| 1 | from OFS.SimpleItem import SimpleItem |
|---|
| 2 | from Products.PageTemplates.PageTemplateFile import PageTemplateFile |
|---|
| 3 | from OFS.PropertyManager import PropertyManager |
|---|
| 4 | from AccessControl import getSecurityManager |
|---|
| 5 | from zExceptions import Unauthorized |
|---|
| 6 | |
|---|
| 7 | import logging |
|---|
| 8 | import datetime |
|---|
| 9 | import jwt |
|---|
| 10 | |
|---|
| 11 | |
|---|
| 12 | ZERO = datetime.timedelta(0) |
|---|
| 13 | class Utc(datetime.tzinfo): |
|---|
| 14 | def utcoffset(self, dt): |
|---|
| 15 | return ZERO |
|---|
| 16 | |
|---|
| 17 | def tzname(self, dt): |
|---|
| 18 | return "UTC" |
|---|
| 19 | |
|---|
| 20 | def dst(self, dt): |
|---|
| 21 | return ZERO |
|---|
| 22 | UTC = Utc() |
|---|
| 23 | |
|---|
| 24 | |
|---|
| 25 | class AuthTokenGenerator(SimpleItem, PropertyManager): |
|---|
| 26 | """Generator of auth tokens for OKFN Annotator""" |
|---|
| 27 | |
|---|
| 28 | meta_type = 'AuthTokenGenerator' |
|---|
| 29 | _properties = ({'id':'consumer_key', 'type': 'string', 'mode': 'w'}, |
|---|
| 30 | {'id':'consumer_secret', 'type': 'string', 'mode': 'w'}, |
|---|
| 31 | ) |
|---|
| 32 | |
|---|
| 33 | manage_options = PropertyManager.manage_options + SimpleItem.manage_options |
|---|
| 34 | |
|---|
| 35 | # Only change this if you're sure you know what you're doing |
|---|
| 36 | tokenTtl = 86400 |
|---|
| 37 | |
|---|
| 38 | def __init__(self, id, consumerKey=None, consumerSecret=None): |
|---|
| 39 | """init document viewer""" |
|---|
| 40 | self.id = id |
|---|
| 41 | self.consumer_key = consumerKey |
|---|
| 42 | self.consumer_secret = consumerSecret |
|---|
| 43 | |
|---|
| 44 | def index_html(self, user='anonymous'): |
|---|
| 45 | """returns authentication token for user (Zope style)""" |
|---|
| 46 | if self._user_allowed(user=user): |
|---|
| 47 | token = self._generate_token(user) |
|---|
| 48 | # set CORS headers |
|---|
| 49 | origin = self.REQUEST.getHeader("Origin", None) |
|---|
| 50 | if origin is not None: |
|---|
| 51 | self.REQUEST.RESPONSE.setHeader("Access-Control-Allow-Origin", origin) |
|---|
| 52 | else: |
|---|
| 53 | self.REQUEST.RESPONSE.setHeader("Access-Control-Allow-Origin", "*") |
|---|
| 54 | |
|---|
| 55 | self.REQUEST.RESPONSE.setHeader("Access-Control-Allow-Credentials", "true") |
|---|
| 56 | logging.debug("token for user %s: %s"%(user, token)) |
|---|
| 57 | self.REQUEST.RESPONSE.setHeader("Content-Type", "text/plain") |
|---|
| 58 | return token |
|---|
| 59 | else: |
|---|
| 60 | raise Unauthorized |
|---|
| 61 | |
|---|
| 62 | def getLoginToken(self, user='anonymous', password=None): |
|---|
| 63 | """returns authentication token or error code""" |
|---|
| 64 | # set CORS headers |
|---|
| 65 | origin = self.REQUEST.getHeader("Origin", None) |
|---|
| 66 | if origin is not None: |
|---|
| 67 | self.REQUEST.RESPONSE.setHeader("Access-Control-Allow-Origin", origin) |
|---|
| 68 | else: |
|---|
| 69 | self.REQUEST.RESPONSE.setHeader("Access-Control-Allow-Origin", "*") |
|---|
| 70 | |
|---|
| 71 | self.REQUEST.RESPONSE.setHeader("Access-Control-Allow-Credentials", "true") |
|---|
| 72 | if self._user_allowed(user=user, password=password): |
|---|
| 73 | token = self._generate_token(user) |
|---|
| 74 | logging.debug("token for user %s: %s"%(user, token)) |
|---|
| 75 | self.REQUEST.RESPONSE.setHeader("Content-Type", "text/plain") |
|---|
| 76 | return token |
|---|
| 77 | else: |
|---|
| 78 | self.REQUEST.RESPONSE.setStatus('Unauthorized') |
|---|
| 79 | return "Please Authenticate!" |
|---|
| 80 | |
|---|
| 81 | |
|---|
| 82 | def _user_allowed(self, user=None, password=None): |
|---|
| 83 | # check the login |
|---|
| 84 | if user == 'anonymous': |
|---|
| 85 | # everybody can be anonymous |
|---|
| 86 | return user |
|---|
| 87 | |
|---|
| 88 | # get logged in user |
|---|
| 89 | authuser = getSecurityManager().getUser() |
|---|
| 90 | authname = authuser.getUserName() |
|---|
| 91 | logging.debug("token_allowed: user=%s authuser=%s username=%s"%(user, repr(authuser), repr(authname))) |
|---|
| 92 | if authname == user: |
|---|
| 93 | # user is logged in |
|---|
| 94 | return authname |
|---|
| 95 | |
|---|
| 96 | if password: |
|---|
| 97 | logging.debug("trying password") |
|---|
| 98 | # TODO: should we care about aquisition? |
|---|
| 99 | authuser = self.acl_users.authenticate(user, password, None) |
|---|
| 100 | return authuser |
|---|
| 101 | |
|---|
| 102 | return None |
|---|
| 103 | |
|---|
| 104 | def _generate_token(self, user_id): |
|---|
| 105 | #return JSON-token |
|---|
| 106 | issue_time = datetime.datetime.now(UTC).replace(microsecond=0) |
|---|
| 107 | |
|---|
| 108 | return jwt.encode({ |
|---|
| 109 | 'consumerKey': self.consumer_key, |
|---|
| 110 | 'userId': user_id, |
|---|
| 111 | 'issuedAt': issue_time.isoformat(), |
|---|
| 112 | 'ttl': self.tokenTtl |
|---|
| 113 | }, self.consumer_secret) |
|---|
| 114 | |
|---|
| 115 | |
|---|
| 116 | def manage_addAuthTokenGeneratorForm(self): |
|---|
| 117 | """form for adding AuthTokenGenerator""" |
|---|
| 118 | pt = PageTemplateFile("zpt/manage_addAuthTokenGenerator", globals()).__of__(self) |
|---|
| 119 | return pt() |
|---|
| 120 | |
|---|
| 121 | def manage_addAuthTokenGenerator(context, id, consumerKey=None, consumerSecret=None): |
|---|
| 122 | """ """ |
|---|
| 123 | context._setObject(id, AuthTokenGenerator(id, consumerKey=consumerKey, consumerSecret=consumerSecret)) |
|---|
| 124 | return "AuthTokenGenerator Installed: %s" % id |
|---|
