Context navigation

source: main/waeup.kofa/trunk/src/waeup/kofa/authentication.py @ 9418

Last change on this file since 9418 was 9313, checked in by Henrik Bettermann, 12 years ago
Also site (global) roles must be unset when removin a user.
Property svn:keywords set to `Id`
File size: 16.4 KB

Rev	Line
[7193]	1	## $Id: authentication.py 9313 2012-10-08 09:16:59Z henrik $
	2	##
	3	## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
	4	## This program is free software; you can redistribute it and/or modify
	5	## it under the terms of the GNU General Public License as published by
	6	## the Free Software Foundation; either version 2 of the License, or
	7	## (at your option) any later version.
	8	##
	9	## This program is distributed in the hope that it will be useful,
	10	## but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	## GNU General Public License for more details.
	13	##
	14	## You should have received a copy of the GNU General Public License
	15	## along with this program; if not, write to the Free Software
	16	## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
	17	##
[7819]	18	"""Authentication for Kofa.
[4073]	19	"""
	20	import grok
[7169]	21	from zope.event import notify
[5900]	22	from zope.component import getUtility, getUtilitiesFor
[8973]	23	from zope.component.interfaces import IFactory
[7169]	24	from zope.interface import Interface
[8756]	25	from zope.schema import getFields
[7169]	26	from zope.securitypolicy.interfaces import (
	27	IPrincipalRoleMap, IPrincipalRoleManager)
[7233]	28	from zope.pluggableauth.factories import Principal
[6610]	29	from zope.pluggableauth.plugins.session import SessionCredentialsPlugin
	30	from zope.pluggableauth.interfaces import (
[7233]	31	ICredentialsPlugin, IAuthenticatorPlugin,
	32	IAuthenticatedPrincipalFactory, AuthenticatedPrincipalCreated)
	33	from zope.publisher.interfaces import IRequest
[6610]	34	from zope.password.interfaces import IPasswordManager
[4129]	35	from zope.securitypolicy.principalrole import principalRoleManager
[7811]	36	from waeup.kofa.interfaces import (ILocalRoleSetEvent,
[7233]	37	IUserAccount, IAuthPluginUtility, IPasswordValidator,
[8973]	38	IKofaPrincipal, IKofaPrincipalInfo, IKofaPluggable,
[9312]	39	IBatchProcessor, IGNORE_MARKER)
[8973]	40	from waeup.kofa.utils.batching import BatchProcessor
[4073]	41
	42	def setup_authentication(pau):
	43	"""Set up plugguble authentication utility.
	44
	45	Sets up an IAuthenticatorPlugin and
	46	ICredentialsPlugin (for the authentication mechanism)
[5900]	47
	48	Then looks for any external utilities that want to modify the PAU.
[4073]	49	"""
[6661]	50	pau.credentialsPlugins = ('No Challenge if Authenticated', 'credentials')
[6672]	51	pau.authenticatorPlugins = ('users',)
[4073]	52
[5900]	53	# Give any third-party code and subpackages a chance to modify the PAU
	54	auth_plugin_utilities = getUtilitiesFor(IAuthPluginUtility)
[5901]	55	for name, util in auth_plugin_utilities:
[5900]	56	util.register(pau)
	57
[6673]	58	def get_principal_role_manager():
	59	"""Get a role manager for principals.
	60
	61	If we are currently 'in a site', return the role manager for the
	62	portal or the global rolemanager else.
	63	"""
	64	portal = grok.getSite()
	65	if portal is not None:
	66	return IPrincipalRoleManager(portal)
	67	return principalRoleManager
	68
[7819]	69	class KofaSessionCredentialsPlugin(grok.GlobalUtility,
[4073]	70	SessionCredentialsPlugin):
	71	grok.provides(ICredentialsPlugin)
	72	grok.name('credentials')
	73
	74	loginpagename = 'login'
	75	loginfield = 'form.login'
	76	passwordfield = 'form.password'
	77
[7819]	78	class KofaPrincipalInfo(object):
	79	"""An implementation of IKofaPrincipalInfo.
