version 1.2, 2006/07/05 12:38:21
|
version 1.3, 2007/03/01 19:17:10
|
"""User Folder Extension, tests now also ip number of the host where the original call comes from in case of redirects""" |
"""User Folder Extension, tests now also ip number of the host where the original connection |
|
comes from in case of proxies/rewrites""" |
|
|
import Globals |
import Globals |
from AccessControl.User import UserFolder |
from AccessControl.User import UserFolder |
|
from AccessControl import AuthEncoding |
from Globals import MessageDialog |
from Globals import MessageDialog |
import zLOG |
import logging |
import re |
import re |
|
import socket |
|
|
class IntranetUserFolder(UserFolder): |
class IntranetUserFolder(UserFolder): |
"""User folder for Intranet""" |
"""User folder for Intranet""" |
meta_type="IntranetUserFolder" |
meta_type="IntranetUserFolder" |
|
|
def authenticate(self, name, password, request): |
def authenticate(self, name, password, request): |
"""modified authenticate to use domainspecmath below""" |
"""modified authenticate to use domainspecmatch below""" |
#zLOG.LOG('IntranetUserFolder',zLOG.INFO,"authenticate %s, %s from %s"%(name,password,request['REMOTE_ADDR'])) |
#logging.debug("IntranetUserFolder: authenticate %s from %s"%(name,request['REMOTE_ADDR'])) |
|
|
emergency = self._emergency_user |
emergency = self._emergency_user |
if name is None: |
if name is None: |
user = emergency |
user = emergency |
else: |
else: |
user = self.getUser(name) |
user = self.getUser(name) |
if user is not None and user.authenticate(password, request): |
|
|
#logging.debug("IntranetUserFolder: user: %s"%repr(user)) |
|
|
|
if user is not None: |
|
pwd=user._getPassword() |
|
# check PW first (which may be empty) |
|
if AuthEncoding.pw_validate(pwd, password): |
domains = user.getDomains() |
domains = user.getDomains() |
|
#logging.debug("IntranetUserFolder: pw OK, domains: %s"%(repr(domains))) |
if self.domainSpecMatch(domains, request): |
if self.domainSpecMatch(domains, request): |
#zLOG.LOG('IntranetUserFolder',zLOG.INFO," as %s"%user) |
logging.debug("IntranetUserFolder: domain user %s"%user) |
return user |
return user |
|
#else: |
|
#logging.debug("IntranetUserFolder: pw not ok: '%s'"%password) |
|
#logging.debug("IntranetUserFolder: user has password: '%s'"%user._getPassword()) |
|
|
#zLOG.LOG('IntranetUserFolder',zLOG.INFO," failed!") |
logging.debug("IntranetUserFolder: authenticate failed here!") |
return None |
return None |
|
|
def domainSpecMatch(self, spec, request): |
def domainSpecMatch(self, spec, request): |
"""modified domainspecmatch to look at FORWARDED_FOR""" |
"""modified domainspecmatch to look at FORWARDED_FOR""" |
#zLOG.LOG('IntranetUserFolder',zLOG.INFO,"domainspecmatch %s, %s"%(self,spec)) |
#logging.debug("IntranetUserFolder: domainspecmatch %s, %s"%(self,spec)) |
host='' |
|
addr='' |
addr='' |
|
|
|
|
# Fast exit for the match-all case |
# Fast exit for the match-all case |
if len(spec) == 1 and spec[0] == '*': |
if len(spec) == 0 or (len(spec) == 1 and spec[0] == '*'): |
return 1 |
return 1 |
|
|
if request.has_key('REMOTE_HOST'): |
# start with getClientAddr |
host=request['REMOTE_HOST'] |
|
|
|
addr=request.getClientAddr() |
addr=request.getClientAddr() |
|
#logging.debug("IntranetUserFolder: getclientaddr: %s"%(addr)) |
#if request.has_key('REMOTE_ADDR'): |
#if request.has_key('REMOTE_ADDR'): |
# addr=request['REMOTE_ADDR'] |
# addr=request['REMOTE_ADDR'] |
|
|
if request.has_key('HTTP_X_FORWARDED_FOR'): |
# override with forwarded address if present |
|
if request.get('HTTP_X_FORWARDED_FOR', None): |
addr=request['HTTP_X_FORWARDED_FOR'] |
addr=request['HTTP_X_FORWARDED_FOR'] |
#zLOG.LOG('IntranetUserFolder',zLOG.INFO,"forwarded addr: %s"%(addr)) |
#logging.debug("IntranetUserFolder: forwarded addr: %s"%(addr)) |
|
|
# check for strange headers (may be fake) |
# check for strange headers (may be fake) |
if len(addr.split('.')) != 4: |
if len(addr.split('.')) != 4: |
zLOG.LOG('IntranetUserFolder',zLOG.WARNING,"invalid forward addr: %s"%(addr)) |
logging.warning("IntranetUserFolder: invalid forward addr: %s"%(addr)) |
return 0 |
return 0 |
|
|
if not host and not addr: |
|
return 0 |
|
|
|
if not host: |
|
try: host=socket.gethostbyaddr(addr)[0] |
|
except: pass |
|
if not addr: |
if not addr: |
try: addr=socket.gethostbyname(host) |
return 0 |
except: pass |
|
|
|
_host=host.split('.') |
|
_addr=addr.split('.') |
_addr=addr.split('.') |
_hlen=len(_host) |
#logging.debug("IntranetUserFolder: addr: %s , %s"%(repr(_addr), repr(_m), repr(_addr & _m))) |
_alen=len(_addr) |
|
|
|
#zLOG.LOG('IntranetUserFolder',zLOG.INFO,"host: %s, addr: %s"%(_host,_addr)) |
|
|
|
for ob in spec: |
for ob in spec: |
sz=len(ob) |
sz=len(ob) |
continue |
continue |
return 1 |
return 1 |
|
|
mo = host_match(ob) |
|
if mo is not None: |
|
if mo.end(0)==sz: |
|
if _hlen < _sz: |
|
continue |
|
elif _hlen > _sz: |
|
_item=_host[-_sz:] |
|
else: |
|
_item=_host |
|
fail=0 |
|
for i in range(_sz): |
|
h=_item[i] |
|
o=_ob[i] |
|
if (o != h) and (o != '*'): |
|
fail=1 |
|
break |
|
if fail: |
|
continue |
|
return 1 |
|
return 0 |
return 0 |
|
|
Globals.default__class_init__(IntranetUserFolder) |
Globals.default__class_init__(IntranetUserFolder) |
return manage_addIntranetUserFolder(self,REQUEST=self.REQUEST) |
return manage_addIntranetUserFolder(self,REQUEST=self.REQUEST) |
|
|
addr_match=re.compile(r'((\d{1,3}\.){1,3}\*)|((\d{1,3}\.){3}\d{1,3})').match |
addr_match=re.compile(r'((\d{1,3}\.){1,3}\*)|((\d{1,3}\.){3}\d{1,3})').match |
host_match=re.compile(r'(([\_0-9a-zA-Z\-]*\.)*[0-9a-zA-Z\-]*)').match |
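Review bot: The new `if request.get('HTTP_X_FORWARDED_FOR', None): addr=request['HTTP_X_FORWARDED_FOR']` in domainSpecMatch still lets the remote client choose the address that the domain check is evaluated against, since X-Forwarded-For is attacker-supplied and the only validation is that it splits into four dot-separated parts; anyone holding a valid password can claim an intranet address and pass the check, and if this Zope version's `getClientAddr()` already consults a trusted-proxy list, the unconditional override here bypasses it. Only honour the header when the direct peer is a known proxy and take the element that proxy appended, e.g. `if request.getClientAddr() in TRUSTED_PROXIES and request.get('HTTP_X_FORWARDED_FOR'):` followed by `addr = request['HTTP_X_FORWARDED_FOR'].split(',')[-1].strip()` (a multi-hop list is currently rejected by the four-part check rather than parsed). The same spoofed value then feeds `host=socket.gethostbyaddr(addr)[0]`, so host-name entries in the domain spec are matched against a PTR record controlled by whoever owns that address's reverse zone. The matching loop is cut by the skipped context, so the assignments of `_sz`, `_ob` and the use of `host_match` are not visible in this hunk.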
|