pvl.login: ldap access (tokens) and userdata support
authorTero Marttila <terom@paivola.fi>
Mon, 13 Jan 2014 21:14:52 +0200
changeset 369 e6d0e8a967ac
parent 368 be42e2d38c77
child 370 184917c7d4d4
pvl.login: ldap access (tokens) and userdata support
pvl/login/auth.py
pvl/login/pubtkt.py
pvl/login/server.py
--- a/pvl/login/auth.py	Mon Jan 13 21:14:30 2014 +0200
+++ b/pvl/login/auth.py	Mon Jan 13 21:14:52 2014 +0200
@@ -1,6 +1,7 @@
 import ldap
 
 import pvl.ldap.domain
+import pvl.users.group
 
 import logging; log = logging.getLogger('pvl.login.auth')
 
@@ -37,7 +38,7 @@
         bind = self.bind(user, password)
         
         if bind :
-            return True
+            return user
         else :
             return False
 
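Review bot: Returning `user` instead of `True` turns the success value from a bool into the auth state that `access()` and `userdata()` consume later in this changeset, but nothing in the hunk documents that, and the method's docstring (outside the hunk) probably still describes a boolean result. A comment at the return, `# auth state: the resolved user entry, handed on to access()/userdata()`, plus a docstring update would make the contract visible. The `else` branch still returns `False`, so the two outcomes now differ in type; callers that compared the result with `is True` would stop working, whereas the `if not auth` check used on the server side keeps working. The enclosing method starts before the hunk.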
@@ -73,3 +74,20 @@
             log.info("%s", user)
             return conn
 
+    def access (self, user) :
+        """
+            Yield a list of access control tokens for the given auth state.
+        """
+        
+        yield pvl.users.group.Group.fromldap(self.ldap.users.group(user))
+
+        for group in self.ldap.users.groups(user) :
+            yield pvl.users.group.Group.fromldap(group)
+    
+    def userdata (self, user) :
+        """
+            Yield arbitrary userdata for given auth state.
+        """
+
+        return user.get('cn')
+
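Review bot: The `userdata` docstring says it yields, but the method returns a single value, `user.get('cn')`, so it is a plain function; write `"""Return arbitrary userdata (the user's cn, or None) for the given auth state."""`. Likewise `access` does not yield "a list" but one `Group` per group, so `"""Yield access control tokens (one Group per LDAP group of the user) for the given auth state."""` is more accurate. Both methods also assume the auth state is the user entry returned by the changed `return user` in the hunk above (a mapping with `.get`); that assumption is worth stating, as is whether `self.ldap.users.group(user)` can return None for a user without a primary group, which `Group.fromldap` would then receive unchecked.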
--- a/pvl/login/pubtkt.py	Mon Jan 13 21:14:30 2014 +0200
+++ b/pvl/login/pubtkt.py	Mon Jan 13 21:14:52 2014 +0200
@@ -183,7 +183,7 @@
             yield 'cip', self.cip
         
         if self.tokens :
-            yield 'tokens', ','.join(self.tokens)
+            yield 'tokens', ','.join(str(token) for token in self.tokens)
         
         if self.udata :
             yield 'udata', self.udata
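Review bot: The tokens field is built with `','.join(...)`, so a token whose `str()` contains a comma is read back as two tokens by the ticket consumer, and in this changeset those strings come from directory group names rather than from a fixed set. Since the tokens are the access-control values a downstream check relies on, validate them before joining: `tokens = [str(token) for token in self.tokens]` and `if any(',' in t for t in tokens): raise ValueError("token contains ','")`, then join `tokens`. If the ticket fields are separated by another delimiter when serialised, the same check applies to that character; the serialisation is outside this hunk, as is the start of the enclosing method.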
--- a/pvl/login/server.py	Mon Jan 13 21:14:30 2014 +0200
+++ b/pvl/login/server.py	Mon Jan 13 21:14:52 2014 +0200
@@ -302,6 +302,9 @@
 }
 
     """
+    
+    login_failure = None
+
     def process (self) :
         self.process_cookie()
         
@@ -335,12 +338,17 @@
                 except pvl.login.auth.AuthError as ex :
                     self.alert('danger', "Internal authentication error, try again later?")
 
-                if not set_pubtkt :
-                    self.alert('danger', "Invalid authentication credentials, try again.")
+                else :
+                    if not set_pubtkt :
+                        self.alert('danger', "Invalid authentication credentials, try again.")
             
             elif self.pubtkt and self.pubtkt.valid() :
                 # renew manually if valid
                 set_pubtkt = self.app.renew(self.pubtkt)
+            
+            # a POST request that does not modify state is a failure
+            if not set_pubtkt :
+                self.login_failure = True
 
         elif 'renew' in self.request.args :
             # renew automatically if in grace period
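Review bot: The new `login_failure` flag at `if not set_pubtkt :` is also set when the `except pvl.login.auth.AuthError` branch above ran, so `status()` in the later hunk (`def status`) answers 400 for a server-side authentication error just as for bad credentials. A client or a monitor then cannot tell a credential failure from a directory outage, which also muddies rate-limit and brute-force detection on this endpoint. Record the internal error separately, e.g. `self.login_error = True` in the `except` branch, and have `status()` return 500 for it before the 400 check. The `if`/`elif` chain these lines belong to starts outside the hunk; if `set_pubtkt` is not initialised before it, the new check would raise NameError on a POST that matches neither branch.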
@@ -365,6 +373,11 @@
 
             return response
 
+    def status (self) :
+        if self.login_failure :
+            return 400
+        else :
+            return 200
 
     def render (self) :
         domain = self.app.login_domain
@@ -512,9 +525,14 @@
         if not auth :
             return None
 
+        tokens = list(self._auth.access(auth))
+        udata = self._auth.userdata(auth)
+
         return pubtkt.PubTkt.new(username,
                 valid   = self.login_valid,
                 grace   = self.login_grace,
+                tokens  = tokens,
+                udata   = udata,
         )
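Review bot: `self._auth.access(auth)` and `self._auth.userdata(auth)` perform LDAP group lookups after the bind has succeeded, and an `ldap.LDAPError` raised there propagates out of this method rather than being reported as an authentication error. The handler in the earlier hunk catches only `pvl.login.auth.AuthError`, so a directory failure at this point would surface as an unhandled exception instead of the "Internal authentication error" alert, assuming the auth layer does not already wrap these calls (its `access` body in this changeset calls `self.ldap.users.group(...)` directly). Consider wrapping the two lookups in `try: ... except ldap.LDAPError as ex: raise pvl.login.auth.AuthError(...)`, translating the error the same way the bind path does. The enclosing method starts outside the hunk.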
 
     def sign (self, pubtkt) :