[4073]	80
[7819]	81	A Kofa principal info is created with id, login, title, description,
[8757]	82	phone, email, public_name and user_type.
[7233]	83	"""
[7819]	84	grok.implements(IKofaPrincipalInfo)
[7233]	85
[8757]	86	def __init__(self, id, title, description, email, phone, public_name, user_type):
[4073]	87	self.id = id
	88	self.title = title
	89	self.description = description
[7233]	90	self.email = email
	91	self.phone = phone
[8757]	92	self.public_name = public_name
[7240]	93	self.user_type = user_type
[4073]	94	self.credentialsPlugin = None
	95	self.authenticatorPlugin = None
	96
[7819]	97	class KofaPrincipal(Principal):
[7233]	98	"""A portal principal.
	99
[8757]	100	Kofa principals provide an extra `email`, `phone`, `public_name` and `user_type`
[7233]	101	attribute extending ordinary principals.
	102	"""
	103
[7819]	104	grok.implements(IKofaPrincipal)
[7233]	105
	106	def __init__(self, id, title=u'', description=u'', email=u'',
[8757]	107	phone=None, public_name=u'', user_type=u'', prefix=None):
[7233]	108	self.id = id
[7239]	109	if prefix is not None:
	110	self.id = '%s.%s' % (prefix, self.id)
[7233]	111	self.title = title
	112	self.description = description
	113	self.groups = []
	114	self.email = email
	115	self.phone = phone
[8757]	116	self.public_name = public_name
[7240]	117	self.user_type = user_type
[7233]	118
	119	def __repr__(self):
[7819]	120	return 'KofaPrincipal(%r)' % self.id
[7233]	121
[7819]	122	class AuthenticatedKofaPrincipalFactory(grok.MultiAdapter):
	123	"""Creates 'authenticated' Kofa principals.
[7233]	124
[7819]	125	Adapts (principal info, request) to a KofaPrincipal instance.
[7233]	126
	127	This adapter is used by the standard PAU to transform
[7819]	128	KofaPrincipalInfos into KofaPrincipal instances.
[7233]	129	"""
[7819]	130	grok.adapts(IKofaPrincipalInfo, IRequest)
[7233]	131	grok.implements(IAuthenticatedPrincipalFactory)
	132
	133	def __init__(self, info, request):
	134	self.info = info
	135	self.request = request
	136
	137	def __call__(self, authentication):
[7819]	138	principal = KofaPrincipal(
[7233]	139	self.info.id,
	140	self.info.title,
	141	self.info.description,
	142	self.info.email,
	143	self.info.phone,
[8757]	144	self.info.public_name,
[7240]	145	self.info.user_type,
[7239]	146	authentication.prefix,
[7233]	147	)
	148	notify(
	149	AuthenticatedPrincipalCreated(
	150	authentication, principal, self.info, self.request))
	151	return principal
	152
[4073]	153	class Account(grok.Model):
[4109]	154	grok.implements(IUserAccount)
[4129]	155
[6180]	156	_local_roles = dict()
	157
[4125]	158	def __init__(self, name, password, title=None, description=None,
[8756]	159	email=None, phone=None, public_name=None, roles = []):
[4073]	160	self.name = name
[4087]	161	if title is None:
	162	title = name
	163	self.title = title
	164	self.description = description
[7221]	165	self.email = email
[7233]	166	self.phone = phone
[8756]	167	self.public_name = public_name
[4073]	168	self.setPassword(password)
[7636]	169	self.setSiteRolesForPrincipal(roles)
[6180]	170	# We don't want to share this dict with other accounts
	171	self._local_roles = dict()
[4073]	172
	173	def setPassword(self, password):
[8343]	174	passwordmanager = getUtility(IPasswordManager, 'SSHA')
[4073]	175	self.password = passwordmanager.encodePassword(password)
	176
	177	def checkPassword(self, password):
[8344]	178	if not isinstance(password, basestring):
	179	return False
	180	if not self.password:
	181	# unset/empty passwords do never match
	182	return False
[8343]	183	passwordmanager = getUtility(IPasswordManager, 'SSHA')
[4073]	184	return passwordmanager.checkPassword(self.password, password)
	185
[7177]	186	def getSiteRolesForPrincipal(self):
[6673]	187	prm = get_principal_role_manager()
[4129]	188	roles = [x[0] for x in prm.getRolesForPrincipal(self.name)
	189	if x[0].startswith('waeup.')]
	190	return roles
[5055]	191
[7177]	192	def setSiteRolesForPrincipal(self, roles):
[6673]	193	prm = get_principal_role_manager()
[7177]	194	old_roles = self.getSiteRolesForPrincipal()
[7658]	195	if sorted(old_roles) == sorted(roles):
	196	return
[4129]	197	for role in old_roles:
	198	# Remove old roles, not to be set now...
	199	if role.startswith('waeup.') and role not in roles:
	200	prm.unsetRoleForPrincipal(role, self.name)
	201	for role in roles:
[7658]	202	# Convert role to ASCII string to be in line with the
	203	# event handler
	204	prm.assignRoleToPrincipal(str(role), self.name)
	205	return
[4129]	206
[7177]	207	roles = property(getSiteRolesForPrincipal, setSiteRolesForPrincipal)
[4129]	208
[6180]	209	def getLocalRoles(self):
	210	return self._local_roles
	211
	212	def notifyLocalRoleChanged(self, obj, role_id, granted=True):
	213	objects = self._local_roles.get(role_id, [])
	214	if granted and obj not in objects:
	215	objects.append(obj)
	216	if not granted and obj in objects:
	217	objects.remove(obj)
	218	self._local_roles[role_id] = objects
	219	if len(objects) == 0:
	220	del self._local_roles[role_id]
[6182]	221	self._p_changed = True
[6180]	222	return
	223
[4073]	224	class UserAuthenticatorPlugin(grok.GlobalUtility):
[6625]	225	grok.implements(IAuthenticatorPlugin)
[4073]	226	grok.provides(IAuthenticatorPlugin)
	227	grok.name('users')
	228
	229	def authenticateCredentials(self, credentials):
	230	if not isinstance(credentials, dict):
	231	return None
	232	if not ('login' in credentials and 'password' in credentials):
	233	return None
	234	account = self.getAccount(credentials['login'])
	235	if account is None:
	236	return None
	237	if not account.checkPassword(credentials['password']):
	238	return None
[7819]	239	return KofaPrincipalInfo(
[7315]	240	id=account.name,
	241	title=account.title,
	242	description=account.description,
	243	email=account.email,
	244	phone=account.phone,
[8757]	245	public_name=account.public_name,
[7315]	246	user_type=u'user')
[4073]	247
	248	def principalInfo(self, id):
	249	account = self.getAccount(id)
	250	if account is None:
	251	return None
[7819]	252	return KofaPrincipalInfo(
[7315]	253	id=account.name,
	254	title=account.title,
	255	description=account.description,
	256	email=account.email,
	257	phone=account.phone,
[8757]	258	public_name=account.public_name,
[7315]	259	user_type=u'user')
[4073]	260
	261	def getAccount(self, login):
[4087]	262	# ... look up the account object and return it ...
[7172]	263	userscontainer = self.getUsersContainer()
	264	if userscontainer is None:
[4087]	265	return
[7172]	266	return userscontainer.get(login, None)
[4087]	267
	268	def addAccount(self, account):
[7172]	269	userscontainer = self.getUsersContainer()
	270	if userscontainer is None:
[4087]	271	return
	272	# XXX: complain if name already exists...
[7172]	273	userscontainer.addAccount(account)
[4087]	274
[4091]	275	def addUser(self, name, password, title=None, description=None):
[7172]	276	userscontainer = self.getUsersContainer()
	277	if userscontainer is None:
[4091]	278	return
[7172]	279	userscontainer.addUser(name, password, title, description)
[5055]	280
[7172]	281	def getUsersContainer(self):
[4087]	282	site = grok.getSite()
[4743]	283	return site['users']
[6203]	284
[7147]	285	class PasswordValidator(grok.GlobalUtility):
	286
	287	grok.implements(IPasswordValidator)
	288
	289	def validate_password(self, pw, pw_repeat):
	290	errors = []
	291	if len(pw) < 3:
	292	errors.append('Password must have at least 3 chars.')
	293	if pw != pw_repeat:
	294	errors.append('Passwords do not match.')
	295	return errors
	296
[7169]	297	class LocalRoleSetEvent(object):
	298
	299	grok.implements(ILocalRoleSetEvent)
	300
	301	def __init__(self, object, role_id, principal_id, granted=True):
	302	self.object = object
	303	self.role_id = role_id
	304	self.principal_id = principal_id
	305	self.granted = granted
	306
[6203]	307	@grok.subscribe(IUserAccount, grok.IObjectRemovedEvent)
[6839]	308	def handle_account_removed(account, event):
[9313]	309	"""When an account is removed, local and global roles might
	310	have to be deleted.
[6203]	311	"""
	312	local_roles = account.getLocalRoles()
	313	principal = account.name
[9313]	314
[6203]	315	for role_id, object_list in local_roles.items():
	316	for object in object_list:
	317	try:
	318	role_manager = IPrincipalRoleManager(object)
	319	except TypeError:
[9313]	320	# No Account object, no role manager, no local roles to remove
[6203]	321	continue
	322	role_manager.unsetRoleForPrincipal(role_id, principal)
[9313]	323	role_manager = IPrincipalRoleManager(grok.getSite())
	324	roles = account.getSiteRolesForPrincipal()
	325	for role_id in roles:
	326	role_manager.unsetRoleForPrincipal(role_id, principal)
[6203]	327	return
[7169]	328
	329	@grok.subscribe(IUserAccount, grok.IObjectAddedEvent)
	330	def handle_account_added(account, event):
	331	"""When an account is added, the local owner role and the global
[7185]	332	AcademicsOfficer role must be set.
[7169]	333	"""
[7173]	334	# We set the local Owner role
	335	role_manager_account = IPrincipalRoleManager(account)
	336	role_manager_account.assignRoleToPrincipal(
[7169]	337	'waeup.local.Owner', account.name)
[7185]	338	# We set the global AcademicsOfficer role
[7173]	339	site = grok.getSite()
	340	role_manager_site = IPrincipalRoleManager(site)
	341	role_manager_site.assignRoleToPrincipal(
[7185]	342	'waeup.AcademicsOfficer', account.name)
[7173]	343	# Finally we have to notify the user account that the local role
[7169]	344	# of the same object has changed
	345	notify(LocalRoleSetEvent(
	346	account, 'waeup.local.Owner', account.name, granted=True))
	347	return
	348
	349	@grok.subscribe(Interface, ILocalRoleSetEvent)
	350	def handle_local_role_changed(obj, event):
	351	site = grok.getSite()
	352	if site is None:
	353	return
	354	users = site.get('users', None)
	355	if users is None:
	356	return
	357	if event.principal_id not in users.keys():
	358	return
	359	user = users[event.principal_id]
	360	user.notifyLocalRoleChanged(event.object, event.role_id, event.granted)
	361	return
	362
	363	@grok.subscribe(Interface, grok.IObjectRemovedEvent)
	364	def handle_local_roles_on_obj_removed(obj, event):
	365	try:
	366	role_map = IPrincipalRoleMap(obj)
	367	except TypeError:
	368	# no map, no roles to remove
	369	return
	370	for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
	371	notify(LocalRoleSetEvent(
	372	obj, local_role, user_name, granted=False))
[7315]	373	return
[8756]	374
[8973]	375	class UserAccountFactory(grok.GlobalUtility):
	376	"""A factory for user accounts.
