def __init__(self, context):
self.context = context
childContext = Context(context)
childContext.addService(Logger("SecurityDBApi"))
self.securityApi = SecurityDBApi(childContext)
self.securityTokenFactory = SecurityTokenFactory(
childContext, CherryPySecurityTokenImpl)
self.siteDBApi = self.securityApi.api
context.addService(self.securityApi)
context.addService(self.siteDBApi)
context.addService(self.securityTokenFactory)
RedirectorToLogin.context = staticmethod(lambda: self.context)
RedirectToLocalPage.context = staticmethod(lambda: self.context)
RedirectAway.context = staticmethod(lambda: self.context)
from Framework.Context import Context
from Tools.SecurityModuleCore.SecurityDBApi import SecurityDBApi
import codecs
if __name__ == "__main__":
parser = OptionParser ()
parser.add_option ("-f", "--file",
help="input HN shadow passwd",
default="passwd",
dest="source")
parser.add_option ("-d", "--db",
help="target SiteDB database",
default="sitedb_test.db",
dest="db")
options, args = parser.parse_args ()
context = Context ()
context.addService (Logger ("importHNShadow"))
api = SecurityDBApi (context)
context.Logger().message ("HN file is " + options.source )
shadowFile = codecs.open (options.source, "r", "ascii", "replace")
for line in shadowFile:
contact = line.split(":")
if " " in contact[4]:
forename, surname = contact[4].split (" ", 1)
else:
forename, surname = (contact[4], contact[4])
api.importHNAccount (username=contact[0].encode ("ascii", "replace"),
passwd=contact[1],
forename=forename.encode ("ascii", "replace"),
email=contact[7].strip(),
surname=surname.encode ("ascii", "replace"))
def __init__ (self, context):
self.context = context
Controller.__init__ (self, context, __file__)
self.security_api = SecurityDBApi (context)
self.context.addService (self.security_api)
self.context.addService (Logger ("SECURITY_MODULE_CONTROLLER"))
class SecurityModule (Controller):
def __init__ (self, context):
self.context = context
Controller.__init__ (self, context, __file__)
self.security_api = SecurityDBApi (context)
self.context.addService (self.security_api)
self.context.addService (Logger ("SECURITY_MODULE_CONTROLLER"))
def readyToRun (self):
pass
@templatepage
def login (self, requestedPage="../Studio/login", **args):#FIXME: Get the real requested page
# VK: requested page is truncated at first &, all parameters passed via args, put them back
for key in args.keys():
requestedPage+="&%s=%s"%(key,args[key])
# raise cherrypy.HTTPRedirect ("/base/SecurityModule/loginReal?requestedPage=%s" % requestedPage)
# raise cherrypy.HTTPRedirect (self.context.CmdLineArgs ().opts.baseUrl + "/SecurityModule/loginReal?requestedPage=%s" % requestedPage)
return {'requestedPage': requestedPage}
@expose
def loginReal (self, requestedPage, **args):#FIXME: Get the real requested page
# VK: requested page is truncated at first &, all parameters passed via args, put them back
for key in args.keys():
requestedPage+="&%s=%s"%(key,args[key])
return self.templatePage ("login", {'requestedPage': requestedPage})
@templatepage
@require_args ("user", "password", "requestedPage", onFail=RedirectorToLogin)
def authenticate (self, user, password, requestedPage="../Studio/login"): #FIXME: Get the real requested page
#TODO: adapt to the new schema.
self.context.Logger().message("Trying to authenticate %s" % user)
passwdEntry = self.security_api.getPasswordFromUsername (user)
if not passwdEntry.has_key (0):
return {'redirect': requestedPage}
encryptedPassword = passwdEntry[0]['passwd']
#if request.headers['Ssl-Client-S-Dn'] != '(null)':
#context.Logger().message("Authenticated by certificate")
#context.Logger().message(request.headers['Ssl-Client-S-Dn'])
#user = self.security_api.getUsernameFromDN(request.headers['Ssl-Client-S-Dn'])[0]['username']
if encryptedPassword == crypt.crypt (password, encryptedPassword):
self.context.Logger().message("Valid password for user %s" % user)
cherrypy.response.cookie['dn'] = encryptCookie (user, self.security_api)
cherrypy.response.cookie['dn']['path'] = '/'
cherrypy.response.cookie['dn']['max-age'] = 3600*24
cherrypy.response.cookie['dn']['version'] = 1
datetimeCookie = strftime("%Y-%m-%dT%H:%M:%S", datetime.now ().timetuple ())
cherrypy.response.cookie['authentication_time'] = encryptCookie (datetimeCookie, self.security_api)
cherrypy.response.cookie['authentication_time']["path"] = '/'
cherrypy.response.cookie['authentication_time']['max-age'] = 3600*24
cherrypy.response.cookie['dn']['version'] = 1
cherrypy.response.cookie['originator_hash'] = encryptCookie ("some_hash", self.security_api)
cherrypy.response.cookie['originator_hash']['path'] = '/'
cherrypy.response.cookie['originator_hash']['max-age'] = 3600*24
cherrypy.response.cookie['originator_hash']['version'] = 1
return {'redirect': requestedPage}
return {'redirect': requestedPage}
@templatepage
def logout (self, redirect="../SecurityModule/login", *args, **kw):
# VK: requested page is truncated at first &, all parameters passed via args, put them back
for key in kw.keys():
redirect+="&%s=%s"%(key,kw[key])
cherrypy.response.cookie['dn'] = encryptCookie ("guest", self.security_api)
cherrypy.response.cookie['dn']['path'] = '/'
cherrypy.response.cookie['dn']['max-age'] = 3600*24
cherrypy.response.cookie['dn']['version'] = 1
datetimeCookie = strftime("%Y-%m-%dT%H:%M:%S", datetime.now ().timetuple ())
cherrypy.response.cookie['authentication_time'] = encryptCookie (datetimeCookie, self.security_api)
cherrypy.response.cookie['authentication_time']["path"] = '/'
cherrypy.response.cookie['authentication_time']['max-age'] = 3600*24
cherrypy.response.cookie['dn']['version'] = 1
cherrypy.response.cookie['originator_hash'] = encryptCookie ("some_hash", self.security_api)
cherrypy.response.cookie['originator_hash']['path'] = '/'
cherrypy.response.cookie['originator_hash']['max-age'] = 3600*24
cherrypy.response.cookie['originator_hash']['version'] = 1
return {'redirect': redirect}
@exposeSerialized (serializer = PythonDictSerializer ('user'))
def userInfo (self, *args, **kw):
#TODO: add a query to get the DN from the id.
token = SecurityToken ()
return {"dn": token.dn}
@expose
@is_authorized (Role ("Global Admin"), Group ("global"), onFail=RedirectorToLogin ("../SecurityModule/login"))
def becomeUser (self, username, requestedPage, **args):
cherrypy.response.cookie['dn'] = encryptCookie (username, self.security_api)
cherrypy.response.cookie['dn']['path'] = '/'
cherrypy.response.cookie['dn']['max-age'] = 3600*24
cherrypy.response.cookie['dn']['version'] = 1
datetimeCookie = strftime("%Y-%m-%dT%H:%M:%S", datetime.now ().timetuple ())
cherrypy.response.cookie['authentication_time'] = encryptCookie (datetimeCookie, self.security_api)
cherrypy.response.cookie['authentication_time']["path"] = '/'
cherrypy.response.cookie['authentication_time']['max-age'] = 3600*24
cherrypy.response.cookie['dn']['version'] = 1
cherrypy.response.cookie['originator_hash'] = encryptCookie ("some_hash", self.security_api)
cherrypy.response.cookie['originator_hash']['path'] = '/'
cherrypy.response.cookie['originator_hash']['max-age'] = 3600*24
cherrypy.response.cookie['originator_hash']['version'] = 1
return self.templatePage ("authenticate", {'redirect': requestedPage})
@expose
@is_authenticated (onFail=NotAuthenticated)
def checkIfAuthenticated (self):
return "This page can be seen only if you are authenticated."
@expose
@is_authorized (Role ("Global Admin"), Group ("global"), onFail=NotAuthenticated)
def checkIfAuthorized (self):
return "This page can be seen only if you are authorized."
@expose
def getMasthead(self):
pass
import codecs
if __name__ == "__main__":
parser = OptionParser()
parser.add_option("-f",
"--file",
help="input HN shadow passwd",
default="passwd",
dest="source")
parser.add_option("-d",
"--db",
help="target SiteDB database",
default="sitedb_test.db",
dest="db")
options, args = parser.parse_args()
context = Context()
context.addService(Logger("importHNShadow"))
api = SecurityDBApi(context)
context.Logger().message("HN file is " + options.source)
shadowFile = codecs.open(options.source, "r", "ascii", "replace")
for line in shadowFile:
contact = line.split(":")
if " " in contact[4]:
forename, surname = contact[4].split(" ", 1)
else:
forename, surname = (contact[4], contact[4])
api.importHNAccount(username=contact[0].encode("ascii", "replace"),
passwd=contact[1],
forename=forename.encode("ascii", "replace"),
email=contact[7].strip(),
surname=surname.encode("ascii", "replace"))
from Framework import Context
from Framework.Logger import Logger
from Crypto.Cipher import Blowfish
from base64 import b64encode, b64decode
import crypt
import time, calendar, datetime
from Tools.SecurityModuleCore.SecurityDBApi import SecurityDBApi
print "**** Security Module tests ****"
context = Context()
context.addService(Logger("securitymoduletest"))
api = SecurityDBApi(context)
context.Logger().message("Test roles:")
context.Logger().message(
" swakef as prod operator: %s" %
api.hasGroupResponsibility("swakef", "production", "Production Operator"))
context.Logger().message(
" metson as RAL DM: %s" %
api.hasSiteResponsibility("metson", "RAL", "Data Manager"))
context.Logger().message(
" metson as site 1 Site Admin: %s" %
api.hasSiteResponsibility("metson", "1", "Site Admin"))
context.Logger().message("hasGroup:")
context.Logger().message(" swakef as member of production group: %s" %
api.hasGroup("swakef", "production"))
context.Logger().message(" metson as member of production group: %s" %
from Framework import Context
from Framework.Logger import Logger
from Crypto.Cipher import Blowfish
from base64 import b64encode, b64decode
import crypt
import time, calendar, datetime
from Tools.SecurityModuleCore.SecurityDBApi import SecurityDBApi
print "**** Security Module tests ****"
context = Context ()
context.addService (Logger ("securitymoduletest"))
api = SecurityDBApi (context)
context.Logger().message("Test roles:")
context.Logger().message(" swakef as prod operator: %s" % api.hasGroupResponsibility ("swakef", "production", "Production Operator"))
context.Logger().message(" metson as RAL DM: %s" % api.hasSiteResponsibility ("metson", "RAL", "Data Manager"))
context.Logger().message(" metson as site 1 Site Admin: %s" % api.hasSiteResponsibility ("metson", "1", "Site Admin"))
context.Logger().message("hasGroup:")
context.Logger().message(" swakef as member of production group: %s" % api.hasGroup ("swakef", "production"))
context.Logger().message(" metson as member of production group: %s" % api.hasGroup ("metson", "production"))
context.Logger().message(" metson as member of global group: %s" % api.hasGroup ("metson", "global"))
context.Logger().message("hasSite:")
context.Logger().message(" swakef as associated to RAL: %s" % api.hasSite ("swakef", "RAL"))
context.Logger().message(" metson as associated to RAL: %s" % api.hasSite("metson", "RAL"))
context.Logger().message(" metson as associated to site 1: %s" % api.hasSite("metson", "1"))
context.Logger().message("hasResponsibility:")
