def authenticate(self, email, username, password, options): pam_username = None auto_register_username = None auto_register_email = None force_fail = False log.debug("use username: {} use email {} email {} username {}".format( options.get('login-use-username'), options.get('login-use-email', False), email, username)) # check email based login first because if email exists in Galaxy DB # we will be given the "public name" as username if _get_bool(options, 'login-use-email', False) and email is not None: if '@' in email: (email_user, email_domain) = email.split('@') pam_username = email_user if email_domain == options.get('maildomain', None): auto_register_email = email if username is not None: auto_register_username = username else: auto_register_username = email_user else: log.debug( 'PAM authenticate: warning: email does not match configured PAM maildomain' ) # no need to fail: if auto-register is not enabled, this # might still be a valid user else: log.debug( 'PAM authenticate: email must be used to login, but no valid email found' ) force_fail = True elif _get_bool(options, 'login-use-username', False): # if we get here via authenticate_user then # user will be "public name" and # email address will be as per registered user if username is not None: pam_username = username if email is not None: auto_register_email = email elif options.get('maildomain', None) is not None: # we can register a user with this username and mail domain # if auto registration is enabled auto_register_email = '{}@{}'.format( username, options['maildomain']) auto_register_username = username else: log.debug( 'PAM authenticate: username login selected but no username provided' ) force_fail = True else: log.debug('PAM authenticate: could not find username for PAM') force_fail = True if force_fail: return None, '', '' pam_service = options.get('pam-service', 'galaxy') use_helper = _get_bool(options, 'use-external-helper', False) log.debug("PAM auth: will use external helper: {}".format(use_helper)) authenticated = False if use_helper: authentication_helper = options.get('authentication-helper-script', '/bin/false').strip() log.debug("PAM auth: external helper script: {}".format( authentication_helper)) if not authentication_helper.startswith('/'): # don't accept relative path authenticated = False else: auth_cmd = shlex.split( '/usr/bin/sudo -n {}'.format(authentication_helper)) log.debug("PAM auth: external helper cmd: {}".format(auth_cmd)) proc = Popen(auth_cmd, stdin=PIPE, stdout=PIPE, stderr=PIPE) message = '{}\n{}\n{}\n'.format(pam_service, pam_username, password) (output, error) = proc.communicate(message) status = proc.wait() if status != 0 and error != '': log.debug( "PAM auth: external authentication script had errors: status {} error {}" .format(status, error)) if output.strip() == 'True': authenticated = True else: authenticated = False else: try: import pam except ImportError: log.debug( 'PAM authenticate: could not load pam module, PAM authentication disabled' ) return None, '', '' p_auth = pam.pam() authenticated = p_auth.authenticate(pam_username, password, service=pam_service) if authenticated: log.debug( 'PAM authentication successful for {}'.format(pam_username)) return True, auto_register_email, auto_register_username else: log.debug('PAM authentication failed for {}'.format(pam_username)) return False, '', ''
def authenticate(self, email, username, password, options): """ See abstract method documentation. """ log.debug("LDAP authenticate: email is %s" % email) log.debug("LDAP authenticate: username is %s" % username) log.debug("LDAP authenticate: options are %s" % options) failure_mode = False # reject but continue if options.get('continue-on-failure', 'False') == 'False': failure_mode = None # reject and do not continue if _get_bool(options, 'login-use-username', False): if username is None: log.debug('LDAP authenticate: username must be used to login, cannot be None') return (failure_mode, '', '') else: if email is None: log.debug('LDAP authenticate: email must be used to login, cannot be None') return (failure_mode, '', '') try: import ldap except: log.debug('LDAP authenticate: could not load ldap module') return (failure_mode, '', '') # do LDAP search (if required) params = {'email': email, 'username': username, 'password': password} try: ldap_options_raw = _get_subs(options, 'ldap-options', params) except ConfigurationError: ldap_options = () else: ldap_options = _parse_ldap_options(ldap, ldap_options_raw) if 'search-fields' in options: try: # setup connection