Launchpad itself

Merge lp:~salgado/launchpad/lp-as-openid-rp into lp:launchpad

lp-as-openid-rp
Merge into devel

Proposed by Guilherme Salgado on 2010-01-21

Status:	Merged
Approved by:	Gary Poster on 2010-01-29
Approved revision:	not available
Merged at revision:	not available
Proposed branch:	lp:~salgado/launchpad/lp-as-openid-rp
Merge into:	lp:launchpad
Diff against target:	1163 lines (+939/-0) 23 files modified BRANCH.TODO (+53/-0) configs/development/launchpad-lazr.conf (+4/-0) lib/canonical/config/schema-lazr.conf (+8/-0) lib/canonical/launchpad/browser/launchpad.py (+2/-0) lib/canonical/launchpad/configure.zcml (+1/-0) lib/canonical/launchpad/layers.py (+4/-0) lib/canonical/launchpad/systemhomes.py (+6/-0) lib/canonical/launchpad/webapp/servers.py (+16/-0) lib/lp/testopenid/adapters/openid.py (+32/-0) lib/lp/testopenid/browser/configure.zcml (+82/-0) lib/lp/testopenid/browser/server.py (+285/-0) lib/lp/testopenid/configure.zcml (+28/-0) lib/lp/testopenid/interfaces/server.py (+29/-0) lib/lp/testopenid/stories/basics.txt (+163/-0) lib/lp/testopenid/stories/logging-in.txt (+64/-0) lib/lp/testopenid/stories/tests.py (+22/-0) lib/lp/testopenid/templates/application-index.pt (+5/-0) lib/lp/testopenid/templates/application-xrds.pt (+14/-0) lib/lp/testopenid/templates/auth.pt (+18/-0) lib/lp/testopenid/templates/persistentidentity-index.pt (+14/-0) lib/lp/testopenid/templates/persistentidentity-xrds.pt (+14/-0) lib/lp/testopenid/testing/helpers.py (+74/-0) utilities/rocketfuel-setup (+1/-0)
To merge this branch:	bzr merge lp:~salgado/launchpad/lp-as-openid-rp
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Gary Poster (community)	code	2010-01-21	Approve on 2010-01-29
Canonical Launchpad Engineering		2010-01-21	Pending
Review via email: mp+17842@code.launchpad.net

Revision history for this message

Guilherme Salgado (salgado) wrote on 2010-01-21:

This branch adds a new vhost (testopenid) which serves an OpenID
provider that is only enabled when devmode is on. The primary use of
this will be to allow we (developers) to log into launchpad.dev once it
becomes an OpenID RP.

This OpenID provider always requires the user to log in and doesn't ask
users whether or not they authorize the provider to send user details to
the site that's requesting it. The login is always required in order to
make it easier to authenticate as a different user, and the lack of an
authorization step is because it wouldn't make any sense here.

In order to try out the testopenid functionality, we need an openid
consumer, which is included (together with this branch) in
lp:~salgado/launchpad/lp-as-openid-rp-loom. To test it you just need to
go to launchpad.dev/+login-openid

BRANCH.TODO has a bunch of random notes and TODO items for myself; it
will be erased before I land this branch or else a test will fail.

Revision history for this message

Gary Poster (gary) wrote on 2010-01-26:

Thank you, Guilherme, this is a great step forward.

I didn't get too far on this today. Hopefully I'll have some time tomorrow: I'll resume on line 336, and actually try the server out on my system, per your instructions.

I only have one trivial comment so far. In lib/lp/testopenid/browser/configure.zcml I had a harder time reading it than I needed to because you switched back and forth from relative and absolute syntaxes. Here's an example:

279 + <browser:page
280 + for="..interfaces.server.ITestOpenIDApplication"
281 + class="lp.testopenid.browser.server.TestOpenIDView"
282 + permission="zope.Public"
283 + name="+openid"
284 + />
285 + <browser:page
286 + for="..interfaces.server.ITestOpenIDApplication"
287 + class=".server.TestOpenIDIndexView"
288 + permission="zope.Public"
289 + name="+index"
290 + />

Unless I misread it, the "server" module in lines 281 and 287 are the same, which is not as obvious as it could be. I don't care whether you choose relative or absolute, but sticking with one, particularly for the same module within the same zcml file, would help readability. It seems you mostly use relative, so I'd be inclined to standardize on that.

(I also hate browser:page directives because of the class mixin magic they do, but I won't choose you as the target for that rant. What you have done has precedence in Launchpad and is fine.)

Revision history for this message

Gary Poster (gary) wrote on 2010-01-29:

merge-conditional

As I said before, this is a great branch. I just a have a few comments. I've given them all to you on IRC, but I'll summarize here.

- I had trouble getting the loom branch to work. We eventually had success with lp:~salgado/launchpad/lp-as-openid-rp-for-ec2 after I manually updated my /etc/hosts (I had not run your revised rocketfuel-setup) and you handled the fact that I had pycurl installed in my system Python.

- lib/lp/testopenid/browser/server.py : PersistentIdentityView should be in __all__

- OpenIDMixin class in lib/lp/testopenid/browser/server.py, the openid_parameters property: I'd like a comment as to why ascii is OK (spec or the fact that this is just a test implementation).

- The docstrings are so nice in lib/lp/testopenid/browser/server.py that when I don't see them I miss them: getSession, renderOpenIDResponse, TestOpenIDLoginView, OpenIDMixin. Consider that a nice-to-have, not a must-have, but it is already so close.

- I'd prefer to be super-explicit in the first para of lib/lp/testopenid/stories/basics.txt : add a sentence specifying that "It is only started for development and testing." If you disagree that's fine though.

- For new doctest files we are supposed to be using ReST.

