18
18
# Module: authenticate
19
19
# Author: Matt Giuca
22
22
# Provides a mechanism for authenticating a username and password, and
23
23
# returning a yes/no response.
25
# Has a plugin interface for authentication modules.
26
# An authentication module is a callable object which accepts 3 positional
28
# plugin_auth_func(dbconn, login, password, user)
29
# dbconn is an open connection to the IVLE database.
30
# login and password are required strings, password is cleartext.
31
# user is a User object or None.
32
# If it's a User object, it must return the same object if it returns a user.
33
# This object should describe the user logging in.
34
# It may be None if the user is not known to this DB.
35
# Returns either a User object or None, or raises an AuthError.
36
# Returning a User object implies success, and also gives details about the
37
# user if none were known to the DB (such details will be written to the DB).
38
# Returning None implies a soft failure, and that another auth method should
40
# Raising an AuthError implies a hard failure, with an appropriate error
41
# message. No more auth will be done.
48
class AuthError(Exception):
49
def __init__(self, message="Invalid username or password."):
50
self.message = message
51
self.args = (message,)
53
def authenticate(login, password):
54
"""Determines whether a particular login/password combination is
27
def authenticate(username, password):
28
"""Determines whether a particular username/password combination is
55
29
valid. The password is in cleartext.
57
Returns a User object containing the user's details on success.
58
Raises an AuthError containing an appropriate error message on failure.
60
The User returned is guaranteed to be in the IVLE database.
61
This could be from reading or writing to the DB. If authenticate can't
62
find the user in the DB, it may get user data from some other source
63
(such as LDAP) and actually write it to the DB before returning.
31
Returns None if failed to authenticate.
32
Returns a dictionary containing the user's login fields (including
33
"login", "nick" and "fullname") on success.
37
# Just authenticate against the DB at the moment.
38
# Later we will provide other auth options such as LDAP.
65
40
# WARNING: Both username and password may contain any characters, and must
66
41
# be sanitized within this function.
67
42
# (Not SQL-sanitized, just sanitized to our particular constraints).
68
# TODO Sanitize username
70
44
# Spawn a DB object just for making this call.
71
45
# (This should not spawn a DB connection on each page reload, only when
72
46
# there is no session object to begin with).
73
47
dbconn = common.db.DB()
74
user = dbconn.get_user(login)
76
for m in auth_modules:
77
# May raise an AuthError - allow to propagate
78
auth_result = m(dbconn, login, password, user)
79
if auth_result is None:
80
# Can't auth with this module; try another
82
elif auth_result == False:
84
elif isinstance(auth_result, common.user.User):
85
if user is not None and auth_result is not user:
86
# If user is not None, then it must return the same user
87
raise AuthError("Internal error: "
88
"Bad authentication module (changed user)")
90
# We just got ourselves some user details from an external
91
# source. Put them in the DB.
92
# TODO: Write user to DB
96
raise AuthError("Internal error: "
97
"Bad authentication module (bad return type)")
98
# No auths checked out; fail.
49
if not dbconn.user_authenticate(username, password):
51
return dbconn.get_user(username)
103
def simple_db_auth(dbconn, login, password, user):
105
A plugin auth function, as described above.
106
This one just authenticates against the local database.
107
Returns None if the password in the DB is NULL, indicating that another
108
auth method should be used.
109
Raises an AuthError if mismatched, indicating failure to auth.
111
auth_result = dbconn.user_authenticate(login, password)
112
# auth_result is either True, False (fail) or None (try another)
113
if auth_result is None:
120
def ldap_auth(dbconn, login, password, user):
122
A plugin auth function, as described above.
123
This one authenticates against an LDAP server.
124
Returns user if successful. Raises AuthError if unsuccessful.
125
Also raises AuthError if the LDAP server had an unexpected error.
128
l = ldap.initialize(conf.ldap_url)
129
# ldap_format_string contains a "%s" to put the login name
130
l.simple_bind_s(conf.ldap_format_string % login, password)
131
except ldap.INVALID_CREDENTIALS:
133
except Exception, msg:
134
raise AuthError("Internal error (LDAP auth): %s" % repr(msg))
135
# Got here - Must have successfully authenticated with LDAP
138
# List of auth plugin modules, in the order to try them
added
removed
www/auth/authenticate.py