ldap.set_option(ldap.OPT_REFERRALS, 0) for opt in ldap_options: ldap.set_option(*opt) l = ldap.initialize(_get_subs(options, 'server', params)) l.protocol_version = 3 if 'search-user' in options: l.simple_bind_s(_get_subs(options, 'search-user', params), _get_subs(options, 'search-password', params)) else: l.simple_bind_s() # setup search attributes = [_.strip().format(**params) for _ in options['search-fields'].split(',')] suser = l.search_ext_s(_get_subs(options, 'search-base', params), ldap.SCOPE_SUBTREE, _get_subs(options, 'search-filter', params), attributes, timeout=60, sizelimit=1) # parse results if suser is None or len(suser) == 0: log.warning('LDAP authenticate: search returned no results') return (failure_mode, '', '') dn, attrs = suser[0] log.debug(("LDAP authenticate: dn is %s" % dn)) log.debug(("LDAP authenticate: search attributes are %s" % attrs)) if hasattr(attrs, 'has_key'): for attr in attributes: if attr in attrs: params[attr] = str(attrs[attr][0]) else: params[attr] = "" params['dn'] = dn except Exception: log.exception('LDAP authenticate: search exception') return (failure_mode, '', '') # end search # bind as user to check their credentials try: # setup connection ldap.set_option(ldap.OPT_REFERRALS, 0) for opt in ldap_options: ldap.set_option(*opt) l = ldap.initialize(_get_subs(options, 'server', params)) l.protocol_version = 3 l.simple_bind_s(_get_subs( options, 'bind-user', params), _get_subs(options, 'bind-password', params)) whoami = l.whoami_s() log.debug("LDAP authenticate: whoami is %s", whoami) if whoami is None: raise RuntimeError('LDAP authenticate: anonymous bind') except Exception: log.warning('LDAP authenticate: bind exception', exc_info=True) return (failure_mode, '', '') log.debug('LDAP authentication successful') return (True, _get_subs(options, 'auto-register-email', params), _get_subs(options, 'auto-register-username', params))
def authenticate(self, email, username, password, options): """ See abstract method documentation. """ log.debug("LDAP authenticate: email is %s" % email) log.debug("LDAP authenticate: username is %s" % username) log.debug("LDAP authenticate: options are %s" % options) failure_mode = False # reject but continue if options.get('continue-on-failure', 'False') == 'False': failure_mode = None # reject and do not continue if _get_bool(options, 'login-use-username', False): if username is None: log.debug('LDAP authenticate: username must be used to login, cannot be None') return (failure_mode, '', '') else: if email is None: log.debug('LDAP authenticate: email must be used to login, cannot be None') return (failure_mode, '', '') try: import ldap except: log.debug('LDAP authenticate: could not load ldap module') return (failure_mode, '', '') # do LDAP search (if required) params = {'email': email, 'username': username, 'password': password} if 'search-fields' in options: try: # setup connection ldap.set_option(ldap.OPT_REFERRALS, 0) l = ldap.initialize(_get_subs(options, 'server', params)) l.protocol_version = 3 if 'search-user' in options: l.simple_bind_s(_get_subs(options, 'search-user', params), _get_subs(options, 'search-password', params)) else: l.simple_bind_s() scope = ldap.SCOPE_SUBTREE # setup search attributes = [_.strip().format(**params) for _ in options['search-fields'].split(',')] result = l.search(_get_subs(options, 'search-base', params), scope, _get_subs(options, 'search-filter', params), attributes) # parse results _, suser = l.result(result, 60) dn, attrs = suser[0] log.debug(("LDAP authenticate: dn is %s" % dn)) log.debug(("LDAP authenticate: search attributes are %s" % attrs)) if hasattr(attrs, 'has_key'): for attr in attributes: if attr in attrs: params[attr] = str(attrs[attr][0]) else: params[attr] = "" params['dn'] = dn except Exception: log.exception('LDAP authenticate: search exception') return (failure_mode, '', '') # end search # bind as user to check their credentials try: # setup connection ldap.set_option(ldap.OPT_REFERRALS, 0) l = ldap.initialize(_get_subs(options, 'server', params)) l.protocol_version = 3 l.simple_bind_s(_get_subs( options, 'bind-user', params), _get_subs(options, 'bind-password', params)) except Exception: log.exception('LDAP authenticate: bind exception') return (failure_mode, '', '') log.debug('LDAP authentication successful') return (True, _get_subs(options, 'auto-register-email', params), _get_subs(options, 'auto-register-username', params))