Thank you again!

review: Approve (code)

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Barki Mustapha

Celso Providelo

Christian Reis

Christy Awad

Colin Watson

Guilherme Salgado

Harpianto,ANDI

James Troup

John A Meinel

Kevin bush

Launchpad code reviewers

Launchpad code reviewers from Canonical

Matthew Tanner

Maximiliano Bertacchini

Oguz Ersoz

Simon Brakhane

Ubuntu-BR DevOps

William Grant

alhawiti

api.ng

pedro cavazos

todaioan

wenjingwen

to status/vote changes:

Tzaddi

Tzaddi Belding

Launchpad itself

Merge lp:~salgado/launchpad/lp-as-openid-rp into lp:launchpad

Commit message

Description of the change

Preview Diff

Subscribers

 === modified file 'BRANCH.TODO'
 --- BRANCH.TODO	2010-02-09 03:16:27 +0000
 +++ BRANCH.TODO	2010-02-17 15:49:22 +0000
@@ -2,3 +2,56 @@
  # landing. There is a test to ensure it is empty in trunk. If there is
  # stuff still here when you are ready to land, the items should probably
  # be converted to bugs so they can be scheduled.
++
++* Do we want to change c-i-p to use a separate cookie so that logging into
++login.lp.net doesn't cause you to end up logged into lp.net or should we just
++wait for ISD to roll a rebranded version of login.u.c on login.lp.net, which
++will probably use separate cookies.
++ - Apart from not being trivial to change the cookie name for a given vhost
++   we also need to worry about making sure the new cookie (which is supposed
++   to be valid only for login.lp.net) is not valid for all other vhosts, which
++   would normally happen thanks to LaunchpadCookieClientIdManager.
++
++* We still rely heavily on the Account table and expect all users to have an
++Account. We need to fix that if we're going to copy the Account table into the
++main replication set and stop using the one from the auth set.  If we fix
++that, though, the Account table won't be necessary so there'll be no point in
++copying it.  *I'm not sure this is feasible.*
++
++* As discussed with Francis, it's not worth porting the team-restricted login
++stuff to the new system, so we'll drop it.
++
++* Functionality needed in the callback view:
++ - reactivate accounts when credentials belong to a deactivated profile
++ - create Person entries when the credentials don't exist in our db
++ - forbid to log suspended accounts in. btw, I guess we're going to copy the
++   AccountStatus table to the main db.
++
++    # To test all this I'll just have to monkey patch
++    # OpenIDCallbackView.openid_response to return my hand-crafted
++    # openid response.
++
++* Some tests use anon_browser.open() on protected pages so that they get
++reidrected to +login and can show how the protected page works when the user
++is not logged in, including the preserved query string. If we want to keep
++doing that in these tests, we'll need an OpenID provider accessible to the
++test suite. One option would be to include a crippled version of the one in
++c-i-p in our tree, to be used only in tests.
++(lib/canonical/launchpad/pagetests/oauth/authorize-token.txt is one of the
++tests that rely on +login)
++
++* Does not work for /people/+me, because when the OpenID provider sends the
++user back to /people/+me/+openid-callback, there's a redirect to
++/~person/+openid-callback, which causes the openid dance to fail: *
++<openid.consumer.consumer.FailureResponse id=None message="return_to does not
++match return URL. Expected 'https://launchpad.dev/%7Ename16/+openid-callback',
++got
++u'https://launchpad.dev/people/+me/+openid-callback?janrain_nonce=2009-12-23T14%3A47%3A47ZsgdbOJ'">
++  I think this is a general problem with OpenID and login.lp.net because when
++you log into login.lp.net and is sent to the callback page (in lp.net), that
++page will see you as logged in, regardless of the openid response, because the
++cookie is shared, and that causes /people/+me/+openid-callback to redirect to
++/~name16/+openid-callback, which causes the error above.
++  One way around this is to always use /+openid-callback as the return_to URL,
++and include a lp_redirect_to URL in the query string, where LP will send the
++user to, once the openid dance is completed.
 === modified file 'configs/development/launchpad-lazr.conf'
 --- configs/development/launchpad-lazr.conf	2010-01-22 04:01:17 +0000
 +++ configs/development/launchpad-lazr.conf	2010-02-17 15:49:22 +0000
@@ -124,6 +124,7 @@
  public_host: keyserver.launchpad.dev
  [launchpad]
++enable_test_openid_provider: True
  code_domain: code.launchpad.dev
  default_batch_size: 5
  max_attachment_size: 2097152
@@ -277,6 +278,9 @@
  [vhost.openid]
  hostname: openid.launchpad.dev
++[vhost.testopenid]
++hostname: testopenid.dev
++
  [vhost.ubuntu_openid]
  hostname: ubuntu-openid.launchpad.dev
 === modified file 'lib/canonical/config/schema-lazr.conf'
 --- lib/canonical/config/schema-lazr.conf	2010-01-22 04:01:17 +0000
 +++ lib/canonical/config/schema-lazr.conf	2010-02-17 15:49:22 +0000
@@ -884,6 +884,11 @@
  storm_cache: generational
  storm_cache_size: 10000
++# Whether or not to enable a test OpenID provider on the testopenid vhost.
++# It's a test provider, not meant to be enabled on production.
++# datatype: boolean
++enable_test_openid_provider: False
++
  # Assume the slave database is lagged if it takes more than this many
  # milliseconds to calculate this information from the Slony-I tables.
  # datatype: integer
@@ -1839,6 +1844,9 @@
  [vhost.openid]
++[vhost.testopenid]
++
++
  [vhost.ubuntu_openid]
 === modified file 'lib/canonical/launchpad/browser/launchpad.py'
 --- lib/canonical/launchpad/browser/launchpad.py	2010-02-02 17:12:29 +0000
 +++ lib/canonical/launchpad/browser/launchpad.py	2010-02-17 15:49:22 +0000
@@ -96,6 +96,7 @@
      ITranslationGroupSet)
  from lp.translations.interfaces.translationimportqueue import (
      ITranslationImportQueue)
++from lp.testopenid.interfaces.server import ITestOpenIDApplication
  from canonical.launchpad.webapp import (
      LaunchpadFormView, LaunchpadView, Link, Navigation,
@@ -565,6 +566,7 @@
          'token': ILoginTokenSet,
          '+groups': ITranslationGroupSet,
          'translations': IRosettaApplication,
++        'testopenid': ITestOpenIDApplication,
          'questions': IQuestionSet,
          '+rpconfig': IOpenIDRPConfigSet,