	377
	378	This factory is only needed for imports.
	379	"""
	380	grok.implements(IFactory)
	381	grok.name(u'waeup.UserAccount')
	382	title = u"Create a user.",
	383	description = u"This factory instantiates new user account instances."
	384
	385	def __call__(self, args, *kw):
	386	return Account(name=None, password='')
	387
	388	def getInterfaces(self):
	389	return implementedBy(Account)
	390
	391	class UserProcessor(BatchProcessor):
	392	"""A batch processor for IUserAccount objects.
	393	"""
	394	grok.implements(IBatchProcessor)
	395	grok.provides(IBatchProcessor)
	396	grok.context(Interface)
	397	util_name = 'userprocessor'
	398	grok.name(util_name)
	399
	400	name = u'User Processor'
	401	iface = IUserAccount
	402
	403	location_fields = ['name',]
	404	factory_name = 'waeup.UserAccount'
	405
	406	mode = None
	407
	408	def parentsExist(self, row, site):
	409	return 'users' in site.keys()
	410
	411	def entryExists(self, row, site):
	412	return row['name'] in site['users'].keys()
	413
	414	def getParent(self, row, site):
	415	return site['users']
	416
	417	def getEntry(self, row, site):
	418	if not self.entryExists(row, site):
	419	return None
	420	parent = self.getParent(row, site)
	421	return parent.get(row['name'])
	422
	423	def addEntry(self, obj, row, site):
	424	parent = self.getParent(row, site)
	425	parent.addAccount(obj)
	426	return
	427
[9312]	428	def updateEntry(self, obj, row, site):
	429	"""Update obj to the values given in row.
	430	"""
	431	changed = []
	432	for key, value in row.items():
	433	if key == 'roles':
	434	# We cannot simply set the roles attribute here because
	435	# we can't assure that the name attribute is set before
	436	# the roles attribute is set.
	437	continue
	438	# Skip fields to be ignored.
	439	if value == IGNORE_MARKER:
	440	continue
	441	if not hasattr(obj, key):
	442	continue
	443	setattr(obj, key, value)
	444	changed.append('%s=%s' % (key, value))
	445	roles = row.get('roles', IGNORE_MARKER)
	446	if roles not in ('', IGNORE_MARKER):
	447	evalvalue = eval(roles)
	448	if isinstance(evalvalue, list):
	449	setattr(obj, 'roles', evalvalue)
	450	changed.append('roles=%s' % roles)
	451	# Log actions...
	452	items_changed = ', '.join(changed)
[9313]	453	grok.getSite().logger.info('%s - %s - updated: %s'
[9312]	454	% (self.name, row['name'], items_changed))
	455	return
[8973]	456
[8756]	457	class UsersPlugin(grok.GlobalUtility):
	458	"""A plugin that updates users.
	459	"""
	460
	461	grok.implements(IKofaPluggable)
	462	grok.name('users')
	463
	464	deprecated_attributes = []
	465
	466	def setup(self, site, name, logger):
	467	return
	468
	469	def update(self, site, name, logger):
	470	users = site['users']
	471	items = getFields(IUserAccount).items()
	472	for user in users.values():
	473	# Add new attributes
	474	for i in items:
	475	if not hasattr(user,i[0]):
	476	setattr(user,i[0],i[1].missing_value)
	477	logger.info(
	478	'UsersPlugin: %s attribute %s added.' % (
	479	user.name,i[0]))
	480	# Remove deprecated attributes
	481	for i in self.deprecated_attributes:
	482	try:
	483	delattr(user,i)
	484	logger.info(
	485	'UsersPlugin: %s attribute %s deleted.' % (
	486	user.name,i))
	487	except AttributeError:
	488	pass
	489	return

Note: See TracBrowser for help on using the repository browser.

Download in other formats: