annotate MoinMoin/auth/sslclientcert.py @ 4276:95decb0aeadd

Remove special cases for removed request/server code
author Florian Krupicka <florian.krupicka@googlemail.com>
date Thu, 07 Aug 2008 00:16:53 +0200
parents b902f2397c68
children 62177a952833
# -*- coding: iso-8859-1 -*-
"""
    MoinMoin - SSL client certificate authentication

    Currently not supported for Twisted web server, but only for web servers
    setting SSL_CLIENT_* environment (e.g. Apache).

    @copyright: 2003 Martin v. Loewis,
                2006 MoinMoin:ThomasWaldmann
    @license: GNU GPL, see COPYING for details.
"""

from MoinMoin import config, user
from MoinMoin.auth import BaseAuth

class SSLClientCertAuth(BaseAuth):
    """ authenticate via SSL client certificate """

    name = 'sslclientcert'

    def __init__(self, authorities=None,
                 email_key=True, name_key=True,
                 use_email=False, use_name=False):
        # authorities: issuer OUs (SSL_CLIENT_I_DN_OU) checked in request()
        # email_key / name_key: match the certificate's email / CN against existing users
        # use_email / use_name: copy the certificate's email / CN into the user profile
        self.authorities = authorities
        self.email_key = email_key
        self.name_key = name_key
        self.use_email = use_email
        self.use_name = use_name
        BaseAuth.__init__(self)

    def request(self, request, user_obj, **kw):
        u = None
        changed = False

        env = request.environ
        # only trust the SSL_CLIENT_* fields when the web server verified the chain
        if env.get('SSL_CLIENT_VERIFY', 'FAILURE') == 'SUCCESS':

            # check authority list if given
            # NOTE: this returns early when the issuer OU *is* in the list, so
            # certificates from listed issuers are never mapped to a user.
            if self.authorities and env.get('SSL_CLIENT_I_DN_OU') in self.authorities:
                return user_obj, True

            # initialised so the use_email / use_name branches below never hit an
            # undefined name when the corresponding key check is disabled
            email = commonname = u''
            email_lower = None
            if self.email_key:
                email = env.get('SSL_CLIENT_S_DN_Email', '').decode(config.charset)
                email_lower = email.lower()
            commonname_lower = None
            if self.name_key:
                commonname = env.get('SSL_CLIENT_S_DN_CN', '').decode(config.charset)
                commonname_lower = commonname.lower()
            if email_lower or commonname_lower:
                # linear scan over all accounts, comparing email / name case-insensitively
                for uid in user.getUserList(request):
                    u = user.User(request, uid,
                                  auth_method=self.name, auth_attribs=())
                    if self.email_key and email_lower and u.email.lower() == email_lower:
                        u.auth_attribs = ('email', 'password')
                        if self.use_name and commonname_lower != u.name.lower():
                            u.name = commonname
                            changed = True
                            u.auth_attribs = ('email', 'name', 'password')
                        break
                    if self.name_key and commonname_lower and u.name.lower() == commonname_lower:
                        u.auth_attribs = ('name', 'password')
                        if self.use_email and email_lower != u.email.lower():
                            u.email = email
                            changed = True
                            u.auth_attribs = ('name', 'email', 'password')
                        break
                else:
                    # loop finished without a break: no account matched
                    u = None
                if u is None:
                    # user wasn't found, so let's create a new user object
                    u = user.User(request, name=commonname_lower, auth_username=commonname_lower,
                                  auth_method=self.name)
                    u.auth_attribs = ('name', 'password')
                    if self.use_email:
                        u.email = email
                        u.auth_attribs = ('name', 'email', 'password')
        elif user_obj and user_obj.auth_method == self.name:
            # certificate no longer verifies: invalidate a session this method created
            user_obj.valid = False
            return user_obj, False
        if u:
            u.create_or_update(changed)
        if u and u.valid:
            return u, True
        else:
            return user_obj, True
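As an added example (not MoinMoin's own code), the lookup decisions of request() above re-implemented stand-alone so they can be run against constructed SSL_CLIENT_* environments: the verify gate, the authority-list comparison, the case-insensitive email/CN match and the fall-through to a new account. User, USERS and the environments are constructed stand-ins for MoinMoin's user module and the variables mod_ssl exports.

```python
# Added example, not MoinMoin's code: stand-alone re-implementation of the
# lookup decisions in SSLClientCertAuth.request(). The User class, USERS and
# the environments in demo() are constructed stand-ins, not MoinMoin objects.

class User:
    def __init__(self, name, email):
        self.name = name
        self.email = email

# constructed user store standing in for user.getUserList() / user.User()
USERS = [User('alice', 'Alice@example.org'), User('bob', 'bob@example.org')]


def match_user(env, users=USERS, authorities=None, email_key=True, name_key=True):
    """Return (user, outcome); outcome names the branch the page's code takes."""
    # Only trust the certificate fields when mod_ssl reports a verified chain.
    if env.get('SSL_CLIENT_VERIFY', 'FAILURE') != 'SUCCESS':
        return None, 'not_verified'
    # Same comparison as the page: an issuer OU that IS listed stops processing,
    # so the list acts on listed issuers, not on unlisted ones.
    if authorities and env.get('SSL_CLIENT_I_DN_OU') in authorities:
        return None, 'issuer_listed'
    email = env.get('SSL_CLIENT_S_DN_Email', '') if email_key else ''
    cn = env.get('SSL_CLIENT_S_DN_CN', '') if name_key else ''
    if not (email or cn):
        return None, 'no_identity'
    for u in users:
        # email is checked before CN; both are compared case-insensitively
        if email and u.email.lower() == email.lower():
            return u, 'matched'
        if cn and u.name.lower() == cn.lower():
            return u, 'matched'
    # no existing account: the page creates one named after the lower-cased CN
    return User(cn.lower(), email), 'new'


def demo():
    """Constructed environments covering each branch of match_user()."""
    ok = {'SSL_CLIENT_VERIFY': 'SUCCESS', 'SSL_CLIENT_I_DN_OU': 'Example CA'}
    return {
        'email_match': match_user(dict(ok, SSL_CLIENT_S_DN_Email='ALICE@example.org')),
        'cn_match': match_user(dict(ok, SSL_CLIENT_S_DN_CN='Bob')),
        'unverified': match_user({'SSL_CLIENT_VERIFY': 'FAILURE', 'SSL_CLIENT_S_DN_CN': 'alice'}),
        'listed_issuer': match_user(dict(ok, SSL_CLIENT_S_DN_CN='alice'), authorities=['Example CA']),
        'new_account': match_user(dict(ok, SSL_CLIENT_S_DN_CN='Carol', SSL_CLIENT_S_DN_Email='c@example.org')),
    }
```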