annotate MoinMoin/auth/sslclientcert.py @ 5952:f6a74810da73

updated CHANGES
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Sun, 10 Mar 2013 15:28:04 +0100
parents 62177a952833
children
1 # -*- coding: iso-8859-1 -*-
2 """
3 MoinMoin - SSL client certificate authentication
4
Only usable with web servers that verify the client certificate themselves and
export the SSL_CLIENT_* variables into the WSGI environ (e.g. Apache mod_ssl);
not supported for the Twisted web server. SSL_CLIENT_VERIFY is trusted as-is,
so the environ must be populated by the TLS-terminating server only and never
be derived from client-controllable request headers.
7
8 @copyright: 2003 Martin v. Loewis,
9 2006 MoinMoin:ThomasWaldmann
10 @license: GNU GPL, see COPYING for details.
11 """
12
13 from MoinMoin import config, user
14 from MoinMoin.auth import BaseAuth
15
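class SSLClientCertAuth(BaseAuth):
    """ Authenticate via an SSL client certificate verified by the web server.

    The web server (e.g. Apache mod_ssl) must terminate TLS, verify the
    client certificate and export the SSL_CLIENT_* variables into the WSGI
    environ. This class trusts SSL_CLIENT_VERIFY == 'SUCCESS' as-is and does
    no certificate validation of its own, so the environ must never be
    populated from client-controllable request headers.

    The certificate subject is mapped to a wiki user by its e-mail address
    (SSL_CLIENT_S_DN_Email) and/or its common name (SSL_CLIENT_S_DN_CN),
    compared case-insensitively against the profiles of all existing users.
    """

    name = 'sslclientcert'

    def __init__(self, authorities=None,
                 email_key=True, name_key=True,
                 use_email=False, use_name=False,
                 autocreate=False):
        """
        @param authorities: optional collection of issuer OUs
            (SSL_CLIENT_I_DN_OU). A cert whose issuer OU is listed is NOT
            acted upon; the session is left unchanged (see request()).
        @param email_key: match existing users by the cert's e-mail address
        @param name_key: match existing users by the cert's common name
        @param use_email: copy the cert's e-mail address into the profile
            (for a user matched by name, and for newly created users)
        @param use_name: copy the cert's common name into the profile of a
            user matched by e-mail address
        @param autocreate: create or update the user profile on disk
        """
        self.authorities = authorities
        self.email_key = email_key
        self.name_key = name_key
        self.use_email = use_email
        self.use_name = use_name
        self.autocreate = autocreate
        BaseAuth.__init__(self)

    def request(self, request, user_obj, **kw):
        """ Authenticate the current request from the SSL_CLIENT_* environ.

        @param request: the request; only request.environ is read
        @param user_obj: user object produced by earlier auth methods
            (may be None)
        @return: (user, continue) tuple as for every BaseAuth.request():
            (matched or new user, True) when the cert maps to a valid user;
            (user_obj, False) when a session previously authenticated by
            this method no longer carries a verified cert; otherwise
            (user_obj, True), i.e. nothing changed.
        """
        u = None
        changed = False
        env = request.environ

        if env.get('SSL_CLIENT_VERIFY', 'FAILURE') != 'SUCCESS':
            if user_obj and user_obj.auth_method == self.name:
                # the session was authenticated by this method, but the
                # verified cert is gone: invalidate the session
                user_obj.valid = False
                return user_obj, False
            return user_obj, True

        # check authority list if given.
        # NOTE(review): a cert whose issuer OU is listed is *ignored* (the
        # session is left unchanged) and certs from any other issuer are
        # processed. If the list was meant as an allow-list of trusted CAs,
        # this condition is inverted -- confirm against the deployment.
        # The OU alone is also a weak issuer identifier: any CA accepted by
        # the web server that carries the same OU matches.
        if self.authorities and env.get('SSL_CLIENT_I_DN_OU') in self.authorities:
            return user_obj, True

        # subject fields; always bound so that use_email / use_name never
        # touch an undefined name when the corresponding *_key option is off
        email = commonname = u''
        email_lower = commonname_lower = None
        if self.email_key:
            email = env.get('SSL_CLIENT_S_DN_Email', '').decode(config.charset)
            email_lower = email.lower()
        if self.name_key:
            commonname = env.get('SSL_CLIENT_S_DN_CN', '').decode(config.charset)
            commonname_lower = commonname.lower()

        if email_lower or commonname_lower:
            # linear scan over all user profiles; the first match wins
            for uid in user.getUserList(request):
                u = user.User(request, uid,
                              auth_method=self.name, auth_attribs=())
                if email_lower and u.email.lower() == email_lower:
                    u.auth_attribs = ('email', 'password')
                    # only overwrite the name when the cert actually has a CN
                    if self.use_name and commonname and commonname_lower != u.name.lower():
                        # NOTE(review): renaming to the cert's CN may collide
                        # with another existing user's name -- confirm that
                        # create_or_update() rejects duplicate names
                        u.name = commonname
                        changed = True
                        u.auth_attribs = ('email', 'name', 'password')
                    break
                if commonname_lower and u.name.lower() == commonname_lower:
                    u.auth_attribs = ('name', 'password')
                    # only overwrite the e-mail when the cert actually has one;
                    # a cert without an e-mail must not wipe the profile's
                    if self.use_email and email and email_lower != u.email.lower():
                        u.email = email
                        changed = True
                        u.auth_attribs = ('name', 'email', 'password')
                    break
            else:
                u = None

        if u is None and commonname_lower:
            # no existing user matched: build a new, unsaved user object from
            # the cert's common name. Never create a nameless profile, which
            # every CN-less cert would otherwise map to.
            u = user.User(request, name=commonname_lower, auth_username=commonname_lower,
                          auth_method=self.name)
            u.auth_attribs = ('name', 'password')
            if self.use_email:
                u.email = email
                u.auth_attribs = ('name', 'email', 'password')

        if u and self.autocreate:
            u.create_or_update(changed)
        if u and u.valid:
            return u, True
        return user_obj, True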