comparison AuthTokenGenerator.py @ 9:41f264620073 default tip
Adds the user's LDAP groups to the generated token.
| author | casties |
|---|---|
| date | Thu, 12 Feb 2015 19:46:55 +0100 |
| parents | 93c835b645af |
| children |
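--- a/AuthTokenGenerator.py
+++ b/AuthTokenGenerator.py
@@ -42,12 +42,14 @@
         self.consumer_key = consumerKey
         self.consumer_secret = consumerSecret
 
     def index_html(self, user='anonymous'):
         """returns authentication token for user (Zope style)"""
-        if self._user_allowed(user=user):
-            token = self._generate_token(user)
+        zUser = self._allowed_user(user=user)
+        logging.debug("allowed user: %s"%repr(zUser))
+        if zUser:
+            token = self._generate_token(zUser)
             # set CORS headers
             origin = self.REQUEST.getHeader("Origin", None)
             if origin is not None:
                 self.REQUEST.RESPONSE.setHeader("Access-Control-Allow-Origin", origin)
             else:
@@ -68,31 +70,33 @@
             self.REQUEST.RESPONSE.setHeader("Access-Control-Allow-Origin", origin)
         else:
             self.REQUEST.RESPONSE.setHeader("Access-Control-Allow-Origin", "*")
 
         self.REQUEST.RESPONSE.setHeader("Access-Control-Allow-Credentials", "true")
-        if self._user_allowed(user=user, password=password):
-            token = self._generate_token(user)
+        zUser = self._allowed_user(user=user, password=password)
+        logging.debug("allowed user: %s"%repr(zUser))
+        if zUser:
+            token = self._generate_token(zUser)
             logging.debug("token for user %s: %s"%(user, token))
             self.REQUEST.RESPONSE.setHeader("Content-Type", "text/plain")
             return token
         else:
             self.REQUEST.RESPONSE.setStatus('Unauthorized')
             return "Please Authenticate!"
 
-    def _user_allowed(self, user=None, password=None):
+    def _allowed_user(self, user=None, password=None):
         # check the login
         if user == 'anonymous':
             # everybody can be anonymous
             return user
 
         # get logged in user from Zope
         authuser = getSecurityManager().getUser()
         authname = authuser.getUserName()
         if authname == user:
             # user is logged in
-            return authname
+            return authuser
 
         if password:
             logging.debug("trying password for token for user %s"%user)
             # try all user folders in aq_chain
             authuser = None
@@ -105,20 +109,32 @@
             if authuser is not None:
                 return authuser
 
         return None
 
-    def _generate_token(self, user_id):
+    def _generate_token(self, user):
         #return JSON-token
         issue_time = datetime.datetime.now(UTC).replace(microsecond=0)
+        if isinstance(user, basestring):
+            # not a real User object
+            user_id = user
+        else:
+            user_id = user.getUserName()
+
+        payload = {
+            'consumerKey':self.consumer_key,
+            'userId':user_id,
+            'issuedAt':issue_time.isoformat(),
+            'ttl':self.tokenTtl}
 
-        return jwt.encode({
-            'consumerKey': self.consumer_key,
-            'userId': user_id,
-            'issuedAt': issue_time.isoformat(),
-            'ttl': self.tokenTtl
-        }, self.consumer_secret)
+        if hasattr(user, '_getLDAPGroups'):
+            # add groups from LDAP
+            groups = user._getLDAPGroups()
+            payload['memberOf'] = groups
+
+        logging.debug("token payload=%s"%repr(payload))
+        return jwt.encode(payload, self.consumer_secret)
 
 
 def manage_addAuthTokenGeneratorForm(self):
     """form for adding AuthTokenGenerator"""
     pt = PageTemplateFile("zpt/manage_addAuthTokenGenerator", globals()).__of__(self)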
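Review bot: The new guards `if zUser:` at lines 49 and 77 now test the truthiness of a Zope user object rather than a name, while `_allowed_user` signals failure with an explicit `return None` at line 112; check for that directly with `if zUser is not None:` so an authenticated user object that happens to evaluate falsy is not turned into an Unauthorized response. The `memberOf` claim added in `_generate_token` is copied straight from `_getLDAPGroups()` into the signed payload; I cannot see that method from here, so if it can return something other than a list of plain strings (a tuple, `None`, or user-folder objects) `jwt.encode` will either fail or emit a claim consumers do not expect, and `payload['memberOf'] = list(groups or [])` would make the shape explicit. While debug logging is being extended in both methods, note that line 79 still writes the signed token itself to the log, which leaks a bearer credential wherever debug logging is enabled; logging `user_id` and `memberOf` only would be safer. The method containing lines 70–84 starts outside the hunk, as does the user-folder loop at 103–108 in `_allowed_user`.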
