[7193] | 1 | ## $Id: authentication.py 13182 2015-07-22 04:51:54Z henrik $ |
---|
| 2 | ## |
---|
| 3 | ## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann |
---|
| 4 | ## This program is free software; you can redistribute it and/or modify |
---|
| 5 | ## it under the terms of the GNU General Public License as published by |
---|
| 6 | ## the Free Software Foundation; either version 2 of the License, or |
---|
| 7 | ## (at your option) any later version. |
---|
| 8 | ## |
---|
| 9 | ## This program is distributed in the hope that it will be useful, |
---|
| 10 | ## but WITHOUT ANY WARRANTY; without even the implied warranty of |
---|
| 11 | ## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
---|
| 12 | ## GNU General Public License for more details. |
---|
| 13 | ## |
---|
| 14 | ## You should have received a copy of the GNU General Public License |
---|
| 15 | ## along with this program; if not, write to the Free Software |
---|
| 16 | ## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
---|
| 17 | ## |
---|
[7819] | 18 | """Authentication for Kofa. |
---|
[4073] | 19 | """ |
---|
| 20 | import grok |
---|
[10055] | 21 | import time |
---|
[7169] | 22 | from zope.event import notify |
---|
[5900] | 23 | from zope.component import getUtility, getUtilitiesFor |
---|
[8973] | 24 | from zope.component.interfaces import IFactory |
---|
[10055] | 25 | from zope.interface import Interface, implementedBy |
---|
[8756] | 26 | from zope.schema import getFields |
---|
[7169] | 27 | from zope.securitypolicy.interfaces import ( |
---|
| 28 | IPrincipalRoleMap, IPrincipalRoleManager) |
---|
[7233] | 29 | from zope.pluggableauth.factories import Principal |
---|
[6610] | 30 | from zope.pluggableauth.plugins.session import SessionCredentialsPlugin |
---|
| 31 | from zope.pluggableauth.interfaces import ( |
---|
[7233] | 32 | ICredentialsPlugin, IAuthenticatorPlugin, |
---|
| 33 | IAuthenticatedPrincipalFactory, AuthenticatedPrincipalCreated) |
---|
| 34 | from zope.publisher.interfaces import IRequest |
---|
[6610] | 35 | from zope.password.interfaces import IPasswordManager |
---|
[4129] | 36 | from zope.securitypolicy.principalrole import principalRoleManager |
---|
[7811] | 37 | from waeup.kofa.interfaces import (ILocalRoleSetEvent, |
---|
[7233] | 38 | IUserAccount, IAuthPluginUtility, IPasswordValidator, |
---|
[8973] | 39 | IKofaPrincipal, IKofaPrincipalInfo, IKofaPluggable, |
---|
[10055] | 40 | IBatchProcessor, IGNORE_MARKER, IFailedLoginInfo) |
---|
[8973] | 41 | from waeup.kofa.utils.batching import BatchProcessor |
---|
[12190] | 42 | from waeup.kofa.permissions import get_all_roles |
---|
[4073] | 43 | |
---|
| 44 | def setup_authentication(pau): |
---|
| 45 | """Set up plugguble authentication utility. |
---|
| 46 | |
---|
| 47 | Sets up an IAuthenticatorPlugin and |
---|
| 48 | ICredentialsPlugin (for the authentication mechanism) |
---|
[5900] | 49 | |
---|
| 50 | Then looks for any external utilities that want to modify the PAU. |
---|
[4073] | 51 | """ |
---|
[6661] | 52 | pau.credentialsPlugins = ('No Challenge if Authenticated', 'credentials') |
---|
[6672] | 53 | pau.authenticatorPlugins = ('users',) |
---|
[4073] | 54 | |
---|
[5900] | 55 | # Give any third-party code and subpackages a chance to modify the PAU |
---|
| 56 | auth_plugin_utilities = getUtilitiesFor(IAuthPluginUtility) |
