[7193] | 1 | ## $Id: authentication.py 7819 2012-03-08 22:28:46Z henrik $ |
---|
| 2 | ## |
---|
| 3 | ## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann |
---|
| 4 | ## This program is free software; you can redistribute it and/or modify |
---|
| 5 | ## it under the terms of the GNU General Public License as published by |
---|
| 6 | ## the Free Software Foundation; either version 2 of the License, or |
---|
| 7 | ## (at your option) any later version. |
---|
| 8 | ## |
---|
| 9 | ## This program is distributed in the hope that it will be useful, |
---|
| 10 | ## but WITHOUT ANY WARRANTY; without even the implied warranty of |
---|
| 11 | ## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
---|
| 12 | ## GNU General Public License for more details. |
---|
| 13 | ## |
---|
| 14 | ## You should have received a copy of the GNU General Public License |
---|
| 15 | ## along with this program; if not, write to the Free Software |
---|
| 16 | ## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
---|
| 17 | ## |
---|
[7819] | 18 | """Authentication for Kofa. |
---|
[4073] | 19 | """ |
---|
| 20 | import grok |
---|
[7169] | 21 | from zope.event import notify |
---|
[5900] | 22 | from zope.component import getUtility, getUtilitiesFor |
---|
[7169] | 23 | from zope.interface import Interface |
---|
| 24 | from zope.securitypolicy.interfaces import ( |
---|
| 25 | IPrincipalRoleMap, IPrincipalRoleManager) |
---|
[7233] | 26 | from zope.pluggableauth.factories import Principal |
---|
[6610] | 27 | from zope.pluggableauth.plugins.session import SessionCredentialsPlugin |
---|
| 28 | from zope.pluggableauth.interfaces import ( |
---|
[7233] | 29 | ICredentialsPlugin, IAuthenticatorPlugin, |
---|
| 30 | IAuthenticatedPrincipalFactory, AuthenticatedPrincipalCreated) |
---|
| 31 | from zope.publisher.interfaces import IRequest |
---|
[6610] | 32 | from zope.password.interfaces import IPasswordManager |
---|
[4129] | 33 | from zope.securitypolicy.principalrole import principalRoleManager |
---|
[7811] | 34 | from waeup.kofa.interfaces import (ILocalRoleSetEvent, |
---|
[7233] | 35 | IUserAccount, IAuthPluginUtility, IPasswordValidator, |
---|
[7819] | 36 | IKofaPrincipal, IKofaPrincipalInfo) |
---|
[4073] | 37 | |
---|
| 38 | def setup_authentication(pau): |
---|
| 39 | """Set up plugguble authentication utility. |
---|
| 40 | |
---|
| 41 | Sets up an IAuthenticatorPlugin and |
---|
| 42 | ICredentialsPlugin (for the authentication mechanism) |
---|
[5900] | 43 | |
---|
| 44 | Then looks for any external utilities that want to modify the PAU. |
---|
[4073] | 45 | """ |
---|
[6661] | 46 | pau.credentialsPlugins = ('No Challenge if Authenticated', 'credentials') |
---|
[6672] | 47 | pau.authenticatorPlugins = ('users',) |
---|
[4073] | 48 | |
---|
[5900] | 49 | # Give any third-party code and subpackages a chance to modify the PAU |
---|
| 50 | auth_plugin_utilities = getUtilitiesFor(IAuthPluginUtility) |
---|
[5901] | 51 | for name, util in auth_plugin_utilities: |
---|
[5900] | 52 | util.register(pau) |
---|
| 53 | |
---|
[6673] | 54 | def get_principal_role_manager(): |
---|
| 55 | """Get a role manager for principals. |
---|
| 56 | |
---|
| 57 | If we are currently 'in a site', return the role manager for the |
---|
