comparison AuthTokenGenerator.py @ 9:41f264620073 default tip
Adds the user's groups from LDAP to the generated token.
author | casties |
---|---|
date | Thu, 12 Feb 2015 19:46:55 +0100 |
parents | 93c835b645af |
children |
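--- a/AuthTokenGenerator.py
+++ b/AuthTokenGenerator.py
@@ -42,12 +42,14 @@
 self.consumer_key = consumerKey
 self.consumer_secret = consumerSecret
 
 def index_html(self, user='anonymous'):
 """returns authentication token for user (Zope style)"""
-if self._user_allowed(user=user):
-token = self._generate_token(user)
+zUser = self._allowed_user(user=user)
+logging.debug("allowed user: %s"%repr(zUser))
+if zUser:
+token = self._generate_token(zUser)
 # set CORS headers
 origin = self.REQUEST.getHeader("Origin", None)
 if origin is not None:
 self.REQUEST.RESPONSE.setHeader("Access-Control-Allow-Origin", origin)
 else:
@@ -68,31 +70,33 @@
 self.REQUEST.RESPONSE.setHeader("Access-Control-Allow-Origin", origin)
 else:
 self.REQUEST.RESPONSE.setHeader("Access-Control-Allow-Origin", "*")
 
 self.REQUEST.RESPONSE.setHeader("Access-Control-Allow-Credentials", "true")
-if self._user_allowed(user=user, password=password):
-token = self._generate_token(user)
+zUser = self._allowed_user(user=user, password=password)
+logging.debug("allowed user: %s"%repr(zUser))
+if zUser:
+token = self._generate_token(zUser)
 logging.debug("token for user %s: %s"%(user, token))
 self.REQUEST.RESPONSE.setHeader("Content-Type", "text/plain")
 return token
 else:
 self.REQUEST.RESPONSE.setStatus('Unauthorized')
 return "Please Authenticate!"
 
-def _user_allowed(self, user=None, password=None):
+def _allowed_user(self, user=None, password=None):
 # check the login
 if user == 'anonymous':
 # everybody can be anonymous
 return user
 
 # get logged in user from Zope
 authuser = getSecurityManager().getUser()
 authname = authuser.getUserName()
 if authname == user:
 # user is logged in
-return authname
+return authuser
 
 if password:
 logging.debug("trying password for token for user %s"%user)
 # try all user folders in aq_chain
 authuser = None
@@ -105,20 +109,32 @@
 if authuser is not None:
 return authuser
 
 return None
 
-def _generate_token(self, user_id):
+def _generate_token(self, user):
 #return JSON-token
 issue_time = datetime.datetime.now(UTC).replace(microsecond=0)
+if isinstance(user, basestring):
+# not a real User object
+user_id = user
+else:
+user_id = user.getUserName()
+
+payload = {
+'consumerKey':self.consumer_key,
+'userId':user_id,
+'issuedAt':issue_time.isoformat(),
+'ttl':self.tokenTtl}
 
-return jwt.encode({
-'consumerKey': self.consumer_key,
-'userId': user_id,
-'issuedAt': issue_time.isoformat(),
-'ttl': self.tokenTtl
-}, self.consumer_secret)
+if hasattr(user, '_getLDAPGroups'):
+# add groups from LDAP
+groups = user._getLDAPGroups()
+payload['memberOf'] = groups
+
+logging.debug("token payload=%s"%repr(payload))
+return jwt.encode(payload, self.consumer_secret)
 
 
 def manage_addAuthTokenGeneratorForm(self):
 """form for adding AuthTokenGenerator"""
 pt = PageTemplateFile("zpt/manage_addAuthTokenGenerator", globals()).__of__(self)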
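Review bot: In the new `_generate_token` the `hasattr(user, '_getLDAPGroups')` guard only establishes that the accessor exists; if the LDAP lookup itself raises, the exception propagates out of the token endpoint, so the method fails closed (no token at all) rather than issuing a token without groups, and nothing on the page says which behaviour is intended. Because `memberOf` is a snapshot taken at issue time that any consumer will trust for `self.tokenTtl` without re-checking the directory, the `#return JSON-token` comment should become a docstring stating that `user` is either a user-name string or a Zope user object, that `memberOf` is added only when the object exposes `_getLDAPGroups`, that group membership is frozen for the token's lifetime, and what happens when the lookup fails. `logging.debug("token payload=%s"%repr(payload))` writes group membership to the log, and the unchanged line `logging.debug("token for user %s: %s"%(user, token))` in the second hunk writes the signed token itself, so enabling debug logging on this object discloses issued bearer credentials; that deserves a `# NOTE: debug logging exposes issued tokens and group membership` next to the payload log. In the first two hunks `if zUser:` relies on the truthiness of the Zope user object returned by `_allowed_user`, which signals failure with `None`; `if zUser is not None:` states that contract and does not depend on the object defining `__nonzero__` or `__len__` (both enclosing `index_html` bodies extend outside their hunks).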