~azzar1/unity/add-show-desktop-key : contents of www/auth/authenticate.py at revision 800

~azzar1/unity/add-show-desktop-key : (revision 800)

# IVLE - Informatics Virtual Learning Environment
# Copyright (C) 2007-2008 The University of Melbourne
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA

# Module: authenticate
# Author: Matt Giuca
# Date:   19/2/2008

# Provides a mechanism for authenticating a username and password, and
# returning a yes/no response.

# Has a plugin interface for authentication modules.
# An authentication module is a Python module with an "auth" function,
# which accepts 3 positional arguments.
# plugin_module.auth(dbconn, login, password, user)
# dbconn is an open connection to the IVLE database.
# login and password are required strings, password is cleartext.
# user is a User object or None.
# If it's a User object, it must return the same object if it returns a user.
# This object should describe the user logging in.
# It may be None if the user is not known to this DB.
# Returns either a User object or None, or raises an AuthError.
# Returning a User object implies success, and also gives details about the
# user if none were known to the DB (such details will be written to the DB).
# Returning None implies a soft failure, and that another auth method should
# be found.
# Raising an AuthError implies a hard failure, with an appropriate error
# message. No more auth will be done.

from autherror import AuthError
import conf
import common.db
import common.user

import sys
import os

def authenticate(login, password):
    """Determines whether a particular login/password combination is
    valid. The password is in cleartext.

    Returns a User object containing the user's details on success.
    Raises an AuthError containing an appropriate error message on failure.

    The User returned is guaranteed to be in the IVLE database.
    This could be from reading or writing to the DB. If authenticate can't
    find the user in the DB, it may get user data from some other source
    (such as LDAP) and actually write it to the DB before returning.
    """
    # WARNING: Both username and password may contain any characters, and must
    # be sanitized within this function.
    # (Not SQL-sanitized, just sanitized to our particular constraints).
    # TODO Sanitize username

    # Spawn a DB object just for making this call.
    # (This should not spawn a DB connection on each page reload, only when
    # there is no session object to begin with).
    dbconn = common.db.DB()

    try:
        user = dbconn.get_user(login)
    except common.db.DBException:
        # If our attempt to get the named user from the db fails,
        # then set user to None.
        # We may still auth (eg. by pulling details from elsewhere and writing
        # to DB).
        user = None
    try:
        for modname, m in auth_modules:
            # May raise an AuthError - allow to propagate
            auth_result = m(dbconn, login, password, user)
            if auth_result is None:
                # Can't auth with this module; try another
                pass
            elif auth_result == False:
                return None
            elif isinstance(auth_result, common.user.User):
                if user is not None and auth_result is not user:
                    # If user is not None, then it must return the same user
                    raise AuthError("Internal error: "
                        "Bad authentication module %s (changed user)"
                        % repr(modname))
                elif user is None:
                    # We just got ourselves some user details from an external
                    # source. Put them in the DB.
                    dbconn.create_user(auth_result)
                    pass
                return auth_result
            else:
                raise AuthError("Internal error: "
                    "Bad authentication module %s (bad return type)"
                    % repr(modname))
        # No auths checked out; fail.
        raise AuthError()
    finally:
        dbconn.close()

def simple_db_auth(dbconn, login, password, user):
    """
    A plugin auth function, as described above.
    This one just authenticates against the local database.
    Returns None if the password in the DB is NULL, indicating that another
    auth method should be used.
    Raises an AuthError if mismatched, indicating failure to auth.
    """
    if user is None:
        # The login doesn't exist. Therefore return None so we can try other
        # means of authentication.
        return None
    auth_result = dbconn.user_authenticate(login, password)
    # auth_result is either True, False (fail) or None (try another)
    if auth_result is None:
        return None
    elif auth_result:
        return user
    else:
        raise AuthError()

# Allow imports to get files from this directory.
# Get the directory that this module (authenticate) is in
authpath = os.path.split(sys.modules[__name__].__file__)[0]
# Add it to sys.path
sys.path.append(authpath)

# Create a global variable "auth_modules", a list of (name, function object)s.
# This list consists of simple_db_auth, plus the "auth" functions of all the
# plugin auth modules.

auth_modules = [("simple_db_auth", simple_db_auth)]
for modname in conf.auth_modules.split(','):
    try:
        mod = __import__(modname)
    except ImportError:
        raise AuthError("Internal error: Can't import auth module %s"
            % repr(modname))
    except ValueError:
        # If auth_modules is "", we may get an empty string - ignore
        continue
    try:
        authfunc = mod.auth
    except AttributeError:
        raise AuthError("Internal error: Auth module %s has no 'auth' "
            "function" % repr(modname))
    auth_modules.append((modname, authfunc))

124 by mattgiuca dispatch/request: Added new fields: method and username.	1	# IVLE - Informatics Virtual Learning Environment
	2	# Copyright (C) 2007-2008 The University of Melbourne
	3	#
	4	# This program is free software; you can redistribute it and/or modify
	5	# it under the terms of the GNU General Public License as published by
	6	# the Free Software Foundation; either version 2 of the License, or
	7	# (at your option) any later version.
	8	#
	9	# This program is distributed in the hope that it will be useful,
	10	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	# GNU General Public License for more details.
	13	#
	14	# You should have received a copy of the GNU General Public License
	15	# along with this program; if not, write to the Free Software
	16	# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
	17
	18	# Module: authenticate
	19	# Author: Matt Giuca
509 by mattgiuca common.db: Rewrote user_authenticate to return 3 values (True, false, None)	20	# Date: 19/2/2008
124 by mattgiuca dispatch/request: Added new fields: method and username.	21
	22	# Provides a mechanism for authenticating a username and password, and
	23	# returning a yes/no response.
	24
509 by mattgiuca common.db: Rewrote user_authenticate to return 3 values (True, false, None)	25	# Has a plugin interface for authentication modules.
531 by mattgiuca www/auth: Split authenticate.py into 3 modules: autherror and ldap_auth.	26	# An authentication module is a Python module with an "auth" function,
	27	# which accepts 3 positional arguments.
	28	# plugin_module.auth(dbconn, login, password, user)
509 by mattgiuca common.db: Rewrote user_authenticate to return 3 values (True, false, None)	29	# dbconn is an open connection to the IVLE database.
	30	# login and password are required strings, password is cleartext.
	31	# user is a User object or None.
	32	# If it's a User object, it must return the same object if it returns a user.
	33	# This object should describe the user logging in.
	34	# It may be None if the user is not known to this DB.
	35	# Returns either a User object or None, or raises an AuthError.
	36	# Returning a User object implies success, and also gives details about the
	37	# user if none were known to the DB (such details will be written to the DB).
	38	# Returning None implies a soft failure, and that another auth method should
	39	# be found.
	40	# Raising an AuthError implies a hard failure, with an appropriate error
	41	# message. No more auth will be done.
	42
531 by mattgiuca www/auth: Split authenticate.py into 3 modules: autherror and ldap_auth.	43	from autherror import AuthError
510 by mattgiuca setup.py: Added 2 new config options for the LDAP authentication server.	44	import conf
376 by mattgiuca auth/authenticate: Replaced dummy code (which always auths) with a call to the	45	import common.db
509 by mattgiuca common.db: Rewrote user_authenticate to return 3 values (True, false, None)	46	import common.user
	47
533 by mattgiuca auth/authenticate: Much done!	48	import sys
	49	import os
	50
509 by mattgiuca common.db: Rewrote user_authenticate to return 3 values (True, false, None)	51	def authenticate(login, password):
	52	"""Determines whether a particular login/password combination is
376 by mattgiuca auth/authenticate: Replaced dummy code (which always auths) with a call to the	53	valid. The password is in cleartext.
	54
500 by mattgiuca db: get_user and get_users now return User objects instead of dictionaries.	55	Returns a User object containing the user's details on success.
509 by mattgiuca common.db: Rewrote user_authenticate to return 3 values (True, false, None)	56	Raises an AuthError containing an appropriate error message on failure.
	57
	58	The User returned is guaranteed to be in the IVLE database.
	59	This could be from reading or writing to the DB. If authenticate can't
	60	find the user in the DB, it may get user data from some other source
	61	(such as LDAP) and actually write it to the DB before returning.
376 by mattgiuca auth/authenticate: Replaced dummy code (which always auths) with a call to the	62	"""
124 by mattgiuca dispatch/request: Added new fields: method and username.	63	# WARNING: Both username and password may contain any characters, and must
	64	# be sanitized within this function.
376 by mattgiuca auth/authenticate: Replaced dummy code (which always auths) with a call to the	65	# (Not SQL-sanitized, just sanitized to our particular constraints).
509 by mattgiuca common.db: Rewrote user_authenticate to return 3 values (True, false, None)	66	# TODO Sanitize username
376 by mattgiuca auth/authenticate: Replaced dummy code (which always auths) with a call to the	67
	68	# Spawn a DB object just for making this call.
	69	# (This should not spawn a DB connection on each page reload, only when
	70	# there is no session object to begin with).
	71	dbconn = common.db.DB()
522 by drtomc Add quite a lot of stuff to get usrmgt happening.	72
376 by mattgiuca auth/authenticate: Replaced dummy code (which always auths) with a call to the	73	try:
522 by drtomc Add quite a lot of stuff to get usrmgt happening.	74	user = dbconn.get_user(login)
533 by mattgiuca auth/authenticate: Much done!	75	except common.db.DBException:
	76	# If our attempt to get the named user from the db fails,
	77	# then set user to None.
	78	# We may still auth (eg. by pulling details from elsewhere and writing
	79	# to DB).
	80	user = None
	81	try:
531 by mattgiuca www/auth: Split authenticate.py into 3 modules: autherror and ldap_auth.	82	for modname, m in auth_modules:
509 by mattgiuca common.db: Rewrote user_authenticate to return 3 values (True, false, None)	83	# May raise an AuthError - allow to propagate
	84	auth_result = m(dbconn, login, password, user)
	85	if auth_result is None:
	86	# Can't auth with this module; try another
	87	pass
	88	elif auth_result == False:
	89	return None
	90	elif isinstance(auth_result, common.user.User):
	91	if user is not None and auth_result is not user:
	92	# If user is not None, then it must return the same user
	93	raise AuthError("Internal error: "
531 by mattgiuca www/auth: Split authenticate.py into 3 modules: autherror and ldap_auth.	94	"Bad authentication module %s (changed user)"
	95	% repr(modname))
522 by drtomc Add quite a lot of stuff to get usrmgt happening.	96	elif user is None:
509 by mattgiuca common.db: Rewrote user_authenticate to return 3 values (True, false, None)	97	# We just got ourselves some user details from an external
	98	# source. Put them in the DB.
533 by mattgiuca auth/authenticate: Much done!	99	dbconn.create_user(auth_result)
509 by mattgiuca common.db: Rewrote user_authenticate to return 3 values (True, false, None)	100	pass
	101	return auth_result
	102	else:
	103	raise AuthError("Internal error: "
531 by mattgiuca www/auth: Split authenticate.py into 3 modules: autherror and ldap_auth.	104	"Bad authentication module %s (bad return type)"
	105	% repr(modname))
509 by mattgiuca common.db: Rewrote user_authenticate to return 3 values (True, false, None)	106	# No auths checked out; fail.
	107	raise AuthError()
376 by mattgiuca auth/authenticate: Replaced dummy code (which always auths) with a call to the	108	finally:
	109	dbconn.close()
509 by mattgiuca common.db: Rewrote user_authenticate to return 3 values (True, false, None)	110
	111	def simple_db_auth(dbconn, login, password, user):
	112	"""
	113	A plugin auth function, as described above.
	114	This one just authenticates against the local database.
	115	Returns None if the password in the DB is NULL, indicating that another
	116	auth method should be used.
	117	Raises an AuthError if mismatched, indicating failure to auth.
	118	"""
533 by mattgiuca auth/authenticate: Much done!	119	if user is None:
	120	# The login doesn't exist. Therefore return None so we can try other
	121	# means of authentication.
	122	return None
509 by mattgiuca common.db: Rewrote user_authenticate to return 3 values (True, false, None)	123	auth_result = dbconn.user_authenticate(login, password)
	124	# auth_result is either True, False (fail) or None (try another)
	125	if auth_result is None:
	126	return None
	127	elif auth_result:
	128	return user
	129	else:
	130	raise AuthError()
	131
533 by mattgiuca auth/authenticate: Much done!	132	# Allow imports to get files from this directory.
	133	# Get the directory that this module (authenticate) is in
	134	authpath = os.path.split(sys.modules[__name__].__file__)[0]
	135	# Add it to sys.path
	136	sys.path.append(authpath)
	137
531 by mattgiuca www/auth: Split authenticate.py into 3 modules: autherror and ldap_auth.	138	# Create a global variable "auth_modules", a list of (name, function object)s.
	139	# This list consists of simple_db_auth, plus the "auth" functions of all the
	140	# plugin auth modules.
510 by mattgiuca setup.py: Added 2 new config options for the LDAP authentication server.	141
531 by mattgiuca www/auth: Split authenticate.py into 3 modules: autherror and ldap_auth.	142	auth_modules = [("simple_db_auth", simple_db_auth)]
	143	for modname in conf.auth_modules.split(','):
	144	try:
	145	mod = __import__(modname)
	146	except ImportError:
	147	raise AuthError("Internal error: Can't import auth module %s"
	148	% repr(modname))
758 by mattgiuca authenticate.py: Bugfix - Exception if no additional auth modules are given	149	except ValueError:
	150	# If auth_modules is "", we may get an empty string - ignore
	151	continue
531 by mattgiuca www/auth: Split authenticate.py into 3 modules: autherror and ldap_auth.	152	try:
	153	authfunc = mod.auth
	154	except AttributeError:
	155	raise AuthError("Internal error: Auth module %s has no 'auth' "
	156	"function" % repr(modname))
	157	auth_modules.append((modname, authfunc))