1
# IVLE - Informatics Virtual Learning Environment
2
# Copyright (C) 2007-2008 The University of Melbourne
4
# This program is free software; you can redistribute it and/or modify
5
# it under the terms of the GNU General Public License as published by
6
# the Free Software Foundation; either version 2 of the License, or
7
# (at your option) any later version.
9
# This program is distributed in the hope that it will be useful,
10
# but WITHOUT ANY WARRANTY; without even the implied warranty of
11
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12
# GNU General Public License for more details.
14
# You should have received a copy of the GNU General Public License
15
# along with this program; if not, write to the Free Software
16
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
18
# Module: authenticate
22
# Provides a mechanism for authenticating a username and password, and
23
# returning a yes/no response.
25
# Has a plugin interface for authentication modules.
26
# An authentication module is a Python module with an "auth" function,
27
# which accepts 3 positional arguments.
28
# plugin_module.auth(dbconn, login, password, user)
29
# dbconn is an open connection to the IVLE database.
30
# login and password are required strings, password is cleartext.
31
# user is a User object or None.
32
# If it's a User object, it must return the same object if it returns a user.
33
# This object should describe the user logging in.
34
# It may be None if the user is not known to this DB.
35
# Returns either a User object or None, or raises an AuthError.
36
# Returning a User object implies success, and also gives details about the
37
# user if none were known to the DB (such details will be written to the DB).
38
# Returning None implies a soft failure, and that another auth method should
40
# Raising an AuthError implies a hard failure, with an appropriate error
41
# message. No more auth will be done.
43
from autherror import AuthError
51
def authenticate(login, password):
52
"""Determines whether a particular login/password combination is
53
valid. The password is in cleartext.
55
Returns a User object containing the user's details on success.
56
Raises an AuthError containing an appropriate error message on failure.
58
The User returned is guaranteed to be in the IVLE database.
59
This could be from reading or writing to the DB. If authenticate can't
60
find the user in the DB, it may get user data from some other source
61
(such as LDAP) and actually write it to the DB before returning.
63
# WARNING: Both username and password may contain any characters, and must
64
# be sanitized within this function.
65
# (Not SQL-sanitized, just sanitized to our particular constraints).
66
# TODO Sanitize username
68
# Spawn a DB object just for making this call.
69
# (This should not spawn a DB connection on each page reload, only when
70
# there is no session object to begin with).
71
dbconn = common.db.DB()
74
user = dbconn.get_user(login)
75
except common.db.DBException:
76
# If our attempt to get the named user from the db fails,
77
# then set user to None.
78
# We may still auth (eg. by pulling details from elsewhere and writing
82
for modname, m in auth_modules:
83
# May raise an AuthError - allow to propagate
84
auth_result = m(dbconn, login, password, user)
85
if auth_result is None:
86
# Can't auth with this module; try another
88
elif auth_result == False:
90
elif isinstance(auth_result, common.user.User):
91
if user is not None and auth_result is not user:
92
# If user is not None, then it must return the same user
93
raise AuthError("Internal error: "
94
"Bad authentication module %s (changed user)"
97
# We just got ourselves some user details from an external
98
# source. Put them in the DB.
99
dbconn.create_user(auth_result)
103
raise AuthError("Internal error: "
104
"Bad authentication module %s (bad return type)"
106
# No auths checked out; fail.
111
def simple_db_auth(dbconn, login, password, user):
113
A plugin auth function, as described above.
114
This one just authenticates against the local database.
115
Returns None if the password in the DB is NULL, indicating that another
116
auth method should be used.
117
Raises an AuthError if mismatched, indicating failure to auth.
120
# The login doesn't exist. Therefore return None so we can try other
121
# means of authentication.
123
auth_result = dbconn.user_authenticate(login, password)
124
# auth_result is either True, False (fail) or None (try another)
125
if auth_result is None:
132
# Allow imports to get files from this directory.
133
# Get the directory that this module (authenticate) is in
134
authpath = os.path.split(sys.modules[__name__].__file__)[0]
136
sys.path.append(authpath)
138
# Create a global variable "auth_modules", a list of (name, function object)s.
139
# This list consists of simple_db_auth, plus the "auth" functions of all the
140
# plugin auth modules.
142
auth_modules = [("simple_db_auth", simple_db_auth)]
143
for modname in conf.auth_modules.split(','):
145
mod = __import__(modname)
147
raise AuthError("Internal error: Can't import auth module %s"
150
# If auth_modules is "", we may get an empty string - ignore
154
except AttributeError:
155
raise AuthError("Internal error: Auth module %s has no 'auth' "
156
"function" % repr(modname))
157
auth_modules.append((modname, authfunc))