Context navigation

authentication.py @ 17952

Last change on this file since 17952 was 14670, checked in by uli, 8 years ago

Add IKofaPluggable to update local PAU.

The new plugin enables updating of sites that have
yet no XMLRPC authentication enabled.

The plugin can be removed after updating all sites.

New sites (university-instances) do not need this
plugin at all.

Property svn:keywords set to Id

File size: 22.2 KB

Line
1	## $Id: authentication.py 14670 2017-04-06 12:20:41Z uli $
2	##
3	## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
4	## This program is free software; you can redistribute it and/or modify
5	## it under the terms of the GNU General Public License as published by
6	## the Free Software Foundation; either version 2 of the License, or
7	## (at your option) any later version.
8	##
9	## This program is distributed in the hope that it will be useful,
10	## but WITHOUT ANY WARRANTY; without even the implied warranty of
11	## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12	## GNU General Public License for more details.
13	##
14	## You should have received a copy of the GNU General Public License
15	## along with this program; if not, write to the Free Software
16	## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
17	##
18	"""Authentication for Kofa.
19	"""
20	import grok
21	import time
22	from zope.event import notify
23	from zope.component import getUtility, getUtilitiesFor
24	from zope.component.interfaces import IFactory
25	from zope.interface import Interface, implementedBy
26	from zope.schema import getFields
27	from zope.securitypolicy.interfaces import (
28	IPrincipalRoleMap, IPrincipalRoleManager)
29	from zope.pluggableauth.factories import Principal
30	from zope.pluggableauth.plugins.session import SessionCredentialsPlugin
31	from zope.pluggableauth.plugins.httpplugins import (
32	HTTPBasicAuthCredentialsPlugin)
33	from zope.pluggableauth.interfaces import (
34	ICredentialsPlugin, IAuthenticatorPlugin, IAuthenticatedPrincipalFactory,
35	AuthenticatedPrincipalCreated)
36	from zope.publisher.interfaces import IRequest
37	from zope.password.interfaces import IPasswordManager
38	from zope.securitypolicy.principalrole import principalRoleManager
39	from waeup.kofa.interfaces import (
40	ILocalRoleSetEvent, IUserAccount, IAuthPluginUtility, IPasswordValidator,
41	IKofaPrincipal, IKofaPrincipalInfo, IKofaPluggable, IBatchProcessor,
42	IGNORE_MARKER, IFailedLoginInfo)
43	from waeup.kofa.utils.batching import BatchProcessor
44	from waeup.kofa.permissions import get_all_roles
45
46
47	def setup_authentication(pau):
48	"""Set up plugguble authentication utility.
49
50	Sets up an IAuthenticatorPlugin and
51	ICredentialsPlugin (for the authentication mechanism)
52
53	Then looks for any external utilities that want to modify the PAU.
54	"""
55	pau.credentialsPlugins = (
56	'No Challenge if Authenticated',
57	'xmlrpc-credentials',
58	'credentials')
59	pau.authenticatorPlugins = ('users',)
60
61	# Give any third-party code and subpackages a chance to modify the PAU
62	auth_plugin_utilities = getUtilitiesFor(IAuthPluginUtility)
63	for name, util in auth_plugin_utilities:
64	util.register(pau)
65
66
67	def get_principal_role_manager():
68	"""Get a role manager for principals.
69
70	If we are currently 'in a site', return the role manager for the
71	portal or the global rolemanager else.
72	"""
73	portal = grok.getSite()
74	if portal is not None:
75	return IPrincipalRoleManager(portal)
76	return principalRoleManager
77
78
79	class KofaSessionCredentialsPlugin(
80	grok.GlobalUtility, SessionCredentialsPlugin):
81	"""Session plugin that picks usernames/passwords from fields in webforms.
82	"""
83	grok.provides(ICredentialsPlugin)
84	grok.name('credentials')
85
86	loginpagename = 'login'
87	loginfield = 'form.login'
88	passwordfield = 'form.password'
89
90
91	class KofaXMLRPCCredentialsPlugin(
92	grok.GlobalUtility, HTTPBasicAuthCredentialsPlugin):
93	"""Plugin that picks useranams/passwords from basic-auth headers.
94
95	As XMLRPC requests send/post their authentication credentials in HTTP
96	basic-auth headers, we need a plugin that can handle this.
97
98	This plugin, however, does no challenging. If a user does not provide
99	basic-auth infos, we will not ask for some. This is correct as we plan to
100	communicate with machines.
101
102	This plugin is planned to be used in "PluggableAuthenitications" registered
103	with `University` instances.
104	"""
105	grok.provides(ICredentialsPlugin)
106	grok.name('xmlrpc-credentials')
107
108	def challenge(self, request):
109	"""XMLRPC is for machines. No need to challenge.
110	"""
111	return False
112
113	def logout(self, request):
114	"""Basic auth does not provide any logout possibility.
115	"""
116	return False
117
118
119	class KofaPrincipalInfo(object):
120	"""An implementation of IKofaPrincipalInfo.
121
122	A Kofa principal info is created with id, login, title, description,
123	phone, email, public_name and user_type.
124	"""
125	grok.implements(IKofaPrincipalInfo)
126
127	def __init__(self, id, title, description, email, phone, public_name,
128	user_type):
129	self.id = id
130	self.title = title
131	self.description = description
132	self.email = email
133	self.phone = phone
134	self.public_name = public_name
135	self.user_type = user_type
136	self.credentialsPlugin = None
137	self.authenticatorPlugin = None
138
139	def __eq__(self, obj):
140	default = object()
141	result = []
142	for name in ('id', 'title', 'description', 'email', 'phone',
143	'public_name', 'user_type', 'credentialsPlugin',
144	'authenticatorPlugin'):
145	result.append(
146	getattr(self, name) == getattr(obj, name, default))
147	return False not in result
148
149
150	class KofaPrincipal(Principal):
151	"""A portal principal.
152
153	Kofa principals provide an extra `email`, `phone`, `public_name`
154	and `user_type` attribute extending ordinary principals.
155	"""
156
157	grok.implements(IKofaPrincipal)
158
159	def __init__(self, id, title=u'', description=u'', email=u'',
160	phone=None, public_name=u'', user_type=u'', prefix=None):
161	self.id = id
162	if prefix is not None:
163	self.id = '%s.%s' % (prefix, self.id)
164	self.title = title
165	self.description = description
166	self.groups = []
167	self.email = email
168	self.phone = phone
169	self.public_name = public_name
170	self.user_type = user_type
171
172	def __repr__(self):
173	return 'KofaPrincipal(%r)' % self.id
174
175
176	class AuthenticatedKofaPrincipalFactory(grok.MultiAdapter):
177	"""Creates 'authenticated' Kofa principals.
178
179	Adapts (principal info, request) to a KofaPrincipal instance.
180
181	This adapter is used by the standard PAU to transform
182	KofaPrincipalInfos into KofaPrincipal instances.
183	"""
184	grok.adapts(IKofaPrincipalInfo, IRequest)
185	grok.implements(IAuthenticatedPrincipalFactory)
186
187	def __init__(self, info, request):
188	self.info = info
189	self.request = request
190
191	def __call__(self, authentication):
192	principal = KofaPrincipal(
193	self.info.id,
194	self.info.title,
195	self.info.description,
196	self.info.email,
197	self.info.phone,
198	self.info.public_name,
199	self.info.user_type,
200	authentication.prefix,
201	)
202	notify(
203	AuthenticatedPrincipalCreated(
204	authentication, principal, self.info, self.request))
205	return principal
206
207
208	class FailedLoginInfo(grok.Model):
209	grok.implements(IFailedLoginInfo)
210
211	def __init__(self, num=0, last=None):
212	self.num = num
213	self.last = last
214	return
215
216	def as_tuple(self):
217	return (self.num, self.last)
218
219	def set_values(self, num=0, last=None):
220	self.num, self.last = num, last
221	self._p_changed = True
222	pass
223
224	def increase(self):
225	self.set_values(num=self.num + 1, last=time.time())
226	pass
227
228	def reset(self):
229	self.set_values(num=0, last=None)
230	pass
231
232
233	class Account(grok.Model):
234	"""Kofa user accounts store infos about a user.
235
236	Beside the usual data and an (encrypted) password, accounts also
237	have a persistent attribute `failed_logins` which is an instance
238	of `waeup.kofa.authentication.FailedLoginInfo`.
239
240	This attribute can be manipulated directly (set new value,
241	increase values, or reset).
242	"""
243	grok.implements(IUserAccount)
244
245	def __init__(self, name, password, title=None, description=None,
246	email=None, phone=None, public_name=None, roles=[]):
247	self.name = name
248	if title is None:
249	title = name
250	self.title = title
251	self.description = description
252	self.email = email
253	self.phone = phone
254	self.public_name = public_name
255	self.suspended = False
256	self.setPassword(password)
257	self.setSiteRolesForPrincipal(roles)
258
259	# We don't want to share this dict with other accounts
260	self._local_roles = dict()
261	self.failed_logins = FailedLoginInfo()
262
263	def setPassword(self, password):
264	passwordmanager = getUtility(IPasswordManager, 'SSHA')
265	self.password = passwordmanager.encodePassword(password)
266
267	def checkPassword(self, password):
268	try:
269	blocker = grok.getSite()['configuration'].maintmode_enabled_by
270	if blocker and blocker != self.name:
271	return False
272	except (TypeError, KeyError): # in unit tests
273	pass
274	if not isinstance(password, basestring):
275	return False
276	if not self.password:
277	# unset/empty passwords do never match
278	return False
279	if self.suspended:
280	return False
281	passwordmanager = getUtility(IPasswordManager, 'SSHA')
282	return passwordmanager.checkPassword(self.password, password)
283
284	def getSiteRolesForPrincipal(self):
285	prm = get_principal_role_manager()
286	roles = [x[0] for x in prm.getRolesForPrincipal(self.name)
287	if x[0].startswith('waeup.')]
288	return roles
289
290	def setSiteRolesForPrincipal(self, roles):
291	prm = get_principal_role_manager()
292	old_roles = self.getSiteRolesForPrincipal()
293	if sorted(old_roles) == sorted(roles):
294	return
295	for role in old_roles:
296	# Remove old roles, not to be set now...
297	if role.startswith('waeup.') and role not in roles:
298	prm.unsetRoleForPrincipal(role, self.name)
299	for role in roles:
300	# Convert role to ASCII string to be in line with the
301	# event handler
302	prm.assignRoleToPrincipal(str(role), self.name)
303	return
304
305	roles = property(getSiteRolesForPrincipal, setSiteRolesForPrincipal)
306
307	def getLocalRoles(self):
308	return self._local_roles
309
310	def notifyLocalRoleChanged(self, obj, role_id, granted=True):
311	objects = self._local_roles.get(role_id, [])
312	if granted and obj not in objects:
313	objects.append(obj)
314	if not granted and obj in objects:
315	objects.remove(obj)
316	self._local_roles[role_id] = objects
317	if len(objects) == 0:
318	del self._local_roles[role_id]
319	self._p_changed = True
320	return
321
322
323	class UserAuthenticatorPlugin(grok.GlobalUtility):
324	grok.implements(IAuthenticatorPlugin)
325	grok.provides(IAuthenticatorPlugin)
326	grok.name('users')
327
328	def authenticateCredentials(self, credentials):
329	if not isinstance(credentials, dict):
330	return None
331	if not ('login' in credentials and 'password' in credentials):
332	return None
333	account = self.getAccount(credentials['login'])
334	if account is None:
335	return None
336	# The following shows how 'time penalties' could be enforced
337	# on failed logins. First three failed logins are 'for
338	# free'. After that the user has to wait for 1, 2, 4, 8, 16,
339	# 32, ... seconds before a login can succeed.
340	# There are, however, some problems to discuss, before we
341	# really use this in all authenticators.
342
343	#num, last = account.failed_logins.as_tuple()
344	#if (num > 2) and (time.time() < (last + 2**(num-3))):
345	# # tried login while account still blocked due to previous
346	# # login errors.
347	# return None
348	if not account.checkPassword(credentials['password']):
349	#account.failed_logins.increase()
350	return None
351	return KofaPrincipalInfo(
352	id=account.name,
353	title=account.title,
354	description=account.description,
355	email=account.email,
356	phone=account.phone,
357	public_name=account.public_name,
358	user_type=u'user')
359
360	def principalInfo(self, id):
361	account = self.getAccount(id)
362	if account is None:
363	return None
364	return KofaPrincipalInfo(
365	id=account.name,
366	title=account.title,
367	description=account.description,
368	email=account.email,
369	phone=account.phone,
370	public_name=account.public_name,
371	user_type=u'user')
372
373	def getAccount(self, login):
374	# ... look up the account object and return it ...
375	userscontainer = self.getUsersContainer()
376	if userscontainer is None:
377	return
378	return userscontainer.get(login, None)
379
380	def addAccount(self, account):
381	userscontainer = self.getUsersContainer()
382	if userscontainer is None:
383	return
384	# XXX: complain if name already exists...
385	userscontainer.addAccount(account)
386
387	def addUser(self, name, password, title=None, description=None):
388	userscontainer = self.getUsersContainer()
389	if userscontainer is None:
390	return
391	userscontainer.addUser(name, password, title, description)
392
393	def getUsersContainer(self):
394	site = grok.getSite()
395	return site['users']
396
397
398	class PasswordValidator(grok.GlobalUtility):
399
400	grok.implements(IPasswordValidator)
401
402	def validate_password(self, pw, pw_repeat):
403	errors = []
404	if len(pw) < 3:
405	errors.append('Password must have at least 3 chars.')
406	if pw != pw_repeat:
407	errors.append('Passwords do not match.')
408	return errors
409
410
411	class LocalRoleSetEvent(object):
412
413	grok.implements(ILocalRoleSetEvent)
414
415	def __init__(self, object, role_id, principal_id, granted=True):
416	self.object = object
417	self.role_id = role_id
418	self.principal_id = principal_id
419	self.granted = granted
420
421
422	@grok.subscribe(IUserAccount, grok.IObjectRemovedEvent)
423	def handle_account_removed(account, event):
424	"""When an account is removed, local and global roles might
425	have to be deleted.
426	"""
427	local_roles = account.getLocalRoles()
428	principal = account.name
429
430	for role_id, object_list in local_roles.items():
431	for object in object_list:
432	try:
433	role_manager = IPrincipalRoleManager(object)
434	except TypeError:
435	# No Account object, no role manager, no local roles to remove
436	continue
437	role_manager.unsetRoleForPrincipal(role_id, principal)
438	role_manager = IPrincipalRoleManager(grok.getSite())
439	roles = account.getSiteRolesForPrincipal()
440	for role_id in roles:
441	role_manager.unsetRoleForPrincipal(role_id, principal)
442	return
443
444
445	@grok.subscribe(IUserAccount, grok.IObjectAddedEvent)
446	def handle_account_added(account, event):
447	"""When an account is added, the local owner role and the global
448	AcademicsOfficer role must be set.
449	"""
450	# We set the local Owner role
451	role_manager_account = IPrincipalRoleManager(account)
452	role_manager_account.assignRoleToPrincipal(
453	'waeup.local.Owner', account.name)
454	# We set the global AcademicsOfficer role
455	site = grok.getSite()
456	role_manager_site = IPrincipalRoleManager(site)
457	role_manager_site.assignRoleToPrincipal(
458	'waeup.AcademicsOfficer', account.name)
459	# Finally we have to notify the user account that the local role
460	# of the same object has changed
461	notify(LocalRoleSetEvent(
462	account, 'waeup.local.Owner', account.name, granted=True))
463	return
464
465
466	@grok.subscribe(Interface, ILocalRoleSetEvent)
467	def handle_local_role_changed(obj, event):
468	site = grok.getSite()
469	if site is None:
470	return
471	users = site.get('users', None)
472	if users is None:
473	return
474	if event.principal_id not in users.keys():
475	return
476	user = users[event.principal_id]
477	user.notifyLocalRoleChanged(event.object, event.role_id, event.granted)
478	return
479
480
481	@grok.subscribe(Interface, grok.IObjectRemovedEvent)
482	def handle_local_roles_on_obj_removed(obj, event):
483	try:
484	role_map = IPrincipalRoleMap(obj)
485	except TypeError:
486	# no map, no roles to remove
487	return
488	for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
489	notify(LocalRoleSetEvent(
490	obj, local_role, user_name, granted=False))
491	return
492
493
494	class UserAccountFactory(grok.GlobalUtility):
495	"""A factory for user accounts.
496
497	This factory is only needed for imports.
498	"""
499	grok.implements(IFactory)
500	grok.name(u'waeup.UserAccount')
501	title = u"Create a user.",
502	description = u"This factory instantiates new user account instances."
503
504	def __call__(self, args, *kw):
505	return Account(name=None, password='')
506
507	def getInterfaces(self):
508	return implementedBy(Account)
509
510
511	class UserProcessor(BatchProcessor):
512	"""The User Processor processes user accounts, i.e. `Account` objects in
513	the ``users`` container.
514
515	The `roles` columns must contain Python list
516	expressions like ``['waeup.PortalManager', 'waeup.ImportManager']``.
517
518	The processor does not import local roles. These can be imported
519	by means of batch processors in the academic section.
520	"""
521	grok.implements(IBatchProcessor)
522	grok.provides(IBatchProcessor)
523	grok.context(Interface)
524	util_name = 'userprocessor'
525	grok.name(util_name)
526
527	name = u'User Processor'
528	iface = IUserAccount
529
530	location_fields = ['name', ]
531	factory_name = 'waeup.UserAccount'
532
533	mode = None
534
535	def parentsExist(self, row, site):
536	return 'users' in site.keys()
537
538	def entryExists(self, row, site):
539	return row['name'] in site['users'].keys()
540
541	def getParent(self, row, site):
542	return site['users']
543
544	def getEntry(self, row, site):
545	if not self.entryExists(row, site):
546	return None
547	parent = self.getParent(row, site)
548	return parent.get(row['name'])
549
550	def addEntry(self, obj, row, site):
551	parent = self.getParent(row, site)
552	parent.addAccount(obj)
553	return
554
555	def delEntry(self, row, site):
556	user = self.getEntry(row, site)
557	if user is not None:
558	parent = self.getParent(row, site)
559	grok.getSite().logger.info(
560	'%s - %s - User removed' % (self.name, row['name']))
561	del parent[user.name]
562	pass
563
564	def updateEntry(self, obj, row, site, filename):
565	"""Update obj to the values given in row.
566	"""
567	changed = []
568	for key, value in row.items():
569	if key == 'roles':
570	# We cannot simply set the roles attribute here because
571	# we can't assure that the name attribute is set before
572	# the roles attribute is set.
573	continue
574	# Skip fields to be ignored.
575	if value == IGNORE_MARKER:
576	continue
577	if not hasattr(obj, key):
578	continue
579	setattr(obj, key, value)
580	changed.append('%s=%s' % (key, value))
581	roles = row.get('roles', IGNORE_MARKER)
582	if roles not in ('', IGNORE_MARKER):
583	evalvalue = eval(roles)
584	if isinstance(evalvalue, list):
585	setattr(obj, 'roles', evalvalue)
586	changed.append('roles=%s' % roles)
587	# Log actions...
588	items_changed = ', '.join(changed)
589	grok.getSite().logger.info(
590	'%s - %s - %s - updated: %s' % (
591	self.name, filename, row['name'], items_changed))
592	return
593
594	def checkConversion(self, row, mode='ignore'):
595	"""Validates all values in row.
596	"""
597	errs, inv_errs, conv_dict = super(
598	UserProcessor, self).checkConversion(row, mode=mode)
599	# We need to check if roles exist.
600	roles = row.get('roles', IGNORE_MARKER)
601	all_roles = [i[0] for i in get_all_roles()]
602	if roles not in ('', IGNORE_MARKER):
603	evalvalue = eval(roles)
604	for role in evalvalue:
605	if role not in all_roles:
606	errs.append(('roles', 'invalid role'))
607	return errs, inv_errs, conv_dict
608
609
610	class UsersPlugin(grok.GlobalUtility):
611	"""A plugin that updates users.
612	"""
613	grok.implements(IKofaPluggable)
614	grok.name('users')
615
616	deprecated_attributes = []
617
618	def setup(self, site, name, logger):
619	return
620
621	def update(self, site, name, logger):
622	users = site['users']
623	items = getFields(IUserAccount).items()
624	for user in users.values():
625	# Add new attributes
626	for i in items:
627	if not hasattr(user, i[0]):
628	setattr(user, i[0], i[1].missing_value)
629	logger.info(
630	'UsersPlugin: %s attribute %s added.' % (
631	user.name, i[0]))
632	if not hasattr(user, 'failed_logins'):
633	# add attribute `failed_logins`...
634	user.failed_logins = FailedLoginInfo()
635	logger.info(
636	'UsersPlugin: attribute failed_logins added.')
637	# Remove deprecated attributes
638	for i in self.deprecated_attributes:
639	try:
640	delattr(user, i)
641	logger.info(
642	'UsersPlugin: %s attribute %s deleted.' % (
643	user.name, i))
644	except AttributeError:
645	pass
646	return
647
648
649	class UpdatePAUPlugin(grok.GlobalUtility):
650	"""A plugin that updates a local PAU.
651
652	We insert an 'xmlrpc-credentials' PAU-plugin into a sites PAU if it is not
653	present already. There must be 'credentials' plugin registered already.
654
655	XXX: This Plugin fixes a shortcoming of waeup.kofa 1.5. Sites created or
656	updated afterwards do not need this plugin and it should be removed.
657	"""
658	grok.implements(IKofaPluggable)
659	grok.name('site-pluggable-auth')
660
661	def setup(self, site, name, logger):
662	return
663
664	def update(self, site, name, logger):
665	pau = site.getSiteManager()['PluggableAuthentication']
666	if 'xmlrpc-credentials' in pau.credentialsPlugins:
667	return
668	plugins = list(pau.credentialsPlugins)
669	plugins.insert(plugins.index('credentials'), 'xmlrpc-credentials')
670	pau.credentialsPlugins = tuple(plugins)

Note: See TracBrowser for help on using the repository browser.

Context navigation

source: main/waeup.kofa/branches/uli-rm-bootstrap/src/waeup/kofa/authentication.py @ 17952

Download in other formats: