Context navigation

source: main/waeup.kofa/branches/uli-fix-zc-async/src/waeup/kofa/authentication.py @ 17952

Last change on this file since 17952 was 15302, checked in by Henrik Bettermann, 6 years ago
Enable strict password validation.
Property svn:keywords set to `Id`
File size: 23.4 KB

Line
1	## $Id: authentication.py 15302 2019-01-18 09:46:41Z henrik $
2	##
3	## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4	## This program is free software; you can redistribute it and/or modify
5	## it under the terms of the GNU General Public License as published by
6	## the Free Software Foundation; either version 2 of the License, or
7	## (at your option) any later version.
8	##
9	## This program is distributed in the hope that it will be useful,
10	## but WITHOUT ANY WARRANTY; without even the implied warranty of
11	## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12	## GNU General Public License for more details.
13	##
14	## You should have received a copy of the GNU General Public License
15	## along with this program; if not, write to the Free Software
16	## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17	##
18	"""Authentication for Kofa.
19	"""
20	import grok
21	import time
22	import re
23	from zope.i18n import translate
24	from zope.event import notify
25	from zope.component import getUtility, getUtilitiesFor
26	from zope.component.interfaces import IFactory
27	from zope.interface import Interface, implementedBy
28	from zope.schema import getFields
29	from zope.securitypolicy.interfaces import (
30	IPrincipalRoleMap, IPrincipalRoleManager)
31	from zope.pluggableauth.factories import Principal
32	from zope.pluggableauth.plugins.session import SessionCredentialsPlugin
33	from zope.pluggableauth.plugins.httpplugins import (
34	HTTPBasicAuthCredentialsPlugin)
35	from zope.pluggableauth.interfaces import (
36	ICredentialsPlugin, IAuthenticatorPlugin, IAuthenticatedPrincipalFactory,
37	AuthenticatedPrincipalCreated)
38	from zope.publisher.interfaces import IRequest
39	from zope.password.interfaces import IPasswordManager
40	from zope.securitypolicy.principalrole import principalRoleManager
41	from waeup.kofa.interfaces import (
42	ILocalRoleSetEvent, IUserAccount, IAuthPluginUtility, IPasswordValidator,
43	IKofaPrincipal, IKofaPrincipalInfo, IKofaPluggable, IBatchProcessor,
44	IGNORE_MARKER, IFailedLoginInfo)
45	from waeup.kofa.utils.batching import BatchProcessor
46	from waeup.kofa.permissions import get_all_roles
47	from waeup.kofa.interfaces import MessageFactory as _
48
49
50	def setup_authentication(pau):
51	"""Set up plugguble authentication utility.
52
53	Sets up an IAuthenticatorPlugin and
54	ICredentialsPlugin (for the authentication mechanism)
55
56	Then looks for any external utilities that want to modify the PAU.
57	"""
58	pau.credentialsPlugins = (
59	'No Challenge if Authenticated',
60	'xmlrpc-credentials',
61	'credentials')
62	pau.authenticatorPlugins = ('users',)
63
64	# Give any third-party code and subpackages a chance to modify the PAU
65	auth_plugin_utilities = getUtilitiesFor(IAuthPluginUtility)
66	for name, util in auth_plugin_utilities:
67	util.register(pau)
68
69
70	def get_principal_role_manager():
71	"""Get a role manager for principals.
72
73	If we are currently 'in a site', return the role manager for the
74	portal or the global rolemanager else.
75	"""
76	portal = grok.getSite()
77	if portal is not None:
78	return IPrincipalRoleManager(portal)
79	return principalRoleManager
80
81
82	class KofaSessionCredentialsPlugin(
83	grok.GlobalUtility, SessionCredentialsPlugin):
84	"""Session plugin that picks usernames/passwords from fields in webforms.
85	"""
86	grok.provides(ICredentialsPlugin)
87	grok.name('credentials')
88
89	loginpagename = 'login'
90	loginfield = 'form.login'
91	passwordfield = 'form.password'
92
93
94	class KofaXMLRPCCredentialsPlugin(
95	grok.GlobalUtility, HTTPBasicAuthCredentialsPlugin):
96	"""Plugin that picks useranams/passwords from basic-auth headers.
