Changeset 7240 for main/waeup.sirp/trunk/src/waeup/sirp/applicants/authentication.py

Timestamp:

30 Nov 2011, 23:13:26 (13 years ago)

Author:

Henrik Bettermann

Message:

Rebuild applicants package (1st part). Applicants now have an applicant_id and a password and can use the regular login page to enter the portal.

Add user_type attribute to SIRPPrincipal objects.

Add some permissions in students package.

Some tests are still missing and will be re-added soon.

File:

• main/waeup.sirp/trunk/src/waeup/sirp/applicants/authentication.py (modified) (3 diffs)

main/waeup.sirp/trunk/src/waeup/sirp/applicants/authentication.py

@@ -1 +1 @@
 ## $Id$
-##
+## 
 ## Copyright (C) 2011 Uli Fouquet & Henrik Bettermann
 ## This program is free software; you can redistribute it and/or modify
@@ -6 +6 @@
 ## the Free Software Foundation; either version 2 of the License, or
 ## (at your option) any later version.
-##
+## 
 ## This program is distributed in the hope that it will be useful,
 ## but WITHOUT ANY WARRANTY; without even the implied warranty of
 ## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 ## GNU General Public License for more details.
-##
+## 
 ## You should have received a copy of the GNU General Public License
 ## along with this program; if not, write to the Free Software
 ## Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
 ##
-"""Special authentication for applicants.
-
-   XXX: This is work in progress, experimental code! Don't do that at home!
+"""
+Authenticate applicants.
 """
 import grok
-from zope.event import notify
-from zope.pluggableauth.factories import Principal
+from zope.component import getUtility
+from zope.password.interfaces import IPasswordManager
 from zope.pluggableauth.interfaces import (
-    ICredentialsPlugin, IAuthenticatorPlugin,
-    IAuthenticatedPrincipalFactory, AuthenticatedPrincipalCreated)
-from zope.pluggableauth.plugins.session import SessionCredentialsPlugin
-from zope.publisher.interfaces import IRequest
+    IAuthenticatorPlugin, ICredentialsPlugin)
+from zope.pluggableauth.plugins.session import (
+    SessionCredentialsPlugin, SessionCredentials)
 from zope.publisher.interfaces.http import IHTTPRequest
 from zope.session.interfaces import ISession
-from waeup.sirp.accesscodes import get_access_code
-from waeup.sirp.applicants.interfaces import (
-    IApplicantPrincipalInfo, IApplicantPrincipal, IApplicantSessionCredentials,
-    )
-from waeup.sirp.applicants import get_applicant_data
-from waeup.sirp.interfaces import IAuthPluginUtility
+from waeup.sirp.authentication import SIRPPrincipalInfo, get_principal_role_manager
+from waeup.sirp.interfaces import (
+    IAuthPluginUtility, IUserAccount, IPasswordValidator)
+from waeup.sirp.applicants.interfaces import IApplicant
+from waeup.sirp.students.authentication import (
+    StudentAccount, StudentsAuthenticatorPlugin)
 
+class ApplicantAccount(StudentAccount):
+    """An adapter to turn applicant objects into accounts on-the-fly.
+    """
+    grok.context(IApplicant)
+    grok.implements(IUserAccount)
 
-class ApplicantPrincipalInfo(object):
-    """Infos about an applicant principal.
-    """
-    grok.implements(IApplicantPrincipalInfo)
+    @property
+    def name(self):
+        return self.context.applicant_id
 
-    def __init__(self, access_code):
-        self.id = principal_id(access_code)
-        self.title = u'Applicant'
-        self.description = u'An Applicant'
-        self.credentialsPlugin = None
-        self.authenticatorPlugin = None
-        self.access_code = access_code
+    @property
+    def title(self):
+        return self.context.fullname
 
-class ApplicantPrincipal(Principal):
-    """An applicant principal.
+    @property
+    def user_type(self):
+        return u'applicant'
 