def authenticate(self, email, username, password, options): pam_username = None auto_register_username = None auto_register_email = None force_fail = False log.debug( "use username: {} use email {} email {} username {}".format( options.get("login-use-username"), options.get("login-use-email", False), email, username ) ) # check email based login first because if email exists in Galaxy DB # we will be given the "public name" as username if _get_bool(options, "login-use-email", False) and email is not None: if "@" in email: (email_user, email_domain) = email.split("@") pam_username = email_user if email_domain == options.get("maildomain", None): auto_register_email = email if username is not None: auto_register_username = username else: auto_register_username = email_user else: log.debug("PAM authenticate: warning: email does not match configured PAM maildomain") # no need to fail: if auto-register is not enabled, this # might still be a valid user else: log.debug("PAM authenticate: email must be used to login, but no valid email found") force_fail = True elif _get_bool(options, "login-use-username", False): # if we get here via authenticate_user then # user will be "public name" and # email address will be as per registered user if username is not None: pam_username = username if email is not None: auto_register_email = email elif options.get("maildomain", None) is not None: # we can register a user with this username and mail domain # if auto registration is enabled auto_register_email = "{}@{}".format(username, options["maildomain"]) auto_register_username = username else: log.debug("PAM authenticate: username login selected but no username provided") force_fail = True else: log.debug("PAM authenticate: could not find username for PAM") force_fail = True if force_fail: return None, "", "" pam_service = options.get("pam-service", "galaxy") use_helper = _get_bool(options, "use-external-helper", False) log.debug("PAM auth: will use external helper: {}".format(use_helper)) authenticated = False if use_helper: authentication_helper = options.get("authentication-helper-script", "/bin/false").strip() log.debug("PAM auth: external helper script: {}".format(authentication_helper)) if not authentication_helper.startswith("/"): # don't accept relative path authenticated = False else: auth_cmd = shlex.split("/usr/bin/sudo -n {}".format(authentication_helper)) log.debug("PAM auth: external helper cmd: {}".format(auth_cmd)) proc = Popen(auth_cmd, stdin=PIPE, stdout=PIPE, stderr=PIPE) message = "{}\n{}\n{}\n".format(pam_service, pam_username, password) (output, error) = proc.communicate(message) status = proc.wait() if status != 0 and error != "": log.debug( "PAM auth: external authentication script had errors: status {} error {}".format(status, error) ) if output.strip() == "True": authenticated = True else: authenticated = False else: try: import pam except ImportError: log.debug("PAM authenticate: could not load pam module, PAM authentication disabled") return None, "", "" p_auth = pam.pam() authenticated = p_auth.authenticate(pam_username, password, service=pam_service) if authenticated: log.debug("PAM authentication successful for {}".format(pam_username)) return True, auto_register_email, auto_register_username else: log.debug("PAM authentication failed for {}".format(pam_username)) return False, "", ""
def authenticate(self, email, username, password, options): """ See abstract method documentation. """ log.debug("LDAP authenticate: email is %s" % email) log.debug("LDAP authenticate: username is %s" % username) log.debug("LDAP authenticate: options are %s" % options) failure_mode = False # reject but continue if options.get('continue-on-failure', 'False') == 'False': failure_mode = None # reject and do not continue if _get_bool(options, 'login-use-username', False): if username is None: log.debug( 'LDAP authenticate: username must be used to login, cannot be None' ) return (failure_mode, '', '') else: if email is None: log.debug( 'LDAP authenticate: email must be used to login, cannot be None' ) return (failure_mode, '', '') try: import ldap except: log.debug('LDAP authenticate: could not load ldap module') return (failure_mode, '', '') # do LDAP search (if required) params = {'email': email, 'username': username, 'password': password} if 'search-fields' in options: try: # setup connection ldap.set_option(ldap.OPT_REFERRALS, 0) l = ldap.initialize(_get_subs(options, 'server', params)) l.protocol_version = 3 if 'search-user' in options: l.simple_bind_s( _get_subs(options, 'search-user', params), _get_subs(options, 'search-password', params)) else: l.simple_bind_s() scope = ldap.SCOPE_SUBTREE # setup search attributes = [ _.strip().format(**params) for _ in options['search-fields'].split(',') ] result = l.search(_get_subs(options, 'search-base', params), scope, _get_subs(options, 'search-filter', params), attributes) # parse results _, suser = l.result(result, 60) dn, attrs = suser[0] log.debug(("LDAP authenticate: dn is %s" % dn)) log.debug( ("LDAP authenticate: search attributes are %s" % attrs)) if hasattr(attrs, 'has_key'): for attr in attributes: if attr in attrs: params[attr] = str(attrs[attr][0]) else: params[attr] = "" params['dn'] = dn except Exception: log.exception('LDAP authenticate: search exception') return (failure_mode, '', '') # end search # bind as user to check their credentials try: # setup connection ldap.set_option(ldap.OPT_REFERRALS, 0) l = ldap.initialize(_get_subs(options, 'server', params)) l.protocol_version = 3 l.simple_bind_s(_get_subs(options, 'bind-user', params), _get_subs(options, 'bind-password', params)) except Exception: log.exception('LDAP authenticate: bind exception') return (failure_mode, '', '') log.debug('LDAP authentication successful') return (True, _get_subs(options, 'auto-register-email', params), _get_subs(options, 'auto-register-username', params))
def authenticate(self, email, username, password, options): """ See abstract method documentation. """ log.debug("LDAP authenticate: email is %s" % email) log.debug("LDAP authenticate: username is %s" % username) log.debug("LDAP authenticate: options are %s" % options) failure_mode = False # reject but continue if options.get("continue-on-failure", "False") == "False": failure_mode = None # reject and do not continue if _get_bool(options, "login-use-username", False): if username is None: log.debug("LDAP authenticate: username must be used to login, cannot be None") return (failure_mode, "", "") else: if email is None: log.debug("LDAP authenticate: email must be used to login, cannot be None") return (failure_mode, "", "") try: import ldap except: log.debug("LDAP authenticate: could not load ldap module") return (failure_mode, "", "") # do LDAP search (if required) params = {"email": email, "username": username, "password": password} try: ldap_options_raw = _get_subs(options, "ldap-options", params) except ConfigurationError: ldap_options = () else: ldap_options = _parse_ldap_options(ldap, ldap_options_raw) if "search-fields" in options: try: # setup connection ldap.set_option(ldap.OPT_REFERRALS, 0) for opt in ldap_options: ldap.set_option(*opt) l = ldap.initialize(_get_subs(options, "server", params)) l.protocol_version = 3 if "search-user" in options: l.simple_bind_s( _get_subs(options, "search-user", params), _get_subs(options, "search-password", params) ) else: l.simple_bind_s() # setup search attributes = [_.strip().format(**params) for _ in options["search-fields"].split(",")] suser = l.search_ext_s( _get_subs(options, "search-base", params), ldap.SCOPE_SUBTREE, _get_subs(options, "search-filter", params), attributes, timeout=60, sizelimit=1, ) # parse results if suser is None or len(suser) == 0: log.warn("LDAP authenticate: search returned no results") return (failure_mode, "", "") dn, attrs = suser[0] log.debug(("LDAP authenticate: dn is %s" % dn)) log.debug(("LDAP authenticate: search attributes are %s" % attrs)) if hasattr(attrs, "has_key"): for attr in attributes: if attr in attrs: params[attr] = str(attrs[attr][0]) else: params[attr] = "" params["dn"] = dn except Exception: log.exception("LDAP authenticate: search exception") return (failure_mode, "", "") # end search # bind as user to check their credentials try: # setup connection ldap.set_option(ldap.OPT_REFERRALS, 0) for opt in ldap_options: ldap.set_option(*opt) l = ldap.initialize(_get_subs(options, "server", params)) l.protocol_version = 3 l.simple_bind_s(_get_subs(options, "bind-user", params), _get_subs(options, "bind-password", params)) whoami = l.whoami_s() log.debug("LDAP authenticate: whoami is %s", whoami) p = re.compile(ur"[^\\]*$") username_from_whoami = re.search(p, whoami).group() params["usernameFromWhoami"] = username_from_whoami if whoami is None: raise RuntimeError("LDAP authenticate: anonymous bind") except Exception: log.warn("LDAP authenticate: bind exception", exc_info=True) return (failure_mode, "", "") log.debug("LDAP authentication successful") log.debug("We got the username from the whoami address: %s", username_from_whoami) return ( True, _get_subs(options, "auto-register-email", params), _get_subs(options, "auto-register-username", params), )