a xd}@@sdZgdZddlmZddlZddlZdZdZdZdZ d Z e d Z d Z d ZGd ddeZGdddeZee_GdddeZee_dS)zAn implementation of the OpenID Provider Authentication Policy Extension 1.0, Draft 5 @see: http://openid.net/developers/specs/ @since: 2.1.0 )RequestResponsens_uriAUTH_PHISHING_RESISTANTAUTH_MULTI_FACTORAUTH_MULTI_FACTOR_PHYSICAL LEVELS_NIST LEVELS_JISA) ExtensionNz+http://specs.openid.net/extensions/pape/1.0zEhttp://schemas.openid.net/pape/policies/2007/06/multi-factor-physicalzstrict policies_struriZmax_auth_age_strr(aliasesrkeyrrrr:sB             zRequest.parseExtensionArgscCstt|jj|S)aGiven a list of authentication policy URIs that a provider supports, this method returns the subsequence of those types that are preferred by the relying party. @param supported_types: A sequence of authentication policy type URIs that are supported by a provider @returns: The sub-sequence of the supported types that are preferred by the relying party. This list will be ordered in the order that the types appear in the supported_types sequence, and may be empty if the provider does not prefer any of the supported authentication types. @returntype: [str] )listfilterr& __contains__)rZsupported_typesrrrpreferredTypess zRequest.preferredTypes)NNN)N)F)r!r"r#__doc__ns_aliasrr-r0r)r7r? classmethodr:rO __classcell__rrr*rr^s  ?rcsveZdZdZdZdfdd ZdddZdd Zd d Ze ed d Z ddZ ddZ dddZ ee Z ddZZS)rzA Provider Authentication Policy response, sent from a provider to a relying party @ivar auth_policies: List of authentication policies conformed to by this OpenID assertion, represented as policy URIs r$NcsZtt||r||_ng|_||_i|_|dur8i}|D]\}}|||q@dSr )r%rr auth_policies auth_time auth_levelsr setAuthLevel)rrTrUrVrIlevelr*rrr szResponse.__init__cCs|||||j|<dS)aSet the value for the given auth level type. @param level: string representation of an authentication level valid for level_uri @param alias: An optional namespace alias for the given auth level URI. May be omitted if the alias is not significant. The library will use a reasonable default for widely-used auth level types. N)rrV)r level_urirXrrrrrW0s zResponse.setAuthLevelcCs |j|S)aReturn the auth level for the specified auth level identifier @returns: A string that should map to the auth levels defined for the auth level type @raises KeyError: If the auth level type is not present in this message )rV)rrYrrr getAuthLevel>s zResponse.getAuthLevelcCs*zt|tWSty$YdS0dSr )rDrZrrrrrr_getNISTAuthLevelJs zResponse._getNISTAuthLevelz7Backward-compatibility accessor for the NIST auth level)doccCs*|tkrtd||jvr&|j|dS)aAdd a authentication policy to this response This method is intended to be used by the provider to add a policy that the provider conformed to when authenticating the user. @param policy_uri: The identifier for the preferred type of authentication. @see: http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-01.html#auth_policies z4To send no policies, do not set any on the response.N) AUTH_NONErrTr.r/rrrr0Ts  zResponse.addPolicyURIcCs:|}||j}|}|dur2||||SdSdS)a9Create a C{L{Response}} object from a successful OpenID library response (C{L{openid.consumer.consumer.SuccessResponse}}) response message @param success_response: A SuccessResponse from consumer.complete() @type success_response: C{L{openid.consumer.consumer.SuccessResponse}} @rtype: Response or None @returns: A provider authentication policy response from the data that was supplied with the C{id_res} response or None if the provider sent no signed PAPE response arguments. N)Z getSignedNSrr9r:)r;Zsuccess_responserr=r>rrrfromSuccessResponsees  zResponse.fromSuccessResponseFc Csb|d}|r|d}n|r(tdng}t|dkrR|rRt|vrRtd|fd|vrzd}|rlt|ntj|dd d d |D}||_|D]\}}| d r|d d} | drqz|d| f} Wn(t y|r|j | } nd} Yn0| dur|r*td| fq| | || q|d} | r^t | rP| |_n|r^tddS)aParse the provider authentication policy arguments into the internal state of this object @param args: unqualified provider authentication policy arguments @param strict: Whether to raise an exception when bad data is encountered @returns: None. The data is parsed into the internal fields of this object. rTr2zMissing auth_policiesz=Got some auth policies, as well as the special "none" URI: %rnonez0"none" used as a policy URI (see PAPE draft < 5)) stacklevelcSsg|]}|dtfvr|qS)r`)r]).0urrr sz/Response.parseExtensionArgs..z auth_level. Nzns.r3zUndefined auth level alias: %rrU#auth_time must be in RFC3339 format)rrCrElenr]warningswarnrTr startswithrr rWTIME_VALIDATORmatchrU) rr=r>rGrHrTmsgrKvalrrIrUrrrr:sT            zResponse.parseExtensionArgscCst|jdkrdti}ndd|ji}|jD]2\}}||}||d|f<t||d|f<q2|jdurt |jst d|j|d<|S) r1r rTr2r3z auth_level.%sNrgrU) rhrTr]r4rVr rr5rUrlrmrE)rr6Z level_typerXrrrrr7s     zResponse.getExtensionArgs)NNN)N)F)r!r"r#rPrQrrWrZr[propertyZnist_auth_levelr0r^r:rRr7rSrrr*rrs   Dr)rP__all__Zopenid.extensionr rirerrrrr]compilerlrrr rrrrrrs.  56L