Mercurial > hg > OKFNAnnotator

annotate AuthTokenGenerator.py @ 8:93c835b645af

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
nicer logging.
author casties
date Fri, 09 Nov 2012 18:12:47 +0100
parents 279473355e9b
children 41f264620073
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
0
c33668e282fa first checkin.
casties
parents:
diff changeset
1 from OFS.SimpleItem import SimpleItem
c33668e282fa first checkin.
casties
parents:
diff changeset
2 from Products.PageTemplates.PageTemplateFile import PageTemplateFile
c33668e282fa first checkin.
casties
parents:
diff changeset
3 from OFS.PropertyManager import PropertyManager
6
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
4 from AccessControl import getSecurityManager
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
5 from zExceptions import Unauthorized
7
279473355e9b authentication works with hierarchy of acl_users now.
root@tuxserve03.mpiwg-berlin.mpg.de
parents: 6
diff changeset
6 from Acquisition import aq_chain
0
c33668e282fa first checkin.
casties
parents:
diff changeset
7
2
4c6c8835fc5c new version for new Annotator Auth API using PyJWT.
casties
parents: 0
diff changeset
8 import logging
0
c33668e282fa first checkin.
casties
parents:
diff changeset
9 import datetime
2
4c6c8835fc5c new version for new Annotator Auth API using PyJWT.
casties
parents: 0
diff changeset
10 import jwt
0
c33668e282fa first checkin.
casties
parents:
diff changeset
11
c33668e282fa first checkin.
casties
parents:
diff changeset
12
c33668e282fa first checkin.
casties
parents:
diff changeset
13 ZERO = datetime.timedelta(0)
c33668e282fa first checkin.
casties
parents:
diff changeset
14 class Utc(datetime.tzinfo):
c33668e282fa first checkin.
casties
parents:
diff changeset
15 def utcoffset(self, dt):
c33668e282fa first checkin.
casties
parents:
diff changeset
16 return ZERO
c33668e282fa first checkin.
casties
parents:
diff changeset
17
c33668e282fa first checkin.
casties
parents:
diff changeset
18 def tzname(self, dt):
c33668e282fa first checkin.
casties
parents:
diff changeset
19 return "UTC"
c33668e282fa first checkin.
casties
parents:
diff changeset
20
c33668e282fa first checkin.
casties
parents:
diff changeset
21 def dst(self, dt):
c33668e282fa first checkin.
casties
parents:
diff changeset
22 return ZERO
c33668e282fa first checkin.
casties
parents:
diff changeset
23 UTC = Utc()
c33668e282fa first checkin.
casties
parents:
diff changeset
24
c33668e282fa first checkin.
casties
parents:
diff changeset
25
c33668e282fa first checkin.
casties
parents:
diff changeset
26 class AuthTokenGenerator(SimpleItem, PropertyManager):
c33668e282fa first checkin.
casties
parents:
diff changeset
27 """Generator of auth tokens for OKFN Annotator"""
c33668e282fa first checkin.
casties
parents:
diff changeset
28
c33668e282fa first checkin.
casties
parents:
diff changeset
29 meta_type = 'AuthTokenGenerator'
2
4c6c8835fc5c new version for new Annotator Auth API using PyJWT.
casties
parents: 0
diff changeset
30 _properties = ({'id':'consumer_key', 'type': 'string', 'mode': 'w'},
0
c33668e282fa first checkin.
casties
parents:
diff changeset
31 {'id':'consumer_secret', 'type': 'string', 'mode': 'w'},
c33668e282fa first checkin.
casties
parents:
diff changeset
32 )
c33668e282fa first checkin.
casties
parents:
diff changeset
33
c33668e282fa first checkin.
casties
parents:
diff changeset
34 manage_options = PropertyManager.manage_options + SimpleItem.manage_options
c33668e282fa first checkin.
casties
parents:
diff changeset
35
c33668e282fa first checkin.
casties
parents:
diff changeset
36 # Only change this if you're sure you know what you're doing
2
4c6c8835fc5c new version for new Annotator Auth API using PyJWT.
casties
parents: 0
diff changeset
37 tokenTtl = 86400
0
c33668e282fa first checkin.
casties
parents:
diff changeset
38
c33668e282fa first checkin.
casties
parents:
diff changeset
39 def __init__(self, id, consumerKey=None, consumerSecret=None):
c33668e282fa first checkin.
casties
parents:
diff changeset
40 """init document viewer"""
2
4c6c8835fc5c new version for new Annotator Auth API using PyJWT.
casties
parents: 0
diff changeset
41 self.id = id
0
c33668e282fa first checkin.
casties
parents:
diff changeset
42 self.consumer_key = consumerKey
c33668e282fa first checkin.
casties
parents:
diff changeset
43 self.consumer_secret = consumerSecret
c33668e282fa first checkin.
casties
parents:
diff changeset
44
6
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
45 def index_html(self, user='anonymous'):
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
46 """returns authentication token for user (Zope style)"""
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
47 if self._user_allowed(user=user):
0
c33668e282fa first checkin.
casties
parents:
diff changeset
48 token = self._generate_token(user)
2
4c6c8835fc5c new version for new Annotator Auth API using PyJWT.
casties
parents: 0
diff changeset
49 # set CORS headers
0
c33668e282fa first checkin.
casties
parents:
diff changeset
50 origin = self.REQUEST.getHeader("Origin", None)
c33668e282fa first checkin.
casties
parents:
diff changeset
51 if origin is not None:
c33668e282fa first checkin.
casties
parents:
diff changeset
52 self.REQUEST.RESPONSE.setHeader("Access-Control-Allow-Origin", origin)
c33668e282fa first checkin.
casties
parents:
diff changeset
53 else:
c33668e282fa first checkin.
casties
parents:
diff changeset
54 self.REQUEST.RESPONSE.setHeader("Access-Control-Allow-Origin", "*")
c33668e282fa first checkin.
casties
parents:
diff changeset
55
c33668e282fa first checkin.
casties
parents:
diff changeset
56 self.REQUEST.RESPONSE.setHeader("Access-Control-Allow-Credentials", "true")
6
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
57 logging.debug("token for user %s: %s"%(user, token))
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
58 self.REQUEST.RESPONSE.setHeader("Content-Type", "text/plain")
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
59 return token
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
60 else:
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
61 raise Unauthorized
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
62
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
63 def getLoginToken(self, user='anonymous', password=None):
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
64 """returns authentication token or error code"""
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
65 # set CORS headers
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
66 origin = self.REQUEST.getHeader("Origin", None)
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
67 if origin is not None:
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
68 self.REQUEST.RESPONSE.setHeader("Access-Control-Allow-Origin", origin)
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
69 else:
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
70 self.REQUEST.RESPONSE.setHeader("Access-Control-Allow-Origin", "*")
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
71
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
72 self.REQUEST.RESPONSE.setHeader("Access-Control-Allow-Credentials", "true")
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
73 if self._user_allowed(user=user, password=password):
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
74 token = self._generate_token(user)
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
75 logging.debug("token for user %s: %s"%(user, token))
2
4c6c8835fc5c new version for new Annotator Auth API using PyJWT.
casties
parents: 0
diff changeset
76 self.REQUEST.RESPONSE.setHeader("Content-Type", "text/plain")
4c6c8835fc5c new version for new Annotator Auth API using PyJWT.
casties
parents: 0
diff changeset
77 return token
0
c33668e282fa first checkin.
casties
parents:
diff changeset
78 else:
6
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
79 self.REQUEST.RESPONSE.setStatus('Unauthorized')
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
80 return "Please Authenticate!"
0
c33668e282fa first checkin.
casties
parents:
diff changeset
81
6
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
82 def _user_allowed(self, user=None, password=None):
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
83 # check the login
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
84 if user == 'anonymous':
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
85 # everybody can be anonymous
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
86 return user
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
87
8
93c835b645af nicer logging.
casties
parents: 7
diff changeset
88 # get logged in user from Zope
6
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
89 authuser = getSecurityManager().getUser()
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
90 authname = authuser.getUserName()
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
91 if authname == user:
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
92 # user is logged in
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
93 return authname
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
94
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
95 if password:
8
93c835b645af nicer logging.
casties
parents: 7
diff changeset
96 logging.debug("trying password for token for user %s"%user)
7
279473355e9b authentication works with hierarchy of acl_users now.
root@tuxserve03.mpiwg-berlin.mpg.de
parents: 6
diff changeset
97 # try all user folders in aq_chain
279473355e9b authentication works with hierarchy of acl_users now.
root@tuxserve03.mpiwg-berlin.mpg.de
parents: 6
diff changeset
98 authuser = None
279473355e9b authentication works with hierarchy of acl_users now.
root@tuxserve03.mpiwg-berlin.mpg.de
parents: 6
diff changeset
99 userfolder = None
279473355e9b authentication works with hierarchy of acl_users now.
root@tuxserve03.mpiwg-berlin.mpg.de
parents: 6
diff changeset
100 for ctx in aq_chain(self):
279473355e9b authentication works with hierarchy of acl_users now.
root@tuxserve03.mpiwg-berlin.mpg.de
parents: 6
diff changeset
101 new_uf = getattr(ctx, 'acl_users', None)
279473355e9b authentication works with hierarchy of acl_users now.
root@tuxserve03.mpiwg-berlin.mpg.de
parents: 6
diff changeset
102 if new_uf != userfolder:
279473355e9b authentication works with hierarchy of acl_users now.
root@tuxserve03.mpiwg-berlin.mpg.de
parents: 6
diff changeset
103 userfolder = new_uf
279473355e9b authentication works with hierarchy of acl_users now.
root@tuxserve03.mpiwg-berlin.mpg.de
parents: 6
diff changeset
104 authuser = userfolder.authenticate(user, password, None)
279473355e9b authentication works with hierarchy of acl_users now.
root@tuxserve03.mpiwg-berlin.mpg.de
parents: 6
diff changeset
105 if authuser is not None:
279473355e9b authentication works with hierarchy of acl_users now.
root@tuxserve03.mpiwg-berlin.mpg.de
parents: 6
diff changeset
106 return authuser
6
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
107
17bbd5e80d15 method getLoginToken and real authentication support.
casties
parents: 2
diff changeset
108 return None
0
c33668e282fa first checkin.
casties
parents:
diff changeset
109
c33668e282fa first checkin.
casties
parents:
diff changeset
110 def _generate_token(self, user_id):
c33668e282fa first checkin.
casties
parents:
diff changeset
111 #return JSON-token
2
4c6c8835fc5c new version for new Annotator Auth API using PyJWT.
casties
parents: 0
diff changeset
112 issue_time = datetime.datetime.now(UTC).replace(microsecond=0)
4c6c8835fc5c new version for new Annotator Auth API using PyJWT.
casties
parents: 0
diff changeset
113
4c6c8835fc5c new version for new Annotator Auth API using PyJWT.
casties
parents: 0
diff changeset
114 return jwt.encode({
4c6c8835fc5c new version for new Annotator Auth API using PyJWT.
casties
parents: 0
diff changeset
115 'consumerKey': self.consumer_key,
4c6c8835fc5c new version for new Annotator Auth API using PyJWT.
casties
parents: 0
diff changeset
116 'userId': user_id,
4c6c8835fc5c new version for new Annotator Auth API using PyJWT.
casties
parents: 0
diff changeset
117 'issuedAt': issue_time.isoformat(),
4c6c8835fc5c new version for new Annotator Auth API using PyJWT.
casties
parents: 0
diff changeset
118 'ttl': self.tokenTtl
4c6c8835fc5c new version for new Annotator Auth API using PyJWT.
casties
parents: 0
diff changeset
119 }, self.consumer_secret)
4c6c8835fc5c new version for new Annotator Auth API using PyJWT.
casties
parents: 0
diff changeset
120
0
c33668e282fa first checkin.
casties
parents:
diff changeset
121
c33668e282fa first checkin.
casties
parents:
diff changeset
122 def manage_addAuthTokenGeneratorForm(self):
c33668e282fa first checkin.
casties
parents:
diff changeset
123 """form for adding AuthTokenGenerator"""
c33668e282fa first checkin.
casties
parents:
diff changeset
124 pt = PageTemplateFile("zpt/manage_addAuthTokenGenerator", globals()).__of__(self)
c33668e282fa first checkin.
casties
parents:
diff changeset
125 return pt()
c33668e282fa first checkin.
casties
parents:
diff changeset
126
c33668e282fa first checkin.
casties
parents:
diff changeset
127 def manage_addAuthTokenGenerator(context, id, consumerKey=None, consumerSecret=None):
c33668e282fa first checkin.
casties
parents:
diff changeset
128 """ """
c33668e282fa first checkin.
casties
parents:
diff changeset
129 context._setObject(id, AuthTokenGenerator(id, consumerKey=consumerKey, consumerSecret=consumerSecret))
c33668e282fa first checkin.
casties
parents:
diff changeset
130 return "AuthTokenGenerator Installed: %s" % id