Add UI to use new SSL login methods to account and login page

* authentic/root.ptl: thie commit add a new button to the login page if SSL authentication is activated that provoke redirection to the /login_ssl URL handler with the HTTPS method. It also show a link on the user page (shown when logged in) to associate a certificate to your account if this function is activated. It also show the currently federated certificate. Actually only one certificate can be federated to an account and no function is implemented to defederate a certificate from your account.
2009-04-12 01:09:35 +00:00 · 2009-04-12 01:09:35 +00:00 · b4ec376bf1
parent c86d369c3d
commit b4ec376bf1
1 changed files with 28 additions and 4 deletions
--- a/authentic/root.ptl
+++ b/authentic/root.ptl
@ -140,17 +140,28 @@ class RootDirectory(Directory):
        identities_cfg = get_cfg('identities', {})
        branding_cfg = get_cfg('branding', {})
        passwords_cfg = get_cfg('passwords', {})
+        ssl_cfg = get_cfg('ssl', {})

        template.html_top(_('Account Management'))
        get_response().breadcrumb.append( ('', _('Account Management')) )
+        allow_certificate_federation = ssl_cfg.get('allow_certificate_federation', False)

        vars = {
            'can_change_password': str(passwords_cfg.get('can_change', False)),
            'creation_mode': identities_cfg.get('creation'),
            'identity_label': str(identity),
            'idp_sso_list': str(self.get_idp_sso_list()),
-            'federations_list': str(self.get_idp_federations_list(identity))
+            'federations_list': str(self.get_idp_federations_list(identity)),
        }
+        if allow_certificate_federation:
+            vars['allow_certificate_federation_url'] = htmltext('https://' + get_request().environ['HTTP_HOST'] + get_request().environ['SCRIPT_NAME'] + '/associate_certificate')
+            certificates = [ x for x in identity.accounts if isinstance(x, identities.CertificateAccount) ]
+            certificate_list = '<p>' + _('Certificates federated:') + '\n<ol>\n'
+            for x in certificates:
+                certificate_list = certificate_list + '<li>' + htmltext(x.dn or x.certificate_sha1) + '</li>\n'
+            certificate_list = certificate_list + '</ol>\n</p>\n'
+            if certificates:
+                vars['certificate_list'] = certificate_list

        return template.process_template(
                str(TextsDirectory.get_html_text('account')), vars)
@ -317,6 +328,7 @@ class RootDirectory(Directory):
        identities_cfg = get_cfg('identities', {})
        passwords_cfg = get_cfg('passwords', {})
        login_cfg = get_cfg('login', {})
+        ssl_cfg = get_cfg('ssl', {})

        form = Form(enctype="multipart/form-data", id = "login", use_tokens = False)
        if identities_cfg.get('email-as-username', False):
@ -339,6 +351,8 @@ class RootDirectory(Directory):
            form.add(SingleSelectWidget, "idp", title = _('Proxies request to'), options = options)

        form.add_submit('submit', _('Log in'))
+        if ssl_cfg.get('allow_ssl_login', False):
+            form.add_submit('ssl', _('Log in using SSL certificate'))
        if login_cfg.get('cancel_button') and get_session().lasso_login_dump:
            form.add_submit('cancel', _('Cancel'))

@ -369,6 +383,7 @@ class RootDirectory(Directory):
        identities_cfg = get_cfg('identities', {})
        passwords_cfg = get_cfg('passwords', {})
        branding_cfg = get_cfg('branding', {})
+        ssl_cfg = get_cfg('ssl', {})

        form = self.get_login_form()

@ -390,6 +405,9 @@ class RootDirectory(Directory):
            session.lasso_login_dump = None
            return self.liberty.sso_after_authentication(login, False)

+        if form.is_submitted() and form.get_submit() == 'ssl' and ssl_cfg.get('allow_ssl_login', False):
+            return redirect(get_request().environ['SCRIPT_NAME'] + '/login_ssl')
+
        authentication_failure = None
        if form.is_submitted() and not form.has_errors():
            try:
@ -438,7 +456,7 @@ class RootDirectory(Directory):
        # Find an identity
        identity = None

-        if ssl_client_s_dn:
+        if ssl_client_s_dn and ssl_client_verify == 'OK':
            id = ssl_client_s_dn
            dn_to_id_regexp = ssl_cfg.get('dn_to_id_regexp')
            if dn_to_id_regexp:
@ -510,7 +528,7 @@ class RootDirectory(Directory):
                session.store()
            return redirect('.')
        else:
-            raise errors.AccessForbiddenError()
+            raise errors.TraversalError()

    def more_login_text(self):
        pass # placeholder to be subclassed XXX: inoperant now
@ -993,7 +1011,7 @@ class RootDirectory(Directory):

 TextsDirectory.register('account',
        N_('Account Management'),
-        hint = N_('Available variables: identity_label, idp_sso_list, federations_list'),
+        hint = N_('Available variables: identity_label, idp_sso_list, federations_list, certificate_list, allow_certificate_federation'),
        default = N_('''\
 <h2 class="identity-title">[identity_label]</h2>

@ -1012,6 +1030,12 @@ TextsDirectory.register('account',
 [if-any federations_list]
 <p id="federations"><a href="federations">Federations</a></p>
 [end]
+[if-any allow_certificate_federation_url]
+<p><a href="[allow_certificate_federation_url]">Associate a certificate to this account<a/></p>
+[if-any certificate_list]
+[certificate_list]
+[end]
+[end]
 '''))

 TextsDirectory.register('register',