-    Applicant principals provide an extra `access_code` and `reg_no`
-    attribute extending ordinary principals.
-    """
-
-    grok.implements(IApplicantPrincipal)
-
-    def __init__(self, access_code, prefix=None):
-        self.id = principal_id(access_code)
-        if prefix is not None:
-            self.id = '%s.%s' % (prefix, self.id)
-        self.title = u'Applicant'
-        self.description = u'An applicant'
-        self.groups = []
-        self.access_code = access_code
-
-    def __repr__(self):
-        return 'ApplicantPrincipal(%r)' % self.id
-
-class AuthenticatedApplicantPrincipalFactory(grok.MultiAdapter):
-    """Creates 'authenticated' applicant principals.
-
-    Adapts (principal info, request) to an ApplicantPrincipal instance.
-
-    This adapter is used by the standard PAU to transform
-    PrincipalInfos into Principal instances.
-    """
-    grok.adapts(IApplicantPrincipalInfo, IRequest)
-    grok.implements(IAuthenticatedPrincipalFactory)
-
-    def __init__(self, info, request):
-        self.info = info
-        self.request = request
-
-    def __call__(self, authentication):
-        principal = ApplicantPrincipal(
-            self.info.access_code,
-            authentication.prefix,
-            )
-        notify(
-            AuthenticatedPrincipalCreated(
-                authentication, principal, self.info, self.request))
-        return principal
-
-
-#
-# Credentials plugins and related....
-#
-
-class ApplicantCredentials(object):
-    """Credentials class for ordinary applicants.
-    """
-    grok.implements(IApplicantSessionCredentials)
-
-    def __init__(self, access_code):
-        self.access_code = access_code
-
-    def getAccessCode(self):
-        """Get the access code.
-        """
-        return self.access_code
-
-    def getLogin(self):
-        """Stay compatible with non-applicant authenticators.
-        """
-        return None
-
-    def getPassword(self):
-        """Stay compatible with non-applicant authenticators.
-        """
-        return None
-
-class WAeUPApplicantCredentialsPlugin(grok.GlobalUtility,
-                                      SessionCredentialsPlugin):
-    """A credentials plugin that scans requests for applicant credentials.
-    """
-    grok.provides(ICredentialsPlugin)
-    grok.name('applicant_credentials')
-
-    loginpagename = 'login'
-    accesscode_prefix_field = 'form.ac_prefix'
-    accesscode_series_field = 'form.ac_series'
-    accesscode_number_field = 'form.ac_number'
-
-    def extractCredentials(self, request):
-        """Extracts credentials from a session if they exist.
-        """
-        if not IHTTPRequest.providedBy(request):
-            return None
-        session = ISession(request)
-        sessionData = session.get(
-            'zope.pluggableauth.browserplugins')
-        access_code_prefix = request.get(self.accesscode_prefix_field, None)
-        access_code_series = request.get(self.accesscode_series_field, None)
-        access_code_no = request.get(self.accesscode_number_field, None)
-        access_code = '%s-%s-%s' % (
-            access_code_prefix, access_code_series, access_code_no)
-        if None in [access_code_prefix, access_code_series, access_code_no]:
-            access_code = None
-        credentials = None
-
-        if access_code:
-            credentials = ApplicantCredentials(access_code)
-        elif not sessionData:
-            return None
-        sessionData = session[
-            'zope.pluggableauth.browserplugins']
-        if credentials:
-            sessionData['credentials'] = credentials
-        else:
-            credentials = sessionData.get('credentials', None)
-        if not credentials:
-            return None
-        if not IApplicantSessionCredentials.providedBy(credentials):
-            # If credentials were stored in session from another
-            # credentials plugin then we cannot make assumptions about
-            # its structure.
-            return None
-        return {'accesscode': credentials.getAccessCode()}
-
-
-
-class ApplicantsAuthenticatorPlugin(grok.GlobalUtility):
-    """Authenticate applicants.
-    """
+class ApplicantsAuthenticatorPlugin(StudentsAuthenticatorPlugin):
+    grok.implements(IAuthenticatorPlugin)
     grok.provides(IAuthenticatorPlugin)
     grok.name('applicants')
 
-    def authenticateCredentials(self, credentials):
-        """Validate the given `credentials`
+    def getAccount(self, login):
+        """Look up a applicant identified by `login`. Returns an account.
 
-        Credentials for applicants have to be passed as a regular
-        dictionary with a key ``accesscode``. This access code is the
-        password and username of an applicant.
+        First we split the login name into the container part and
+        the application number part. Then we simply look up the key under which
+        the applicant is stored in the respective applicants cointainer of
+        the portal.
 
-        Returns a :class:`ApplicantPrincipalInfo` in case of
-        successful validation, ``None`` else.
+        Returns not an applicant but an account object adapted from any
+        applicant found.
 
-        Credentials are not valid if:
-
-        - The passed accesscode does not exist (i.e. was not generated
-          by the :mod:`waeup.sirp.accesscode` module).
-
-        or
-
-        - the accesscode was disabled
-
-        or
-
-        - the accesscode was already used and a dataset for this
-          applicant was already generated with a different accesscode
-          (currently impossible, as applicant datasets are indexed by
-          accesscode)
-
-        or
-
-        - a dataset for the applicant already exists with an
-          accesscode set and this accesscode does not match the given
-          one.
-
+        If no such applicant exists, ``None`` is returned.
         """
-        if not isinstance(credentials, dict):
+        site = grok.getSite()
+        if site is None:
             return None
-        accesscode = credentials.get('accesscode', None)
-        if accesscode is None:
+        applicantsroot = site.get('applicants', None)
+        if applicantsroot is None:
             return None
-        applicant_data = get_applicant_data(accesscode)
-        ac = get_access_code(accesscode) # Get the real access code object
-        appl_ac = getattr(applicant_data, 'access_code', None)
-        if ac is None:
+        try:
+            container, application_number = login.split('_')
+        except ValueError:
             return None
-        if ac.state == 'disabled':
+        applicantscontainer = applicantsroot.get(container,None)
+        if applicantscontainer is None:
             return None
-        if ac.state == 'used' and appl_ac != ac.representation:
+        applicant = applicantscontainer.get(application_number, None)
+        if applicant is None:
             return None
-        # If the following fails we have a catalog error. Bad enough
-        # to pull emergency break.
-        assert appl_ac is None or appl_ac == ac.representation
-        return ApplicantPrincipalInfo(accesscode)
-
-    def principalInfo(self, id):
-        """Returns an IPrincipalInfo object for the specified principal id.
-
-        This method is used by the stadard PAU to lookup for instance
-        groups. If a principal belongs to a group, the group is looked
-        up by the id.  Currently we always return ``None``,
-        indicating, that the principal could not be found. This also
-        means, that is has no effect if applicant users belong to a
-        certain group. They can not gain extra-permissions this way.
-        """
-        return None
+        return IUserAccount(applicant)
 
 class ApplicantsAuthenticatorSetup(grok.GlobalUtility):
-    """A global utility that sets up any PAU passed.
+    """Register or unregister applicant authentication for a PAU.
 
-    The methods of this utility are called during setup of a new site
-    (`University`) instance and after the regular authentication
-    systems (regular users, officers, etc.) were set up.
+    This piece is called when a new site is created.
     """
     grok.implements(IAuthPluginUtility)
@@ -256 +98 @@
 
     def register(self, pau):
-        """Register our local applicants specific PAU components.
-
-        Applicants provide their own authentication system resulting
-        in a specialized credentials plugin and a specialized
-        authenticator plugin.
-
-        Here we tell a given PAU that these plugins exist and should
-        be consulted when trying to authenticate a user.
-
-        We stack our local plugins at end of the plugin list, so that
-        other authentication mechanisms (the normal user
-        authentication for instance) have precedence and to avoid
-        "account-shadowing".
-        """
-        # The local credentials plugin is registered under the name
-        # 'applicant_credentials' (see above).
-        plugins = list(pau.credentialsPlugins) + ['applicant_credentials']
-        pau.credentialsPlugins = tuple(plugins)
-        # The local authenticator plugin is registered under the name
-        # 'applicants' (subject to change?)
-        plugins = list(pau.authenticatorPlugins) + ['applicants']
+        plugins = list(pau.authenticatorPlugins)
+        plugins.append('applicants')
         pau.authenticatorPlugins = tuple(plugins)
         return pau
 
     def unregister(self, pau):
-        """Unregister applicant specific authentication components from PAU.
-        """
-        pau.credentialsPlugins = tuple(
-            [x for x in list(pau.credentialsPlugins)
-             if x != 'applicant_credentials'])
-        pau.authenticatorPlugins = tuple(
-            [x for x in list(pau.authenticatorPlugins)
-             if x != 'applicants'])
+        plugins = [x for x in pau.authenticatorPlugins
+                   if x != 'applicants']
+        pau.authenticatorPlugins = tuple(plugins)
         return pau
-
-
-def principal_id(access_code):
-    """Get a principal ID for applicants.
-
-    We need unique principal ids for appliants. As access codes must
-    be unique we simply return them.
-    """
-    return access_code