          # These three have been renamed, and no redirects done, as the old
 === modified file 'lib/canonical/launchpad/configure.zcml'
 --- lib/canonical/launchpad/configure.zcml	2010-02-02 17:12:29 +0000
 +++ lib/canonical/launchpad/configure.zcml	2010-02-17 15:49:22 +0000
@@ -26,6 +26,7 @@
    <include package="lp.code" />
    <include package="lp.soyuz" />
    <include package="lp.translations" />
++  <include package="lp.testopenid" />
    <include package="lp.blueprints" />
    <include package="lp.services.comments" />
 === modified file 'lib/canonical/launchpad/layers.py'
 --- lib/canonical/launchpad/layers.py	2009-10-21 18:33:11 +0000
 +++ lib/canonical/launchpad/layers.py	2010-02-17 15:49:22 +0000
@@ -57,6 +57,10 @@
      """
++class TestOpenIDLayer(LaunchpadLayer):
++    """The `TestOpenIDLayer` layer."""
++
++
  class PageTestLayer(LaunchpadLayer):
      """The `PageTestLayer` layer. (need to register a 404 view for this and
      for the debug page too.  and make the debugview a base class in the
 === modified file 'lib/canonical/launchpad/systemhomes.py'
 --- lib/canonical/launchpad/systemhomes.py	2010-02-10 23:14:56 +0000
 +++ lib/canonical/launchpad/systemhomes.py	2010-02-17 15:49:22 +0000
@@ -12,6 +12,7 @@
      'MaloneApplication',
      'PrivateMaloneApplication',
      'RosettaApplication',
++    'TestOpenIDApplication',
+     ]
  __metaclass__ = type
@@ -31,6 +32,7 @@
      IMailingListApplication, IMaloneApplication,
      IPrivateMaloneApplication, IProductSet, IRosettaApplication,
      IWebServiceApplication)
++from lp.testopenid.interfaces.server import ITestOpenIDApplication
  from lp.translations.interfaces.translationgroup import ITranslationGroupSet
  from lp.translations.interfaces.translationsoverview import (
      ITranslationsOverview)
@@ -382,3 +384,7 @@
          wadl = super(WebServiceApplication, self).toWADL()
          self.__class__.cached_wadl = wadl
          return wadl
++
++
++class TestOpenIDApplication:
++    implements(ITestOpenIDApplication)
 === modified file 'lib/canonical/launchpad/webapp/servers.py'
 --- lib/canonical/launchpad/webapp/servers.py	2009-12-16 19:59:45 +0000
 +++ lib/canonical/launchpad/webapp/servers.py	2010-02-17 15:49:22 +0000
@@ -45,6 +45,7 @@
  from lazr.restful.publisher import (
      WebServicePublicationMixin, WebServiceRequestTraversal)
++from lp.testopenid.interfaces.server import ITestOpenIDApplication
  from canonical.launchpad.interfaces.launchpad import (
      IFeedsApplication, IPrivateApplication, IWebServiceApplication)
  from canonical.launchpad.interfaces.oauth import (
@@ -1121,6 +1122,17 @@
      """Request type for a launchpad feed."""
      implements(canonical.launchpad.layers.FeedsLayer)
++
++# ---- testopenid
++
++class TestOpenIDBrowserRequest(LaunchpadBrowserRequest):
++    implements(canonical.launchpad.layers.TestOpenIDLayer)
++
++
++class TestOpenIDBrowserPublication(LaunchpadBrowserPublication):
++    root_object_interface = ITestOpenIDApplication
++
++
  # ---- web service
  class WebServicePublication(WebServicePublicationMixin,
@@ -1442,6 +1454,10 @@
              'xmlrpc', PublicXMLRPCRequest, PublicXMLRPCPublication)
+         ]
++    if config.launchpad.enable_test_openid_provider:
++        factories.append(VHRP('testopenid', TestOpenIDBrowserRequest,
++                              TestOpenIDBrowserPublication))
++
      # We may also have a private XML-RPC server.
      private_port = None
      for server in config.servers:
 === added directory 'lib/lp/testopenid'
 === added file 'lib/lp/testopenid/__init__.py'
 === added directory 'lib/lp/testopenid/adapters'
 === added file 'lib/lp/testopenid/adapters/__init__.py'
 === added file 'lib/lp/testopenid/adapters/openid.py'
 --- lib/lp/testopenid/adapters/openid.py	1970-01-01 00:00:00 +0000
 +++ lib/lp/testopenid/adapters/openid.py	2010-02-17 15:49:22 +0000
@@ -0,0 +1,32 @@
++# Copyright 2010 Canonical Ltd.  This software is licensed under the
++# GNU Affero General Public License version 3 (see the file LICENSE).
++
++"""TestOpenID adapters and helpers."""
++
++__metaclass__ = type
++
++__all__ = [
++    'TestOpenIDPersistentIdentity',
++    ]
++
++from zope.component import adapts
++from zope.interface import implements
++
++from canonical.launchpad.interfaces.account import IAccount
++from canonical.launchpad.webapp.vhosts import allvhosts
++
++from lp.services.openid.adapters.openid import OpenIDPersistentIdentity
++from lp.testopenid.interfaces.server import ITestOpenIDPersistentIdentity
++
++
++class TestOpenIDPersistentIdentity(OpenIDPersistentIdentity):
++    """See `IOpenIDPersistentIdentity`."""
++
++    adapts(IAccount)
++    implements(ITestOpenIDPersistentIdentity)
++
++    @property
++    def openid_identity_url(self):
++        """See `IOpenIDPersistentIdentity`."""
++        identity_root_url = allvhosts.configs['testopenid'].rooturl
++        return identity_root_url + self.openid_identifier.encode('ascii')
 === added directory 'lib/lp/testopenid/browser'
 === added file 'lib/lp/testopenid/browser/__init__.py'
 === added file 'lib/lp/testopenid/browser/configure.zcml'
 --- lib/lp/testopenid/browser/configure.zcml	1970-01-01 00:00:00 +0000
 +++ lib/lp/testopenid/browser/configure.zcml	2010-02-17 15:49:22 +0000
@@ -0,0 +1,82 @@
++<!-- Copyright 2009 Canonical Ltd.  This software is licensed under the
++     GNU Affero General Public License version 3 (see the file LICENSE).
++-->
++
++<configure
++    xmlns="http://namespaces.zope.org/zope"
++    xmlns:browser="http://namespaces.zope.org/browser"
++    xmlns:i18n="http://namespaces.zope.org/i18n"
++    i18n_domain="launchpad">
++
++    <browser:navigation
++        module=".server"
++        classes="TestOpenIDApplicationNavigation"
++        />
++
++    <adapter
++        provides="canonical.launchpad.webapp.interfaces.ICanonicalUrlData"
++        for="..interfaces.server.ITestOpenIDApplication"
++        factory=".server.TestOpenIDRootUrlData"
++        />
++
++    <browser:defaultView
++        for="..interfaces.server.ITestOpenIDApplication"
++        name="+index"
++        />
++
++    <browser:page
++        for="..interfaces.server.ITestOpenIDApplication"
++        class=".server.TestOpenIDView"
++        permission="zope.Public"
++        name="+openid"
++        />
++    <browser:page
++        for="..interfaces.server.ITestOpenIDApplication"
++        class=".server.TestOpenIDIndexView"
++        permission="zope.Public"
++        name="+index"
++        />
++    <browser:page
++        for="..interfaces.server.ITestOpenIDApplication"
++        class=".server.TestOpenIDLoginView"
++        permission="zope.Public"
++        name="+auth"
++        />
++
++    <browser:url
++        for="..interfaces.server.ITestOpenIDPersistentIdentity"
++        path_expression="string:${openid_identifier}"
++        parent_utility="..interfaces.server.ITestOpenIDApplication"
++        />
++
++    <browser:defaultView
++        for="..interfaces.server.ITestOpenIDPersistentIdentity"
++        name="+index"
++        />
++
++    <browser:page
++        for="..interfaces.server.ITestOpenIDPersistentIdentity"
++        name="+index"
++        template="../templates/persistentidentity-index.pt"
++        permission="zope.Public"
++        class=".server.PersistentIdentityView"
++        />
++
++    <browser:page
++        name=""
++        for="..interfaces.server.ITestOpenIDApplication"
++        class="canonical.launchpad.browser.launchpad.LaunchpadImageFolder"
++        permission="zope.Public"
++        layer="canonical.launchpad.layers.TestOpenIDLayer"
++        />
++
++    <!-- A simple view used by the page tests. -->
++    <browser:page
++        for="..interfaces.server.ITestOpenIDApplication"
++        name="+echo"
++        permission="zope.Public"
++        class="..testing.helpers.EchoView"
++        layer="canonical.launchpad.layers.PageTestLayer"
++        />
++
++</configure>
 === added file 'lib/lp/testopenid/browser/server.py'
 --- lib/lp/testopenid/browser/server.py	1970-01-01 00:00:00 +0000
 +++ lib/lp/testopenid/browser/server.py	2010-02-17 15:49:22 +0000
@@ -0,0 +1,285 @@
++# Copyright 2010 Canonical Ltd.  All rights reserved.
++
++"""Test OpenID server."""
++
++__metaclass__ = type
++__all__ = [
++    'PersistentIdentityView',
++    'TestOpenIDApplicationNavigation',
++    'TestOpenIDIndexView'
++    'TestOpenIDLoginView',
++    'TestOpenIDRootUrlData',
++    'TestOpenIDView',
++    ]
++
++from datetime import timedelta
++
++from z3c.ptcompat import ViewPageTemplateFile
++from zope.app.security.interfaces import IUnauthenticatedPrincipal
++from zope.component import getUtility
++from zope.interface import implements
++from zope.security.proxy import isinstance as zisinstance
++from zope.session.interfaces import ISession
++
++from openid.server.server import CheckIDRequest, Server
++from openid.store.memstore import MemoryStore
++
++from canonical.cachedproperty import cachedproperty
++from canonical.launchpad import _
++from canonical.launchpad.interfaces.account import AccountStatus, IAccountSet
++from canonical.launchpad.webapp import (
++    action, LaunchpadFormView, LaunchpadView)
++from canonical.launchpad.webapp.interfaces import (
++    ICanonicalUrlData, IPlacelessLoginSource, UnexpectedFormData)
++from canonical.launchpad.webapp.login import (
++    allowUnauthenticatedSession, logInPrincipal, logoutPerson)
++from canonical.launchpad.webapp.publisher import Navigation, stepthrough
++from canonical.launchpad.webapp.url import urlappend
++from canonical.launchpad.webapp.vhosts import allvhosts
++
++from lp.services.openid.browser.openiddiscovery import (
++    XRDSContentNegotiationMixin)
++from lp.testopenid.interfaces.server import (
++    ITestOpenIDApplication, ITestOpenIDLoginForm,
++    ITestOpenIDPersistentIdentity)
++
++
++OPENID_REQUEST_SESSION_KEY = 'testopenid.request'
++SESSION_PKG_KEY = 'TestOpenID'
++SERVER_URL = urlappend(allvhosts.configs['testopenid'].rooturl, '+openid')
++openid_store = MemoryStore()
++
++
++class TestOpenIDRootUrlData:
++    """`ICanonicalUrlData` for the test OpenID provider."""
++
++    implements(ICanonicalUrlData)
++
++    path = ''
++    inside = None
++    rootsite = 'testopenid'
++
++    def __init__(self, context):
++        self.context = context
++
++
++class TestOpenIDApplicationNavigation(Navigation):
++    """Navigation for `ITestOpenIDApplication`"""
++    usedfor = ITestOpenIDApplication
++
++    @stepthrough('+id')
++    def traverse_id(self, name):
++        """Traverse to persistent OpenID identity URLs."""
++        try:
++            account = getUtility(IAccountSet).getByOpenIDIdentifier(name)
++        except LookupError:
++            account = None
++        if account is None or account.status != AccountStatus.ACTIVE:
++            return None
++        return ITestOpenIDPersistentIdentity(account)
++
++
++class TestOpenIDXRDSContentNegotiationMixin(XRDSContentNegotiationMixin):
++    """Custom XRDSContentNegotiationMixin that overrides openid_server_url."""
++
++    @property
++    def openid_server_url(self):
++        """The OpenID Server endpoint URL for Launchpad."""
++        return SERVER_URL
++
++
++class TestOpenIDIndexView(
++        TestOpenIDXRDSContentNegotiationMixin, LaunchpadView):
++    template = ViewPageTemplateFile("../templates/application-index.pt")
++    xrds_template = ViewPageTemplateFile("../templates/application-xrds.pt")
++
++
++class OpenIDMixin:
++    """A mixin with OpenID helper methods."""
++
++    openid_request = None
++
++    def __init__(self, context, request):
++        super(OpenIDMixin, self).__init__(context, request)
++        self.server_url = SERVER_URL
++        self.openid_server = Server(openid_store, self.server_url)
++
++    @property
++    def user_identity_url(self):
++        return ITestOpenIDPersistentIdentity(self.account).openid_identity_url
++
++    def isIdentityOwner(self):
++        """Return True if the user can authenticate as the given ID."""
++        assert self.account is not None, "user should be logged in by now."
++        return (self.openid_request.idSelect() or
++                self.openid_request.identity == self.user_identity_url)
++
++    @cachedproperty('_openid_parameters')
++    def openid_parameters(self):
++        """A dictionary of OpenID query parameters from request."""
++        query = {}
++        for key, value in self.request.form.items():
++            if key.startswith('openid.'):
++                # All OpenID query args are supposed to be ASCII.
++                query[key.encode('US-ASCII')] = value.encode('US-ASCII')