| 58 | portal or the global rolemanager else. |
---|
| 59 | """ |
---|
| 60 | portal = grok.getSite() |
---|
| 61 | if portal is not None: |
---|
| 62 | return IPrincipalRoleManager(portal) |
---|
| 63 | return principalRoleManager |
---|
| 64 | |
---|
[7819] | 65 | class KofaSessionCredentialsPlugin(grok.GlobalUtility, |
---|
[4073] | 66 | SessionCredentialsPlugin): |
---|
| 67 | grok.provides(ICredentialsPlugin) |
---|
| 68 | grok.name('credentials') |
---|
| 69 | |
---|
| 70 | loginpagename = 'login' |
---|
| 71 | loginfield = 'form.login' |
---|
| 72 | passwordfield = 'form.password' |
---|
| 73 | |
---|
[7819] | 74 | class KofaPrincipalInfo(object): |
---|
| 75 | """An implementation of IKofaPrincipalInfo. |
---|
[4073] | 76 | |
---|
[7819] | 77 | A Kofa principal info is created with id, login, title, description, |
---|
[7240] | 78 | phone, email and user_type. |
---|
[7233] | 79 | """ |
---|
[7819] | 80 | grok.implements(IKofaPrincipalInfo) |
---|
[7233] | 81 | |
---|
[7240] | 82 | def __init__(self, id, title, description, email, phone, user_type): |
---|
[4073] | 83 | self.id = id |
---|
| 84 | self.title = title |
---|
| 85 | self.description = description |
---|
[7233] | 86 | self.email = email |
---|
| 87 | self.phone = phone |
---|
[7240] | 88 | self.user_type = user_type |
---|
[4073] | 89 | self.credentialsPlugin = None |
---|
| 90 | self.authenticatorPlugin = None |
---|
| 91 | |
---|
[7819] | 92 | class KofaPrincipal(Principal): |
---|
[7233] | 93 | """A portal principal. |
---|
| 94 | |
---|
[7819] | 95 | Kofa principals provide an extra `email`, `phone` and `user_type` |
---|
[7233] | 96 | attribute extending ordinary principals. |
---|
| 97 | """ |
---|
| 98 | |
---|
[7819] | 99 | grok.implements(IKofaPrincipal) |
---|
[7233] | 100 | |
---|
| 101 | def __init__(self, id, title=u'', description=u'', email=u'', |
---|
[7240] | 102 | phone=None, user_type=u'', prefix=None): |
---|
[7233] | 103 | self.id = id |
---|
[7239] | 104 | if prefix is not None: |
---|
| 105 | self.id = '%s.%s' % (prefix, self.id) |
---|
[7233] | 106 | self.title = title |
---|
| 107 | self.description = description |
---|
| 108 | self.groups = [] |
---|
| 109 | self.email = email |
---|
| 110 | self.phone = phone |
---|
[7240] | 111 | self.user_type = user_type |
---|
[7233] | 112 | |
---|
| 113 | def __repr__(self): |
---|
[7819] | 114 | return 'KofaPrincipal(%r)' % self.id |
---|
[7233] | 115 | |
---|
[7819] | 116 | class AuthenticatedKofaPrincipalFactory(grok.MultiAdapter): |
---|
| 117 | """Creates 'authenticated' Kofa principals. |
---|
[7233] | 118 | |
---|
[7819] | 119 | Adapts (principal info, request) to a KofaPrincipal instance. |
---|
[7233] | 120 | |
---|
| 121 | This adapter is used by the standard PAU to transform |
---|
[7819] | 122 | KofaPrincipalInfos into KofaPrincipal instances. |
---|
[7233] | 123 | """ |
---|
[7819] | 124 | grok.adapts(IKofaPrincipalInfo, IRequest) |
---|
[7233] | 125 | grok.implements(IAuthenticatedPrincipalFactory) |
---|
| 126 | |
---|
| 127 | def __init__(self, info, request): |
---|
| 128 | self.info = info |
---|
| 129 | self.request = request |
---|
| 130 | |
---|
| 131 | def __call__(self, authentication): |
---|
[7819] | 132 | principal = KofaPrincipal( |
---|
[7233] | 133 | self.info.id, |
---|
| 134 | self.info.title, |
---|
| 135 | self.info.description, |
---|
| 136 | self.info.email, |
---|
| 137 | self.info.phone, |
---|
[7240] | 138 | self.info.user_type, |
---|
[7239] | 139 | authentication.prefix, |
---|
[7233] | 140 | ) |
---|
| 141 | notify( |
---|
| 142 | AuthenticatedPrincipalCreated( |
---|
| 143 | authentication, principal, self.info, self.request)) |
---|
| 144 | return principal |
---|
| 145 | |
---|
[4073] | 146 | class Account(grok.Model): |
---|
[4109] | 147 | grok.implements(IUserAccount) |
---|
[4129] | 148 | |
---|
[6180] | 149 | _local_roles = dict() |
---|
| 150 | |
---|
[4125] | 151 | def __init__(self, name, password, title=None, description=None, |
---|
[7636] | 152 | email=None, phone=None, roles = []): |
---|
[4073] | 153 | self.name = name |
---|
[4087] | 154 | if title is None: |
---|
| 155 | title = name |
---|
| 156 | self.title = title |
---|
| 157 | self.description = description |
---|
[7221] | 158 | self.email = email |
---|
[7233] | 159 | self.phone = phone |
---|
[4073] | 160 | self.setPassword(password) |
---|
[7636] | 161 | self.setSiteRolesForPrincipal(roles) |
---|
[6180] | 162 | # We don't want to share this dict with other accounts |
---|
| 163 | self._local_roles = dict() |
---|
[4073] | 164 | |
---|
| 165 | def setPassword(self, password): |
---|
| 166 | passwordmanager = getUtility(IPasswordManager, 'SHA1') |
---|
| 167 | self.password = passwordmanager.encodePassword(password) |
---|
| 168 | |
---|
| 169 | def checkPassword(self, password): |
---|
| 170 | passwordmanager = getUtility(IPasswordManager, 'SHA1') |
---|
| 171 | return passwordmanager.checkPassword(self.password, password) |
---|
| 172 | |
---|
[7177] | 173 | def getSiteRolesForPrincipal(self): |
---|
[6673] | 174 | prm = get_principal_role_manager() |
---|
[4129] | 175 | roles = [x[0] for x in prm.getRolesForPrincipal(self.name) |
---|
| 176 | if x[0].startswith('waeup.')] |
---|
| 177 | return roles |
---|
[5055] | 178 | |
---|
[7177] | 179 | def setSiteRolesForPrincipal(self, roles): |
---|
[6673] | 180 | prm = get_principal_role_manager() |
---|
[7177] | 181 | old_roles = self.getSiteRolesForPrincipal() |
---|
[7658] | 182 | if sorted(old_roles) == sorted(roles): |
---|
| 183 | return |
---|
[4129] | 184 | for role in old_roles: |
---|
| 185 | # Remove old roles, not to be set now... |
---|
| 186 | if role.startswith('waeup.') and role not in roles: |
---|
| 187 | prm.unsetRoleForPrincipal(role, self.name) |
---|
| 188 | for role in roles: |
---|
[7658] | 189 | # Convert role to ASCII string to be in line with the |
---|
| 190 | # event handler |
---|
| 191 | prm.assignRoleToPrincipal(str(role), self.name) |
---|
| 192 | return |
---|
[4129] | 193 | |
---|
[7177] | 194 | roles = property(getSiteRolesForPrincipal, setSiteRolesForPrincipal) |
---|
[4129] | 195 | |
---|
[6180] | 196 | def getLocalRoles(self): |
---|
| 197 | return self._local_roles |
---|
| 198 | |
---|
| 199 | def notifyLocalRoleChanged(self, obj, role_id, granted=True): |
---|
| 200 | objects = self._local_roles.get(role_id, []) |
---|
| 201 | if granted and obj not in objects: |
---|
| 202 | objects.append(obj) |
---|
| 203 | if not granted and obj in objects: |
---|
| 204 | objects.remove(obj) |
---|
| 205 | self._local_roles[role_id] = objects |
---|
| 206 | if len(objects) == 0: |
---|
| 207 | del self._local_roles[role_id] |
---|
[6182] | 208 | self._p_changed = True |
---|
[6180] | 209 | return |
---|
| 210 | |
---|
[4073] | 211 | class UserAuthenticatorPlugin(grok.GlobalUtility): |
---|
[6625] | 212 | grok.implements(IAuthenticatorPlugin) |
---|
[4073] | 213 | grok.provides(IAuthenticatorPlugin) |
---|
| 214 | grok.name('users') |
---|
| 215 | |
---|
| 216 | def authenticateCredentials(self, credentials): |
---|
| 217 | if not isinstance(credentials, dict): |
---|
| 218 | return None |
---|
| 219 | if not ('login' in credentials and 'password' in credentials): |
---|
| 220 | return None |
---|
| 221 | account = self.getAccount(credentials['login']) |
---|
| 222 | if account is None: |
---|
| 223 | return None |
---|
| 224 | if not account.checkPassword(credentials['password']): |
---|
| 225 | return None |
---|
[7819] | 226 | return KofaPrincipalInfo( |
---|
[7315] | 227 | id=account.name, |
---|
| 228 | title=account.title, |
---|
| 229 | description=account.description, |
---|
| 230 | email=account.email, |
---|
| 231 | phone=account.phone, |
---|
| 232 | user_type=u'user') |
---|
[4073] | 233 | |
---|
| 234 | def principalInfo(self, id): |
---|
| 235 | account = self.getAccount(id) |
---|
| 236 | if account is None: |
---|
| 237 | return None |
---|
[7819] | 238 | return KofaPrincipalInfo( |
---|
[7315] | 239 | id=account.name, |
---|
| 240 | title=account.title, |
---|
| 241 | description=account.description, |
---|
| 242 | email=account.email, |
---|
| 243 | phone=account.phone, |
---|
| 244 | user_type=u'user') |
---|
[4073] | 245 | |
---|
| 246 | def getAccount(self, login): |
---|
[4087] | 247 | # ... look up the account object and return it ... |
---|
[7172] | 248 | userscontainer = self.getUsersContainer() |
---|
| 249 | if userscontainer is None: |
---|
[4087] | 250 | return |
---|
[7172] | 251 | return userscontainer.get(login, None) |
---|
[4087] | 252 | |
---|
| 253 | def addAccount(self, account): |
---|
[7172] | 254 | userscontainer = self.getUsersContainer() |
---|
| 255 | if userscontainer is None: |
---|
[4087] | 256 | return |
---|
| 257 | # XXX: complain if name already exists... |
---|
[7172] | 258 | userscontainer.addAccount(account) |
---|
[4087] | 259 | |
---|
[4091] | 260 | def addUser(self, name, password, title=None, description=None): |
---|
[7172] | 261 | userscontainer = self.getUsersContainer() |
---|
| 262 | if userscontainer is None: |
---|
[4091] | 263 | return |
---|
[7172] | 264 | userscontainer.addUser(name, password, title, description) |
---|
[5055] | 265 | |
---|
[7172] | 266 | def getUsersContainer(self): |
---|
[4087] | 267 | site = grok.getSite() |
---|
[4743] | 268 | return site['users'] |
---|
[6203] | 269 | |
---|
[7147] | 270 | class PasswordValidator(grok.GlobalUtility): |
---|
| 271 | |
---|
| 272 | grok.implements(IPasswordValidator) |
---|
| 273 | |
---|
| 274 | def validate_password(self, pw, pw_repeat): |
---|
| 275 | errors = [] |
---|
| 276 | if len(pw) < 3: |
---|
| 277 | errors.append('Password must have at least 3 chars.') |
---|
| 278 | if pw != pw_repeat: |
---|
| 279 | errors.append('Passwords do not match.') |
---|
| 280 | return errors |
---|
| 281 | |
---|
[7169] | 282 | class LocalRoleSetEvent(object): |
---|
| 283 | |
---|
| 284 | grok.implements(ILocalRoleSetEvent) |
---|
| 285 | |
---|
| 286 | def __init__(self, object, role_id, principal_id, granted=True): |
---|
| 287 | self.object = object |
---|
| 288 | self.role_id = role_id |
---|
| 289 | self.principal_id = principal_id |
---|
| 290 | self.granted = granted |
---|
| 291 | |
---|
[6203] | 292 | @grok.subscribe(IUserAccount, grok.IObjectRemovedEvent) |
---|
[6839] | 293 | def handle_account_removed(account, event): |
---|
[6203] | 294 | """When an account is removed, local roles might have to be deleted. |
---|
| 295 | """ |
---|
| 296 | local_roles = account.getLocalRoles() |
---|
| 297 | principal = account.name |
---|
| 298 | for role_id, object_list in local_roles.items(): |
---|
| 299 | for object in object_list: |
---|
| 300 | try: |
---|
| 301 | role_manager = IPrincipalRoleManager(object) |
---|
| 302 | except TypeError: |
---|
| 303 | # No role manager, no roles to remove |
---|
| 304 | continue |
---|
| 305 | role_manager.unsetRoleForPrincipal(role_id, principal) |
---|
| 306 | return |
---|
[7169] | 307 | |
---|
| 308 | @grok.subscribe(IUserAccount, grok.IObjectAddedEvent) |
---|
| 309 | def handle_account_added(account, event): |
---|
| 310 | """When an account is added, the local owner role and the global |
---|
[7185] | 311 | AcademicsOfficer role must be set. |
---|
[7169] | 312 | """ |
---|
[7173] | 313 | # We set the local Owner role |
---|
| 314 | role_manager_account = IPrincipalRoleManager(account) |
---|
| 315 | role_manager_account.assignRoleToPrincipal( |
---|
[7169] | 316 | 'waeup.local.Owner', account.name) |
---|
[7185] | 317 | # We set the global AcademicsOfficer role |
---|
[7173] | 318 | site = grok.getSite() |
---|
| 319 | role_manager_site = IPrincipalRoleManager(site) |
---|
| 320 | role_manager_site.assignRoleToPrincipal( |
---|
[7185] | 321 | 'waeup.AcademicsOfficer', account.name) |
---|
[7173] | 322 | # Finally we have to notify the user account that the local role |
---|
[7169] | 323 | # of the same object has changed |
---|
| 324 | notify(LocalRoleSetEvent( |
---|
| 325 | account, 'waeup.local.Owner', account.name, granted=True)) |
---|
| 326 | return |
---|
| 327 | |
---|
| 328 | @grok.subscribe(Interface, ILocalRoleSetEvent) |
---|
| 329 | def handle_local_role_changed(obj, event): |
---|
| 330 | site = grok.getSite() |
---|
| 331 | if site is None: |
---|
| 332 | return |
---|
| 333 | users = site.get('users', None) |
---|
| 334 | if users is None: |
---|
| 335 | return |
---|
| 336 | role_id = event.role_id |
---|
| 337 | if event.principal_id not in users.keys(): |
---|
| 338 | return |
---|
| 339 | user = users[event.principal_id] |
---|
| 340 | user.notifyLocalRoleChanged(event.object, event.role_id, event.granted) |
---|
| 341 | return |
---|
| 342 | |
---|
| 343 | @grok.subscribe(Interface, grok.IObjectRemovedEvent) |
---|
| 344 | def handle_local_roles_on_obj_removed(obj, event): |
---|
| 345 | try: |
---|
| 346 | role_map = IPrincipalRoleMap(obj) |
---|
| 347 | except TypeError: |
---|
| 348 | # no map, no roles to remove |
---|
| 349 | return |
---|
| 350 | for local_role, user_name, setting in role_map.getPrincipalsAndRoles(): |
---|
| 351 | notify(LocalRoleSetEvent( |
---|
| 352 | obj, local_role, user_name, granted=False)) |
---|
[7315] | 353 | return |
---|