97
98	As XMLRPC requests send/post their authentication credentials in HTTP
99	basic-auth headers, we need a plugin that can handle this.
100
101	This plugin, however, does no challenging. If a user does not provide
102	basic-auth infos, we will not ask for some. This is correct as we plan to
103	communicate with machines.
104
105	This plugin is planned to be used in "PluggableAuthenitications" registered
106	with `University` instances.
107	"""
108	grok.provides(ICredentialsPlugin)
109	grok.name('xmlrpc-credentials')
110
111	def challenge(self, request):
112	"""XMLRPC is for machines. No need to challenge.
113	"""
114	return False
115
116	def logout(self, request):
117	"""Basic auth does not provide any logout possibility.
118	"""
119	return False
120
121
122	class KofaPrincipalInfo(object):
123	"""An implementation of IKofaPrincipalInfo.
124
125	A Kofa principal info is created with id, login, title, description,
126	phone, email, public_name and user_type.
127	"""
128	grok.implements(IKofaPrincipalInfo)
129
130	def __init__(self, id, title, description, email, phone, public_name,
131	user_type):
132	self.id = id
133	self.title = title
134	self.description = description
135	self.email = email
136	self.phone = phone
137	self.public_name = public_name
138	self.user_type = user_type
139	self.credentialsPlugin = None
140	self.authenticatorPlugin = None
141
142	def __eq__(self, obj):
143	default = object()
144	result = []
145	for name in ('id', 'title', 'description', 'email', 'phone',
146	'public_name', 'user_type', 'credentialsPlugin',
147	'authenticatorPlugin'):
148	result.append(
149	getattr(self, name) == getattr(obj, name, default))
150	return False not in result
151
152
153	class KofaPrincipal(Principal):
154	"""A portal principal.
155
156	Kofa principals provide an extra `email`, `phone`, `public_name`
157	and `user_type` attribute extending ordinary principals.
158	"""
159
160	grok.implements(IKofaPrincipal)
161
162	def __init__(self, id, title=u'', description=u'', email=u'',
163	phone=None, public_name=u'', user_type=u'', prefix=None):
164	self.id = id
165	if prefix is not None:
166	self.id = '%s.%s' % (prefix, self.id)
167	self.title = title
168	self.description = description
169	self.groups = []
170	self.email = email
171	self.phone = phone
172	self.public_name = public_name
173	self.user_type = user_type
174
175	def __repr__(self):
176	return 'KofaPrincipal(%r)' % self.id
177
178
179	class AuthenticatedKofaPrincipalFactory(grok.MultiAdapter):
180	"""Creates 'authenticated' Kofa principals.
181
182	Adapts (principal info, request) to a KofaPrincipal instance.
183
184	This adapter is used by the standard PAU to transform
185	KofaPrincipalInfos into KofaPrincipal instances.
186	"""
187	grok.adapts(IKofaPrincipalInfo, IRequest)
188	grok.implements(IAuthenticatedPrincipalFactory)
189
190	def __init__(self, info, request):
191	self.info = info
192	self.request = request
193
194	def __call__(self, authentication):
195	principal = KofaPrincipal(
196	self.info.id,
197	self.info.title,
198	self.info.description,
199	self.info.email,
200	self.info.phone,
201	self.info.public_name,
202	self.info.user_type,
203	authentication.prefix,
204	)
205	notify(
206	AuthenticatedPrincipalCreated(
207	authentication, principal, self.info, self.request))
208	return principal
209
210
211	class FailedLoginInfo(grok.Model):
212	grok.implements(IFailedLoginInfo)
213
214	def __init__(self, num=0, last=None):
215	self.num = num
216	self.last = last
217	return
218
219	def as_tuple(self):
220	return (self.num, self.last)
221
222	def set_values(self, num=0, last=None):
223	self.num, self.last = num, last
224	self._p_changed = True
225	pass
226
227	def increase(self):
228	self.set_values(num=self.num + 1, last=time.time())
229	pass
230
231	def reset(self):
232	self.set_values(num=0, last=None)
233	pass
234
235
236	class Account(grok.Model):
237	"""Kofa user accounts store infos about a user.
238
239	Beside the usual data and an (encrypted) password, accounts also
240	have a persistent attribute `failed_logins` which is an instance
241	of `waeup.kofa.authentication.FailedLoginInfo`.
242
243	This attribute can be manipulated directly (set new value,
244	increase values, or reset).
245	"""
246	grok.implements(IUserAccount)
247
248	def __init__(self, name, password, title=None, description=None,
249	email=None, phone=None, public_name=None, roles=[]):
250	self.name = name
251	if title is None:
252	title = name
253	self.title = title
254	self.description = description
255	self.email = email
256	self.phone = phone
257	self.public_name = public_name
258	self.suspended = False
259	self.setPassword(password)
260	self.setSiteRolesForPrincipal(roles)
261
262	# We don't want to share this dict with other accounts
263	self._local_roles = dict()
264	self.failed_logins = FailedLoginInfo()
265
266	def setPassword(self, password):
267	passwordmanager = getUtility(IPasswordManager, 'SSHA')
268	self.password = passwordmanager.encodePassword(password)
269
270	def checkPassword(self, password):
271	try:
272	blocker = grok.getSite()['configuration'].maintmode_enabled_by
273	if blocker and blocker != self.name:
274	return False
275	except (TypeError, KeyError): # in unit tests
276	pass
277	if not isinstance(password, basestring):
278	return False
279	if not self.password:
280	# unset/empty passwords do never match
281	return False
282	# Do not accept password if password is insecure.
283	validator = getUtility(IPasswordValidator)
284	if validator.validate_secure_password(password, password):
285	return False
286	if self.suspended:
287	return False
288	passwordmanager = getUtility(IPasswordManager, 'SSHA')
289	return passwordmanager.checkPassword(self.password, password)
290
291	def getSiteRolesForPrincipal(self):
292	prm = get_principal_role_manager()
293	roles = [x[0] for x in prm.getRolesForPrincipal(self.name)
294	if x[0].startswith('waeup.')]
295	return roles
296
297	def setSiteRolesForPrincipal(self, roles):
298	prm = get_principal_role_manager()
299	old_roles = self.getSiteRolesForPrincipal()
300	if sorted(old_roles) == sorted(roles):
301	return
302	for role in old_roles:
303	# Remove old roles, not to be set now...
304	if role.startswith('waeup.') and role not in roles:
305	prm.unsetRoleForPrincipal(role, self.name)
306	for role in roles:
307	# Convert role to ASCII string to be in line with the
308	# event handler
309	prm.assignRoleToPrincipal(str(role), self.name)
310	return
311
312	roles = property(getSiteRolesForPrincipal, setSiteRolesForPrincipal)
313
314	def getLocalRoles(self):
315	return self._local_roles
316
317	def notifyLocalRoleChanged(self, obj, role_id, granted=True):
318	objects = self._local_roles.get(role_id, [])
319	if granted and obj not in objects:
320	objects.append(obj)
321	if not granted and obj in objects:
322	objects.remove(obj)
323	self._local_roles[role_id] = objects
324	if len(objects) == 0:
325	del self._local_roles[role_id]
326	self._p_changed = True
327	return
328
329
330	class UserAuthenticatorPlugin(grok.GlobalUtility):
331	grok.implements(IAuthenticatorPlugin)
332	grok.provides(IAuthenticatorPlugin)
333	grok.name('users')
334
335	def authenticateCredentials(self, credentials):
336	if not isinstance(credentials, dict):
337	return None
338	if not ('login' in credentials and 'password' in credentials):
339	return None
340	account = self.getAccount(credentials['login'])
341	if account is None:
342	return None
343	# The following shows how 'time penalties' could be enforced
344	# on failed logins. First three failed logins are 'for
345	# free'. After that the user has to wait for 1, 2, 4, 8, 16,
346	# 32, ... seconds before a login can succeed.
347	# There are, however, some problems to discuss, before we
348	# really use this in all authenticators.
349
350	#num, last = account.failed_logins.as_tuple()
351	#if (num > 2) and (time.time() < (last + 2**(num-3))):
352	# # tried login while account still blocked due to previous
353	# # login errors.
354	# return None
355	if not account.checkPassword(credentials['password']):
356	#account.failed_logins.increase()
357	return None
358	return KofaPrincipalInfo(
359	id=account.name,
360	title=account.title,
361	description=account.description,
362	email=account.email,
363	phone=account.phone,
364	public_name=account.public_name,
365	user_type=u'user')
366
367	def principalInfo(self, id):
368	account = self.getAccount(id)
369	if account is None:
370	return None
371	return KofaPrincipalInfo(
372	id=account.name,
373	title=account.title,
374	description=account.description,
375	email=account.email,
376	phone=account.phone,
377	public_name=account.public_name,
378	user_type=u'user')
379
380	def getAccount(self, login):
381	# ... look up the account object and return it ...
382	userscontainer = self.getUsersContainer()
383	if userscontainer is None:
384	return
385	return userscontainer.get(login, None)
386
387	def addAccount(self, account):
388	userscontainer = self.getUsersContainer()
389	if userscontainer is None:
390	return
391	# XXX: complain if name already exists...
392	userscontainer.addAccount(account)
393
394	def addUser(self, name, password, title=None, description=None):
395	userscontainer = self.getUsersContainer()
396	if userscontainer is None:
397	return
398	userscontainer.addUser(name, password, title, description)
399
400	def getUsersContainer(self):
401	site = grok.getSite()
402	return site['users']
403
404
405	class PasswordValidator(grok.GlobalUtility):
406
407	grok.implements(IPasswordValidator)
408
409	def validate_password(self, pw, pw_repeat):
410	errors = []
411	if len(pw) < 6:
412	errors.append(translate(_(
413	'Password must have at least 6 characters.')))
414	if pw != pw_repeat:
415	errors.append(translate(_('Passwords do not match.')))
416	return errors
417
418	def validate_secure_password(self, pw, pw_repeat):
419	"""
420	^(?=.[A-Z])(?=.[a-z])(?=.*[0-9]).{8,}$
421
422	^ Start anchor
423	(?=.*[A-Z]) Ensure password has one uppercase letters.
424	(?=.*[0-9]) Ensure password has one digit.
425	(?=.*[a-z]) Ensure password has one lowercase letter.
426	.{8,} Ensure password is of length 8.
427	$ End anchor
428	"""
429	check_pw = re.compile(r"^(?=.[A-Z])(?=.[a-z])(?=.*[0-9]).{8,}$").match
430	errors = []
431	if not check_pw(pw):
432	errors.append(translate(_(
433	'Passwords must be at least 8 characters long, '
434	'must contain at least one uppercase letter, '
435	'one lowercase letter and one digit.')))
436	if pw != pw_repeat:
437	errors.append(translate(_('Passwords do not match.')))
438	return errors
439
440
441	class LocalRoleSetEvent(object):
442
443	grok.implements(ILocalRoleSetEvent)
444
445	def __init__(self, object, role_id, principal_id, granted=True):
446	self.object = object
447	self.role_id = role_id
448	self.principal_id = principal_id
449	self.granted = granted
450
451
452	@grok.subscribe(IUserAccount, grok.IObjectRemovedEvent)
453	def handle_account_removed(account, event):
454	"""When an account is removed, local and global roles might
455	have to be deleted.
456	"""
457	local_roles = account.getLocalRoles()
458	principal = account.name
459
460	for role_id, object_list in local_roles.items():
461	for object in object_list:
462	try:
463	role_manager = IPrincipalRoleManager(object)
464	except TypeError:
465	# No Account object, no role manager, no local roles to remove
466	continue
467	role_manager.unsetRoleForPrincipal(role_id, principal)
468	role_manager = IPrincipalRoleManager(grok.getSite())
469	roles = account.getSiteRolesForPrincipal()
470	for role_id in roles:
471	role_manager.unsetRoleForPrincipal(role_id, principal)
472	return
473
474
475	@grok.subscribe(IUserAccount, grok.IObjectAddedEvent)
476	def handle_account_added(account, event):
477	"""When an account is added, the local owner role and the global
478	AcademicsOfficer role must be set.
479	"""
480	# We set the local Owner role
481	role_manager_account = IPrincipalRoleManager(account)
482	role_manager_account.assignRoleToPrincipal(
483	'waeup.local.Owner', account.name)
484	# We set the global AcademicsOfficer role
485	site = grok.getSite()
486	role_manager_site = IPrincipalRoleManager(site)
487	role_manager_site.assignRoleToPrincipal(
488	'waeup.AcademicsOfficer', account.name)
489	# Finally we have to notify the user account that the local role
490	# of the same object has changed
491	notify(LocalRoleSetEvent(
492	account, 'waeup.local.Owner', account.name, granted=True))
493	return
494
495
496	@grok.subscribe(Interface, ILocalRoleSetEvent)
497	def handle_local_role_changed(obj, event):
498	site = grok.getSite()
499	if site is None:
500	return
501	users = site.get('users', None)
502	if users is None:
503	return
504	if event.principal_id not in users.keys():
505	return
506	user = users[event.principal_id]
507	user.notifyLocalRoleChanged(event.object, event.role_id, event.granted)
508	return
509
510
511	@grok.subscribe(Interface, grok.IObjectRemovedEvent)
512	def handle_local_roles_on_obj_removed(obj, event):
513	try:
514	role_map = IPrincipalRoleMap(obj)
515	except TypeError:
516	# no map, no roles to remove
517	return
518	for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
519	notify(LocalRoleSetEvent(
520	obj, local_role, user_name, granted=False))
521	return
522
523
524	class UserAccountFactory(grok.GlobalUtility):
525	"""A factory for user accounts.
526
527	This factory is only needed for imports.
528	"""
529	grok.implements(IFactory)
530	grok.name(u'waeup.UserAccount')
531	title = u"Create a user.",
532	description = u"This factory instantiates new user account instances."
533
534	def __call__(self, args, *kw):
535	return Account(name=None, password='')
536
537	def getInterfaces(self):
538	return implementedBy(Account)
539
540
541	class UserProcessor(BatchProcessor):
542	"""The User Processor processes user accounts, i.e. `Account` objects in
543	the ``users`` container.
544
545	The `roles` columns must contain Python list
546	expressions like ``['waeup.PortalManager', 'waeup.ImportManager']``.
547
548	The processor does not import local roles. These can be imported
549	by means of batch processors in the academic section.
550	"""
551	grok.implements(IBatchProcessor)
552	grok.provides(IBatchProcessor)
553	grok.context(Interface)
554	util_name = 'userprocessor'
555	grok.name(util_name)
556
557	name = u'User Processor'
558	iface = IUserAccount
559
560	location_fields = ['name', ]
561	factory_name = 'waeup.UserAccount'
562
563	mode = None
564
565	def parentsExist(self, row, site):
566	return 'users' in site.keys()
567
568	def entryExists(self, row, site):
569	return row['name'] in site['users'].keys()
570
571	def getParent(self, row, site):
572	return site['users']
573
574	def getEntry(self, row, site):
575	if not self.entryExists(row, site):
576	return None
577	parent = self.getParent(row, site)
578	return parent.get(row['name'])
579
580	def addEntry(self, obj, row, site):
581	parent = self.getParent(row, site)
582	parent.addAccount(obj)
583	return
584
585	def delEntry(self, row, site):
586	user = self.getEntry(row, site)
587	if user is not None:
588	parent = self.getParent(row, site)
589	grok.getSite().logger.info(
590	'%s - %s - User removed' % (self.name, row['name']))
591	del parent[user.name]
592	pass
593
594	def updateEntry(self, obj, row, site, filename):
595	"""Update obj to the values given in row.
596	"""
597	changed = []
598	for key, value in row.items():
599	if key == 'roles':
600	# We cannot simply set the roles attribute here because
601	# we can't assure that the name attribute is set before
602	# the roles attribute is set.
603	continue
604	# Skip fields to be ignored.
605	if value == IGNORE_MARKER:
606	continue
607	if not hasattr(obj, key):
608	continue
609	setattr(obj, key, value)
610	changed.append('%s=%s' % (key, value))
611	roles = row.get('roles', IGNORE_MARKER)
612	if roles not in ('', IGNORE_MARKER):
613	evalvalue = eval(roles)
614	if isinstance(evalvalue, list):
615	setattr(obj, 'roles', evalvalue)
616	changed.append('roles=%s' % roles)
617	# Log actions...
618	items_changed = ', '.join(changed)
619	grok.getSite().logger.info(
620	'%s - %s - %s - updated: %s' % (
621	self.name, filename, row['name'], items_changed))
622	return
623
624	def checkConversion(self, row, mode='ignore'):
625	"""Validates all values in row.
626	"""
627	errs, inv_errs, conv_dict = super(
628	UserProcessor, self).checkConversion(row, mode=mode)
629	# We need to check if roles exist.
630	roles = row.get('roles', IGNORE_MARKER)
631	all_roles = [i[0] for i in get_all_roles()]
632	if roles not in ('', IGNORE_MARKER):
633	evalvalue = eval(roles)
634	for role in evalvalue:
635	if role not in all_roles:
636	errs.append(('roles', 'invalid role'))
637	return errs, inv_errs, conv_dict
638
639
640	class UsersPlugin(grok.GlobalUtility):
641	"""A plugin that updates users.
642	"""
643	grok.implements(IKofaPluggable)
644	grok.name('users')
645
646	deprecated_attributes = []
647
648	def setup(self, site, name, logger):
649	return
650
651	def update(self, site, name, logger):
652	users = site['users']
653	items = getFields(IUserAccount).items()
654	for user in users.values():
655	# Add new attributes
656	for i in items:
657	if not hasattr(user, i[0]):
658	setattr(user, i[0], i[1].missing_value)
659	logger.info(
660	'UsersPlugin: %s attribute %s added.' % (
661	user.name, i[0]))
662	if not hasattr(user, 'failed_logins'):
663	# add attribute `failed_logins`...
664	user.failed_logins = FailedLoginInfo()
665	logger.info(
666	'UsersPlugin: attribute failed_logins added.')
667	# Remove deprecated attributes
668	for i in self.deprecated_attributes:
669	try:
670	delattr(user, i)
671	logger.info(
672	'UsersPlugin: %s attribute %s deleted.' % (
673	user.name, i))
674	except AttributeError:
675	pass
676	return
677
678
679	class UpdatePAUPlugin(grok.GlobalUtility):
680	"""A plugin that updates a local PAU.
681
682	We insert an 'xmlrpc-credentials' PAU-plugin into a sites PAU if it is not
683	present already. There must be 'credentials' plugin registered already.
684
685	XXX: This Plugin fixes a shortcoming of waeup.kofa 1.5. Sites created or
686	updated afterwards do not need this plugin and it should be removed.
687	"""
688	grok.implements(IKofaPluggable)
689	grok.name('site-pluggable-auth')
690
691	def setup(self, site, name, logger):
692	return
693
694	def update(self, site, name, logger):
695	pau = site.getSiteManager()['PluggableAuthentication']
696	if 'xmlrpc-credentials' in pau.credentialsPlugins:
697	return
698	plugins = list(pau.credentialsPlugins)
699	plugins.insert(plugins.index('credentials'), 'xmlrpc-credentials')
700	pau.credentialsPlugins = tuple(plugins)

Note: See TracBrowser for help on using the repository browser.

Download in other formats: