-rw-r--r--okupy/openid/urls.py1
-rw-r--r--okupy/openid/views.py80
-rw-r--r--okupy/settings/__init__.py6
-rw-r--r--okupy/static/openid/openid.css11
-rw-r--r--okupy/templates/openid/auth-site.html42
-rw-r--r--okupy/templates/openid/endpoint.html1
6 files changed, 116 insertions, 25 deletions
diff --git a/okupy/openid/urls.py b/okupy/openid/urls.py
index f408d48..1b5372f 100644
--- a/okupy/openid/urls.py
+++ b/okupy/openid/urls.py
@@ -9,6 +9,7 @@ openid_urlpatterns = patterns('',
url(r'^login/$', views.login, name='openid.login'),
url(r'^logout/$', views.logout, name='openid.logout'),
url(r'^endpoint/$', views.endpoint, name='openid.endpoint'),
+ url(r'^auth-site/$', views.auth_site, name='openid.auth_site'),
# temporary view used to test openid
url(r'^~test/$', views.test_user),
)
diff --git a/okupy/openid/views.py b/okupy/openid/views.py
index 1cf4250..993a6ac 100644
--- a/okupy/openid/views.py
+++ b/okupy/openid/views.py
@@ -9,6 +9,7 @@ from django.http import HttpResponse
from django.shortcuts import redirect, render
from django.views.decorators.csrf import csrf_exempt
+from django.contrib.auth.decorators import login_required
import django.contrib.auth.views as auth_views
# XXX: temporary solution
@@ -29,17 +30,31 @@ def logout(request):
def index(request):
return render(request, 'openid/index.html')
-class endpoint_url:
- @classmethod
- def __str__(cls):
- return urljoin(settings.OPENID_REFERENCE_URL_PREFIX, reverse(endpoint))
+def endpoint_url():
+ return urljoin(settings.OPENID_REFERENCE_URL_PREFIX, reverse(endpoint))
def test_user(request):
return render(request, 'openid/user.html',
{
- 'endpoint': endpoint_url
+ 'endpoint': endpoint_url()
})
+def render_openid_response(request, oresp, srv):
+ try:
+ eresp = srv.encodeResponse(oresp)
+ except EncodingError as e:
+ # XXX: do we want some different heading for it?
+ return render(request, 'openid/endpoint.html',
+ {
+ 'error': str(e)
+ }, status = 500)
+
+ dresp = HttpResponse(eresp.body, status = eresp.code)
+ for h, v in eresp.headers.items():
+ dresp[h] = v
+
+ return dresp
+
@csrf_exempt
def endpoint(request):
if request.method == 'POST':
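Review bot: `render_openid_response` has no docstring, and its error branch renders `str(e)` from the `EncodingError` straight into the 500 page. A one-line docstring such as `"""Encode oresp with srv and return it as an HttpResponse; render a 500 error page if encoding fails."""` would document the contract. What `str(e)` contains is not visible here, so as a precaution log the exception server-side and show a fixed message rather than echoing library detail to the browser. The `endpoint` view that follows continues outside this hunk.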
@@ -48,35 +63,60 @@ def endpoint(request):
req = request.GET
store = DjangoDBOpenIDStore()
- srv = Server(store, endpoint_url)
+ srv = Server(store, endpoint_url())
try:
oreq = srv.decodeRequest(req)
except ProtocolError as e:
+ # XXX: we are supposed to send some error to the caller
return render(request, 'openid/endpoint.html',
{
'error': str(e)
- })
+ }, status = 400)
if oreq is None:
return render(request, 'openid/endpoint.html')
if isinstance(oreq, CheckIDRequest):
- oresp = oreq.answer(False)
+ # immediate requests not supported yet, so immediately
+ # reject them.
+ if oreq.immediate:
+ oresp = oreq.answer(False)
+ else:
+ request.session['openid_request'] = oreq
+ return redirect(auth_site)
else:
oresp = srv.handleRequest(oreq)
+ return render_openid_response(request, oresp, srv)
+
+@login_required
+def auth_site(request):
try:
- eresp = srv.encodeResponse(oresp)
- except EncodingError as e:
- # XXX: do we want some different heading for it?
- return render(request, 'openid/endpoint.html',
+ oreq = request.session['openid_request']
+ except KeyError:
+ return render(request, 'openid/auth-site.html',
{
- 'error': str(e)
- })
-
- dresp = HttpResponse(eresp.body, status = eresp.code)
- for h, v in eresp.headers.items():
- dresp[h] = v
-
- return dresp
+ 'error': 'No OpenID request associated. The request may have expired.'
+ }, status = 400)
+
+ if request.POST:
+ if 'accept' in request.POST:
+ oresp = oreq.answer(True)
+ elif 'reject' in request.POST:
+ oresp = oreq.answer(False)
+ else:
+ return render(request, 'openid/auth-site.html',
+ {
+ 'error': 'Invalid request submitted.'
+ }, status = 400)
+
+ store = DjangoDBOpenIDStore()
+ srv = Server(store, endpoint_url())
+ del request.session['openid_request']
+ return render_openid_response(request, oresp, srv)
+
+ return render(request, 'openid/auth-site.html',
+ {
+ 'request': oreq
+ })
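Review bot: On the accept branch of `auth_site`, `oreq.answer(True)` is returned without checking that `oreq.identity` belongs to `request.user`, so `@login_required` only establishes that someone is logged in, not that they own the identifier being asserted. Before answering, compare the requested identity with the logged-in user's own OpenID URL and answer negatively on a mismatch, e.g. `if oreq.identity != identity_url_for(request.user): oresp = oreq.answer(False)` (`identity_url_for` is a placeholder, because the project's user-to-URL mapping is not visible in this diff). The consent page also displays `trust_root` without the view calling `oreq.trustRootValid()` or `oreq.returnToVerified()`, so the user is asked to approve a value the server has not validated. Separately, `request.session['openid_request'] = oreq` puts a library object into the session, which presumably depends on pickle-based session serialization; storing the decoded request fields and rebuilding the request in `auth_site` would remove that dependency.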
diff --git a/okupy/settings/__init__.py b/okupy/settings/__init__.py
index 4ac21a4..c3decde 100644
--- a/okupy/settings/__init__.py
+++ b/okupy/settings/__init__.py
@@ -99,9 +99,9 @@ LOGGING = {
}
}
-LOGIN_URL = '/login/'
-LOGIN_REDIRECT_URL = '/'
-LOGOUT_URL = '/logout/'
+LOGIN_URL = '/openid/login/'
+LOGIN_REDIRECT_URL = '/openid/'
+LOGOUT_URL = '/openid/logout/'
SESSION_EXPIRE_AT_BROWSER_CLOSE = True
# Custom authentication backend
diff --git a/okupy/static/openid/openid.css b/okupy/static/openid/openid.css
index bb56037..068fef3 100644
--- a/okupy/static/openid/openid.css
+++ b/okupy/static/openid/openid.css
@@ -50,7 +50,7 @@ h1 {
margin: 1em;
}
-p, ol, ul, dl, table {
+p, ol, ul, dl, table, form {
margin: 1em;
text-align: justify;
@@ -67,3 +67,12 @@ pre {
td {
padding: 0;
}
+
+#trust {
+ text-align: center;
+}
+
+#trust input {
+ margin: .5em 1em;
+ width: 20%;
+}
diff --git a/okupy/templates/openid/auth-site.html b/okupy/templates/openid/auth-site.html
new file mode 100644
index 0000000..861e7f5
--- /dev/null
+++ b/okupy/templates/openid/auth-site.html
@@ -0,0 +1,42 @@
+{% extends "openid/template.html" %}
+
+{% block title %}Authenticate site :: identity.gentoo.org{% endblock %}
+
+{% block content %}
+ {% if error %}
+ <div class='wnd error'>
+ <h2>Error</h2>
+
+ <p>{{ error }}</p>
+ </div>
+ {% else %}
+ <div class='wnd'>
+ <h2>Authenticate site</h2>
+
+ <p>
+ Would you like to allow the following site to use your
+ listed identity?
+ </p>
+
+ <dl>
+ <dt>Trust root</dt>
+ <dd>{{ request.trust_root }}</dd>
+
+ <dt>Claimed identity</dt>
+ <dd>{{ request.claimed_id }}</dd>
+
+ <dt>Identity</dt>
+ <dd>{{ request.identity }}</dd>
+ </dl>
+
+ <form id="trust" action="" method="POST">
+ {% csrf_token %}
+
+ <input type='submit' name='accept' value='Yes' />
+ <input type='submit' name='reject' value='No' />
+ </form>
+ </div>
+ {% endif %}
+{% endblock %}
+
+{# vim:ft=htmldjango: #}
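Review bot: The Yes/No consent form is a one-click state change, and nothing visible in this commit prevents the page from being framed by another origin. If `XFrameOptionsMiddleware` is not already enabled in settings (not shown here), decorate `auth_site` in views.py with `@xframe_options_deny` from `django.views.decorators.clickjacking`. The template also reads the OpenID request from a context variable named `request`, which would shadow the HttpRequest that Django's request context processor supplies to `openid/template.html` if that processor is in use; a name such as `openid_request` avoids the collision.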
diff --git a/okupy/templates/openid/endpoint.html b/okupy/templates/openid/endpoint.html
index ac840d0..080854b 100644
--- a/okupy/templates/openid/endpoint.html
+++ b/okupy/templates/openid/endpoint.html
@@ -1,5 +1,4 @@
{% extends "openid/template.html" %}
-{% load webdesign %}
{% block title %}OpenID endpoint :: identity.gentoo.org{% endblock %}