def set_project(cls, project_code):
'''This is kept here because everybody is used to using this'''
security = Environment.get_security()
# FIXME:
# Because it is possible to call this before one is
# logged in. This is required to see the login screen.
from pyasm.security import get_security_version
security_version = get_security_version()
if security_version != 1 and not project_code == 'admin':
key = {'code': project_code}
key2 = {'code': "*"}
keys = [key, key2]
if not security.check_access(
"project", keys, access="allow", default="deny"):
user = Environment.get_login()
if user:
user = user.get_value("login")
raise SecurityException(
"User [%s] is not permitted to view project [%s]" %
(user, project_code))
else:
raise SecurityException(
"Not permitted to view project [%s]" % (project_code))
from pyasm.security import Site
site = Site.get_site()
PROJECT_KEY = "Project:global:%s:" % site
Container.put(PROJECT_KEY, project_code)
def verify(self, login_name, password):
encrypted = hashlib.md5(password).hexdigest()
# get the login sobject from the database
self.login = Login.get_by_login(login_name, use_upn=True)
if not self.login:
raise SecurityException("Login/Password combination incorrect")
# encrypt and check the password
if encrypted != self.login.get_value("password"):
raise SecurityException("Login/Password combination incorrect")
return True
def verify(my, login_name, password):
#encrypted = md5.new(password).hexdigest()
encrypted = hashlib.md5(password).hexdigest()
# get the login sobject from the database
my.login = Login.get_by_login(login_name)
if not my.login:
raise SecurityException("Login/Password combination incorrect")
# encrypt and check the password
print encrypted
print my.login.get_value("password")
if encrypted != my.login.get_value("password"):
raise SecurityException("Login/Password combination incorrect")
return True
def authenticate(my, login, password):
# encrypt and check the password
#encrypted = md5.new(password).hexdigest()
encrypted = hashlib.md5(password).hexdigest()
if encrypted != login.get_value("password"):
raise SecurityException("Login/Password combination incorrect")
return True
def load_user_data(self, login_name, domain=None):
'''get user data from active directory'''
# get all of the tactic groups
self.tactic_groups = Search.eval("@SOBJECT(sthpw/login_group)")
# get the mappings
attrs_map = self.get_user_mapping()
group_attrs_map = self.get_group_mapping()
if self.ad_exists:
self.data = self.get_info_from_ad(login_name,
attrs_map,
domain=domain)
else:
#group_path = "%s/AD_group_export.ldif" % BASE_DIR
#self.group_data = self.get_info_from_file(login_name, group_attrs_map, group_path)
path = "%s/AD_user_export.ldif" % BASE_DIR
self.data = self.get_info_from_file(attrs_map, path)
if not self.data.get('sAMAccountName'):
raise SecurityException(
"Could not get info from Active Directory for login [%s]. You may have selected the wrong domain."
% login_name)
return self.data
def init(self):
self.search_type = "config/custom_script"
security = Environment.get_security()
if not security.check_access("builtin", "view_script_editor", "allow"):
raise SecurityException(
'You are not allowed to access this widget.')
def _do_login(self):
security = Environment.get_security()
require_password = Config.get_value("security", "api_require_password")
api_password = Config.get_value("security", "api_password")
site = Site.get()
allow_guest = site.allow_guest()
# the xmlrpc login can be overridden to not require a password
if require_password == "false" or (allow_guest and self.login_name == "guest"):
security.login_user_without_password(self.login_name, expiry="NULL")
elif api_password:
if api_password == self.password:
security.login_user_without_password(self.login_name, expiry="NULL")
else:
# if api password is incorrect, still try and authenticate with
# user's password
security.login_user(self.login_name, self.password, expiry="NULL")
elif self.login_name == "guest":
security.login_user_without_password(self.login_name)
else:
security.login_user(self.login_name, self.password, expiry="NULL")
if not security.is_logged_in():
raise SecurityException("Cannot login as user: %s." % self.login_name)
def _test_access_level(my):
security = Environment.get_security()
from pyasm.security import get_security_version
security_version = get_security_version()
projects = Search.eval('@SOBJECT(sthpw/project)')
if security_version >= 2:
for project in projects:
key = { "code": project.get_code() }
key2 = { "code": "*" }
keys = [key, key2]
default = "deny"
# other than sample3d, unittest as allowed above, a default low access level user
# should not see other projects
access = security.check_access("project", keys, "allow", default=default)
