support for login page with both idp and password

extra/modules/root.ptl

@@ -4,6 +4,9 @@ from quixote.html import htmltext
 from quixote.util import StaticDirectory
 
 import os
+import urlparse
+
+import lasso
 
 import wcs
 import wcs.root
@@ -37,6 +40,9 @@ from saml2 import Saml2Directory
 
 OldRootDirectory = wcs.root.RootDirectory
 
+import qommon.ident.password
+import qommon.ident.idp
+
 
 class FormsRootDirectory(wcs.forms.root.RootDirectory):
 
@@ -443,16 +449,79 @@ class AlternateLoginDirectory(OldLoginDirectory):
         get_logger().info('login')
         ident_methods = get_cfg('identification', {}).get('methods', [])
 
-        # don't display authentication system choice
-        if len(ident_methods) != 1:
-            ident_methods = ['password']
+        print 'ident_methods:', ident_methods
 
-        method = ident_methods[0]
-        try:
-            return qommon.ident.login(method)
-        except KeyError:
-            get_logger().error('failed to login with method %s' % method)
-            return errors.TraversalError()
+        if len(ident_methods) > 1 and 'idp' in ident_methods:
+            # if there is more than one identification method, and there is a
+            # possibility of SSO, if we got there as a consequence of an access
+            # unauthorized url on admin/ or backoffice/, then idp auth method
+            # is chosen forcefully.
+            after_url = get_session().after_url
+            if after_url:
+                after_path = urlparse.urlparse(after_url)[2]
+                if after_path.startswith(str('/admin')) or \
+                        after_path.startswith(str('/backoffice')):
+                    ident_methods = ['idp']
+
+        print 'TWICE: ident_methods:', ident_methods
+
+        # don't display authentication system choice
+        if len(ident_methods) == 1:
+            method = ident_methods[0]
+            try:
+                return qommon.ident.login(method)
+            except KeyError:
+                get_logger().error('failed to login with method %s' % method)
+                return errors.TraversalError()
+
+        if sorted(ident_methods) == ['idp', 'password']:
+            identities_cfg = get_cfg('identities', {})
+            form = Form(enctype = 'multipart/form-data', id = 'login-form', use_tokens = False)
+            if identities_cfg.get('email-as-username', False):
+                form.add(StringWidget, 'username', title = _('Email'), size=25, required=True)
+            else:
+                form.add(StringWidget, 'username', title = _('Username'), size=25, required=True)
+            form.add(PasswordWidget, 'password', title = _('Password'), size=25, required=True)
+            form.add_submit('submit', _('Connect'))
+            if form.is_submitted() and not form.has_errors():
+                tmp = qommon.ident.password.MethodDirectory().login_submit(form)
+                if not form.has_errors():
+                    return tmp
+
+            '<div id="login-password">'
+            get_session().display_message()
+            form.render()
+
+            '<p><a href="/ident/password/forgotten">%s</a></p>' % _('Forgotten password ?')
+
+            '</div>'
+
+            # XXX: this part only supports a single IdP
+            '<div id="login-sso">'
+            TextsDirectory.get_html_text('aq-sso-text')
+            form = Form(enctype='multipart/form-data', action = '/ident/idp/login')
+            form.add_hidden('method', 'idp')
+            for kidp, idp in get_cfg('idp', {}).items():
+                p = lasso.Provider(lasso.PROVIDER_ROLE_IDP,
+                        misc.get_abs_path(idp['metadata']),
+                        misc.get_abs_path(idp.get('publickey')), None)
+                form.add_hidden('idp', p.providerId)
+                break
+            form.add_submit('submit', _('Connect'))
+            
+            form.render()
+            '</div>'
+
+            get_request().environ['REQUEST_METHOD'] = 'GET'
+
+            """<script type="text/javascript">
+              document.getElementById('login-form')['username'].focus();
+            </script>"""
+
+            # XXX : GET BACK TO THIS LATER : LIEN POUR AUTH SAML
+
+        else:
+            return OldLoginDirectory._q_index(self)
 
 
 class AlternateRootDirectory(OldRootDirectory):
@@ -764,4 +833,7 @@ TextsDirectory.register('aq-editor-info', N_('Editor Informations'))
 TextsDirectory.register('aq-accessibility', N_('Accessibility Statement'))
 TextsDirectory.register('aq-contact', N_('Contact Information'))
 TextsDirectory.register('aq-help', N_('Help'))
-
+TextsDirectory.register('aq-sso-text',  N_('Connecting with Identity Provider'),
+        default = N_('''<h3>Connecting with Identity Provider</h3>
+<p>You can also use your identity provider to connect.
+</p>'''))

theme/wcs.css

@@ -886,3 +886,54 @@ div#main-content form div.page h3,
 div#main-content div.dataview div.page h3 {
 	margin: 0 -8px 1em -8px;
 }
+
+div#login-sso,
+div#login-password {
+	border: 1px solid #888;
+	-moz-border-radius: 10px;
+	-webkit-border-radius: 10px;
+	padding: 0 15px;
+	margin: 0 auto;
+	width: 23em;
+	margin-bottom: 2em;
+}
+
+div#login-sso div.buttons,
+div#login-password div.buttons {
+	text-align: right;
+}
+
+div#login-sso div.buttons input,
+div#login-password div.buttons input {
+	margin: 0;
+	background: white url(login-button-bg.png) bottom left repeat-x;
+	padding: 2px 10px;
+	-moz-border-radius: 8px;
+	-webkit-border-radius: 8px;
+	color: #222;
+}
+
+div#login-password div.PasswordWidget div.content,
+div#login-password div.StringWidget div.content {
+	text-align: right;
+	margin-right: 3em;
+}
+
+div#login-password p {
+	margin-bottom: 1em;
+}
+
+div#login-sso {
+	background: white url(keyring.png) 5px 5px no-repeat;
+	min-height: 70px;
+}
+
+div#login-sso h3 {
+	font-size: 110%;
+}
+
+div#login-sso h3,
+div#login-sso p {
+	margin: 5px 0 0 60px;
+	text-align: justify;
+}