Ejemplo n.º 1
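def authenticateViaCallback(authenticator: Authenticator,
                            params: typing.Any) -> typing.Optional[User]:
    """
    Log a user in through the callback of a redirection-based (SSO) authenticator.

    This gets invoked whenever the callback url of an authenticator is requested.
    With authenticators that are based on url redirections (SSO auths), it is the
    mechanism that lets the authenticator log the user in.

    This will:
       * Check that the authenticator supports a callback, and raise an error if
         it doesn't.
       * Invoke the authenticator callback, which is expected to return a valid
         username. If it returns None or '', an error is raised.
       * Register the user inside UDS if necessary. **getRealUsername** is invoked
         in the process, so keep the username where you can recover it.
       * Update the user group membership using Authenticator getGroups, so, in
         your callbacks, remember to store (using the provided environment storage,
         for example) the groups of this user so your getGroups works correctly.

    @param authenticator: Authenticator (database object) whose callback is used
    @param params: data handed unchanged to the authenticator callback
    @return: whatever __registerUser returns for the resolved username
    @raise InvalidAuthenticatorException: the authenticator does not override authCallback
    @raise InvalidUserException: no username was returned, or no valid group was found
    """
    gm = auths.GroupsManager(authenticator)
    authInstance = authenticator.getInstance()

    callback = authInstance.authCallback
    baseCallback = auths.Authenticator.authCallback

    # If there is no callback for this authenticator...
    # In Python 3 a bound method never compares equal to the plain function stored
    # on the class, so the original "==" test alone cannot detect a non-overridden
    # instance method. The underlying function is compared as well.
    if callback == baseCallback or getattr(callback, '__func__', None) is baseCallback:
        raise auths.exceptions.InvalidAuthenticatorException()

    # NOTE(review): params presumably originates from the callback request; its
    # validation is entirely up to the authenticator's authCallback -- confirm.
    username = callback(params, gm)

    # An empty username or an empty set of valid groups both mean "no access".
    if username is None or username == '' or gm.hasValidGroups() is False:
        raise auths.exceptions.InvalidUserException(
            'User doesn\'t has access to UDS')

    return __registerUser(authenticator, authInstance, username)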
Ejemplo n.º 2
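def authenticate(username: str, password: str, authenticator: Authenticator, useInternalAuthenticate: bool = False) -> typing.Optional[User]:
    """
    Given an username, password and authenticator, try to authenticate user
    @param username: username to authenticate
    @param password: password to authenticate this user
    @param authenticator: Authenticator (database object) used to authenticate with provided credentials
    @param useInternalAuthenticate: If True, tries to authenticate user using "internalAuthenticate". If false, it uses "authenticate".
                                    This is so because in some situations we may want to use a "trusted" method (internalAuthenticate is never invoked directly from web)
    @return: None if authentication fails or the user belongs to no valid group; otherwise the result of getRootUser() (super user
             shortcut) or of __registerUser() (regular path)
    """
    logger.debug('Authenticating user %s with authenticator %s', username, authenticator)

    # If global root auth is enabled && user/password is correct, return the root
    # user without consulting the authenticator. Skipped for the internal path.
    # NOTE(review): the super user password is compared with a plain "==", which
    # is not constant-time; consider hmac.compare_digest over encoded bytes once
    # the stored value's type is confirmed.
    if not useInternalAuthenticate and GlobalConfig.SUPER_USER_ALLOW_WEBACCESS.getBool(True) and username == GlobalConfig.SUPER_USER_LOGIN.get(True) and password == GlobalConfig.SUPER_USER_PASS.get(True):
        return getRootUser()

    gm = auths.GroupsManager(authenticator)
    authInstance = authenticator.getInstance()
    if useInternalAuthenticate is False:
        res = authInstance.authenticate(username, password, gm)
    else:
        res = authInstance.internalAuthenticate(username, password, gm)

    # Only an explicit False is treated as a failed authentication.
    if res is False:
        return None

    logger.debug('Groups manager: %s', gm)

    # If do not have any valid group
    if gm.hasValidGroups() is False:
        # The username is now passed to the logger; the original message carried
        # an unfilled "{}" placeholder, so the rejected account was never recorded.
        logger.info('User %s has been authenticated, but he does not belongs to any UDS know group', username)
        return None

    return __registerUser(authenticator, authInstance, username)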
Ejemplo n.º 3
def authenticate(username, password, authenticator, useInternalAuthenticate=False):
    '''
    Try to authenticate a user against the given authenticator.

    @param username: username to authenticate
    @param password: password to authenticate this user
    @param authenticator: Authenticator (database object) used to check the provided credentials
    @param useInternalAuthenticate: If True, "internalAuthenticate" is used; if False, "authenticate" is used.
                                    The internal variant exists for "trusted" callers (internalAuthenticate is never invoked directly from web)
    @return: None if authentication fails or no valid group is found; otherwise the result of getRootUser()
             (super user shortcut) or of __registerUser() (regular path)
    '''
    logger.debug('Authenticating user {0} with authenticator {1}'.format(username, authenticator))

    # Super user shortcut: when web access for it is enabled and both credentials
    # match the configured ones, the authenticator is not consulted at all.
    # NOTE(review): this shortcut is evaluated regardless of useInternalAuthenticate,
    # and the password is compared with a plain "==" (not constant-time).
    if GlobalConfig.SUPER_USER_ALLOW_WEBACCESS.getBool(True):
        if username == GlobalConfig.SUPER_USER_LOGIN.get(True):
            if password == GlobalConfig.SUPER_USER_PASS.get(True):
                return getRootUser()

    groupsManager = auths.GroupsManager(authenticator)
    instance = authenticator.getInstance()

    # Pick the web-facing or the internal ("trusted") check.
    checker = instance.authenticate if useInternalAuthenticate is False else instance.internalAuthenticate
    outcome = checker(username, password, groupsManager)

    # Only an explicit False counts as a failed authentication.
    if outcome is False:
        return None

    logger.debug('Groups manager: {0}'.format(groupsManager))

    # Authenticated users without any valid group are rejected as well.
    if groupsManager.hasValidGroups() is False:
        return None

    return __registerUser(authenticator, instance, username)
Ejemplo n.º 4
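    def getJavascript(self, request: 'HttpRequest') -> typing.Optional[str]:
        """
        Build the JavaScript that auto-submits the login form for the caller's IP.

        The IP is obtained from self.getIp(); its groups are loaded with
        self.getGroups(). When the IP has valid groups and the database
        authenticator accepts it as a valid user, the returned script fills
        "id_user" with the IP, "id_password" with an empty string, and submits
        "loginform". Otherwise a script showing an alert and reloading the page
        is returned.

        @param request: current request (not read by this method)
        @return: JavaScript source to be run by the login page
        """
        import json  # local import: the file's import block is not visible here

        # We will authenticate ip here, from request.ip
        ip = self.getIp()
        gm = auths.GroupsManager(self.dbAuthenticator())
        self.getGroups(ip, gm)

        if gm.hasValidGroups() and self.dbAuthenticator().isValidUser(
                ip, True):
            # The IP is emitted as a JavaScript string literal instead of being
            # pasted between quotes. For a plain address the output is unchanged.
            # A value containing quotes, backslashes or markup can no longer
            # terminate the literal or an enclosing <script> element.
            # NOTE(review): getIp() is not visible here; if it can reflect a
            # client-supplied header, this escaping is what keeps the value inert.
            ipLiteral = (json.dumps(str(ip))
                         .replace('<', '\\u003c')
                         .replace('>', '\\u003e')
                         .replace('&', '\\u0026'))
            # NOTE(review): the password submitted is an empty string, not a
            # generated one -- confirm that is intended.
            return '''function setVal(element, value) {{
                        document.getElementById(element).value = value;
                    }}
                    setVal("id_user", {ip});
                    setVal("id_password", "{passwd}");
                    document.getElementById("loginform").submit();'''.format(
                ip=ipLiteral, passwd='')

        return 'alert("invalid authhenticator"); window.location.reload();'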