source: main/waeup.cas/trunk/waeup/cas/authenticators.py @ 10522

Last change on this file since 10522 was 10522, checked in by Henrik Bettermann, 11 years ago

Be more verbose if credentials checking fails.

File size: 9.0 KB
Line 
1"""Components that do the real authentication stuff.
2"""
3import re
4import sys
5from pkg_resources import iter_entry_points
6try:
7    import xmlrpclib                     # Python 2.x
8except ImportError:                      # pragma: no cover
9    import xmlrpc.client as xmlrpclib    # Python 3.x
10
11
12def get_all_authenticators():
13    """Get all authenticators registered via entry points.
14
15    To create an own authenticator, in the ``setup.py`` of your
16    package add a block like this::
17
18        entry_points='''
19           [waeup.cas.authenticators]
20           myname = my.pkg.my.module:MyAuthenticator
21           '''
22
23    where ``my.pkg.my.module`` must be a module importable at runtime
24    and ``MyAuthenticator`` must be some Authenticator class defined
25    in this module.
26
27    ``myname`` can be chosen as you like, but must not clash with
28    other ``waeup.cas.authenticators``. The name should contain ASCII
29    letters and numbers only, and start with a letter.
30    """
31    return dict(
32        [(x.name, x.load())
33         for x in iter_entry_points(group='waeup.cas.authenticators')])
34
35
36def get_authenticator(local_conf):
37    """Get an `Authenticator` configured by ``local_conf``.
38
39    `local_conf` must be a dictionary of settings.
40
41    An authenticator is identified by its entry-point name which must
42    be given as value of the ``auth`` key.
43
44    It is created passing all keys/values where key starts with
45    ``auth_``.
46
47    Returns a dict of remaining keys/values in `local_conf` with the
48    value of ``auth`` key replaced by an authenticator instance.
49    """
50    gen_opts, auth_opts = filter_auth_opts(local_conf)
51    if 'auth' in local_conf:
52        auth_dict = get_all_authenticators()
53        factory = auth_dict.get(local_conf['auth'])  # get authenticator
54        auth = factory(**auth_opts)
55        gen_opts.update(auth=auth)
56    return gen_opts
57
58
59def filter_auth_opts(local_conf):
60    """Filter out auth-related opts in `local_conf`, a dict.
61
62    Returns two dicts ``(<GENERAL_OPTS>, <AUTHENTICATOR_OPTS>)``
63    containing the general options and authenticator related options.
64
65    This is designed to work with typical paste.deploy config files
66    like this::
67
68      [foo]
69      foo = bar
70      auth = foo
71      auth_opt1 = bar
72
73    All settings not starting with `auth_` are put into the general
74    opts dict, while other are put into the authenticator opts dict.
75    """
76    auth_opts = {}
77    general_opts = {}
78    for name, value in local_conf.items():
79        if name.startswith('auth_'):
80            auth_opts[name] = value
81        else:
82            general_opts[name] = value
83    return general_opts, auth_opts
84
85
86class Authenticator(object):
87
88    #: The name of an authenticator
89    name = 'basic'
90
91    def __init__(self, **kw):
92        pass
93
94
95class DummyAuthenticator(Authenticator):
96    """A dummy authenticator for tests.
97
98    This authenticator does no real authentication. It simply approves
99    credentials ``('bird', 'bebop')`` and denies all other.
100    """
101
102    name = 'dummy'
103
104    def check_credentials(self, username='', password=''):
105        """If username is ``'bird'`` and password ``'bebop'`` check
106        will succeed.
107
108        Returns a tuple ``(<STATUS>, <REASON>)`` with ``<STATUS>``
109        being a boolean and ``<REASON>`` being a string giving the
110        reason why login failed (if so) or an empty string.
111        """
112        reason = ''
113        result = username == 'bird' and password == 'bebop'
114        if not result:
115            reason = 'Invalid username or password.'
116        return result, reason
117
118
119#: Regular expression matching a starting university marker like
120#: the string 'MA-' in 'MA-M121212' or 'MA-' in 'MA-APP-13123'
121RE_SCHOOL_MARKER = re.compile('^[^\-]+-')
122
123
124class KofaAuthenticator(Authenticator):
125    """Authenticate against a running Kofa instance.
126    """
127
128    name = 'kofa1'
129
130    def __init__(self, auth_backends="{}"):
131        try:
132            self.backends = eval(auth_backends)
133        except:
134            raise ValueError('auth_backends must be a '
135                             'valid Python expression.')
136        self._check_options()
137
138    def _check_options(self):
139        if not isinstance(self.backends, dict):
140            raise ValueError('Backends must be configured as dicts.')
141        for key, val in self.backends.items():
142            if not isinstance(val, dict):
143                raise ValueError(
144                    'Backend %s: config must be a dict' % key)
145            if not 'url' in val:
146                raise ValueError(
147                    'Backend %s: config must contain an `url` key.' % key)
148            if not 'marker' in val:
149                self.backends[key]['marker'] = '.+'
150            try:
151                re.compile(self.backends[key]['marker'])
152            except:
153                raise ValueError(
154                    'Backend %s: marker must be a valid regular expr.:' % (
155                        key,))
156
157    def check_credentials(self, username='', password=''):
158        """Do the real check.
159        """
160        for backend_name, backend in self.backends.items():
161            if not re.match(backend['marker'], username):
162                continue
163            # remove school marker
164            username = RE_SCHOOL_MARKER.sub('', username)
165            proxy = xmlrpclib.ServerProxy(
166                backend['url'], allow_none=True)
167            valid = proxy.check_applicant_credentials(username, password)
168            if valid is None:
169                valid = proxy.check_student_credentials(username, password)
170            if valid is not None:
171                return (True, '')
172        return (False, 'Invalid username or password.')
173
174class KofaMoodleAuthenticator(KofaAuthenticator):
175    """Authenticate against a running Kofa instance and transfer
176    data to Moodle.
177
178    Configuration of Moodle:
179    1. Set 'passwordpolicy' to No
180    2. Create external web service 'Kofa' with the following functions:
181      core_user_create_users, core_user_get_users,
182      core_user_update_users, enrol_manual_enrol_users
183    3. Create token for the admin user (no special web service user needed)
184      and for service 'Kofa'
185    4. Enable and configure CAS server authentication.
186      CAS protocol version is 1.0. Moodle expects SSL/TLS protocol.
187    """
188
189    name = 'kofa_moodle1'
190
191    def _create_user(self, username, userdata, moodle):
192        try:
193            # Usernames in Moodle must not contain uppercase
194            # letters even if extendedusernamechars is set True.
195            # Usernames in Moodle are case insensitive.
196            # In other words, Moodle changes usernames from
197            # uppercase to lowercase when you login.
198            result = moodle.core_user_create_users([
199                {'username':username.lower(),
200                 'password':'dummy',
201                 'firstname':userdata['firstname'],
202                 'lastname':userdata['lastname'],
203                 'email':userdata['email']}])
204        except xmlrpclib.Fault:
205            faultstring = sys.exc_info()[1].faultString
206            if not 'Username already exists' in faultstring:
207                return (False, faultstring)
208        try:
209            result = moodle.core_user_get_users([
210                {'key':'username', 'value':username}])
211        except xmlrpclib.Fault:
212            faultstring = sys.exc_info()[1].faultString
213            return (False, faultstring)
214        user_id = result['users'][0]['id']
215        # Due to a lack of Moodle (Moodle requires an LDAP
216        # connection) the authentication method can't
217        # be set when the user is created. It must be updated
218        # after creation.
219        try:
220            result = moodle.core_user_update_users([
221                {'id':user_id,'auth':'cas'}])
222        except xmlrpclib.Fault:
223            faultstring = sys.exc_info()[1].faultString
224            return (False, faultstring)
225        return (True, '')
226
227    def check_credentials(self, username='', password=''):
228        """Do the real check.
229        """
230        for backend_name, backend in self.backends.items():
231            if not re.match(backend['marker'], username):
232                continue
233            # remove school marker
234            username = RE_SCHOOL_MARKER.sub('', username)
235            proxy = xmlrpclib.ServerProxy(
236                backend['url'], allow_none=True)
237            moodle = xmlrpclib.ServerProxy(
238                backend['moodle_url'], allow_none=True)
239            principal = proxy.check_applicant_credentials(username, password)
240            if principal is None:
241                principal = proxy.check_student_credentials(username, password)
242            if principal is None:
243                return (False, 'Invalid username or password')
244            if principal['type'] == 'student':
245                userdata = proxy.get_student_moodle_data(username)
246                return self._create_user(username, userdata, moodle)
247            if principal['type'] == 'applicant':
248                userdata = proxy.get_applicant_moodle_data(username)
249                return self._create_user(username, userdata, moodle)
250            return (False, 'User not eligible')
251        return (False, 'Invalid username or password')
252
Note: See TracBrowser for help on using the repository browser.