Context navigation

authentication.py @ 7259

Last change on this file since 7259 was 7240, checked in by Henrik Bettermann, 13 years ago

Rebuild applicants package (1st part). Applicants now have an applicant_id and a password and can use the regular login page to enter the portal.

Add user_type attribute to SIRPPrincipal objects.

Add some permissions in students package.

Some tests are still missing and will be re-added soon.

Property svn:keywords set to Id

File size: 12.1 KB

Rev	Line
[7193]	1	## $Id: authentication.py 7240 2011-11-30 23:13:26Z henrik $
	2	##
	3	## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
	4	## This program is free software; you can redistribute it and/or modify
	5	## it under the terms of the GNU General Public License as published by
	6	## the Free Software Foundation; either version 2 of the License, or
	7	## (at your option) any later version.
	8	##
	9	## This program is distributed in the hope that it will be useful,
	10	## but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	## GNU General Public License for more details.
	13	##
	14	## You should have received a copy of the GNU General Public License
	15	## along with this program; if not, write to the Free Software
	16	## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
	17	##
[4073]	18	"""Authentication for WAeUP portals.
	19	"""
	20	import grok
[7169]	21	from zope.event import notify
[5900]	22	from zope.component import getUtility, getUtilitiesFor
[7169]	23	from zope.interface import Interface
	24	from zope.securitypolicy.interfaces import (
	25	IPrincipalRoleMap, IPrincipalRoleManager)
[7233]	26	from zope.pluggableauth.factories import Principal
[6610]	27	from zope.pluggableauth.plugins.session import SessionCredentialsPlugin
	28	from zope.pluggableauth.interfaces import (
[7233]	29	ICredentialsPlugin, IAuthenticatorPlugin,
	30	IAuthenticatedPrincipalFactory, AuthenticatedPrincipalCreated)
	31	from zope.publisher.interfaces import IRequest
[6610]	32	from zope.password.interfaces import IPasswordManager
[4129]	33	from zope.securitypolicy.principalrole import principalRoleManager
[7169]	34	from waeup.sirp.interfaces import (ILocalRoleSetEvent,
[7233]	35	IUserAccount, IAuthPluginUtility, IPasswordValidator,
	36	ISIRPPrincipal, ISIRPPrincipalInfo)
[4073]	37
	38	def setup_authentication(pau):
	39	"""Set up plugguble authentication utility.
	40
	41	Sets up an IAuthenticatorPlugin and
	42	ICredentialsPlugin (for the authentication mechanism)
[5900]	43
	44	Then looks for any external utilities that want to modify the PAU.
[4073]	45	"""
[6661]	46	pau.credentialsPlugins = ('No Challenge if Authenticated', 'credentials')
[6672]	47	pau.authenticatorPlugins = ('users',)
[4073]	48
[5900]	49	# Give any third-party code and subpackages a chance to modify the PAU
	50	auth_plugin_utilities = getUtilitiesFor(IAuthPluginUtility)
[5901]	51	for name, util in auth_plugin_utilities:
[5900]	52	util.register(pau)
	53
[6673]	54	def get_principal_role_manager():
	55	"""Get a role manager for principals.
	56
	57	If we are currently 'in a site', return the role manager for the
	58	portal or the global rolemanager else.
	59	"""
	60	portal = grok.getSite()
	61	if portal is not None:
	62	return IPrincipalRoleManager(portal)
	63	return principalRoleManager
	64
[4073]	65	class WAeUPSessionCredentialsPlugin(grok.GlobalUtility,
	66	SessionCredentialsPlugin):
	67	grok.provides(ICredentialsPlugin)
	68	grok.name('credentials')
	69
	70	loginpagename = 'login'
	71	loginfield = 'form.login'
	72	passwordfield = 'form.password'
	73
[7233]	74	class SIRPPrincipalInfo(object):
	75	"""An implementation of ISIRPPrincipalInfo.
[4073]	76
[7233]	77	A SIRP principal info is created with id, login, title, description,
[7240]	78	phone, email and user_type.
[7233]	79	"""
	80	grok.implements(ISIRPPrincipalInfo)
	81
[7240]	82	def __init__(self, id, title, description, email, phone, user_type):
[4073]	83	self.id = id
	84	self.title = title
	85	self.description = description
[7233]	86	self.email = email
	87	self.phone = phone
[7240]	88	self.user_type = user_type
[4073]	89	self.credentialsPlugin = None
	90	self.authenticatorPlugin = None
	91
[7233]	92	class SIRPPrincipal(Principal):
	93	"""A portal principal.
	94
[7240]	95	SIRP principals provide an extra `email`, `phone` and `user_type`
[7233]	96	attribute extending ordinary principals.
	97	"""
	98
	99	grok.implements(ISIRPPrincipal)
	100
	101	def __init__(self, id, title=u'', description=u'', email=u'',
[7240]	102	phone=None, user_type=u'', prefix=None):
[7233]	103	self.id = id
[7239]	104	if prefix is not None:
	105	self.id = '%s.%s' % (prefix, self.id)
[7233]	106	self.title = title
	107	self.description = description
	108	self.groups = []
	109	self.email = email
	110	self.phone = phone
[7240]	111	self.user_type = user_type
[7233]	112
	113	def __repr__(self):
	114	return 'SIRPPrincipal(%r)' % self.id
	115
	116	class AuthenticatedSIRPPrincipalFactory(grok.MultiAdapter):
	117	"""Creates 'authenticated' SIRP principals.
	118
	119	Adapts (principal info, request) to a SIRPPrincipal instance.
	120
	121	This adapter is used by the standard PAU to transform
[7236]	122	SIRPPrincipalInfos into SIRPPrincipal instances.
[7233]	123	"""
	124	grok.adapts(ISIRPPrincipalInfo, IRequest)
	125	grok.implements(IAuthenticatedPrincipalFactory)
	126
	127	def __init__(self, info, request):
	128	self.info = info
	129	self.request = request
	130
	131	def __call__(self, authentication):
	132	principal = SIRPPrincipal(
	133	self.info.id,
	134	self.info.title,
	135	self.info.description,
	136	self.info.email,
	137	self.info.phone,
[7240]	138	self.info.user_type,
[7239]	139	authentication.prefix,
[7233]	140	)
	141	notify(
	142	AuthenticatedPrincipalCreated(
	143	authentication, principal, self.info, self.request))
	144	return principal
	145
[4073]	146	class Account(grok.Model):
[4109]	147	grok.implements(IUserAccount)
[4129]	148
[6180]	149	_local_roles = dict()
	150
[4125]	151	def __init__(self, name, password, title=None, description=None,
[7240]	152	email=None, phone=None, user_type=None, roles = []):
[4073]	153	self.name = name
[4087]	154	if title is None:
	155	title = name
[7197]	156	#if description is None:
	157	# description = title
[4087]	158	self.title = title
	159	self.description = description
[7221]	160	self.email = email
[7233]	161	self.phone = phone
[7240]	162	self.user_type = user_type
[4073]	163	self.setPassword(password)
[7177]	164	#self.setSiteRolesForPrincipal(roles)
[6180]	165	# We don't want to share this dict with other accounts
	166	self._local_roles = dict()
[4073]	167
	168	def setPassword(self, password):
	169	passwordmanager = getUtility(IPasswordManager, 'SHA1')
	170	self.password = passwordmanager.encodePassword(password)
	171
	172	def checkPassword(self, password):
	173	passwordmanager = getUtility(IPasswordManager, 'SHA1')
	174	return passwordmanager.checkPassword(self.password, password)
	175
[7177]	176	def getSiteRolesForPrincipal(self):
[6673]	177	prm = get_principal_role_manager()
[4129]	178	roles = [x[0] for x in prm.getRolesForPrincipal(self.name)
	179	if x[0].startswith('waeup.')]
	180	return roles
[5055]	181
[7177]	182	def setSiteRolesForPrincipal(self, roles):
[6673]	183	prm = get_principal_role_manager()
[7177]	184	old_roles = self.getSiteRolesForPrincipal()
[4129]	185	for role in old_roles:
	186	# Remove old roles, not to be set now...
	187	if role.startswith('waeup.') and role not in roles:
	188	prm.unsetRoleForPrincipal(role, self.name)
	189	for role in roles:
	190	prm.assignRoleToPrincipal(role, self.name)
	191
[7177]	192	roles = property(getSiteRolesForPrincipal, setSiteRolesForPrincipal)
[4129]	193
[6180]	194	def getLocalRoles(self):
	195	return self._local_roles
	196
	197	def notifyLocalRoleChanged(self, obj, role_id, granted=True):
	198	objects = self._local_roles.get(role_id, [])
	199	if granted and obj not in objects:
	200	objects.append(obj)
	201	if not granted and obj in objects:
	202	objects.remove(obj)
	203	self._local_roles[role_id] = objects
	204	if len(objects) == 0:
	205	del self._local_roles[role_id]
[6182]	206	self._p_changed = True
[6180]	207	return
	208
[4073]	209	class UserAuthenticatorPlugin(grok.GlobalUtility):
[6625]	210	grok.implements(IAuthenticatorPlugin)
[4073]	211	grok.provides(IAuthenticatorPlugin)
	212	grok.name('users')
	213
	214	def authenticateCredentials(self, credentials):
	215	if not isinstance(credentials, dict):
	216	return None
[7240]	217
[4073]	218	if not ('login' in credentials and 'password' in credentials):
	219	return None
	220	account = self.getAccount(credentials['login'])
	221	if account is None:
	222	return None
	223	if not account.checkPassword(credentials['password']):
	224	return None
[7233]	225	return SIRPPrincipalInfo(id=account.name,
[4612]	226	title=account.title,
[7233]	227	description=account.description,
	228	email=account.email,
[7240]	229	phone=account.phone,
	230	user_type=u'user')
[4073]	231
	232	def principalInfo(self, id):
	233	account = self.getAccount(id)
	234	if account is None:
	235	return None
[7233]	236	return SIRPPrincipalInfo(id=account.name,
[4612]	237	title=account.title,
[7233]	238	description=account.description,
	239	email=account.email,
[7240]	240	phone=account.phone,
	241	user_type=u'user')
[4073]	242
	243	def getAccount(self, login):
[4087]	244	# ... look up the account object and return it ...
[7172]	245	userscontainer = self.getUsersContainer()
	246	if userscontainer is None:
[4087]	247	return
[7172]	248	return userscontainer.get(login, None)
[4087]	249
	250	def addAccount(self, account):
[7172]	251	userscontainer = self.getUsersContainer()
	252	if userscontainer is None:
[4087]	253	return
	254	# XXX: complain if name already exists...
[7172]	255	userscontainer.addAccount(account)
[4087]	256
[4091]	257	def addUser(self, name, password, title=None, description=None):
[7172]	258	userscontainer = self.getUsersContainer()
	259	if userscontainer is None:
[4091]	260	return
[7172]	261	userscontainer.addUser(name, password, title, description)
[5055]	262
[7172]	263	def getUsersContainer(self):
[4087]	264	site = grok.getSite()
[4743]	265	return site['users']
[6203]	266
[7147]	267	class PasswordValidator(grok.GlobalUtility):
	268
	269	grok.implements(IPasswordValidator)
	270
	271	def validate_password(self, pw, pw_repeat):
	272	errors = []
	273	if len(pw) < 3:
	274	errors.append('Password must have at least 3 chars.')
	275	if pw != pw_repeat:
	276	errors.append('Passwords do not match.')
	277	return errors
	278
[7169]	279	class LocalRoleSetEvent(object):
	280
	281	grok.implements(ILocalRoleSetEvent)
	282
	283	def __init__(self, object, role_id, principal_id, granted=True):
	284	self.object = object
	285	self.role_id = role_id
	286	self.principal_id = principal_id
	287	self.granted = granted
	288
[6203]	289	@grok.subscribe(IUserAccount, grok.IObjectRemovedEvent)
[6839]	290	def handle_account_removed(account, event):
[6203]	291	"""When an account is removed, local roles might have to be deleted.
	292	"""
	293	local_roles = account.getLocalRoles()
	294	principal = account.name
	295	for role_id, object_list in local_roles.items():
	296	for object in object_list:
	297	try:
	298	role_manager = IPrincipalRoleManager(object)
	299	except TypeError:
	300	# No role manager, no roles to remove
	301	continue
	302	role_manager.unsetRoleForPrincipal(role_id, principal)
	303	return
[7169]	304
	305	@grok.subscribe(IUserAccount, grok.IObjectAddedEvent)
	306	def handle_account_added(account, event):
	307	"""When an account is added, the local owner role and the global
[7185]	308	AcademicsOfficer role must be set.
[7169]	309	"""
[7173]	310	# We set the local Owner role
	311	role_manager_account = IPrincipalRoleManager(account)
	312	role_manager_account.assignRoleToPrincipal(
[7169]	313	'waeup.local.Owner', account.name)
[7185]	314	# We set the global AcademicsOfficer role
[7173]	315	site = grok.getSite()
	316	role_manager_site = IPrincipalRoleManager(site)
	317	role_manager_site.assignRoleToPrincipal(
[7185]	318	'waeup.AcademicsOfficer', account.name)
[7173]	319	# Finally we have to notify the user account that the local role
[7169]	320	# of the same object has changed
	321	notify(LocalRoleSetEvent(
	322	account, 'waeup.local.Owner', account.name, granted=True))
	323	return
	324
	325	@grok.subscribe(Interface, ILocalRoleSetEvent)
	326	def handle_local_role_changed(obj, event):
	327	site = grok.getSite()
	328	if site is None:
	329	return
	330	users = site.get('users', None)
	331	if users is None:
	332	return
	333	role_id = event.role_id
	334	if event.principal_id not in users.keys():
	335	return
	336	user = users[event.principal_id]
	337	user.notifyLocalRoleChanged(event.object, event.role_id, event.granted)
	338	return
	339
	340	@grok.subscribe(Interface, grok.IObjectRemovedEvent)
	341	def handle_local_roles_on_obj_removed(obj, event):
	342	try:
	343	role_map = IPrincipalRoleMap(obj)
	344	except TypeError:
	345	# no map, no roles to remove
	346	return
	347	for local_role, user_name, setting in role_map.getPrincipalsAndRoles():
	348	notify(LocalRoleSetEvent(
	349	obj, local_role, user_name, granted=False))
	350	return

Note: See TracBrowser for help on using the repository browser.

Context navigation

source: main/waeup.sirp/trunk/src/waeup/sirp/authentication.py @ 7259

Download in other formats: