Canonical SSO provider

Merge lp:~michael.nelson/canonical-identity-provider/add_otp_form_field into lp:canonical-identity-provider/release

add_otp_form_field
Merge into trunk

Proposed by Michael Nelson on 2011-05-10

Status:	Merged
Approved by:	Michael Foord on 2011-05-11
Approved revision:	no longer in the source branch.
Merged at revision:	143
Proposed branch:	lp:~michael.nelson/canonical-identity-provider/add_otp_form_field
Merge into:	lp:canonical-identity-provider/release
Diff against target:	201 lines (+168/-3) 2 files modified identityprovider/fields.py (+63/-2) identityprovider/tests/test_fields.py (+105/-1)
To merge this branch:	bzr merge lp:~michael.nelson/canonical-identity-provider/add_otp_form_field
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Michael Foord (community)		2011-05-10	Approve on 2011-05-11
Review via email: mp+60507@code.launchpad.net

Commit message

[r=mfoord] Add a new django form field: OneTimePasswordField.

Description of the change

Overview
========

This branch provides a django form field, OneTimePasswordField, which when asked to clean its data by the framework, will:

1) Ensure the length of the otp is between 34-40, and if so,
2) Verify with an actual Yubikey server that the otp is valid.

If either of the above is not true, as per normal django fields, it raises a validation error. It's written to be plugged in to the LoginForm and the NewYubiKeyForm.

Test with:
$ .env/bin/python django_project/manage.py test identityprovider.tests.test_fields

Revision history for this message

Michael Foord (mfoord) wrote on 2011-05-11:

Great stuff.

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Adrian John San migel

Alexsandr

Corey Russell SR

Damian

Danny Tamez

Diane Montana

Frederico Miranda

Magdalena Shneider

Maximiliano Bertacchini

Michael Nelson

Rick McMeen

William Grant

abdulhameed omair

alhawiti

fralogos32

marek duda

martin

to status/vote changes:

