source: main/waeup.cas/trunk/waeup/cas/authenticators.py @ 10517

Last change on this file since 10517 was 10517, checked in by Henrik Bettermann, 11 years ago

Define private _create_user method which can be reused for applicants.
File size: 8.5 KB
Line 
1"""Components that do the real authentication stuff.
2"""
3import re
4import sys
5from pkg_resources import iter_entry_points
6try:
7    import xmlrpclib                     # Python 2.x
8except ImportError:                      # pragma: no cover
9    import xmlrpc.client as xmlrpclib    # Python 3.x
10
11
12def get_all_authenticators():
13    """Get all authenticators registered via entry points.
14
15    To create an own authenticator, in the ``setup.py`` of your
16    package add a block like this::
17
18        entry_points='''
19           [waeup.cas.authenticators]
20           myname = my.pkg.my.module:MyAuthenticator
21           '''
22
23    where ``my.pkg.my.module`` must be a module importable at runtime
24    and ``MyAuthenticator`` must be some Authenticator class defined
25    in this module.
26
27    ``myname`` can be chosen as you like, but must not clash with
28    other ``waeup.cas.authenticators``. The name should contain ASCII
29    letters and numbers only, and start with a letter.
30    """
31    return dict(
32        [(x.name, x.load())
33         for x in iter_entry_points(group='waeup.cas.authenticators')])
34
35
36def get_authenticator(local_conf):
37    """Get an `Authenticator` configured by ``local_conf``.
38
39    `local_conf` must be a dictionary of settings.
40
41    An authenticator is identified by its entry-point name which must
42    be given as value of the ``auth`` key.
43
44    It is created passing all keys/values where key starts with
45    ``auth_``.
46
47    Returns a dict of remaining keys/values in `local_conf` with the
48    value of ``auth`` key replaced by an authenticator instance.
49    """
50    gen_opts, auth_opts = filter_auth_opts(local_conf)
51    if 'auth' in local_conf:
52        auth_dict = get_all_authenticators()
53        factory = auth_dict.get(local_conf['auth'])  # get authenticator
54        auth = factory(**auth_opts)
55        gen_opts.update(auth=auth)
56    return gen_opts
57
58
59def filter_auth_opts(local_conf):
60    """Filter out auth-related opts in `local_conf`, a dict.
61
62    Returns two dicts ``(<GENERAL_OPTS>, <AUTHENTICATOR_OPTS>)``
63    containing the general options and authenticator related options.
64
65    This is designed to work with typical paste.deploy config files
66    like this::
67
68      [foo]
69      foo = bar
70      auth = foo
71      auth_opt1 = bar
72
73    All settings not starting with `auth_` are put into the general
74    opts dict, while other are put into the authenticator opts dict.
75    """
76    auth_opts = {}
77    general_opts = {}
78    for name, value in local_conf.items():
79        if name.startswith('auth_'):
80            auth_opts[name] = value
81        else:
82            general_opts[name] = value
83    return general_opts, auth_opts
84
85
86class Authenticator(object):
87
88    #: The name of an authenticator
89    name = 'basic'
90
91    def __init__(self, **kw):
92        pass
93
94
95class DummyAuthenticator(Authenticator):
96    """A dummy authenticator for tests.
97
98    This authenticator does no real authentication. It simply approves
99    credentials ``('bird', 'bebop')`` and denies all other.
100    """
101
102    name = 'dummy'
103
104    def check_credentials(self, username='', password=''):
105        """If username is ``'bird'`` and password ``'bebop'`` check
106        will succeed.
107
108        Returns a tuple ``(<STATUS>, <REASON>)`` with ``<STATUS>``
109        being a boolean and ``<REASON>`` being a string giving the
110        reason why login failed (if so) or an empty string.
111        """
112        reason = ''
113        result = username == 'bird' and password == 'bebop'
114        if not result:
115            reason = 'Invalid username or password.'
116        return result, reason
117
118
119#: Regular expression matching a starting university marker like
120#: the string 'MA-' in 'MA-M121212' or 'MA-' in 'MA-APP-13123'
121RE_SCHOOL_MARKER = re.compile('^[^\-]+-')
122
123
124class KofaAuthenticator(Authenticator):
125    """Authenticate against a running Kofa instance.