++        return query
++
++    def getSession(self):
++        """Get the session data container that stores the OpenID request."""
++        if IUnauthenticatedPrincipal.providedBy(self.request.principal):
++            # A dance to assert that we want to break the rules about no
++            # unauthenticated sessions. Only after this next line is it
++            # safe to set session values.
++            allowUnauthenticatedSession(
++                self.request, duration=timedelta(minutes=60))
++        return ISession(self.request)[SESSION_PKG_KEY]
++
++    def restoreRequestFromSession(self):
++        """Get the OpenIDRequest from our session."""
++        session = self.getSession()
++        try:
++            self._openid_parameters = session[OPENID_REQUEST_SESSION_KEY]
++        except KeyError:
++            raise UnexpectedFormData("No OpenID request in session")
++
++        # Decode the request parameters and create the request object.
++        self.openid_request = self.openid_server.decodeRequest(
++            self.openid_parameters)
++        assert zisinstance(self.openid_request, CheckIDRequest), (
++            'Invalid OpenIDRequest in session')
++
++    def saveRequestInSession(self):
++        """Save the OpenIDRequest in our session."""
++        query = self.openid_parameters
++        assert query.get('openid.mode') == 'checkid_setup', (
++            'Can only serialise checkid_setup OpenID requests')
++
++        session = self.getSession()
++        # If this was meant for use in production we'd have to use a nonce
++        # as the key when storing the openid request in the session, but as
++        # it's meant to run only on development instances we can simplify
++        # things a bit by storing the openid request using a well known key.
++        session[OPENID_REQUEST_SESSION_KEY] = query
++
++    def renderOpenIDResponse(self, openid_response):
++        """Return a web-suitable response constructed from openid_response."""
++        webresponse = self.openid_server.encodeResponse(openid_response)
++        response = self.request.response
++        response.setStatus(webresponse.code)
++        for header, value in webresponse.headers.items():
++            response.setHeader(header, value)
++        return webresponse.body
++
++    def createPositiveResponse(self):
++        """Create a positive assertion OpenIDResponse.
++
++        This method should be called to create the response to
++        successful checkid requests.
++
++        If the trust root for the request is in openid_sreg_trustroots,
++        then additional user information is included with the
++        response.
++        """
++        assert self.account is not None, (
++            'Must be logged in for positive OpenID response')
++        assert self.openid_request is not None, (
++            'No OpenID request to respond to.')
++
++        if not self.isIdentityOwner():
++            return self.createFailedResponse()
++
++        if self.openid_request.idSelect():
++            response = self.openid_request.answer(
++                True, identity=self.user_identity_url)
++        else:
++            response = self.openid_request.answer(True)
++
++        return response
++
++    def createFailedResponse(self):
++        """Create a failed assertion OpenIDResponse.
++
++        This method should be called to create the response to
++        unsuccessful checkid requests.
++        """
++        assert self.openid_request is not None, (
++            'No OpenID request to respond to.')
++        response = self.openid_request.answer(False, self.server_url)
++        return response
++
++
++class TestOpenIDView(OpenIDMixin, LaunchpadView):
++    """An OpenID Provider endpoint for Launchpad.
++
++    This class implements an OpenID endpoint using the python-openid
++    library.  In addition to the normal modes of operation, it also
++    implements the OpenID 2.0 identifier select mode.
++
++    Note that the checkid_immediate mode is not supported.
++    """
++
++    def render(self):
++        """Handle all OpenID requests and form submissions."""
++        # NB: Will be None if there are no parameters in the request.
++        self.openid_request = self.openid_server.decodeRequest(
++            self.openid_parameters)
++
++        if self.openid_request.mode == 'checkid_setup':
++            referer = self.request.get("HTTP_REFERER")
++            if referer:
++                self.request.response.setCookie("openid_referer", referer)
++
++            # Log the user out and present the login page so that they can
++            # authenticate as somebody else if they want.
++            logoutPerson(self.request)
++            return self.showLoginPage()
++        elif self.openid_request.mode == 'checkid_immediate':
++            raise UnexpectedFormData(
++                'We do not handle checkid_immediate requests.')
++        else:
++            return self.renderOpenIDResponse(
++                self.openid_server.handleRequest(self.openid_request))
++
++    def showLoginPage(self):
++        """Render the login dialog."""
++        self.saveRequestInSession()
++        return TestOpenIDLoginView(self.context, self.request)()
++
++
++class TestOpenIDLoginView(OpenIDMixin, LaunchpadFormView):
++    """A view for users to log into the OpenID provider."""
++
++    page_title = "Login"
++    schema = ITestOpenIDLoginForm
++    action_url = '+auth'
++    template = ViewPageTemplateFile("../templates/auth.pt")
++
++    def initialize(self):
++        self.restoreRequestFromSession()
++        super(TestOpenIDLoginView, self).initialize()
++
++    def validate(self, data):
++        """Check that the email address and password are valid for login."""
++        loginsource = getUtility(IPlacelessLoginSource)
++        principal = loginsource.getPrincipalByLogin(data['email'])
++        if principal is None or not principal.validate(data['password']):
++            self.addError(
++                _("Incorrect password for the provided email address."))
++
++    @action('Continue', name='continue')
++    def continue_action(self, action, data):
++        email = data['email']
++        principal = getUtility(IPlacelessLoginSource).getPrincipalByLogin(
++            email)
