changeset 9:41f264620073 default tip

adds the user's groups from LDAP to the generated token.
author casties
date Thu, 12 Feb 2015 19:46:55 +0100
parents 93c835b645af
children
files AuthTokenGenerator.py
diffstat 1 files changed, 29 insertions(+), 13 deletions(-) [+]
--- a/AuthTokenGenerator.py	Fri Nov 09 18:12:47 2012 +0100
+++ b/AuthTokenGenerator.py	Thu Feb 12 19:46:55 2015 +0100
@@ -44,8 +44,10 @@
 
     def index_html(self, user='anonymous'):
         """returns authentication token for user (Zope style)"""
-        if self._user_allowed(user=user):
-            token = self._generate_token(user)
+        zUser = self._allowed_user(user=user)
+        logging.debug("allowed user: %s"%repr(zUser))
+        if zUser:
+            token = self._generate_token(zUser)
             # set CORS headers
             origin = self.REQUEST.getHeader("Origin", None)
             if origin is not None:
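Review bot: The new debug line `logging.debug("allowed user: %s"%repr(zUser))` (repeated in the next hunk, and again as `token payload=` in the last one) formats eagerly with `%`; the lazy logging form `logging.debug("allowed user: %r", zUser)` defers the repr until debug output is actually enabled and is the idiomatic spelling. Separately, `if zUser:` now truth-tests whatever `_allowed_user` returns, which judging by the `basestring` branch in `_generate_token` is a user object on some paths and a plain name string on others; `if zUser is not None:` would state the intent and not rely on the user class's truthiness. index_html's body continues outside the hunk.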
@@ -70,8 +72,10 @@
             self.REQUEST.RESPONSE.setHeader("Access-Control-Allow-Origin", "*")
 
         self.REQUEST.RESPONSE.setHeader("Access-Control-Allow-Credentials", "true")
-        if self._user_allowed(user=user, password=password):
-            token = self._generate_token(user)
+        zUser = self._allowed_user(user=user, password=password)
+        logging.debug("allowed user: %s"%repr(zUser))
+        if zUser:
+            token = self._generate_token(zUser)
             logging.debug("token for user %s: %s"%(user, token))
             self.REQUEST.RESPONSE.setHeader("Content-Type", "text/plain")
             return token
@@ -79,7 +83,7 @@
             self.REQUEST.RESPONSE.setStatus('Unauthorized')
             return "Please Authenticate!"
 
-    def _user_allowed(self, user=None, password=None):
+    def _allowed_user(self, user=None, password=None):
         # check the login
         if user == 'anonymous':
             # everybody can be anonymous
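Review bot: `_allowed_user` has no docstring and its return contract changes with the rename: the logged-in branch (in the next hunk) now returns the `authuser` object instead of its name, while the anonymous and password branches fall outside these hunks and, judging by the `basestring` handling in `_generate_token`, may still return a plain string. Callers only truth-test the result, so the mixed return type is easy to miss; replacing `# check the login` with a docstring such as `"""Return the authenticated user (a user object, or a plain name where no user object exists) if *user* may obtain a token, otherwise None."""`, adjusted to what the hidden branches actually return, would pin it down. The method body continues past the end of this hunk.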
@@ -90,7 +94,7 @@
         authname = authuser.getUserName()
         if authname == user:
             # user is logged in
-            return authname
+            return authuser
         
         if password:
             logging.debug("trying password for token for user %s"%user)
@@ -107,16 +111,28 @@
             
         return None
 
-    def _generate_token(self, user_id):
+    def _generate_token(self, user):
         #return JSON-token
         issue_time = datetime.datetime.now(UTC).replace(microsecond=0)
+        if isinstance(user, basestring):
+            # not a real User object
+            user_id = user
+        else:
+            user_id = user.getUserName()
+            
+        payload = {
+            'consumerKey':self.consumer_key, 
+            'userId':user_id, 
+            'issuedAt':issue_time.isoformat(), 
+            'ttl':self.tokenTtl}
         
-        return jwt.encode({
-           'consumerKey': self.consumer_key,
-           'userId': user_id,
-           'issuedAt': issue_time.isoformat(),
-           'ttl': self.tokenTtl
-           }, self.consumer_secret)
+        if hasattr(user, '_getLDAPGroups'):
+            # add groups from LDAP
+            groups = user._getLDAPGroups()
+            payload['memberOf'] = groups
+            
+        logging.debug("token payload=%s"%repr(payload))
+        return jwt.encode(payload, self.consumer_secret)
         
 
 def manage_addAuthTokenGeneratorForm(self):
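Review bot: The `memberOf` claim is now part of the signed token that consumers may act on, yet it is populated through `hasattr(user, '_getLDAPGroups')` on a private method and `_generate_token` is documented only by `#return JSON-token`; the docstring should state the accepted `user` forms (name string or user object), list the claims (`consumerKey`, `userId`, `issuedAt`, `ttl`, and `memberOf` only when the user object exposes LDAP groups), and note that a token without `memberOf` means "groups unknown", not "no groups". `jwt.encode` has to JSON-serialize whatever `_getLDAPGroups()` returns, so it is worth confirming that it yields a list of strings rather than LDAP result objects. `logging.debug("token payload=%s"%repr(payload))` dumps every claim eagerly; `logging.debug("token payload=%r", payload)` is the lazy, idiomatic form. The new dict literal also carries trailing whitespace and missing spaces after colons (`'consumerKey':self.consumer_key, `), and several of the surrounding blank lines are indented whitespace-only; a formatter pass would clean these up.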