Harpianto,ANDI

rocket_69

 === modified file 'identityprovider/fields.py'
 --- identityprovider/fields.py	2010-04-21 15:29:24 +0000
 +++ identityprovider/fields.py	2011-05-10 15:41:18 +0000
@@ -1,12 +1,73 @@
  # Copyright 2010 Canonical Ltd.  This software is licensed under the
  # GNU Affero General Public License version 3 (see the file LICENSE).
--from django.forms import MultipleChoiceField
++import hashlib
++import urllib2
++from datetime import datetime
++
++from django import forms
++from django.conf import settings
++from django.utils.translation import ugettext as _
++
  from identityprovider.widgets import CommaSeparatedWidget
--class CommaSeparatedField(MultipleChoiceField):
++class CommaSeparatedField(forms.MultipleChoiceField):
      widget = CommaSeparatedWidget
      def clean(self, value):
          return ','.join(super(CommaSeparatedField, self).clean(value))
++
++
++class OneTimePasswordField(forms.CharField):
++    """A string of chars between 34 and 48 chars in length.
++
++    Note: we don't check the actual characters as different keyboard
++    layouts can create different otps, which should be handled by
++    the validation server.
++    """
++    def __init__(self, *args, **kwargs):
++        error_msg = _('The one-time password is invalid.')
++        kwargs['min_length'] = 34
++        kwargs['max_length'] = 48
++        kwargs['error_messages'] = {
++            'invalid': error_msg,
++            'max_length': error_msg,
++            'min_length': error_msg,
++            }
++        super(OneTimePasswordField, self).__init__(*args, **kwargs)
++
++    def request_otp_validation(self, otp):
++        # XXX Currently yubico's api verification replies with
++        # BACKEND_ERROR if the nonce is 40 chars long.
++        nonce = hashlib.sha1(str(datetime.now())).hexdigest()[:30]
++        url = settings.YUBICO_API_URL.format(
++                client_id=settings.YUBICO_CLIENT_ID, otp=otp, nonce=nonce)
++
++        try:
++            response = urllib2.urlopen(url)
++        except urllib2.URLError:
++            raise forms.ValidationError(
++                _('There was an error checking your one-time password.'))
++
++        return self.convert_response_to_dict(response.read())
++
++    def convert_response_to_dict(self, response):
++        response_lines = response.split()
++        response_dict = {}
++        for line in response_lines:
++            key, delim, val = line.partition('=')
++            response_dict[key] = val
++        return response_dict
++
++    def clean(self, otp):
++        otp = super(OneTimePasswordField, self).clean(otp)
++
++        # If the otp has the correct length, then test it against the
++        # server.
++        result = self.request_otp_validation(otp)
++
++        if result.get('status', None) == 'OK':
++            return otp
++
++        raise forms.ValidationError(_('The one-time password is invalid.'))
 === modified file 'identityprovider/tests/test_fields.py'
 --- identityprovider/tests/test_fields.py	2010-04-21 15:29:24 +0000
 +++ identityprovider/tests/test_fields.py	2011-05-10 15:41:18 +0000
@@ -1,8 +1,20 @@
  # Copyright 2010 Canonical Ltd.  This software is licensed under the
  # GNU Affero General Public License version 3 (see the file LICENSE).
++import urllib2
  from unittest import TestCase
--from identityprovider.fields import CommaSeparatedField
++
++from django import forms
++from django.conf import settings
++from mock import (
++    patch,
++    Mock,
++    )
++
++from identityprovider.fields import (
++    CommaSeparatedField,
++    OneTimePasswordField,
++    )
  class CommaSeparatedFieldTestCase(TestCase):
@@ -12,3 +24,95 @@
          field = CommaSeparatedField(choices=choices)
          value = field.clean(["1", "2", "3"])
          self.assertEquals(value, "1,2,3")
++
++
++class OneTimePaswordFieldTestCase(TestCase):
++
++    YUBIKEY_RESPONSE_REPLAY = (
++            'h=LnOtAtozUA1ZjDKlHaVUIQIxkJM=\r\n'
++            't=2011-05-10T11:57:11Z0777\r\n'
++            'otp=cccccccitngfckhffcuudlkhjkkbtjklvubibhghvdel\r\n'
++            'nonce=3df9ec99ef2796f6770a084c54883b\r\n'
++            'status=REPLAYED_OTP\r\n\r\n')
++
++    YUBIKEY_RESPONSE_OK = (
++            'h=LnOtAtozUA1ZjDKlHaVUIQIxkJM=\r\n'
++            't=2011-05-10T11:57:11Z0777\r\n'
++            'otp=cccccccitngfckhffcuudlkhjkkbtjklvubibhghvdel\r\n'
++            'nonce=3df9ec99ef2796f6770a084c54883b\r\n'
++            'status=OK\r\n\r\n')
++
++    def do_clean(self, value, mock=None):
++        otp_field = OneTimePasswordField()
++        mock = mock or Mock(return_value=dict(status='OK'))
++        otp_field.request_otp_validation = mock
++
++        return otp_field.clean(value)
++
++    def test_valid_chars_accepted(self):
++        good_otp = 'cccccccitngfckhffcuudlkhjkkbtjklvubibhghvdel'
++
++        self.assertEqual(good_otp, self.do_clean(good_otp))
++
++    def test_invalid_length_not_accepted(self):
++        less_than_34 = 'cmcccccitngflibeilnkcdhcutrjn'
++        more_than_48 = 'cccccccitngflibeilnkcdhcutrjnkbkbbejggfrvubcccccccc'
++
++        self.assertRaises(forms.ValidationError, self.do_clean, less_than_34)
++        self.assertRaises(forms.ValidationError, self.do_clean, more_than_48)
++
++    def test_server_validation_fail_raises_error(self):
++        otp_field = OneTimePasswordField()
++        good_otp = 'cccccccitngfckhffcuudlkhjkkbtjklvubibhghvdel'
++        # We want to check exactly what urlopen is called with.
++        mock_urlopen = Mock()
++        mock_urlopen.return_value.read.return_value = (
++            self.YUBIKEY_RESPONSE_REPLAY)
++
++        with patch('urllib2.urlopen', mock_urlopen):
++            self.assertRaises(
++                forms.ValidationError, otp_field.clean, good_otp)
++
++    def test_convert_response_to_dict(self):
++        otp_field = OneTimePasswordField()
++
++        result = otp_field.convert_response_to_dict(
++            self.YUBIKEY_RESPONSE_REPLAY)
++
++        self.assertEqual(dict(
++            h='LnOtAtozUA1ZjDKlHaVUIQIxkJM=', t='2011-05-10T11:57:11Z0777',
++            otp='cccccccitngfckhffcuudlkhjkkbtjklvubibhghvdel',
++            nonce='3df9ec99ef2796f6770a084c54883b',
++            status='REPLAYED_OTP'), result)
++
++    def test_urlopen_called_correctly(self):
++        otp_field = OneTimePasswordField()
++        otp = 'my_otp11111111111111111111111111111'
++        # Ensure we control what the nonce will be.
++        mock_sha1 = Mock()
++        mock_sha1.return_value.hexdigest.return_value = 'mock_nonce'
++        # We want to check exactly what urlopen is called with.
++        mock_urlopen = Mock()
++        mock_urlopen.return_value.read.return_value = (
++            self.YUBIKEY_RESPONSE_OK)
++
++        with patch('urllib2.urlopen', mock_urlopen):
++            with patch('hashlib.sha1', mock_sha1):
++                result = otp_field.clean(otp)
++
++        mock_urlopen.assert_called_with(
++            settings.YUBICO_API_URL.format(
++                otp=otp, client_id=settings.YUBICO_CLIENT_ID,
++                nonce='mock_nonce'))
++        self.assertEqual(otp, result)
++
++    def test_urlopen_exception(self):
++        # clean raises an appropriate validation error if urlopen raises
++        # a URLError.
++        otp_field = OneTimePasswordField()
++        otp = 'my_otp11111111111111111111111111111'
++        mock_urlopen = Mock(side_effect=urllib2.URLError('Bang!'))
++
++        with patch('urllib2.urlopen', mock_urlopen):
++            self.assertRaises(
++                forms.ValidationError, otp_field.clean, otp)