# HG changeset patch
# User casties
# Date 1423766815 -3600
# Node ID 41f26462007308a6640b46728d5a8976f3878f89
# Parent 93c835b645af293e5d906e993e96aa56535a7a09
adds user's groups from LDAP to generated token.
diff -r 93c835b645af -r 41f264620073 AuthTokenGenerator.py
--- a/AuthTokenGenerator.py Fri Nov 09 18:12:47 2012 +0100
+++ b/AuthTokenGenerator.py Thu Feb 12 19:46:55 2015 +0100
@@ -44,8 +44,10 @@
 def index_html(self, user='anonymous'):
 """returns authentication token for user (Zope style)"""
- if self._user_allowed(user=user):
- token = self._generate_token(user)
+ zUser = self._allowed_user(user=user)
+ logging.debug("allowed user: %s"%repr(zUser))
+ if zUser:
+ token = self._generate_token(zUser)
 # set CORS headers
 origin = self.REQUEST.getHeader("Origin", None)
 if origin is not None:
@@ -70,8 +72,10 @@
 self.REQUEST.RESPONSE.setHeader("Access-Control-Allow-Origin", "*")
 self.REQUEST.RESPONSE.setHeader("Access-Control-Allow-Credentials", "true")
- if self._user_allowed(user=user, password=password):
- token = self._generate_token(user)
+ zUser = self._allowed_user(user=user, password=password)
+ logging.debug("allowed user: %s"%repr(zUser))
+ if zUser:
+ token = self._generate_token(zUser)
 logging.debug("token for user %s: %s"%(user, token))
 self.REQUEST.RESPONSE.setHeader("Content-Type", "text/plain")
 return token
@@ -79,7 +83,7 @@
 self.REQUEST.RESPONSE.setStatus('Unauthorized')
 return "Please Authenticate!"
- def _user_allowed(self, user=None, password=None):
+ def _allowed_user(self, user=None, password=None):
 # check the login
 if user == 'anonymous':
 # everybody can be anonymous
@@ -90,7 +94,7 @@
 authname = authuser.getUserName()
 if authname == user:
 # user is logged in
- return authname
+ return authuser
 if password:
 logging.debug("trying password for token for user %s"%user)
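Review bot: The new `logging.debug("allowed user: %s"%repr(zUser))` line is repeated verbatim in the second hunk (the password-based method at -70), and in both places the `%` formatting builds the repr eagerly even when DEBUG logging is disabled. Emitting that log once inside `_allowed_user`, just before each of its returns, would leave both callers with only `zUser = self._allowed_user(...)` / `if zUser:`; where a call-site log is kept, the lazy form `logging.debug("allowed user: %r", zUser)` defers the work to the logger. The `if zUser:` guard also relies on the returned Zope user object being truthy, which nothing in the patch establishes; `if zUser is not None:` states the intent directly, since `_allowed_user` appears to end with the `return None` visible at the top of the last hunk. index_html's body continues past this hunk.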
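Review bot: The context line `logging.debug("token for user %s: %s"%(user, token))` directly below the new `if zUser:` block writes the complete signed token to the log, and this commit additionally puts `memberOf` group claims into that token, so a DEBUG-level log now carries a replayable bearer credential together with the user's LDAP group list. The token stays valid for `self.tokenTtl` after issue, so anyone able to read the log obtains exactly what the endpoint is meant to hand only to the authenticated client. Log the subject rather than the credential, e.g. `logging.debug("issued token for user %s", user)`; the new `logging.debug("token payload=%s"%repr(payload))` line in `_generate_token` (last hunk) likewise places the full claim set, groups included, into the log. The enclosing method begins outside this hunk.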
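Review bot: `return authuser` changes what `_allowed_user` hands back from a user-name string to a Zope user object, while the anonymous branch (its body lies outside this hunk) evidently still yields a string, since `_generate_token` in the last hunk special-cases `isinstance(user, basestring)` for exactly that. A method whose result is sometimes a string, sometimes an object and sometimes `None` (the `return None` context line at the top of the last hunk) needs that contract written down, and the only comment is `# check the login`. Suggest replacing it with a docstring such as `"""Return the authenticated Zope user object, a plain user-name string for anonymous access, or None when the login is refused."""`. `_allowed_user` begins and ends outside this hunk.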
@@ -107,16 +111,28 @@
 return None
- def _generate_token(self, user_id):
+ def _generate_token(self, user):
 #return JSON-token
 issue_time = datetime.datetime.now(UTC).replace(microsecond=0)
+ if isinstance(user, basestring):
+ # not a real User object
+ user_id = user
+ else:
+ user_id = user.getUserName()
+
+ payload = {
+ 'consumerKey':self.consumer_key,
+ 'userId':user_id,
+ 'issuedAt':issue_time.isoformat(),
+ 'ttl':self.tokenTtl}
- return jwt.encode({
- 'consumerKey': self.consumer_key,
- 'userId': user_id,
- 'issuedAt': issue_time.isoformat(),
- 'ttl': self.tokenTtl
- }, self.consumer_secret)
+ if hasattr(user, '_getLDAPGroups'):
+ # add groups from LDAP
+ groups = user._getLDAPGroups()
+ payload['memberOf'] = groups
+
+ logging.debug("token payload=%s"%repr(payload))
+ return jwt.encode(payload, self.consumer_secret)
 def manage_addAuthTokenGeneratorForm(self):
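Review bot: The new `memberOf` claim is set from `user._getLDAPGroups()` with no check on the result's shape or size, and because the token is returned to the requesting client, the user's complete LDAP group list is now disclosed to every consumer that obtains a token and, via the new `logging.debug("token payload=%s"%repr(payload))` line, to the log as well. An exception or a non-JSON-serialisable value from the underscore-prefixed LDAP helper is not handled here either and would turn the whole token request into a failure rather than a token without groups. At minimum guard the claim, `if groups: payload['memberOf'] = groups`, so an empty or None result does not emit `"memberOf": null`, and consider limiting the list to the groups the consumer actually needs. The `jwt.encode(payload, self.consumer_secret)` call also relies on the library's default signing algorithm; passing `algorithm='HS256'` explicitly pins what the verifying side has to expect.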