++        logInPrincipal(self.request, principal, email)
++        # Update the attribute holding the cached user.
++        self._account = principal.account
++        return self.renderOpenIDResponse(self.createPositiveResponse())
++
++
++class PersistentIdentityView(
++        TestOpenIDXRDSContentNegotiationMixin, LaunchpadView):
++    """Render the OpenID identity page."""
++
++    xrds_template = ViewPageTemplateFile(
++        "../templates/persistentidentity-xrds.pt")
 === added file 'lib/lp/testopenid/configure.zcml'
 --- lib/lp/testopenid/configure.zcml	1970-01-01 00:00:00 +0000
 +++ lib/lp/testopenid/configure.zcml	2010-02-17 15:49:22 +0000
@@ -0,0 +1,28 @@
++<!-- Copyright 2009 Canonical Ltd.  This software is licensed under the
++     GNU Affero General Public License version 3 (see the file LICENSE).
++-->
++
++<configure
++    xmlns="http://namespaces.zope.org/zope"
++    xmlns:browser="http://namespaces.zope.org/browser"
++    xmlns:i18n="http://namespaces.zope.org/i18n"
++    i18n_domain="launchpad">
++
++    <securedutility
++        class="canonical.launchpad.systemhomes.TestOpenIDApplication"
++        provides="lp.testopenid.interfaces.server.ITestOpenIDApplication">
++      <allow interface="lp.testopenid.interfaces.server.ITestOpenIDApplication"/>
++    </securedutility>
++
++    <class class=".adapters.openid.TestOpenIDPersistentIdentity">
++      <allow interface=".interfaces.server.ITestOpenIDPersistentIdentity" />
++    </class>
++
++    <adapter
++      factory=".adapters.openid.TestOpenIDPersistentIdentity"
++      provides=".interfaces.server.ITestOpenIDPersistentIdentity" />
++      />
++
++    <include package=".browser"/>
++
++</configure>
 === added directory 'lib/lp/testopenid/interfaces'
 === added file 'lib/lp/testopenid/interfaces/__init__.py'
 === added file 'lib/lp/testopenid/interfaces/server.py'
 --- lib/lp/testopenid/interfaces/server.py	1970-01-01 00:00:00 +0000
 +++ lib/lp/testopenid/interfaces/server.py	2010-02-17 15:49:22 +0000
@@ -0,0 +1,29 @@
++# Copyright 2010 Canonical Ltd.  All rights reserved.
++
++__metaclass__ = type
++__all__ = [
++    'ITestOpenIDApplication',
++    'ITestOpenIDLoginForm',
++    'ITestOpenIDPersistentIdentity',
++    ]
++
++from zope.interface import Interface
++from zope.schema import TextLine
++
++from canonical.launchpad.fields import PasswordField
++from canonical.launchpad.webapp.interfaces import ILaunchpadApplication
++
++from lp.services.openid.interfaces.openid import IOpenIDPersistentIdentity
++
++
++class ITestOpenIDApplication(ILaunchpadApplication):
++    """Launchpad's testing OpenID application root."""
++
++
++class ITestOpenIDLoginForm(Interface):
++    email = TextLine(title=u'What is your e-mail address?', required=True)
++    password = PasswordField(title=u'Password', required=True)
++
++
++class ITestOpenIDPersistentIdentity(IOpenIDPersistentIdentity):
++    """Marker interface for IOpenIDPersistentIdentity on testopenid."""
 === added directory 'lib/lp/testopenid/stories'
 === added file 'lib/lp/testopenid/stories/__init__.py'
 === added file 'lib/lp/testopenid/stories/basics.txt'
 --- lib/lp/testopenid/stories/basics.txt	1970-01-01 00:00:00 +0000
 +++ lib/lp/testopenid/stories/basics.txt	2010-02-17 15:49:22 +0000
@@ -0,0 +1,163 @@
++====================
++Test OpenID provider
++====================
++
++Introduction
++============
++
++Launchpad provides an OpenID provider (under the testopenid.dev
++vhost) for testing purposes and for developers to be able to log into their
++development instances.  This provider is only available for development and
++testing.
++
++We are going to fake a consumer for these examples. In order to ensure
++that the consumer is being fed the correct replies, we use a view that
++renders the parameters in the response in an easily testable format.
++
++    >>> anon_browser.open('http://testopenid.dev/+echo?foo=bar')
++    >>> print anon_browser.contents
++    Request method: GET
++    foo:bar
++
++
++associate Mode
++==============
++
++Establish a shared secret between Consumer and Identity Provider.
++
++After determining the URL of the OpenID server, the next thing a consumer
++needs to do is associate with the server and get a shared secret via a
++POST request.
++
++    >>> from urllib import urlencode
++    >>> anon_browser.open(
++    ...     'http://testopenid.dev/+openid', data=urlencode({
++    ...         'openid.mode': 'associate',
++    ...         'openid.assoc_type': 'HMAC-SHA1'}))
++    >>> print anon_browser.headers
++    Status: 200 Ok
++    ...
++    Content-Type: text/plain
++    ...
++    >>> print anon_browser.contents
++    assoc_handle:{HMAC-SHA1}{...}{...}
++    assoc_type:HMAC-SHA1
++    expires_in:1209...
++    mac_key:...
++    <BLANKLINE>
++
++Get the association handle, which we will need for later tests.
++
++    >>> import re
++    >>> [assoc_handle] = re.findall('assoc_handle:(.*)', anon_browser.contents)
++
++
++checkid_setup Mode
++==================
++
++When we go to the OpenID setup URL, we are presented with a login
++form.  By entering an email address and password, we are directed back
++to the consumer, completing the OpenID request:
++
++    >>> args = urlencode({
++    ...     'openid.mode': 'checkid_setup',
++    ...     'openid.identity': 'http://testopenid.dev/+id/mark_oid',
++    ...     'openid.assoc_handle': assoc_handle,
++    ...     'openid.return_to': 'http://testopenid.dev/+echo',
++    ...     })
++    >>> user_browser.open('http://testopenid.dev/+openid?%s' % args)
++    >>> print user_browser.url
++    http://testopenid.dev/+openid?...
++    >>> print user_browser.title
++    Login
++    >>> user_browser.getControl(name='field.email').value = 'mark@example.com'
++    >>> user_browser.getControl(name='field.password').value = 'test'
++    >>> user_browser.getControl('Continue').click()
++
++    >>> print user_browser.url
++    http://testopenid.dev/+echo?...
++    >>> print user_browser.contents
++    Request method: GET
++    openid.assoc_handle:...
++    openid.identity:http://testopenid.dev/+id/mark_oid
++    openid.mode:id_res...
++    openid.op_endpoint:http://testopenid.dev/+openid
++    openid.response_nonce:...
++    openid.return_to:http://testopenid.dev/+echo
++    openid.sig:...
++    openid.signed:...
