changeset 129:f0e84aeb51dc

sslclientcert auth method (untested); imported from: moin--main--1.5--patch-131
author Thomas Waldmann <tw@waldmann-edv.de>
date Sat, 22 Oct 2005 21:55:25 +0000
parents 2fba84615be7
children d3a28c683d8f
files MoinMoin/auth.py docs/CHANGES
diffstat 2 files changed, 56 insertions(+), 15 deletions(-) [+]
--- a/MoinMoin/auth.py	Sat Oct 22 19:48:26 2005 +0000
+++ b/MoinMoin/auth.py	Sat Oct 22 21:55:25 2005 +0000
@@ -7,7 +7,7 @@
 """
 
 import Cookie
-from MoinMoin.user import User
+from MoinMoin import user
 
 def moin_cookie(request):
     """ authenticate via the MOIN_ID cookie """
@@ -17,10 +17,9 @@
         # ignore invalid cookies, else user can't relogin
         cookie = None
     if cookie and cookie.has_key('MOIN_ID'):
-        user = User(request, id=cookie['MOIN_ID'].value)
-        if user.valid:
-            return user
-
+        u = user.User(request, id=cookie['MOIN_ID'].value)
+        if u.valid:
+            return u
     return None
 
 
@@ -36,12 +35,12 @@
 def http(request):
     """ authenticate via http basic/digest/ntlm auth """
     from MoinMoin.request import RequestTwisted
-    user = None
+    u = None
     # check if we are running Twisted
     if isinstance(request, RequestTwisted):
         username = request.twistd.getUser()
         password = request.twistd.getPassword()
-        user = User(request, auth_username=username, password=password)
+        u = user.User(request, auth_username=username, password=password)
 
     else:
         env = request.env
@@ -57,13 +56,52 @@
                 # this "normalizes" the login name from {meier, Meier, MEIER} to Meier
                 # put a comment sign in front of next line if you don't want that:
                 username = username.title()
-            user = User(request, auth_username=username)
+            u = user.User(request, auth_username=username)
 
     # XXX create (user? maybe should not happen here, but one layer higher to be
     # common for all auth methods
 
-    if user and user.valid:
-        return user
+    if u and u.valid:
+        return u
+    else:
+        return None
+
+def sslclientcert(request):
+    """ authenticate via SSL client certificate """
+    from MoinMoin.request import RequestTwisted
+    u = None
+    # check if we are running Twisted
+    if isinstance(request, RequestTwisted):
+        return u # not supported if we run twisted
+        # Addendum: this seems to need quite some twisted insight and coding.
+        # A pointer i got on #twisted: divmod's vertex.sslverify
+        # If you really need this, feel free to implement and test it and
+        # submit a patch if it works.
+    else:
+        env = request.env
+        if env.get('SSL_CLIENT_VERIFY', 'FAILURE') == 'SUCCESS':
+            # if we only want to accept some specific CA, do a check like:
+            # if env.get('SSL_CLIENT_I_DN_OU') == "http://www.cacert.org"
+            email = env.get('SSL_CLIENT_S_DN_Email', '')
+            email_lower = email.lower()
+            commonname = env.get('SSL_CLIENT_S_DN_CN', '')
+            commonname_lower = commonname.lower()
+            if email_lower or commonname_lower:
+                for uid in user.getUserList():
+                    u = user.User(request, uid)
+                    if email_lower and u.email.lower() == email_lower:
+                        break
+                    if commonname_lower and u.name.lower() == commonname_lower:
+                        break
+                else:
+                    u = None
+                #u = user.User(request, auth_username=username)
+
+    # XXX create (user? maybe should not happen here, but one layer higher to be
+    # common for all auth methods
+
+    if u and u.valid:
+        return u
     else:
         return None
 
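Review bot: The match at `if commonname_lower and u.name.lower() == commonname_lower:` logs a certificate holder in as any wiki user whose self-chosen name equals the certificate's CN, and because the issuer check is only a comment (`# if env.get('SSL_CLIENT_I_DN_OU') == "http://www.cacert.org"`), a certificate from any CA the web server is configured to trust qualifies. Make the issuer check live rather than a comment, e.g. `if env.get('SSL_CLIENT_I_DN') != TRUSTED_ISSUER_DN: return None` (TRUSTED_ISSUER_DN being a placeholder for a configured value), and consider matching on the e-mail address only, since that is the attribute a CA typically verifies while a CN is not required to be unique. Nothing here rejects duplicate addresses either, so when two profiles carry the same e-mail the first one in `getUserList()` order wins — presumably unintended, and worth a comment or an explicit ambiguity check. The loop also instantiates a `user.User` for every profile on every request, so cost grows with the number of accounts; an index keyed by lower-cased e-mail would avoid that.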
@@ -89,17 +127,17 @@
             # show error message
             return None
         
-        user = User(request, name=username)
+        u = user.User(request, name=username)
         for key, value in account_data.iteritems():
             if key not in ["may", "id", "valid", "trusted"
                            "auth_username",
                            "name", "aliasname",
                            "enc_passwd"]:
-                setattr(user, key, value)
-        user.save()
-        request.user = user
+                setattr(u, key, value)
+        u.save()
+        request.user = u
         request.setCookie()
-        return user
+        return u
     else:
         pass
         # XXX redirect to homewiki
--- a/docs/CHANGES	Sat Oct 22 19:48:26 2005 +0000
+++ b/docs/CHANGES	Sat Oct 22 21:55:25 2005 +0000
@@ -73,6 +73,9 @@
            auth = [http, moin_cookie]
      * cfg.auth_http_enabled was removed, please use cfg.auth instead.
      * http auth now supports "Negotiate" scheme, too
+     * Added sslclientcert auth method (Apache: untested, Twisted: not
+       implemented, IIS: no idea). See MoinMoin/auth.py for details.
+       Submit a patch if you have improvements.
      * cfg.superuser is a list of unicode usernames. Currently it is not used
        by anything, but it will be used e.g. to enable software installation
        via the wiki.