Mercurial > hg > OKFNAnnotator

changeset 9:41f264620073 default tip

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
adds user's groups from LDAP to generated token.
author casties
date Thu, 12 Feb 2015 19:46:55 +0100
parents 93c835b645af
children
files AuthTokenGenerator.py
diffstat 1 files changed, 29 insertions(+), 13 deletions(-) [+]
line wrap: on
line diff
--- a/AuthTokenGenerator.py	Fri Nov 09 18:12:47 2012 +0100
+++ b/AuthTokenGenerator.py	Thu Feb 12 19:46:55 2015 +0100
@@ -44,8 +44,10 @@
 
     def index_html(self, user='anonymous'):
         """returns authentication token for user (Zope style)"""
-        if self._user_allowed(user=user):
-            token = self._generate_token(user)
+        zUser = self._allowed_user(user=user)
+        logging.debug("allowed user: %s"%repr(zUser))
+        if zUser:
+            token = self._generate_token(zUser)
             # set CORS headers
             origin = self.REQUEST.getHeader("Origin", None)
             if origin is not None:
@@ -70,8 +72,10 @@
             self.REQUEST.RESPONSE.setHeader("Access-Control-Allow-Origin", "*")
 
         self.REQUEST.RESPONSE.setHeader("Access-Control-Allow-Credentials", "true")
-        if self._user_allowed(user=user, password=password):
-            token = self._generate_token(user)
+        zUser = self._allowed_user(user=user, password=password)
+        logging.debug("allowed user: %s"%repr(zUser))
+        if zUser:
+            token = self._generate_token(zUser)
             logging.debug("token for user %s: %s"%(user, token))
             self.REQUEST.RESPONSE.setHeader("Content-Type", "text/plain")
             return token
@@ -79,7 +83,7 @@
             self.REQUEST.RESPONSE.setStatus('Unauthorized')
             return "Please Authenticate!"
 
-    def _user_allowed(self, user=None, password=None):
+    def _allowed_user(self, user=None, password=None):
         # check the login
         if user == 'anonymous':
             # everybody can be anonymous
@@ -90,7 +94,7 @@
         authname = authuser.getUserName()
         if authname == user:
             # user is logged in
-            return authname
+            return authuser
         
         if password:
             logging.debug("trying password for token for user %s"%user)
@@ -107,16 +111,28 @@
             
         return None
 
-    def _generate_token(self, user_id):
+    def _generate_token(self, user):
         #return JSON-token
         issue_time = datetime.datetime.now(UTC).replace(microsecond=0)
+        if isinstance(user, basestring):
+            # not a real User object
+            user_id = user
+        else:
+            user_id = user.getUserName()
+            
+        payload = {
+            'consumerKey':self.consumer_key, 
+            'userId':user_id, 
+            'issuedAt':issue_time.isoformat(), 
+            'ttl':self.tokenTtl}
         
-        return jwt.encode({
-           'consumerKey': self.consumer_key,
-           'userId': user_id,
-           'issuedAt': issue_time.isoformat(),
-           'ttl': self.tokenTtl
-           }, self.consumer_secret)
+        if hasattr(user, '_getLDAPGroups'):
+            # add groups from LDAP
+            groups = user._getLDAPGroups()
+            payload['memberOf'] = groups
+            
+        logging.debug("token payload=%s"%repr(payload))
+        return jwt.encode(payload, self.consumer_secret)
         
 
 def manage_addAuthTokenGeneratorForm(self):