126    """
127
128    name = 'kofa1'
129
130    def __init__(self, auth_backends="{}"):
131        try:
132            self.backends = eval(auth_backends)
133        except:
134            raise ValueError('auth_backends must be a '
135                             'valid Python expression.')
136        self._check_options()
137
138    def _check_options(self):
139        if not isinstance(self.backends, dict):
140            raise ValueError('Backends must be configured as dicts.')
141        for key, val in self.backends.items():
142            if not isinstance(val, dict):
143                raise ValueError(
144                    'Backend %s: config must be a dict' % key)
145            if not 'url' in val:
146                raise ValueError(
147                    'Backend %s: config must contain an `url` key.' % key)
148            if not 'marker' in val:
149                self.backends[key]['marker'] = '.+'
150            try:
151                re.compile(self.backends[key]['marker'])
152            except:
153                raise ValueError(
154                    'Backend %s: marker must be a valid regular expr.:' % (
155                        key,))
156
157    def check_credentials(self, username='', password=''):
158        """Do the real check.
159        """
160        for backend_name, backend in self.backends.items():
161            if not re.match(backend['marker'], username):
162                continue
163            # remove school marker
164            username = RE_SCHOOL_MARKER.sub('', username)
165            proxy = xmlrpclib.ServerProxy(
166                backend['url'], allow_none=True)
167            valid = proxy.check_applicant_credentials(username, password)
168            if valid is None:
169                valid = proxy.check_student_credentials(username, password)
170            if valid is not None:
171                return (True, '')
172        return (False, 'Invalid username or password.')
173
174class KofaMoodleAuthenticator(KofaAuthenticator):
175    """Authenticate against a running Kofa instance and transfer
176    data to Moodle.
177
178    Configuration of Moodle:
179    1. Set 'passwordpolicy' to No
180    2. Create external web service 'Kofa' with the following functions:
181      core_user_create_users, core_user_get_users,
182      core_user_update_users, enrol_manual_enrol_users
183    3. Create token for the admin user (no special web service user needed)
184      and for service 'Kofa'
185    4. Enable and configure CAS server authentication.
186      CAS protocol version is 1.0. Moodle expects SSL/TLS protocol.
187    """
188
189    name = 'kofa_moodle1'
190
191    def _create_user(self, username, userdata, moodle):
192        try:
193            # Usernames in Moodle must not contain uppercase
194            # letters even if extendedusernamechars is set True.
195            result = moodle.core_user_create_users([
196                {'username':username.lower(),
197                 'password':'dummy',
198                 'firstname':userdata['firstname'],
199                 'lastname':userdata['lastname'],
200                 'email':userdata['email']}])
201        except xmlrpclib.Fault:
202            faultstring = sys.exc_info()[1].faultString
203            if not 'Username already exists' in faultstring:
204                return (False, faultstring)
205        try:
206            result = moodle.core_user_get_users([
207                {'key':'username', 'value':username}])
208        except xmlrpclib.Fault:
209            faultstring = sys.exc_info()[1].faultString
210            return (False, faultstring)
211        user_id = result['users'][0]['id']
212        # Due to a lack of Moodle (Moodle requires an LDAP
213        # connection) the authentication method can't
214        # be set when the user is created. It must be updated
215        # after creation.
216        try:
217            result = moodle.core_user_update_users([
218                {'id':user_id,'auth':'cas'}])
219        except xmlrpclib.Fault:
220            faultstring = sys.exc_info()[1].faultString
221            return (False, faultstring)
222        return (True, '')
223
224    def check_credentials(self, username='', password=''):
225        """Do the real check.
226        """
227        for backend_name, backend in self.backends.items():
228            if not re.match(backend['marker'], username):
229                continue
230            # remove school marker
231            username = RE_SCHOOL_MARKER.sub('', username)
232            proxy = xmlrpclib.ServerProxy(
233                backend['url'], allow_none=True)
234            moodle = xmlrpclib.ServerProxy(
235                backend['moodle_url'], allow_none=True)
236            principal = proxy.check_applicant_credentials(username, password)
237            if principal is None:
238                principal = proxy.check_student_credentials(username, password)
239            if principal is not None:
240                if principal['type'] == 'student':
241                    userdata = proxy.get_student_moodle_data(username)
242                    return self._create_user(username, userdata, moodle)
243        return (False, 'Invalid username or password.')
Note: See TracBrowser for help on using the repository browser.