---|
[5901] | 57 | for name, util in auth_plugin_utilities: |
---|
[5900] | 58 | util.register(pau) |
---|
| 59 | |
---|
[6673] | 60 | def get_principal_role_manager(): |
---|
| 61 | """Get a role manager for principals. |
---|
| 62 | |
---|
| 63 | If we are currently 'in a site', return the role manager for the |
---|
| 64 | portal or the global rolemanager else. |
---|
| 65 | """ |
---|
| 66 | portal = grok.getSite() |
---|
| 67 | if portal is not None: |
---|
| 68 | return IPrincipalRoleManager(portal) |
---|
| 69 | return principalRoleManager |
---|
| 70 | |
---|
[7819] | 71 | class KofaSessionCredentialsPlugin(grok.GlobalUtility, |
---|
[4073] | 72 | SessionCredentialsPlugin): |
---|
| 73 | grok.provides(ICredentialsPlugin) |
---|
| 74 | grok.name('credentials') |
---|
| 75 | |
---|
| 76 | loginpagename = 'login' |
---|
| 77 | loginfield = 'form.login' |
---|
| 78 | passwordfield = 'form.password' |
---|
| 79 | |
---|
[7819] | 80 | class KofaPrincipalInfo(object): |
---|
| 81 | """An implementation of IKofaPrincipalInfo. |
---|
[4073] | 82 | |
---|
[7819] | 83 | A Kofa principal info is created with id, login, title, description, |
---|
[8757] | 84 | phone, email, public_name and user_type. |
---|
[7233] | 85 | """ |
---|
[7819] | 86 | grok.implements(IKofaPrincipalInfo) |
---|
[7233] | 87 | |
---|
[10055] | 88 | def __init__(self, id, title, description, email, phone, public_name, |
---|
| 89 | user_type): |
---|
[4073] | 90 | self.id = id |
---|
| 91 | self.title = title |
---|
| 92 | self.description = description |
---|
[7233] | 93 | self.email = email |
---|
| 94 | self.phone = phone |
---|
[8757] | 95 | self.public_name = public_name |
---|
[7240] | 96 | self.user_type = user_type |
---|
[4073] | 97 | self.credentialsPlugin = None |
---|
| 98 | self.authenticatorPlugin = None |
---|
| 99 | |
---|
[10055] | 100 | def __eq__(self, obj): |
---|
| 101 | default = object() |
---|
| 102 | result = [] |
---|
| 103 | for name in ('id', 'title', 'description', 'email', 'phone', |
---|
| 104 | 'public_name', 'user_type', 'credentialsPlugin', |
---|
| 105 | 'authenticatorPlugin'): |
---|
| 106 | result.append( |
---|
| 107 | getattr(self, name) == getattr(obj, name, default)) |
---|
| 108 | return False not in result |
---|
| 109 | |
---|
[7819] | 110 | class KofaPrincipal(Principal): |
---|
[7233] | 111 | """A portal principal. |
---|
| 112 | |
---|
[10055] | 113 | Kofa principals provide an extra `email`, `phone`, `public_name` |
---|
| 114 | and `user_type` attribute extending ordinary principals. |
---|
[7233] | 115 | """ |
---|
| 116 | |
---|
[7819] | 117 | grok.implements(IKofaPrincipal) |
---|
[7233] | 118 | |
---|
| 119 | def __init__(self, id, title=u'', description=u'', email=u'', |
---|
[8757] | 120 | phone=None, public_name=u'', user_type=u'', prefix=None): |
---|
[7233] | 121 | self.id = id |
---|
[7239] | 122 | if prefix is not None: |
---|
| 123 | self.id = '%s.%s' % (prefix, self.id) |
---|
[7233] | 124 | self.title = title |
---|
| 125 | self.description = description |
---|
| 126 | self.groups = [] |
---|
| 127 | self.email = email |
---|
| 128 | self.phone = phone |
---|
[8757] | 129 | self.public_name = public_name |
---|
[7240] | 130 | self.user_type = user_type |
---|
[7233] | 131 | |
---|
| 132 | def __repr__(self): |
---|
[7819] | 133 | return 'KofaPrincipal(%r)' % self.id |
---|
[7233] | 134 | |
---|
[7819] | 135 | class AuthenticatedKofaPrincipalFactory(grok.MultiAdapter): |
---|
| 136 | """Creates 'authenticated' Kofa principals. |
---|
[7233] | 137 | |
---|
[7819] | 138 | Adapts (principal info, request) to a KofaPrincipal instance. |
---|
[7233] | 139 | |
---|
| 140 | This adapter is used by the standard PAU to transform |
---|
[7819] | 141 | KofaPrincipalInfos into KofaPrincipal instances. |
---|
[7233] | 142 | """ |
---|
[7819] | 143 | grok.adapts(IKofaPrincipalInfo, IRequest) |
---|
[7233] | 144 | grok.implements(IAuthenticatedPrincipalFactory) |
---|
| 145 | |
---|
| 146 | def __init__(self, info, request): |
---|
| 147 | self.info = info |
---|
| 148 | self.request = request |
---|
| 149 | |
---|
| 150 | def __call__(self, authentication): |
---|
[7819] | 151 | principal = KofaPrincipal( |
---|
[7233] | 152 | self.info.id, |
---|
| 153 | self.info.title, |
---|
| 154 | self.info.description, |
---|
| 155 | self.info.email, |
---|
| 156 | self.info.phone, |
---|
[8757] | 157 | self.info.public_name, |
---|
[7240] | 158 | self.info.user_type, |
---|
[7239] | 159 | authentication.prefix, |
---|
[7233] | 160 | ) |
---|
| 161 | notify( |
---|
| 162 | AuthenticatedPrincipalCreated( |
---|
| 163 | authentication, principal, self.info, self.request)) |
---|
| 164 | return principal |
---|
| 165 | |
---|
[10055] | 166 | class FailedLoginInfo(grok.Model): |
---|
| 167 | grok.implements(IFailedLoginInfo) |
---|
| 168 | |
---|
| 169 | def __init__(self, num=0, last=None): |
---|
| 170 | self.num = num |
---|
| 171 | self.last = last |
---|
| 172 | return |
---|
| 173 | |
---|
| 174 | def as_tuple(self): |
---|
| 175 | return (self.num, self.last) |
---|
| 176 | |
---|
| 177 | def set_values(self, num=0, last=None): |
---|
| 178 | self.num, self.last = num, last |
---|
| 179 | self._p_changed = True |
---|
| 180 | pass |
---|
| 181 | |
---|
| 182 | def increase(self): |
---|
| 183 | self.set_values(num=self.num + 1, last=time.time()) |
---|
| 184 | pass |
---|
| 185 | |
---|
| 186 | def reset(self): |
---|
| 187 | self.set_values(num=0, last=None) |
---|
| 188 | pass |
---|
| 189 | |
---|
[4073] | 190 | class Account(grok.Model): |
---|
[10055] | 191 | """Kofa user accounts store infos about a user. |
---|
| 192 | |
---|
| 193 | Beside the usual data and an (encrypted) password, accounts also |
---|
| 194 | have a persistent attribute `failed_logins` which is an instance |
---|
| 195 | of `waeup.kofa.authentication.FailedLoginInfo`. |
---|
| 196 | |
---|
| 197 | This attribute can be manipulated directly (set new value, |
---|
| 198 | increase values, or reset). |
---|
| 199 | """ |
---|
[4109] | 200 | grok.implements(IUserAccount) |
---|
[4129] | 201 | |
---|
[4125] | 202 | def __init__(self, name, password, title=None, description=None, |
---|
[8756] | 203 | email=None, phone=None, public_name=None, roles = []): |
---|
[4073] | 204 | self.name = name |
---|
[4087] | 205 | if title is None: |
---|
| 206 | title = name |
---|
| 207 | self.title = title |
---|
| 208 | self.description = description |
---|
[7221] | 209 | self.email = email |
---|
[7233] | 210 | self.phone = phone |
---|
[8756] | 211 | self.public_name = public_name |
---|
[12926] | 212 | self.suspended = False |
---|
[4073] | 213 | self.setPassword(password) |
---|
[7636] | 214 | self.setSiteRolesForPrincipal(roles) |
---|
[10055] | 215 | |
---|
[6180] | 216 | # We don't want to share this dict with other accounts |
---|
| 217 | self._local_roles = dict() |
---|
[10055] | 218 | self.failed_logins = FailedLoginInfo() |
---|
[4073] | 219 | |
---|
| 220 | def setPassword(self, password): |
---|
[8343] | 221 | passwordmanager = getUtility(IPasswordManager, 'SSHA') |
---|
[4073] | 222 | self.password = passwordmanager.encodePassword(password) |
---|
| 223 | |
---|
| 224 | def checkPassword(self, password): |
---|
[8344] | 225 | if not isinstance(password, basestring): |
---|
| 226 | return False |
---|
| 227 | if not self.password: |
---|
| 228 | # unset/empty passwords do never match |
---|
| 229 | return False |
---|
[12926] | 230 | if self.suspended == True: |
---|
| 231 | return False |
---|
[8343] | 232 | passwordmanager = getUtility(IPasswordManager, 'SSHA') |
---|
[4073] | 233 | return passwordmanager.checkPassword(self.password, password) |
---|
| 234 | |
---|
[7177] | 235 | def getSiteRolesForPrincipal(self): |
---|
[6673] | 236 | prm = get_principal_role_manager() |
---|
[4129] | 237 | roles = [x[0] for x in prm.getRolesForPrincipal(self.name) |
---|
| 238 | if x[0].startswith('waeup.')] |
---|
| 239 | return roles |
---|
[5055] | 240 | |
---|
[7177] | 241 | def setSiteRolesForPrincipal(self, roles): |
---|
[6673] | 242 | prm = get_principal_role_manager() |
---|
[7177] | 243 | old_roles = self.getSiteRolesForPrincipal() |
---|
[7658] | 244 | if sorted(old_roles) == sorted(roles): |
---|
| 245 | return |
---|
[4129] | 246 | for role in old_roles: |
---|
| 247 | # Remove old roles, not to be set now... |
---|
| 248 | if role.startswith('waeup.') and role not in roles: |
---|
| 249 | prm.unsetRoleForPrincipal(role, self.name) |
---|
| 250 | for role in roles: |
---|
[7658] | 251 | # Convert role to ASCII string to be in line with the |
---|
| 252 | # event handler |
---|
| 253 | prm.assignRoleToPrincipal(str(role), self.name) |
---|
| 254 | return |
---|
[4129] | 255 | |
---|
[7177] | 256 | roles = property(getSiteRolesForPrincipal, setSiteRolesForPrincipal) |
---|
[4129] | 257 | |
---|
[6180] | 258 | def getLocalRoles(self): |
---|
| 259 | return self._local_roles |
---|
| 260 | |
---|
| 261 | def notifyLocalRoleChanged(self, obj, role_id, granted=True): |
---|
| 262 | objects = self._local_roles.get(role_id, []) |
---|
| 263 | if granted and obj not in objects: |
---|
| 264 | objects.append(obj) |
---|
| 265 | if not granted and obj in objects: |
---|
| 266 | objects.remove(obj) |
---|
| 267 | self._local_roles[role_id] = objects |
---|
| 268 | if len(objects) == 0: |
---|
| 269 | del self._local_roles[role_id] |
---|
[6182] | 270 | self._p_changed = True |
---|
[6180] | 271 | return |
---|
| 272 | |
---|
[4073] | 273 | class UserAuthenticatorPlugin(grok.GlobalUtility): |
---|
[6625] | 274 | grok.implements(IAuthenticatorPlugin) |
---|
[4073] | 275 | grok.provides(IAuthenticatorPlugin) |
---|
| 276 | grok.name('users') |
---|
| 277 | |
---|
| 278 | def authenticateCredentials(self, credentials): |
---|
| 279 | if not isinstance(credentials, dict): |
---|
| 280 | return None |
---|
| 281 | if not ('login' in credentials and 'password' in credentials): |
---|
| 282 | return None |
---|
| 283 | account = self.getAccount(credentials['login']) |
---|
| 284 | if account is None: |
---|
| 285 | return None |
---|
[10055] | 286 | # The following shows how 'time penalties' could be enforced |
---|
| 287 | # on failed logins. First three failed logins are 'for |
---|
| 288 | # free'. After that the user has to wait for 1, 2, 4, 8, 16, |
---|
| 289 | # 32, ... seconds before a login can succeed. |
---|
| 290 | # There are, however, some problems to discuss, before we |
---|
| 291 | # really use this in all authenticators. |
---|
| 292 | |
---|
| 293 | #num, last = account.failed_logins.as_tuple() |
---|
| 294 | #if (num > 2) and (time.time() < (last + 2**(num-3))): |
---|
| 295 | # # tried login while account still blocked due to previous |
---|
| 296 | # # login errors. |
---|
| 297 | # return None |
---|
[4073] | 298 | if not account.checkPassword(credentials['password']): |
---|
[10055] | 299 | #account.failed_logins.increase() |
---|
[4073] | 300 | return None |
---|
[7819] | 301 | return KofaPrincipalInfo( |
---|
[7315] | 302 | id=account.name, |
---|
| 303 | title=account.title, |
---|
| 304 | description=account.description, |
---|
| 305 | email=account.email, |
---|
| 306 | phone=account.phone, |
---|
[8757] | 307 | public_name=account.public_name, |
---|
[7315] | 308 | user_type=u'user') |
---|
[4073] | 309 | |
---|
| 310 | def principalInfo(self, id): |
---|
| 311 | account = self.getAccount(id) |
---|
| 312 | if account is None: |
---|
| 313 | return None |
---|
[7819] | 314 | return KofaPrincipalInfo( |
---|
[7315] | 315 | id=account.name, |
---|
| 316 | title=account.title, |
---|
| 317 | description=account.description, |
---|
| 318 | email=account.email, |
---|
| 319 | phone=account.phone, |
---|
[8757] | 320 | public_name=account.public_name, |
---|
[7315] | 321 | user_type=u'user') |
---|
[4073] | 322 | |
---|
| 323 | def getAccount(self, login): |
---|
[4087] | 324 | # ... look up the account object and return it ... |
---|
[7172] | 325 | userscontainer = self.getUsersContainer() |
---|
| 326 | if userscontainer is None: |
---|
[4087] | 327 | return |
---|
[7172] | 328 | return userscontainer.get(login, None) |
---|
[4087] | 329 | |
---|
| 330 | def addAccount(self, account): |
---|
[7172] | 331 | userscontainer = self.getUsersContainer() |
---|
| 332 | if userscontainer is None: |
---|
[4087] | 333 | return |
---|
| 334 | # XXX: complain if name already exists... |
---|
[7172] | 335 | userscontainer.addAccount(account) |
---|
[4087] | 336 | |
---|
[4091] | 337 | def addUser(self, name, password, title=None, description=None): |
---|
[7172] | 338 | userscontainer = self.getUsersContainer() |
---|
| 339 | if userscontainer is None: |
---|
[4091] | 340 | return |
---|
[7172] | 341 | userscontainer.addUser(name, password, title, description) |
---|
[5055] | 342 | |
---|
[7172] | 343 | def getUsersContainer(self): |
---|
[4087] | 344 | site = grok.getSite() |
---|
[4743] | 345 | return site['users'] |
---|
[6203] | 346 | |
---|
[7147] | 347 | class PasswordValidator(grok.GlobalUtility): |
---|
| 348 | |
---|
| 349 | grok.implements(IPasswordValidator) |
---|
| 350 | |
---|
| 351 | def validate_password(self, pw, pw_repeat): |
---|
| 352 | errors = [] |
---|
| 353 | if len(pw) < 3: |
---|
| 354 | errors.append('Password must have at least 3 chars.') |
---|
| 355 | if pw != pw_repeat: |
---|
| 356 | errors.append('Passwords do not match.') |
---|
| 357 | return errors |
---|
| 358 | |
---|
[7169] | 359 | class LocalRoleSetEvent(object): |
---|
| 360 | |
---|
| 361 | grok.implements(ILocalRoleSetEvent) |
---|
| 362 | |
---|
| 363 | def __init__(self, object, role_id, principal_id, granted=True): |
---|
| 364 | self.object = object |
---|
| 365 | self.role_id = role_id |
---|
| 366 | self.principal_id = principal_id |
---|
| 367 | self.granted = granted |
---|
| 368 | |
---|
[6203] | 369 | @grok.subscribe(IUserAccount, grok.IObjectRemovedEvent) |
---|
[6839] | 370 | def handle_account_removed(account, event): |
---|
[9313] | 371 | """When an account is removed, local and global roles might |
---|
| 372 | have to be deleted. |
---|
[6203] | 373 | """ |
---|
| 374 | local_roles = account.getLocalRoles() |
---|
| 375 | principal = account.name |
---|
[9313] | 376 | |
---|
[6203] | 377 | for role_id, object_list in local_roles.items(): |
---|
| 378 | for object in object_list: |
---|
| 379 | try: |
---|
| 380 | role_manager = IPrincipalRoleManager(object) |
---|
| 381 | except TypeError: |
---|
[9313] | 382 | # No Account object, no role manager, no local roles to remove |
---|
[6203] | 383 | continue |
---|
| 384 | role_manager.unsetRoleForPrincipal(role_id, principal) |
---|
[9313] | 385 | role_manager = IPrincipalRoleManager(grok.getSite()) |
---|
| 386 | roles = account.getSiteRolesForPrincipal() |
---|
| 387 | for role_id in roles: |
---|
| 388 | role_manager.unsetRoleForPrincipal(role_id, principal) |
---|
[6203] | 389 | return |
---|
[7169] | 390 | |
---|
| 391 | @grok.subscribe(IUserAccount, grok.IObjectAddedEvent) |
---|
| 392 | def handle_account_added(account, event): |
---|
| 393 | """When an account is added, the local owner role and the global |
---|
[7185] | 394 | AcademicsOfficer role must be set. |
---|
[7169] | 395 | """ |
---|
[7173] | 396 | # We set the local Owner role |
---|
| 397 | role_manager_account = IPrincipalRoleManager(account) |
---|
| 398 | role_manager_account.assignRoleToPrincipal( |
---|
[7169] | 399 | 'waeup.local.Owner', account.name) |
---|
[7185] | 400 | # We set the global AcademicsOfficer role |
---|
[7173] | 401 | site = grok.getSite() |
---|
| 402 | role_manager_site = IPrincipalRoleManager(site) |
---|
| 403 | role_manager_site.assignRoleToPrincipal( |
---|
[7185] | 404 | 'waeup.AcademicsOfficer', account.name) |
---|
[7173] | 405 | # Finally we have to notify the user account that the local role |
---|
[7169] | 406 | # of the same object has changed |
---|
| 407 | notify(LocalRoleSetEvent( |
---|
| 408 | account, 'waeup.local.Owner', account.name, granted=True)) |
---|
| 409 | return |
---|
| 410 | |
---|
| 411 | @grok.subscribe(Interface, ILocalRoleSetEvent) |
---|
| 412 | def handle_local_role_changed(obj, event): |
---|
| 413 | site = grok.getSite() |
---|
| 414 | if site is None: |
---|
| 415 | return |
---|
| 416 | users = site.get('users', None) |
---|
| 417 | if users is None: |
---|
| 418 | return |
---|
| 419 | if event.principal_id not in users.keys(): |
---|
| 420 | return |
---|
| 421 | user = users[event.principal_id] |
---|
| 422 | user.notifyLocalRoleChanged(event.object, event.role_id, event.granted) |
---|
| 423 | return |
---|
| 424 | |
---|
| 425 | @grok.subscribe(Interface, grok.IObjectRemovedEvent) |
---|
| 426 | def handle_local_roles_on_obj_removed(obj, event): |
---|
| 427 | try: |
---|
| 428 | role_map = IPrincipalRoleMap(obj) |
---|
| 429 | except TypeError: |
---|
| 430 | # no map, no roles to remove |
---|
| 431 | return |
---|
| 432 | for local_role, user_name, setting in role_map.getPrincipalsAndRoles(): |
---|
| 433 | notify(LocalRoleSetEvent( |
---|
| 434 | obj, local_role, user_name, granted=False)) |
---|
[7315] | 435 | return |
---|
[8756] | 436 | |
---|
[8973] | 437 | class UserAccountFactory(grok.GlobalUtility): |
---|
| 438 | """A factory for user accounts. |
---|
| 439 | |
---|
| 440 | This factory is only needed for imports. |
---|
| 441 | """ |
---|
| 442 | grok.implements(IFactory) |
---|
| 443 | grok.name(u'waeup.UserAccount') |
---|
| 444 | title = u"Create a user.", |
---|
| 445 | description = u"This factory instantiates new user account instances." |
---|
| 446 | |
---|
| 447 | def __call__(self, *args, **kw): |
---|
| 448 | return Account(name=None, password='') |
---|
| 449 | |
---|
| 450 | def getInterfaces(self): |
---|
| 451 | return implementedBy(Account) |
---|
| 452 | |
---|
| 453 | class UserProcessor(BatchProcessor): |
---|
[12869] | 454 | """The User Processor processes user accounts, i.e. `Account` objects in the |
---|
| 455 | ``users`` container. |
---|
| 456 | |
---|
| 457 | The `roles` columns must contain Python list |
---|
| 458 | expressions like ``['waeup.PortalManager', 'waeup.ImportManager']``. |
---|
| 459 | |
---|
| 460 | The processor does not import local roles. These can be imported |
---|
| 461 | by means of batch processors in the academic section. |
---|
[8973] | 462 | """ |
---|
| 463 | grok.implements(IBatchProcessor) |
---|
| 464 | grok.provides(IBatchProcessor) |
---|
| 465 | grok.context(Interface) |
---|
| 466 | util_name = 'userprocessor' |
---|
| 467 | grok.name(util_name) |
---|
| 468 | |
---|
| 469 | name = u'User Processor' |
---|
| 470 | iface = IUserAccount |
---|
| 471 | |
---|
| 472 | location_fields = ['name',] |
---|
| 473 | factory_name = 'waeup.UserAccount' |
---|
| 474 | |
---|
| 475 | mode = None |
---|
| 476 | |
---|
| 477 | def parentsExist(self, row, site): |
---|
| 478 | return 'users' in site.keys() |
---|
| 479 | |
---|
| 480 | def entryExists(self, row, site): |
---|
| 481 | return row['name'] in site['users'].keys() |
---|
| 482 | |
---|
| 483 | def getParent(self, row, site): |
---|
| 484 | return site['users'] |
---|
| 485 | |
---|
| 486 | def getEntry(self, row, site): |
---|
| 487 | if not self.entryExists(row, site): |
---|
| 488 | return None |
---|
| 489 | parent = self.getParent(row, site) |
---|
| 490 | return parent.get(row['name']) |
---|
| 491 | |
---|
| 492 | def addEntry(self, obj, row, site): |
---|
| 493 | parent = self.getParent(row, site) |
---|
| 494 | parent.addAccount(obj) |
---|
| 495 | return |
---|
| 496 | |
---|
[13182] | 497 | def delEntry(self, row, site): |
---|
| 498 | user = self.getEntry(row, site) |
---|
| 499 | if user is not None: |
---|
| 500 | parent = self.getParent(row, site) |
---|
| 501 | grok.getSite().logger.info('%s - %s - User removed' |
---|
| 502 | % (self.name, row['name'])) |
---|
| 503 | del parent[user.name] |
---|
| 504 | pass |
---|
| 505 | |
---|
[9706] | 506 | def updateEntry(self, obj, row, site, filename): |
---|
[9312] | 507 | """Update obj to the values given in row. |
---|
| 508 | """ |
---|
| 509 | changed = [] |
---|
| 510 | for key, value in row.items(): |
---|
| 511 | if key == 'roles': |
---|
| 512 | # We cannot simply set the roles attribute here because |
---|
| 513 | # we can't assure that the name attribute is set before |
---|
| 514 | # the roles attribute is set. |
---|
| 515 | continue |
---|
| 516 | # Skip fields to be ignored. |
---|
| 517 | if value == IGNORE_MARKER: |
---|
| 518 | continue |
---|
| 519 | if not hasattr(obj, key): |
---|
| 520 | continue |
---|
| 521 | setattr(obj, key, value) |
---|
| 522 | changed.append('%s=%s' % (key, value)) |
---|
| 523 | roles = row.get('roles', IGNORE_MARKER) |
---|
| 524 | if roles not in ('', IGNORE_MARKER): |
---|
| 525 | evalvalue = eval(roles) |
---|
| 526 | if isinstance(evalvalue, list): |
---|
| 527 | setattr(obj, 'roles', evalvalue) |
---|
| 528 | changed.append('roles=%s' % roles) |
---|
| 529 | # Log actions... |
---|
| 530 | items_changed = ', '.join(changed) |
---|
[9706] | 531 | grok.getSite().logger.info('%s - %s - %s - updated: %s' |
---|
| 532 | % (self.name, filename, row['name'], items_changed)) |
---|
[9312] | 533 | return |
---|
[8973] | 534 | |
---|
[12190] | 535 | def checkConversion(self, row, mode='ignore'): |
---|
| 536 | """Validates all values in row. |
---|
| 537 | """ |
---|
| 538 | errs, inv_errs, conv_dict = super( |
---|
| 539 | UserProcessor, self).checkConversion(row, mode=mode) |
---|
| 540 | # We need to check if roles exist. |
---|
[13181] | 541 | roles = row.get('roles', IGNORE_MARKER) |
---|
[12190] | 542 | all_roles = [i[0] for i in get_all_roles()] |
---|
| 543 | if roles not in ('', IGNORE_MARKER): |
---|
| 544 | evalvalue = eval(roles) |
---|
| 545 | for role in evalvalue: |
---|
| 546 | if role not in all_roles: |
---|
| 547 | errs.append(('roles','invalid role')) |
---|
| 548 | return errs, inv_errs, conv_dict |
---|
| 549 | |
---|
[8756] | 550 | class UsersPlugin(grok.GlobalUtility): |
---|
| 551 | """A plugin that updates users. |
---|
| 552 | """ |
---|
| 553 | grok.implements(IKofaPluggable) |
---|
| 554 | grok.name('users') |
---|
| 555 | |
---|
| 556 | deprecated_attributes = [] |
---|
| 557 | |
---|
| 558 | def setup(self, site, name, logger): |
---|
| 559 | return |
---|
| 560 | |
---|
| 561 | def update(self, site, name, logger): |
---|
| 562 | users = site['users'] |
---|
| 563 | items = getFields(IUserAccount).items() |
---|
| 564 | for user in users.values(): |
---|
| 565 | # Add new attributes |
---|
| 566 | for i in items: |
---|
| 567 | if not hasattr(user,i[0]): |
---|
| 568 | setattr(user,i[0],i[1].missing_value) |
---|
| 569 | logger.info( |
---|
| 570 | 'UsersPlugin: %s attribute %s added.' % ( |
---|
| 571 | user.name,i[0])) |
---|
[10055] | 572 | if not hasattr(user, 'failed_logins'): |
---|
| 573 | # add attribute `failed_logins`... |
---|
| 574 | user.failed_logins = FailedLoginInfo() |
---|
| 575 | logger.info( |
---|
| 576 | 'UsersPlugin: attribute failed_logins added.') |
---|
[8756] | 577 | # Remove deprecated attributes |
---|
| 578 | for i in self.deprecated_attributes: |
---|
| 579 | try: |
---|
| 580 | delattr(user,i) |
---|
| 581 | logger.info( |
---|
| 582 | 'UsersPlugin: %s attribute %s deleted.' % ( |
---|
| 583 | user.name,i)) |
---|
| 584 | except AttributeError: |
---|
| 585 | pass |
---|
[10055] | 586 | return |
---|