Merged in lp:~mhall119/django-openid-auth/django-yubikey-auth

5ad6e9b6 · Anthony Lenton · fe78850c · ee6c5a83 · 5ad6e9b6 · 5ad6e9b6
Commit 5ad6e9b6 authored Aug 24, 2011 by Anthony Lenton
Expand all Hide whitespace changes
Inline Side-by-side

Showing with 28 additions and 2 deletions

README.txt
+9 -0

django_openid_auth/auth.py
+7 -1

django_openid_auth/tests/__init__.py
+3 -0

django_openid_auth/tests/test_views.py
+0 -0

django_openid_auth/views.py
+9 -1

No files found.
--- a/README.txt
+++ b/README.txt
@@ -145,3 +145,12 @@ If you must have a valid, unique nickname in order to create a user accont, add 
 This will cause an OpenID login attempt to fail if the provider does not return a 'nickname' (username) for the user, or if the nickname conflicts with an existing user with a different openid identiy url.
 Without this setting, logins without a nickname will be given the username 'openiduser', and upon conflicts with existing username, an incrementing number will be appended to the username until it is unique.
+== Require Physical Multi-Factor Authentication ==
+If your users should use a physical multi-factor authentication method, such as RSA tokens or YubiKey, add the following setting:
+        OPENID_PHYSICAL_MULTIFACTOR_REQUIRED = True
+If the user's OpenID provider supports the PAPE extension and provides the Physical Multifactor authentication policy, this will
+cause the OpenID login to fail if the user does not provide valid physical authentication to the provider.
--- a/django_openid_auth/auth.py
+++ b/django_openid_auth/auth.py
@@ -33,7 +33,7 @@ __metaclass__ = type
 from django.conf import settings
 from django.contrib.auth.models import User, Group
 from openid.consumer.consumer import SUCCESS
-from openid.extensions import ax, sreg
+from openid.extensions import ax, sreg, pape
 from django_openid_auth import teams
 from django_openid_auth.models import UserOpenID
@@ -88,6 +88,12 @@ class OpenIDBackend:
            details = self._extract_user_details(openid_response)
            self.update_user_details(user, details, openid_response)
+        if getattr(settings, 'OPENID_PHYSICAL_MULTIFACTOR_REQUIRED', False):
+            pape_response = pape.Response.fromSuccessResponse(openid_response)
+            if pape_response is None or \
+               pape.AUTH_MULTI_FACTOR_PHYSICAL not in pape_response.auth_policies:
+                return None
        teams_response = teams.TeamsResponse.fromSuccessResponse(
            openid_response)
        if teams_response:

--- a/django_openid_auth/tests/__init__.py
+++ b/django_openid_auth/tests/__init__.py
@@ -27,6 +27,9 @@
 # POSSIBILITY OF SUCH DAMAGE.
 import unittest
+from test_views import *
+from test_store import *
+from test_auth import *
 def suite():

--- a/django_openid_auth/tests/test_views.py
+++ b/django_openid_auth/tests/test_views.py
--- a/django_openid_auth/views.py
+++ b/django_openid_auth/views.py
@@ -48,7 +48,7 @@ except ImportError:
 from openid.consumer.consumer import (
    Consumer, SUCCESS, CANCEL, FAILURE)
 from openid.consumer.discover import DiscoveryFailure
-from openid.extensions import sreg, ax
+from openid.extensions import sreg, ax, pape
 from django_openid_auth import teams
 from django_openid_auth.auth import (
@@ -212,6 +212,14 @@ def login_begin(request, template_name='openid/login.html',
        openid_request.addExtension(
            sreg.SRegRequest(optional=sreg_optional_fields,
                required=sreg_required_fields))
+    if getattr(settings, 'OPENID_PHYSICAL_MULTIFACTOR_REQUIRED', False):
+        preferred_auth = [
+            pape.AUTH_MULTI_FACTOR_PHYSICAL,
+        ]
+        pape_request = pape.Request(preferred_auth_policies=preferred_auth)
+        openid_request.addExtension(pape_request)
    # Request team info
    teams_mapping_auto = getattr(settings, 'OPENID_LAUNCHPAD_TEAMS_MAPPING_AUTO', False)