:Authors: Luke Macken, Toshio Kuratomi
:Date: 11 Dec 2009
This plugin provides authentication to the Fedora Account System using the repoze.who WSGI middleware. It is designed for use with TurboGears2 but it may be used with any repoze.who using application. Like TurboGears Identity Provider 2, faswho has builtin CSRF protection. This protection is implemented as a second piece of middleware and may be used with other repoze.who authentication schemes.
Setting up authentication against FAS in TurboGears2 is very easy. It requires one change to be made to app/config/app_cfg.py.
This function will take care of registering faswho as the authentication provider, enabling CSRF protection, switching tg.url() to use fedora.tg.tg2utils.url() instead, and allowing the _csrf_token parameter to be given to any URL.
This section needs to be made clearer so that apps like mirrormanager can be ported to use this.
Cross-site Request Forgery Protection.
http://en.wikipedia.org/wiki/Cross-site_request_forgery
Module author: John (J5) Palmieri <johnp@redhat.com>
Module author: Luke Macken <lmacken@redhat.com>
New in version 0.3.17.
CSRF Protection WSGI Middleware.
A layer of WSGI middleware that is responsible for making sure authenticated requests originated from the user inside of the app’s domain and not a malicious website.
This middleware works with the repoze.who middleware, and requires that it is placed below repoze.who in the WSGI stack, since it relies upon repoze.who.identity to exist in the environ before it is called.
To utilize this middleware, you can just add it to your WSGI stack below the repoze.who middleware. Here is an example of utilizing the CSRFProtectionMiddleware within a TurboGears2 application. In your project/config/middleware.py, you would wrap your main application with the CSRFProtectionMiddleware, like so:
    from fedora.wsgi.csrf import CSRFProtectionMiddleware

    # make_base_app is the TurboGears2 application factory that the quickstart
    # template builds from base_config in project/config/middleware.py; passing
    # wrap_app= places the CSRF middleware below repoze.who in the stack.
    def make_app(global_conf, full_stack=True, **app_conf):
        app = make_base_app(global_conf, wrap_app=CSRFProtectionMiddleware,
                            full_stack=full_stack, **app_conf)
        return app
=== From here on is broken ===
The moksha.api.widgets.moksha:MokshaGlobals widget then needs to be rendered in every page, which automatically handles injecting the CSRF token. This widget is registered as a Moksha Global Resource, and Moksha’s default index template injects it by default, but you can easily render Moksha’s global resource injection widget in your own application's template by doing the following in your master template:

    ${tmpl_context.moksha_global_resources()}
URLs can then be re-written using the moksha.csrf_rewrite_url function from the moksha.js library, which is automatically pulled in by the MokshaGlobals widget. Here is an example of adding the CSRF token to an AJAX request. This example also uses the moksha.filter_resources function to strip out any duplicate JavaScript files.

    // %(id)s is substituted by the Python-side widget template before this
    // script reaches the browser.
    $.ajax({
        url: moksha.csrf_rewrite_url('/widgets/%(id)s'),
        success: function(data, status) {
            var $panel = $('#%(id)s_panel');
            var $stripped = moksha.filter_resources(data);
            $panel.html($stripped);
        }
    });
Repoze.who CSRF Metadata Provider Plugin.
This metadata provider is called with an authenticated user's identity automatically by repoze.who. It then takes the SHA1 hash of the user's session cookie and sets it as the CSRF token in environ['repoze.who.identity']['_csrf_token'].
This plugin will also set CSRF_AUTH_STATE in the environ if the user has just authenticated during this request.
To enable this plugin in a TurboGears2 application, you can add the following to your project/config/app_cfg.py:

    from fedora.wsgi.csrf import CSRFMetadataProvider
    base_config.sa_auth.mdproviders = [('csrfmd', CSRFMetadataProvider())]
Note: If you use the faswho plugin, this is turned on automatically.
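To make the two pieces described above concrete, here is a small self-contained model of the scheme: a metadata provider that derives the token as the SHA1 of the session cookie and stores it in the identity, and a middleware placed below repoze.who that downgrades any authenticated request lacking a matching `_csrf_token` to anonymous. This is added example code, not the code of python-fedora or repoze.who; the cookie name `session`, the `csrf.rejected` environ key, the `simulate` helper and the identity it fakes are assumptions made for the example.

```python
import hashlib
import hmac
import io
from urllib.parse import parse_qs

# Assumptions for this example (not taken from the page): the session cookie
# is called 'session', and a rejected request is flagged under 'csrf.rejected'.
SESSION_COOKIE = 'session'
TOKEN_PARAM = '_csrf_token'


def _cookie_value(environ, name):
    """Return cookie `name` from the request's Cookie header, or None."""
    for part in environ.get('HTTP_COOKIE', '').split(';'):
        key, _, value = part.strip().partition('=')
        if key == name:
            return value
    return None


def csrf_token_for(environ):
    """Token derivation as the page describes it: SHA1 of the session cookie.
    A third-party site cannot read the cookie, so it cannot compute the token."""
    cookie = _cookie_value(environ, SESSION_COOKIE)
    if cookie is None:
        return None
    return hashlib.sha1(cookie.encode('utf-8')).hexdigest()


class CSRFMetadataProvider(object):
    """Metadata provider in the shape repoze.who calls: given the authenticated
    identity, attach the token under identity['_csrf_token']."""

    def add_metadata(self, environ, identity):
        token = csrf_token_for(environ)
        if token is not None:
            identity[TOKEN_PARAM] = token


def _submitted_token(environ):
    """Find _csrf_token in the query string or a form-encoded body.  The body
    is read once and replaced so the downstream app can still read it."""
    qs = parse_qs(environ.get('QUERY_STRING', ''))
    if TOKEN_PARAM in qs:
        return qs[TOKEN_PARAM][0]
    if environ.get('CONTENT_TYPE', '').startswith('application/x-www-form-urlencoded'):
        body = environ['wsgi.input'].read()
        environ['wsgi.input'] = io.BytesIO(body)
        form = parse_qs(body.decode('utf-8'))
        if TOKEN_PARAM in form:
            return form[TOKEN_PARAM][0]
    return None


class CSRFProtectionMiddleware(object):
    """Sits below repoze.who, so the identity already exists in environ.  An
    authenticated request without a matching token is stripped of its identity
    before the application sees it, i.e. treated as anonymous."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        identity = environ.get('repoze.who.identity')
        if identity is not None:
            expected = identity.get(TOKEN_PARAM)
            submitted = _submitted_token(environ)
            valid = (expected is not None and submitted is not None and
                     hmac.compare_digest(expected.encode('utf-8'),
                                         submitted.encode('utf-8')))
            if not valid:
                environ['csrf.rejected'] = True
                del environ['repoze.who.identity']
        return self.app(environ, start_response)


def _demo_app(environ, start_response):
    """Toy application: reports which user it saw."""
    start_response('200 OK', [('Content-Type', 'text/plain')])
    identity = environ.get('repoze.who.identity', {})
    return [identity.get('repoze.who.userid', 'anonymous').encode('utf-8')]


def simulate(path_qs, cookie, body=None):
    """Run one constructed request through provider, middleware and app and
    return the user the app saw.  repoze.who's identification step is stood
    in for by a fixed identity whenever the session cookie is present."""
    path, _, query = path_qs.partition('?')
    environ = {
        'PATH_INFO': path, 'QUERY_STRING': query,
        'REQUEST_METHOD': 'POST' if body is not None else 'GET',
        'HTTP_COOKIE': 'session=%s' % cookie if cookie else '',
        'CONTENT_TYPE': 'application/x-www-form-urlencoded' if body is not None else '',
        'wsgi.input': io.BytesIO(body.encode('utf-8') if body is not None else b''),
    }
    if cookie:  # repoze.who would already have authenticated this session
        identity = {'repoze.who.userid': 'alice'}
        CSRFMetadataProvider().add_metadata(environ, identity)
        environ['repoze.who.identity'] = identity
    out = CSRFProtectionMiddleware(_demo_app)(environ, lambda status, headers: None)
    return b''.join(out).decode('utf-8')


if __name__ == '__main__':
    token = csrf_token_for({'HTTP_COOKIE': 'session=abc123'})
    print(simulate('/widgets/1?_csrf_token=' + token, 'abc123'))   # same-site link
    print(simulate('/widgets/1', 'abc123'))                          # cross-site, no token
    print(simulate('/widgets/1', 'abc123', '_csrf_token=' + token))  # same-site form post
```

The second call models the forged request: the browser attaches the session cookie automatically, but the attacking page had no way to learn the token, so the request reaches the application as anonymous rather than as alice. The comparison uses hmac.compare_digest so that token checking does not leak timing information.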