'Database URL for OpenID temp storage',
+ 'openid.sqlite'),
+ pconfig.String(
'default email domain',
'Used for users missing the email property.',
'example.com'),
@@ -96,7 +99,9 @@ Provides OpenID 2.0 authentication infrastructure. """
return self.page
def init_idp(self):
- self.server = Server(MemoryStore(), op_endpoint=self.endpoint_url)
+ self.server = Server(
+ OpenIDStore(self.get_config_value('database url')),
+ op_endpoint=self.endpoint_url)
# Expose OpenID presence in the root
headers = self._root.default_headers