diff options
author | Michał Górny <mgorny@gentoo.org> | 2013-08-12 11:12:21 +0200 |
---|---|---|
committer | Michał Górny <mgorny@gentoo.org> | 2013-08-12 16:07:52 +0200 |
commit | 2eb2728b23fef8d35822ff7f0efb9d0d11a5e74f (patch) | |
tree | 060493d72fbeca5f922a2c0233a4c77d8ba9e4ae /okupy/accounts | |
parent | SSL auth: authenticate directly into session. (diff) | |
download | identity.gentoo.org-2eb2728b23fef8d35822ff7f0efb9d0d11a5e74f.tar.gz identity.gentoo.org-2eb2728b23fef8d35822ff7f0efb9d0d11a5e74f.tar.bz2 identity.gentoo.org-2eb2728b23fef8d35822ff7f0efb9d0d11a5e74f.zip |
Move SSL verification into a dedicated backend.
Diffstat (limited to 'okupy/accounts')
-rw-r--r-- | okupy/accounts/views.py | 35 |
1 files changed, 7 insertions, 28 deletions
diff --git a/okupy/accounts/views.py b/okupy/accounts/views.py index 6afff0d..9b069b6 100644 --- a/okupy/accounts/views.py +++ b/okupy/accounts/views.py @@ -23,7 +23,6 @@ from openid.extensions.sreg import SRegRequest, SRegResponse from openid.server.server import (Server, ProtocolError, EncodingError, CheckIDRequest, ENCODE_URL, ENCODE_KVFORM, ENCODE_HTML_FORM) -from OpenSSL.crypto import load_certificate, FILETYPE_PEM from passlib.hash import ldap_md5_crypt from urlparse import urljoin, urlparse, parse_qsl @@ -201,34 +200,14 @@ def ssl_auth(request): next_uri = ssl_auth_form.cleaned_data['login_uri'] - cert_verify = request.META['SSL_CLIENT_VERIFY'] - if cert_verify == 'SUCCESS': - cert = load_certificate(FILETYPE_PEM, - request.META['SSL_CLIENT_RAW_CERT']) - dn = cert.get_subject().get_components() - - # note: field may occur multiple times - for k, v in dn: - if k == 'emailAddress': - try: - u = LDAPUser.objects.get(email__contains=v) - except LDAPUser.DoesNotExist: - pass - else: - user = authenticate(username=u.username, ext_authed=True) - _login(request, user) - init_otp(request) - if request.user.is_verified(): # OTP disabled - next_uri = ssl_auth_form.cleaned_data['next'] - break - else: - messages.error(request, 'E-mail does not match any of the users') + user = authenticate(request=request) + if user and user.is_active: + _login(request, user) + init_otp(request) + if request.user.is_verified(): # OTP disabled + next_uri = ssl_auth_form.cleaned_data['next'] else: - if cert_verify == 'NONE': - error = 'No certificate provided' - else: - error = 'Certificate verification failed' - messages.error(request, error) + messages.error(request, 'Certificate authentication failed') # so, django will always start a new session for us. we need to copy # the data to the original session and preferably flush the new one. |