"""openid.py: an openid library for web.py

Notes:

 - This will create a file called .openid_secret_key in the 

   current directory with your secret key in it. If someone 

   has access to this file they can log in as any user. And 

   if the app can't find this file for any reason (e.g. you 

   moved the app somewhere else) then each currently logged 

   in user will get logged out.

 - State must be maintained through the entire auth process 

   -- this means that if you have multiple web.py processes 

   serving one set of URLs or if you restart your app often 

   then log ins will fail. You have to replace sessions and 

   store for things to work.

 - We set cookies starting with "openid_".

"""

import os

import random

import hmac

import __init__ as web

import openid.consumer.consumer

import openid.store.memstore

sessions = {}

store = openid.store.memstore.MemoryStore()

def _secret():

    try:

        secret = file('.openid_secret_key').read()

    except IOError:

        # file doesn't exist

        secret = os.urandom(20)

        file('.openid_secret_key', 'w').write(secret)

    return secret

def _hmac(identity_url):

    return hmac.new(_secret(), identity_url).hexdigest()

def _random_session():

    n = random.random()

    while n in sessions:

        n = random.random()

    n = str(n)

    return n

def status():

    oid_hash = web.cookies().get('openid_identity_hash', '').split(',', 1)

    if len(oid_hash) > 1:

        oid_hash, identity_url = oid_hash

        if oid_hash == _hmac(identity_url):

            return identity_url

    return None

def form(openid_loc):

    oid = status()

    if oid:

        return '''

        <form method="post" action="%s">

          <img src="http://openid.net/login-bg.gif" alt="OpenID" />

          <strong>%s</strong>

          <input type="hidden" name="action" value="logout" />

          <input type="hidden" name="return_to" value="%s" />

          <button type="submit">log out</button>

        </form>''' % (openid_loc, oid, web.ctx.fullpath)

    else:

        return '''

        <form method="post" action="%s">

          <input type="text" name="openid" value="" 

            style="background: url(http://openid.net/login-bg.gif) no-repeat; padding-left: 18px; background-position: 0 50%%;" />

          <input type="hidden" name="return_to" value="%s" />

          <button type="submit">log in</button>

        </form>''' % (openid_loc, web.ctx.fullpath)

def logout():

    web.setcookie('openid_identity_hash', '', expires=-1)

class host:

    def POST(self):

        # unlike the usual scheme of things, the POST is actually called

        # first here

        i = web.input(return_to='/')

        if i.get('action') == 'logout':

            logout()

            return web.redirect(i.return_to)

        i = web.input('openid', return_to='/')

        n = _random_session()

        sessions[n] = {'webpy_return_to': i.return_to}

        c = openid.consumer.consumer.Consumer(sessions[n], store)

        a = c.begin(i.openid)

        f = a.redirectURL(web.ctx.home, web.ctx.home + web.ctx.fullpath)

        web.setcookie('openid_session_id', n)

        return web.redirect(f)

    def GET(self):

        n = web.cookies('openid_session_id').openid_session_id

        web.setcookie('openid_session_id', '', expires=-1)

        return_to = sessions[n]['webpy_return_to']

        c = openid.consumer.consumer.Consumer(sessions[n], store)

        a = c.complete(web.input(), web.ctx.home + web.ctx.fullpath)

        if a.status.lower() == 'success':

            web.setcookie('openid_identity_hash', _hmac(a.identity_url) + ',' + a.identity_url)

        del sessions[n]

        return web.redirect(return_to)