25
25
# Has a plugin interface for authentication modules.
26
26
# An authentication module is a Python module with an "auth" function,
27
27
# which accepts 3 positional arguments.
28
# plugin_module.auth(store, login, password, user)
29
# store is an open store connected to the IVLE database.
28
# plugin_module.auth(dbconn, login, password, user)
29
# dbconn is an open connection to the IVLE database.
30
30
# login and password are required strings, password is cleartext.
31
31
# user is a User object or None.
32
32
# If it's a User object, it must return the same object if it returns a user.
46
from ivle.auth import AuthError
46
from autherror import AuthError
49
def authenticate(config, store, login, password):
51
def authenticate(login, password):
50
52
"""Determines whether a particular login/password combination is
51
valid for the given database. The password is in cleartext.
53
valid. The password is in cleartext.
53
55
Returns a User object containing the user's details on success.
54
56
Raises an AuthError containing an appropriate error message on failure.
56
'store' is expected to be a storm.store.Store connected to the IVLE
57
database to which we should authenticate.
59
58
The User returned is guaranteed to be in the IVLE database.
60
59
This could be from reading or writing to the DB. If authenticate can't
61
60
find the user in the DB, it may get user data from some other source
69
68
# Spawn a DB object just for making this call.
70
69
# (This should not spawn a DB connection on each page reload, only when
71
70
# there is no session object to begin with).
73
user = ivle.database.User.get_by_login(store, login)
75
raise Exception(str(get_auth_modules(config)))
77
for modname, m in get_auth_modules(config):
78
# May raise an AuthError - allow to propagate
79
auth_result = m(store, login, password, user)
80
if auth_result is None:
81
# Can't auth with this module; try another
83
elif auth_result == False:
85
elif isinstance(auth_result, ivle.database.User):
86
if user is not None and auth_result is not user:
87
# If user is not None, then it must return the same user
74
user = dbconn.get_user(login)
75
except ivle.db.DBException:
76
# If our attempt to get the named user from the db fails,
77
# then set user to None.
78
# We may still auth (eg. by pulling details from elsewhere and writing
82
for modname, m in auth_modules:
83
# May raise an AuthError - allow to propagate
84
auth_result = m(dbconn, login, password, user)
85
if auth_result is None:
86
# Can't auth with this module; try another
88
elif auth_result == False:
90
elif isinstance(auth_result, ivle.user.User):
91
if user is not None and auth_result is not user:
92
# If user is not None, then it must return the same user
93
raise AuthError("Internal error: "
94
"Bad authentication module %s (changed user)"
97
# We just got ourselves some user details from an external
98
# source. Put them in the DB.
99
dbconn.create_user(auth_result)
88
103
raise AuthError("Internal error: "
89
"Bad authentication module %s (changed user)"
104
"Bad authentication module %s (bad return type)"
92
# We just got ourselves some user details from an external
93
# source. Put them in the DB.
94
store.add(auth_result)
96
# Don't allow login if it is expired or disabled.
97
if auth_result.state == 'disabled' or auth_result.account_expired:
98
raise AuthError("Account is not valid.")
102
raise AuthError("Internal error: "
103
"Bad authentication module %s (bad return type)"
105
# No auths checked out; fail.
108
def simple_db_auth(store, login, password, user):
106
# No auths checked out; fail.
111
def simple_db_auth(dbconn, login, password, user):
110
113
A plugin auth function, as described above.
111
114
This one just authenticates against the local database.
117
120
# The login doesn't exist. Therefore return None so we can try other
118
121
# means of authentication.
121
# They should always match, but it's best to be sure!
122
assert(user.login == login)
124
auth_result = user.authenticate(password)
123
auth_result = dbconn.user_authenticate(login, password)
125
124
# auth_result is either True, False (fail) or None (try another)
126
125
if auth_result is None:
131
130
raise AuthError()
133
def get_auth_modules(config):
134
"""Get the auth modules defined in the configuration.
136
Returns a list of (name, function object)s. This list consists of
137
simple_db_auth, plus the "auth" functions of all the plugin auth modules.
141
# Allow imports to get files from this directory.
142
# Get the directory that this module (authenticate) is in
143
authpath = os.path.split(sys.modules[__name__].__file__)[0]
145
sys.path.append(authpath)
147
auth_modules = [("simple_db_auth", simple_db_auth)]
148
for modname in config['auth']['modules']:
150
mod = __import__(modname)
152
raise AuthError("Internal error: Can't import auth module %s"
155
# If auth_modules is "", we may get an empty string - ignore
159
except AttributeError:
160
raise AuthError("Internal error: Auth module %s has no 'auth' "
161
"function" % repr(modname))
162
auth_modules.append((modname, authfunc))
164
# Restore the old path, without this directory in it.
132
# Allow imports to get files from this directory.
133
# Get the directory that this module (authenticate) is in
134
authpath = os.path.split(sys.modules[__name__].__file__)[0]
136
sys.path.append(authpath)
138
# Create a global variable "auth_modules", a list of (name, function object)s.
139
# This list consists of simple_db_auth, plus the "auth" functions of all the
140
# plugin auth modules.
142
auth_modules = [("simple_db_auth", simple_db_auth)]
143
for modname in ivle.conf.auth_modules.split(','):
145
mod = __import__(modname)
147
raise AuthError("Internal error: Can't import auth module %s"
150
# If auth_modules is "", we may get an empty string - ignore
154
except AttributeError:
155
raise AuthError("Internal error: Auth module %s has no 'auth' "
156
"function" % repr(modname))
157
auth_modules.append((modname, authfunc))