annotate AuthTokenGenerator.py @ 9:41f264620073 default tip

adds user's groups from LDAP to generated token.
author casties
date Thu, 12 Feb 2015 19:46:55 +0100
parents 93c835b645af
children
1 from OFS.SimpleItem import SimpleItem
2 from Products.PageTemplates.PageTemplateFile import PageTemplateFile
3 from OFS.PropertyManager import PropertyManager
4 from AccessControl import getSecurityManager
5 from zExceptions import Unauthorized
6 from Acquisition import aq_chain
8 import logging
0
c33668e282fa first checkin.
casties
parents:
diff changeset
9 import datetime
10 import jwt
ZERO = datetime.timedelta(0)


class Utc(datetime.tzinfo):
    """Fixed-offset tzinfo for UTC: zero offset, no daylight-saving time.

    Python 2 ships no concrete tzinfo, so this minimal one is used to make
    the token's ``issuedAt`` timestamp timezone-aware (``isoformat()`` then
    carries an explicit ``+00:00``).
    """

    _NAME = "UTC"

    def utcoffset(self, dt):
        """Return the (always zero) offset from UTC."""
        return ZERO

    def tzname(self, dt):
        """Return the zone name used by ``%Z`` formatting."""
        return self._NAME

    def dst(self, dt):
        """Return the DST adjustment, which is always zero for UTC."""
        return ZERO


# Shared singleton; tzinfo instances are immutable so one is enough.
UTC = Utc()
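class AuthTokenGenerator(SimpleItem, PropertyManager):
    """Generator of auth tokens for OKFN Annotator.

    Issues a JWT, signed with ``consumer_secret``, that the Annotator "auth"
    plugin forwards to the annotation store.  A token is issued for

    * the pseudo-user ``anonymous`` (always),
    * the Zope user currently logged in, when *user* names that account, or
    * a user whose name/password validate against an ``acl_users`` folder
      found in this object's acquisition chain (``getLoginToken`` only).

    ZMI properties:

    consumer_key
        Identifier placed in the token as ``consumerKey``.
    consumer_secret
        HMAC key the token is signed with; must match the annotation store.
        It is shown in plain text on the property sheet, so restrict ZMI
        access accordingly.
    allowed_origins
        Browser origins (``scheme://host[:port]``, one per line) that may
        fetch tokens cross-origin using the Zope login cookie.  Empty (the
        default) means no credentialed cross-origin access at all; a
        front-end served from another host must be listed here.  See
        ``_set_cors_headers`` for why every Origin is no longer reflected.
    """

    meta_type = 'AuthTokenGenerator'
    _properties = ({'id': 'consumer_key', 'type': 'string', 'mode': 'w'},
                   {'id': 'consumer_secret', 'type': 'string', 'mode': 'w'},
                   {'id': 'allowed_origins', 'type': 'lines', 'mode': 'w'},
                   )

    manage_options = PropertyManager.manage_options + SimpleItem.manage_options

    # Class-level default so instances persisted before this property existed
    # still have a value (ZODB does not re-run __init__ when loading them).
    allowed_origins = ()

    # Lifetime of a token in seconds, sent to the store as the ``ttl`` claim
    # (24 h).  Nothing in this module can revoke an issued token, so a longer
    # TTL widens the window in which a leaked token stays usable.
    # Only change this if you're sure you know what you're doing
    tokenTtl = 86400

    def __init__(self, id, consumerKey=None, consumerSecret=None, allowedOrigins=()):
        """Create a generator with Zope id *id* and the given consumer credentials.

        *allowedOrigins* is an iterable of origins for the CORS allowlist
        (see ``allowed_origins``); the default admits none.
        """
        self.id = id
        self.consumer_key = consumerKey
        self.consumer_secret = consumerSecret
        self.allowed_origins = tuple(allowedOrigins)

    def index_html(self, user='anonymous'):
        """Return an authentication token for *user* (Zope style).

        *user* must be ``anonymous`` or the name of the currently logged-in
        Zope user; this entry point takes no password.  Raises Unauthorized
        otherwise, which makes Zope answer with its usual login challenge.
        """
        zUser = self._allowed_user(user=user)
        logging.debug("allowed user: %s" % repr(zUser))
        if not zUser:
            raise Unauthorized
        token = self._generate_token(zUser)
        self._set_cors_headers()
        # The token is a bearer credential: log that one was issued, never
        # the token itself.
        logging.debug("token issued for user %s" % user)
        self.REQUEST.RESPONSE.setHeader("Content-Type", "text/plain")
        return token

    def getLoginToken(self, user='anonymous', password=None):
        """Return an authentication token for *user*, or an error text.

        Unlike ``index_html`` this accepts a *password* and checks it against
        the ``acl_users`` folders in the acquisition chain.  On failure the
        response status is set to Unauthorized (401) and a short message is
        returned instead of raising, so a browser client gets a readable body.

        The password arrives as an ordinary request parameter; sent with GET
        it ends up in the URL, server logs and Referer headers, so clients
        should POST it over HTTPS.
        """
        # CORS headers go out on both success and failure so a permitted
        # front-end can read the 401 body as well.
        self._set_cors_headers()
        zUser = self._allowed_user(user=user, password=password)
        logging.debug("allowed user: %s" % repr(zUser))
        if not zUser:
            self.REQUEST.RESPONSE.setStatus('Unauthorized')
            return "Please Authenticate!"
        token = self._generate_token(zUser)
        logging.debug("token issued for user %s" % user)
        self.REQUEST.RESPONSE.setHeader("Content-Type", "text/plain")
        return token

    # Helpers below are underscore-prefixed so ZPublisher does not expose them
    # as URLs (any other method with a docstring would be callable).

    def _origin_allowed(self, origin):
        """Return True if *origin* exactly matches an entry of ``allowed_origins``.

        Entries are compared as whole strings after stripping whitespace: no
        wildcards and no prefix matching, so ``https://example.org`` does not
        admit ``https://example.org.attacker.net``.
        """
        allowed = [o.strip() for o in (self.allowed_origins or ()) if o.strip()]
        return origin in allowed

    def _set_cors_headers(self):
        """Add CORS headers for the current request to ``self.REQUEST.RESPONSE``.

        An Origin on the allowlist is reflected together with
        ``Access-Control-Allow-Credentials: true`` (and ``Vary: Origin`` so a
        shared cache never serves one origin's response to another).  Any
        other Origin gets no CORS headers, which makes the browser refuse the
        cross-origin read.  Earlier revisions reflected *every* Origin with
        credentials, letting any web page fetch a logged-in user's token with
        the victim's Zope session cookie.  A request without an Origin header
        (non-browser client or same-origin navigation) gets ``*`` without
        credentials, a combination browsers never pair with cookies.
        """
        request = self.REQUEST
        response = request.RESPONSE
        origin = request.getHeader("Origin", None)
        if origin is None:
            response.setHeader("Access-Control-Allow-Origin", "*")
        elif self._origin_allowed(origin):
            response.setHeader("Access-Control-Allow-Origin", origin)
            response.setHeader("Access-Control-Allow-Credentials", "true")
            response.appendHeader("Vary", "Origin")
        else:
            logging.warning("AuthTokenGenerator %s: origin %r is not in allowed_origins, "
                            "no CORS headers sent" % (self.id, origin))

    def _allowed_user(self, user=None, password=None):
        """Resolve *user* to something a token can be issued for, or None.

        Returns the string ``'anonymous'`` for the anonymous pseudo-user, the
        current Zope user object when *user* is the logged-in account, or the
        user object returned by the first ``acl_users`` folder in the
        acquisition chain that accepts *user*/*password*.  None means "not
        authenticated".
        """
        if user == 'anonymous':
            # everybody can be anonymous
            return user
        if not user:
            return None

        # A user who is already logged in to Zope needs no password.
        authuser = getSecurityManager().getUser()
        if authuser.getUserName() == user:
            return authuser

        if not password:
            return None

        logging.debug("trying password for token for user %s" % user)
        # Walk from this object up to the root and try each distinct user
        # folder.  An acquired acl_users shows up again at every level below
        # its owner, so identical folders are skipped rather than re-checked.
        userfolder = None
        for ctx in aq_chain(self):
            new_uf = getattr(ctx, 'acl_users', None)
            if new_uf is None or new_uf == userfolder:
                continue
            userfolder = new_uf
            authuser = userfolder.authenticate(user, password, None)
            if authuser is not None:
                return authuser
        return None

    def _generate_token(self, user):
        """Build and sign the Annotator JWT for *user*.

        *user* is either the string ``'anonymous'`` or a Zope user object
        (anything with ``getUserName``).  LDAP users (objects providing
        ``_getLDAPGroups``) additionally get their groups as ``memberOf``.
        Returns the compact serialized token, signed with HS256.

        Raises ValueError when ``consumer_secret`` is unset: signing with an
        empty key would yield tokens anyone could forge, so an unconfigured
        generator fails loudly instead.
        """
        secret = self.consumer_secret
        if not secret:
            raise ValueError("AuthTokenGenerator %s: consumer_secret is not configured" % self.id)

        # issuedAt must be timezone-aware so isoformat() carries "+00:00".
        issue_time = datetime.datetime.now(UTC).replace(microsecond=0)
        if hasattr(user, 'getUserName'):
            user_id = user.getUserName()
        else:
            # the anonymous pseudo-user is passed as a plain string
            user_id = user

        payload = {
            'consumerKey': self.consumer_key,
            'userId': user_id,
            'issuedAt': issue_time.isoformat(),
            'ttl': self.tokenTtl,
        }

        if hasattr(user, '_getLDAPGroups'):
            # add groups from LDAP -- presumably a JSON-serialisable list of
            # group names; TODO confirm against the LDAPUserFolder in use
            payload['memberOf'] = user._getLDAPGroups()

        logging.debug("token payload=%s" % repr(payload))
        # Pin the signing algorithm rather than rely on the library default.
        return jwt.encode(payload, secret, algorithm='HS256')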
def manage_addAuthTokenGeneratorForm(self):
    """Render the ZMI "add" form for an AuthTokenGenerator.

    The page template lives in ``zpt/`` next to this module; wrapping it
    with ``__of__(self)`` places it in the acquisition context of the folder
    the object is being added to, so the template can reach REQUEST etc.
    """
    template = PageTemplateFile("zpt/manage_addAuthTokenGenerator", globals())
    bound = template.__of__(self)
    return bound()
def manage_addAuthTokenGenerator(context, id, consumerKey=None, consumerSecret=None):
    """Create an AuthTokenGenerator named *id* inside *context* (ZMI add hook).

    *consumerKey* and *consumerSecret* seed the ``consumer_key`` and
    ``consumer_secret`` properties; both can be edited later in the ZMI.
    Returns a short confirmation string.
    """
    generator = AuthTokenGenerator(id, consumerKey=consumerKey,
                                   consumerSecret=consumerSecret)
    context._setObject(id, generator)
    return "AuthTokenGenerator Installed: %s" % id