++    <BLANKLINE>
++
++We will record the signature from this response to use in the next test:
++
++    >>> [sig] = re.findall('sig:(.*)', user_browser.contents)
++
++
++check_authentication Mode
++=========================
++
++Ask an Identity Provider if a message is valid. For dumb, stateless
++Consumers or when verifying an invalidate_handle response.
++
++If an association handle is stateful (genereted using the associate Mode),
++check_authentication will fail.
++
++    >>> args = urlencode({
++    ...     'openid.mode': 'check_authentication',
++    ...     'openid.assoc_handle': assoc_handle,
++    ...     'openid.sig': sig,
++    ...     'openid.signed':  'return_to,mode,identity',
++    ...     'openid.identity':
++    ...         'http://testopenid.dev/+id/mark_oid',
++    ...     'openid.return_to': 'http://testopenid.dev/+echo',
++    ...     })
++    >>> user_browser.open('http://testopenid.dev/+openid?%s' % args)
++    >>> print user_browser.contents
++    is_valid:false
++    <BLANKLINE>
++
++If we are a dumb consumer though, we must invoke the check_authentication
++mode, passing back the association handle, signature and values of all
++fields that were signed.
++
++    >>> args = urlencode({
++    ...     'openid.mode': 'checkid_setup',
++    ...     'openid.identity':
++    ...         'http://testopenid.dev/+id/mark_oid',
++    ...     'openid.return_to': 'http://testopenid.dev/+echo',
++    ...     })
++    >>> user_browser.open('http://testopenid.dev/+openid?%s' % args)
++    >>> user_browser.getControl(name='field.email').value = 'mark@example.com'
++    >>> user_browser.getControl(name='field.password').value = 'test'
++    >>> user_browser.getControl('Continue').click()
++    >>> print user_browser.contents
++    Request method: GET
++    openid.assoc_handle:...
++    openid.identity:http://testopenid.dev/+id/mark_oid
++    openid.mode:id_res
++    openid.op_endpoint:http://testopenid.dev/+openid
++    openid.response_nonce:...
++    openid.return_to:http://testopenid.dev/+echo
++    openid.sig:...
++    openid.signed:...
++    <BLANKLINE>
++
++    >>> fields = dict(line.split(':', 1)
++    ...               for line in user_browser.contents.splitlines()[1:]
++    ...               if line.startswith('openid.'))
++    >>> signed = ['openid.' + name
++    ...           for name in fields['openid.signed'].split(',')]
++    >>> message = dict((key, value) for (key, value) in fields.items()
++    ...                if key in signed)
++    >>> message.update({
++    ...     'openid.mode': 'check_authentication',
++    ...     'openid.assoc_handle': fields['openid.assoc_handle'],
++    ...     'openid.sig': fields['openid.sig'],
++    ...     'openid.signed': fields['openid.signed'],
++    ...     })
++
++    >>> args = urlencode(message)
++    >>> user_browser.open('http://testopenid.dev/+openid', args)
++    >>> print user_browser.contents
++    is_valid:true
++    <BLANKLINE>
 === added file 'lib/lp/testopenid/stories/logging-in.txt'
 --- lib/lp/testopenid/stories/logging-in.txt	1970-01-01 00:00:00 +0000
 +++ lib/lp/testopenid/stories/logging-in.txt	2010-02-17 15:49:22 +0000
@@ -0,0 +1,64 @@
++========================================
++Logging in using the TestOpenID provider
++========================================
++
++A user with an existing account may log into Launchpad using the OpenID
++provider available on testopenid.dev.
++
++First we will set up the helper view that lets us test the final
++portion of the authentication process:
++
++    >>> from openid.consumer.consumer import Consumer
++    >>> from openid.fetchers import setDefaultFetcher
++    >>> from openid.store.memstore import MemoryStore
++    >>> from lp.testopenid.testing.helpers import (
++    ...     complete_from_browser, make_identifier_select_endpoint,
++    ...     PublisherFetcher)
++    >>> setDefaultFetcher(PublisherFetcher())
++
++The authentication process is started by the relying party issuing a
++checkid_setup request, sending the user to Launchpad:
++
++    >>> openid_store = MemoryStore()
++    >>> consumer = Consumer(session={}, store=openid_store)
++
++    >>> request = consumer.beginWithoutDiscovery(
++    ...     make_identifier_select_endpoint())
++    >>> browser.open(request.redirectURL(
++    ...     'http://testopenid.dev/',
++    ...     'http://testopenid.dev/+echo'))
++
++At this point, the user is presented with a login form:
++
++    >>> print browser.title
++    Login
++
++As the user already has an account, they can enter their email address and
++password.  If the password does not match the given email address, an error is
++shown:
++
++    >>> browser.getControl(name='field.email').value = 'mark@example.com'
++    >>> browser.getControl(name='field.password').value = 'not the password'
++    >>> browser.getControl('Continue').click()
++    >>> print browser.title
++    Login
++    >>> for tag in find_tags_by_class(browser.contents, 'error'):
++    ...     print extract_text(tag)
++    There is 1 error.
++    Incorrect password for the provided email address.
++
++If the email address and password match, the user is logged in and returned to
++the relying party, with the user's identity URL:
++
++    >>> browser.getControl(name='field.password').value = 'test'
++    >>> browser.getControl('Continue').click()
++    >>> print browser.url
++    http://testopenid.dev/+echo?...
++    >>> info = complete_from_browser(consumer, browser)
++    >>> print info.status
++    success
++    >>> print info.endpoint.claimed_id
++    http://testopenid.dev/+id/mark_oid
++
++    # Clean up the changes we did to the openid module.
++    >>> setDefaultFetcher(None)
 === added file 'lib/lp/testopenid/stories/tests.py'
 --- lib/lp/testopenid/stories/tests.py	1970-01-01 00:00:00 +0000
 +++ lib/lp/testopenid/stories/tests.py	2010-02-17 15:49:22 +0000
@@ -0,0 +1,22 @@
++# Copyright 2004-2008 Canonical Ltd.  All rights reserved.
++
++import os
++import unittest
++
++from canonical.launchpad.testing.pages import PageTestSuite
++
++
++here = os.path.dirname(os.path.realpath(__file__))
++
++
++def test_suite():
++    stories = sorted(
++        dir for dir in os.listdir(here)
++        if not dir.startswith('.') and os.path.isdir(os.path.join(here, dir)))
++
++    suite = unittest.TestSuite()
++    suite.addTest(PageTestSuite('.'))
++    for storydir in stories:
++        suite.addTest(PageTestSuite(storydir))
++
++    return suite
 === added directory 'lib/lp/testopenid/templates'
 === added file 'lib/lp/testopenid/templates/application-index.pt'
 --- lib/lp/testopenid/templates/application-index.pt	1970-01-01 00:00:00 +0000
 +++ lib/lp/testopenid/templates/application-index.pt	2010-02-17 15:49:22 +0000
@@ -0,0 +1,5 @@
++<html>
++  <body>
++    <h1>Test OpenID provider for launchpad.dev</h1>
++  </body>
++</html>
 === added file 'lib/lp/testopenid/templates/application-xrds.pt'
 --- lib/lp/testopenid/templates/application-xrds.pt	1970-01-01 00:00:00 +0000
 +++ lib/lp/testopenid/templates/application-xrds.pt	2010-02-17 15:49:22 +0000
@@ -0,0 +1,14 @@
++<?xml version="1.0"?>
++<xrds:XRDS
++    xmlns="xri://$xrd*($v*2.0)"
++    xmlns:xrds="xri://$xrds"
++    xmlns:tal="http://xml.zope.org/namespaces/tal">
++  <XRD>
++    <Service priority="0">
++      <Type>http://specs.openid.net/auth/2.0/server</Type>
++      <URI tal:content="view/openid_server_url">
++        https://login.launchpad.net/+openid
++      </URI>
++    </Service>
++  </XRD>
++</xrds:XRDS>
 === added file 'lib/lp/testopenid/templates/auth.pt'
 --- lib/lp/testopenid/templates/auth.pt	1970-01-01 00:00:00 +0000
 +++ lib/lp/testopenid/templates/auth.pt	2010-02-17 15:49:22 +0000
@@ -0,0 +1,18 @@
++<html
++  xmlns="http://www.w3.org/1999/xhtml"
++  xmlns:tal="http://xml.zope.org/namespaces/tal"
++  xmlns:metal="http://xml.zope.org/namespaces/metal"
++  xmlns:i18n="http://xml.zope.org/namespaces/i18n"
++  xml:lang="en"
++  lang="en"
++  dir="ltr"
++  metal:use-macro="view/macro:page/locationless"
++  i18n:domain="launchpad"
++>
++  <body>
++    <div metal:fill-slot="main">
++      <div metal:use-macro="context/@@launchpad_form/form" />
++    </div>
++  </body>
++</html>
++
 === added file 'lib/lp/testopenid/templates/persistentidentity-index.pt'
 --- lib/lp/testopenid/templates/persistentidentity-index.pt	1970-01-01 00:00:00 +0000
 +++ lib/lp/testopenid/templates/persistentidentity-index.pt	2010-02-17 15:49:22 +0000
@@ -0,0 +1,14 @@
++<html xmlns="http://www.w3.org/1999/xhtml"
++      xmlns:tal="http://xml.zope.org/namespaces/tal">
++  <head>
++    <link rel="openid.server"
++      tal:attributes="href view/openid_server_url" />
++  </head>
++  <body>
++    <h1>
++      OpenID Identity URL for
++      <tal:user content="context/account/displayname">Display Name</tal:user>
++    </h1>
++  </body>
++</html>
++
 === added file 'lib/lp/testopenid/templates/persistentidentity-xrds.pt'
 --- lib/lp/testopenid/templates/persistentidentity-xrds.pt	1970-01-01 00:00:00 +0000
 +++ lib/lp/testopenid/templates/persistentidentity-xrds.pt	2010-02-17 15:49:22 +0000
@@ -0,0 +1,14 @@
++<?xml version="1.0"?>
++<xrds:XRDS
++    xmlns="xri://$xrd*($v*2.0)"
++    xmlns:xrds="xri://$xrds"
++    xmlns:tal="http://xml.zope.org/namespaces/tal">
++  <XRD>
++    <Service priority="0">
++      <Type>http://specs.openid.net/auth/2.0/signon</Type>
++      <URI priority="0" tal:content="view/openid_server_url">
++        https://testopenid.dev/+openid
++      </URI>
++    </Service>
++  </XRD>
++</xrds:XRDS>
 === added directory 'lib/lp/testopenid/testing'
 === added file 'lib/lp/testopenid/testing/__init__.py'
 === added file 'lib/lp/testopenid/testing/helpers.py'
 --- lib/lp/testopenid/testing/helpers.py	1970-01-01 00:00:00 +0000
 +++ lib/lp/testopenid/testing/helpers.py	2010-02-17 15:49:22 +0000
@@ -0,0 +1,74 @@
++# Copyright 2010 Canonical Ltd.  All rights reserved.
++
++"""Helpers for TestOpenID page tests."""
++
++__metaclass__ = type
++__all__ = [
++    'complete_from_browser',
++    'EchoView',
++    'make_identifier_select_endpoint',
++    'PublisherFetcher',
++    ]
++
++from StringIO import StringIO
++import urllib2
++
++from zope.testbrowser.testing import PublisherHTTPHandler
++
++from openid import fetchers
++from openid.consumer.discover import (
++    OpenIDServiceEndpoint, OPENID_IDP_2_0_TYPE)
++
++from canonical.launchpad.webapp import LaunchpadView
++
++from lp.testopenid.browser.server import SERVER_URL
++
++
++class EchoView(LaunchpadView):
++    """A view which just echoes its form arguments in the response."""
++
++    def render(self):
++        out = StringIO()
++        print >> out, 'Request method: %s' % self.request.method
++        keys = sorted(self.request.form.keys())
++        for key in keys:
++            print >> out, '%s:%s' % (key, self.request.form[key])
++        return out.getvalue()
++
++
++class PublisherFetcher(fetchers.Urllib2Fetcher):
++    """An `HTTPFetcher` that passes requests on to the Zope publisher."""
++    def __init__(self):
++        super(PublisherFetcher, self).__init__()
++        self.opener = urllib2.build_opener(PublisherHTTPHandler)
++
++    def urlopen(self, request):
++        request.add_header('X-zope-handle-errors', True)
++        return self.opener.open(request)
++
++
++def complete_from_browser(consumer, browser):
++    """Complete OpenID request based on output of +echo.
++
++    :param consumer: an OpenID `Consumer` instance.
++    :param browser: a Zope testbrowser `Browser` instance.
++
++    This function parses the body of the +echo view into a set of query
++    arguments representing the OpenID response.
++    """
++    assert browser.contents.startswith('Request method'), (
++        "Browser contents does not look like it came from +echo")
++    # Skip the first line.
++    query = dict(line.split(':', 1)
++                 for line in browser.contents.splitlines()[1:])
++
++    response = consumer.complete(query, browser.url)
++    return response
++
++
++def make_identifier_select_endpoint():
++    """Create an endpoint for use in OpenID identifier select mode."""
++    endpoint = OpenIDServiceEndpoint()
++    endpoint.server_url = SERVER_URL
++    endpoint.type_uris = [OPENID_IDP_2_0_TYPE]
++    return endpoint
 === modified file 'utilities/rocketfuel-setup'
 --- utilities/rocketfuel-setup	2009-12-13 01:38:59 +0000
 +++ utilities/rocketfuel-setup	2010-02-17 15:49:22 +0000
@@ -136,6 +136,7 @@
      shipit.edubuntu.dev
      shipit.kubuntu.dev
      shipit.ubuntu.dev
++    testopenid.dev
      translations.launchpad.dev
      xmlrpc-private.launchpad.dev
      xmlrpc.launchpad.dev