import ldap

import pvl.ldap.domain
import pvl.users.group

import logging

# Module-level logger shared by the auth backend classes below.
log = logging.getLogger('pvl.login.auth')
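class AuthError (Exception) :
    """
    Authenticating against the backend failed for a reason other than
    bad credentials or a missing user.

    Raised by LDAPAuth.bind() on any ldap.LDAPError that is not
    INVALID_CREDENTIALS / NO_SUCH_OBJECT; the underlying exception is
    kept in ``error``.
    """

    def __init__ (self, error) :
        # Hand the cause to Exception as well, so that ``.args`` and the
        # default repr() carry it; without this str(ex) was empty and the
        # failure reason was lost wherever only __str__ is used.
        super(AuthError, self).__init__(error)

        self.error = error

    def _message (self) :
        """Human-readable message including the wrapped error."""
        return u"Authenticating against the backend failed: {self.error}".format(self=self)

    def __str__ (self) :
        # Python 3 and most logging/formatting paths use __str__; the
        # original only defined __unicode__.
        return self._message()

    def __unicode__ (self) :
        return self._message()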
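class LDAPAuth (object) :
    """
    Authentication backend that verifies a username/password by looking
    the user up in LDAP and then binding as the user's own DN.

    ``ldap`` is the LDAP client object (presumably a pvl.ldap.domain
    instance -- confirm) used for user lookups via ``ldap.users`` and
    for connections via ``ldap.open()``.
    """

    def __init__ (self, ldap) :
        self.ldap = ldap

    def auth (self, username, password) :
        """
        Look up the user by username and attempt to bind against LDAP with
        the given password.

        Returns the user object on valid auth, False on invalid auth, or
        None if the user does not seem to exist (either the lookup fails,
        or the bind reports that the user's DN does not exist).

        Raises AuthError on other LDAP errors.
        """

        # search
        try :
            user = self.ldap.users.get(username)
        except KeyError :
            log.info("%s: not found", username)
            return None
        else :
            log.info("%s: %s", username, user)

        # bind
        # NOTE(review): on success bind() returns a bound connection that is
        # dropped here without an explicit unbind; the pvl.ldap connection
        # API is not visible in this file, so confirm it is released on GC.
        bind = self.bind(user, password)

        if bind is None :
            # bind() found no object at the user's DN; report this as
            # "does not exist" rather than "invalid auth", as documented.
            return None
        elif bind :
            return user
        else :
            return False

    def bind (self, user, password) :
        """
        Attempt to bind against LDAP with given user object and password.

        Returns the bound connection, or
            None - if the user does not seem to exist
            False - invalid auth (including an empty password)

        Raises AuthError.
        """

        if not password :
            # An LDAP simple bind with an empty password is an
            # unauthenticated (anonymous) bind, which many servers accept
            # regardless of the DN given (RFC 4513 section 5.1.2), so it
            # must be rejected here instead of being sent to the server.
            log.info("%s: empty password", user)
            return False

        conn = self.ldap.open()

        # NOTE(review): conn is not released on the failure paths below;
        # the connection type's close/unbind method is not visible here,
        # so confirm whether an explicit release is needed.
        try :
            conn.bind(user.dn, password)

        except ldap.INVALID_CREDENTIALS :
            log.info("%s: INVALID_CREDENTIALS", user)
            return False

        except ldap.NO_SUCH_OBJECT :
            log.info("%s: ldap.NO_SUCH_OBJECT", user)
            return None

        except ldap.LDAPError as ex :
            # Anything else (server down, operations error, ...) is not a
            # verdict on the credentials; surface it to the caller.
            log.exception("%s", user)
            raise AuthError(ex)

        else :
            log.info("%s", user)
            return conn

    def access (self, user) :
        """
        Yield access control tokens (pvl.users.group.Group) for the given
        user object: first the group from ``users.group(user)`` (presumably
        the primary group), then each group from ``users.groups(user)``.
        """

        yield pvl.users.group.Group.fromldap(self.ldap.users.group(user))

        for group in self.ldap.users.groups(user) :
            yield pvl.users.group.Group.fromldap(group)

    def userdata (self, user) :
        """
        Return arbitrary userdata for given auth state: the user's 'cn'
        attribute as returned by ``user.get('cn')`` (None if absent).
        """

        return user.get('cn')

    def renew (self, username) :
        """
        Re-lookup auth state for given username.

        Returns the user object, or None if the user no longer exists.
        """

        try :
            return self.ldap.users.get(username)
        except KeyError :
            return None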