~azzar1/unity/add-show-desktop-key

Viewing changes to www/auth/authenticate.py

Committer: mattgiuca
Date: 2008-02-19 08:26:11 UTC
Revision ID: svn-v3-trunk0:2b9c9e99-6f39-0410-b283-7f802c844ae2:trunk:509

common.db: Rewrote user_authenticate to return 3 values (True, false, None)
    Now returns False if the password did not match, None if the password
    field is NULL (None implying a soft failure, with the possibility of
    validating against LDAP or something else).

auth.authenticate: Rewrote this module with a new plugin interface
    (as discussed with Tom Conway). Allows successive modules to try to
    authenticate the user.
    Changed the authenticate function interface: Now raises an AuthError
    when auth fails, instead of returning None.

dispatch.login: Handle new auth interface (exception catch).
    Auth is now able to provide an error message, in the exception.
    The exception message is displayed as an error to the user.

files modified:
lib/common/db.py

www/auth/authenticate.py

www/dispatch/login.py

Show diffs side-by-side

added added

removed removed

www/auth/authenticate.py

# Module: authenticate

# Author: Matt Giuca

# Date: 1/2/2008

# Date: 19/2/2008

# Provides a mechanism for authenticating a username and password, and

# returning a yes/no response.

# Has a plugin interface for authentication modules.

# An authentication module is a callable object which accepts 3 positional

# arguments.

# plugin_auth_func(dbconn, login, password, user)

# dbconn is an open connection to the IVLE database.

# login and password are required strings, password is cleartext.

# user is a User object or None.

# If it's a User object, it must return the same object if it returns a user.

# This object should describe the user logging in.

# It may be None if the user is not known to this DB.

# Returns either a User object or None, or raises an AuthError.

# Returning a User object implies success, and also gives details about the

# user if none were known to the DB (such details will be written to the DB).

# Returning None implies a soft failure, and that another auth method should

# be found.

# Raising an AuthError implies a hard failure, with an appropriate error

# message. No more auth will be done.

import common.db

def authenticate(username, password):

"""Determines whether a particular username/password combination is

import common.user

class AuthError(Exception):

def __init__(self, message="Invalid username or password."):

self.message = message

self.args = (message,)

def authenticate(login, password):

"""Determines whether a particular login/password combination is

valid. The password is in cleartext.

Returns None if failed to authenticate.

Returns a User object containing the user's details on success.

Raises an AuthError containing an appropriate error message on failure.

The User returned is guaranteed to be in the IVLE database.

This could be from reading or writing to the DB. If authenticate can't

find the user in the DB, it may get user data from some other source

(such as LDAP) and actually write it to the DB before returning.

"""

# TODO.

# Just authenticate against the DB at the moment.

# Later we will provide other auth options such as LDAP.

# WARNING: Both username and password may contain any characters, and must

# be sanitized within this function.

# (Not SQL-sanitized, just sanitized to our particular constraints).

# TODO Sanitize username

# Spawn a DB object just for making this call.

# (This should not spawn a DB connection on each page reload, only when

# there is no session object to begin with).

dbconn = common.db.DB()

user = dbconn.get_user(login)

try:

if not dbconn.user_authenticate(username, password):

return None

return dbconn.get_user(username)

for m in auth_modules:

# May raise an AuthError - allow to propagate

auth_result = m(dbconn, login, password, user)

if auth_result is None:

# Can't auth with this module; try another

pass

elif auth_result == False:

return None

elif isinstance(auth_result, common.user.User):

if user is not None and auth_result is not user:

# If user is not None, then it must return the same user

raise AuthError("Internal error: "

"Bad authentication module (changed user)")

if user is None:

# We just got ourselves some user details from an external

# source. Put them in the DB.

# TODO: Write user to DB

pass

return auth_result

else:

raise AuthError("Internal error: "

"Bad authentication module (bad return type)")

# No auths checked out; fail.

raise AuthError()

finally:

dbconn.close()

100

101

def simple_db_auth(dbconn, login, password, user):

102

"""

103

A plugin auth function, as described above.

104

This one just authenticates against the local database.

105

Returns None if the password in the DB is NULL, indicating that another

106

auth method should be used.

107

Raises an AuthError if mismatched, indicating failure to auth.

108

"""

109

auth_result = dbconn.user_authenticate(login, password)

110

# auth_result is either True, False (fail) or None (try another)

111

if auth_result is None:

112

return None

113

elif auth_result:

114

return user

115

else:

116

raise AuthError()

117

118

# List of auth plugin modules, in the order to try them

119

auth_modules = [

120

simple_db_auth,

121

]

Older »