process_keys = [{'process': 'anim'}]
proc_access = security.check_access("process", process_keys, "allow")
my.assertEquals(proc_access, True)
if project.get_code() in ['sample3d','unittest']:
my.assertEquals(access, True)
else:
my.assertEquals(access, False)
else:
raise SecurityException('Please test with security version 2. Set it in your config file')
def _do_login(my):
security = Environment.get_security()
require_password = Config.get_value("security", "api_require_password")
api_password = Config.get_value("security", "api_password")
# the xmlrpc login can be overridden to not require a password
if require_password == "false":
security.login_user_without_password(my.login_name, expiry="NULL")
elif api_password:
if api_password == my.password:
security.login_user_without_password(my.login_name,
expiry="NULL")
else:
# if api password is incorrect, still try and authenticate with
# user's password
security.login_user(my.login_name, my.password, expiry="NULL")
else:
security.login_user(my.login_name, my.password, expiry="NULL")
if not security.is_logged_in():
raise SecurityException("Cannot login as user: %s." %
my.login_name)
def _do_login(my):
security = Environment.get_security()
ticket = security.login_with_ticket(my.ticket)
if not ticket:
raise SecurityException(
"Cannot login with key: %s. Session may have expired." %
my.ticket)
def get_info_from_ad(my, login_name, attrs_map, domain=None):
data = {}
if login_name == 'admin':
return data
"""
if login_name.find("\\") != -1:
domain, login_name = login_name.split("\\")
else:
domain = None
"""
python = Config.get_value('services', 'python')
if not python:
python = 'python'
try:
# get the info from a separate process
from subprocess import Popen, PIPE
if domain:
cmd = [
python,
"%s/ad_get_user_info.py" % BASE_DIR, '-d', domain, "-u",
login_name
]
else:
cmd = [
python,
"%s/ad_get_user_info.py" % BASE_DIR,
"-u",
login_name,
]
output = Popen(cmd, stdout=PIPE).communicate()[0]
import StringIO
output = StringIO.StringIO(output)
data = my.get_info_from_file(attrs_map, output)
# get the license type from active directory
license_type = data.get('tacticLicenseType')
if not license_type:
# TEST!!!! for MMS
# FIXME: this logic is questionable.
# if the user has no defined groups in Active Directory, then
# it should use the default license type.
if not my.groups:
license_type = my.get_default_license_type()
data['license_type'] = license_type
else:
data['license_type'] = "user"
except ADException:
raise SecurityException(
"Could not get info from Active Directory for login [%s]" %
login_name)
return data
def verify(self, login_name, password):
'''Method to authenticate the user with a given login name and a
given password
@params:
login_name: string value of the login. Note that the login will
contain a windows domain. ie: login_name = 'domain\foo'
passwod: string value of the password
'''
# This function must be override and must return True to authenticate
raise SecurityException("Custom Authenticate class must override verify method")
def _do_login(self):
allow_guest = Config.get_value("security", "allow_guest")
if allow_guest == 'true':
allow_guest = True
else:
allow_guest = False
security = Environment.get_security()
login = security.login_with_ticket(self.ticket, allow_guest=allow_guest)
if not login:
raise SecurityException("Cannot login with key: %s. Session may have expired." % self.ticket)
def verify(my, login_name, password):
path = Config.get_value("checkin", "ldap_path")
server = Config.get_value("checkin", "ldap_server")
assert path, server
path = path.replace("{login}", login_name)
import ldap
try:
l = ldap.open(server)
l.simple_bind_s(path, password)
return True
except:
raise SecurityException("Login/Password combination incorrect")
class ADAuthenticate(Authenticate):
'''Test authenticate mechanism which caches user info'''
def __init__(my):
my.ad_exists = True
if os.name != 'nt':
my.ad_exists = False
my.groups = set()
my.data = {}
my.tactic_groups = []
def get_mode(my):
return 'cache'
def verify(my, login_name, password):
if login_name.find("\\") != -1:
domain, base_login_name = login_name.split("\\")
else:
base_login_name = login_name
domain = None
# confirm that there is a domain present if required
require_domain = Config.get_value("active_directory", "require_domain")
domain_component = Config.get_value("active_directory","domain_component")
script_path = Config.get_value("active_directory","allow_script")
if script_path:
flag = False
try:
from tactic.command import PythonCmd
from pyasm.command import Command
kwargs = {'login' : login_name}
cmd = PythonCmd(script_path=script_path, **kwargs)
#flag = Command.execute_cmd(cmd)
flag = cmd.execute()
except Exception, e:
print e
raise
if flag != True:
return False
if require_domain == "true" and not domain:
raise SecurityException("Domain Selection Required")
# skip authentication if ad does not exist
if not my.ad_exists:
print "WARNING: Active directory does not exist ... skipping verify"
return True
ad_connect = ADConnect()
ad_connect.set_user(base_login_name)
ad_connect.set_password(password)
info = ad_connect.lookup()
try:
lookup_domain = info[1]
except:
lookup_domain = ''
# lookup domain takes prescedence
if lookup_domain:
domain = lookup_domain
#ad_connect.set_domain(lookup_domain)
elif domain:
pass
#ad_connect.set_domain(domain)
domain = "%s%s"%(domain,domain_component)
ad_connect.set_domain(domain)
#ad_connect.set_user(base_login_name)
#ad_connect.set_password(password)
is_logged_in = ad_connect.logon()
# preload data for further use later with original full login_name
if is_logged_in:
my.load_user_data(base_login_name, domain)
return is_logged_in
def get_info_from_file(my, attrs_map, path):
'''for testing purposes'''
data = {}
if type(path) in types.StringTypes:
f = open(path, 'r')
else:
f = path
lines = []
error_flag = False
error = ''
for line in f:
if line.startswith("ERROR") or line.startswith("WARNING"):
error_flag = True
error = line
print line
continue
if error_flag:
print line
continue
if line.strip() == '':
continue
if line.startswith(" "):
line = line.strip()
lines[-1].append(line)
else:
line = line.strip()
lines.append([line])
if error_flag:
raise SecurityException(error)
for line in lines:
line = "".join(line)
#print "line: ", line
name, value = line.split(": ", 1)
if name == 'memberOf':
my.handle_group(value)
continue
attr_name = attrs_map.get(name)
#print name
if not attr_name:
continue
data[attr_name] = value
# get the license type from active directory
license_type = data.get('license_type')
if not license_type:
# TEST!!!! for MMS
# FIXME: this logic is questionable.
# if the user has no defined groups in Active Directory, then
# it should use the default license type.
if not my.groups:
license_type = my.get_default_license_type()
data['license_type'] = license_type
else:
data['license_type'] = "user"
return data
def authenticate(my, login, password):
# This function must be override and must return True to authenticate
raise SecurityException("Must override authenticate method")
class ADAuthenticate(Authenticate):
'''Test authenticate mechanism which caches user info'''
def __init__(self):
self.ad_exists = True
if os.name != 'nt':
self.ad_exists = False
self.groups = set()
self.data = {}
self.tactic_groups = []
def get_mode(self):
return 'cache'
def verify(self, login_name, password):
if login_name.find("\\") != -1:
domain, base_login_name = login_name.split("\\")
else:
base_login_name = login_name
domain = None
# confirm that there is a domain present if required
require_domain = Config.get_value("active_directory", "require_domain")
domain_component = Config.get_value("active_directory",
"domain_component")
script_path = Config.get_value("active_directory", "allow_script")
if script_path:
flag = False
try:
from tactic.command import PythonCmd
from pyasm.command import Command
kwargs = {'login': login_name}
cmd = PythonCmd(script_path=script_path, **kwargs)
#flag = Command.execute_cmd(cmd)
flag = cmd.execute()
except Exception, e:
print e
raise
if flag != True:
return False
if require_domain == "true" and not domain:
raise SecurityException("Domain Selection Required")
# skip authentication if ad does not exist
if not self.ad_exists:
print "WARNING: Active directory does not exist ... skipping verify"
return True
ad_connect = ADConnect()
ad_connect.set_user(base_login_name)
ad_connect.set_password(password)
info = ad_connect.lookup()
try:
lookup_domain = info[1]
except:
lookup_domain = ''
# lookup domain takes prescedence
if lookup_domain:
domain = lookup_domain
#ad_connect.set_domain(lookup_domain)
elif domain:
pass
#ad_connect.set_domain(domain)
domain = "%s%s" % (domain, domain_component)
ad_connect.set_domain(domain)
#ad_connect.set_user(base_login_name)
#ad_connect.set_password(password)
is_logged_in = ad_connect.logon()
# preload data for further use later with original full login_name
if is_logged_in:
self.load_user_data(base_login_name, domain)
else:
# If AD authentication fails, attempt login via Tactic database+
# (Only allow login for external users)
login = Login.get_by_login(base_login_name)
if login and login.get_value('location',
no_exception=True) == 'external':
auth_class = "pyasm.security.TacticAuthenticate"
authenticate = Common.create_from_class_path(auth_class)
is_authenticated = authenticate.verify(base_login_name,
password)
if is_authenticated == True:
return True
return is_logged_in
