From 25b8eaf83e681a9322cffe61aad5254bcbe0c917 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 1 Aug 2014 08:15:49 -0400
Subject: [PATCH] Use helper cookie to remember the username

This makes the login page a lot more friendy
Available only over HTTPS
Max age set to 15 days

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
---
 ipsilon/login/authform.py |  2 +-
 ipsilon/login/authkrb.py  |  2 +-
 ipsilon/login/authpam.py  |  2 +-
 ipsilon/login/authtest.py |  2 +-
 ipsilon/login/common.py   | 26 +++++++++++++++++++++++++-
 5 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/ipsilon/login/authform.py b/ipsilon/login/authform.py
index c59e722..85b31bd 100755
--- a/ipsilon/login/authform.py
+++ b/ipsilon/login/authform.py
@@ -33,7 +33,7 @@ class Form(LoginFormBase):
         us.remote_login()
         user = us.get_user()
         if not user.is_anonymous:
-            return self.lm.auth_successful(user.name)
+            return self.lm.auth_successful(user.name, 'password')
         else:
             try:
                 error = cherrypy.request.headers['EXTERNAL_AUTH_ERROR']
diff --git a/ipsilon/login/authkrb.py b/ipsilon/login/authkrb.py
index af659e7..d5ceaf3 100755
--- a/ipsilon/login/authkrb.py
+++ b/ipsilon/login/authkrb.py
@@ -40,7 +40,7 @@ class KrbAuth(LoginPageBase):
         # was set. Check the session has a user set already or error.
         if self.user and self.user.name:
             userdata = {'krb_principal_name': self.user.name}
-            return self.lm.auth_successful(self.user.name, userdata)
+            return self.lm.auth_successful(self.user.name, 'krb', userdata)
         else:
             return self.lm.auth_failed()
 
diff --git a/ipsilon/login/authpam.py b/ipsilon/login/authpam.py
index c88f0a0..58e07cf 100755
--- a/ipsilon/login/authpam.py
+++ b/ipsilon/login/authpam.py
@@ -49,7 +49,7 @@ class Pam(LoginFormBase):
         if username and password:
             user = self._authenticate(username, password)
             if user:
-                return self.lm.auth_successful(user)
+                return self.lm.auth_successful(user, 'password')
             else:
                 error = "Authentication failed"
                 cherrypy.log.error(error)
diff --git a/ipsilon/login/authtest.py b/ipsilon/login/authtest.py
index df826c8..8eae0b6 100755
--- a/ipsilon/login/authtest.py
+++ b/ipsilon/login/authtest.py
@@ -33,7 +33,7 @@ class TestAuth(LoginFormBase):
         if username and password:
             if password == 'ipsilon':
                 cherrypy.log("User %s successfully authenticated." % username)
-                return self.lm.auth_successful(username)
+                return self.lm.auth_successful(username, 'password')
             else:
                 cherrypy.log("User %s failed authentication." % username)
                 error = "Authentication failed"
diff --git a/ipsilon/login/common.py b/ipsilon/login/common.py
index b451550..9dbcc0f 100755
--- a/ipsilon/login/common.py
+++ b/ipsilon/login/common.py
@@ -25,6 +25,9 @@ from ipsilon.util.plugin import PluginInstaller
 import cherrypy
 
 
+USERNAME_COOKIE = 'ipsilon_default_username'
+
+
 class LoginManagerBase(PluginObject, Log):
 
     def __init__(self):
@@ -36,7 +39,7 @@ class LoginManagerBase(PluginObject, Log):
         base = cherrypy.config.get('base.mount', "")
         raise cherrypy.HTTPRedirect('%s/login/%s' % (base, path))
 
-    def auth_successful(self, username, userdata=None):
+    def auth_successful(self, username, auth_type=None, userdata=None):
         # save ref before calling UserSession login() as it
         # may regenerate the session
         session = UserSession()
@@ -44,8 +47,24 @@ class LoginManagerBase(PluginObject, Log):
         if not ref:
             ref = cherrypy.config.get('base.mount', "") + '/'
 
+        if auth_type:
+            if userdata:
+                userdata.update({'auth_type': auth_type})
+            else:
+                userdata = {'auth_type': auth_type}
+
         session.login(username, userdata)
 
+        # save username into a cookie if parent was form base auth
+        if auth_type == 'password':
+            cherrypy.response.cookie[USERNAME_COOKIE] = username
+            cherrypy.response.cookie[USERNAME_COOKIE]['path'] = \
+                cherrypy.config.get('base.mount', '/')
+            cherrypy.response.cookie[USERNAME_COOKIE]['secure'] = True
+            cherrypy.response.cookie[USERNAME_COOKIE]['httponly'] = True
+            # 15 days
+            cherrypy.response.cookie[USERNAME_COOKIE]['max-age'] = 1296000
+
         raise cherrypy.HTTPRedirect(ref)
 
     def auth_failed(self):
@@ -148,6 +167,10 @@ class LoginFormBase(LoginPageBase):
         if self.lm.next_login is not None:
             next_url = self.lm.next_login.path
 
+        username = ''
+        if USERNAME_COOKIE in cherrypy.request.cookie:
+            username = cherrypy.request.cookie[USERNAME_COOKIE].value
+
         context = {
             "title": 'Login',
             "action": '%s/%s' % (self.basepath, self.formpage),
@@ -156,6 +179,7 @@ class LoginFormBase(LoginPageBase):
             "password_text": self.lm.password_text,
             "description": self.lm.help_text,
             "next_url": next_url,
+            "username": username,
         }
         context.update(kwargs)
         return context
-- 
2.20.1