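def lookup_full_user(username):
    """Look up the full user identity for username consisting of e.g. just
    an email address.

    The username is turned into an OpenID login URL under the first
    configured provider and resolved to a distinguished name through the
    back end (get_openid_user_dn). If that DN is present in the MiG user DB
    a tuple with the directory-friendly client id and the full user
    dictionary is returned. On no match a tuple with the unchanged username
    and an empty dictionary is returned.

    Args:
        username: login identifier; may be empty or None, in which case the
            no-match tuple is returned without touching the user DB.

    Returns:
        (client_id_dir_or_username, user_dict)
    """
    # An empty/None username can never match and would otherwise blow up in
    # os.path.join, so short-circuit to the documented no-match result.
    if not username:
        return (username, {})
    db_path = os.path.join(configuration.mig_code_base, 'server',
                           'MiG-users.db')
    id_map = load_user_db(db_path)
    # NOTE(review): only the first configured OpenID provider is consulted;
    # usernames issued by any additional provider will not match here.
    login_url = os.path.join(configuration.user_openid_providers[0], username)
    distinguished_name = get_openid_user_dn(configuration, login_url)
    if distinguished_name in id_map:
        url_friendly = client_id_dir(distinguished_name)
        return (url_friendly, id_map[distinguished_name])
    return (username, {})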
def extract_client_openid(configuration, environ, lookup_dn=True):
    """Extract unique user credentials from the REMOTE_USER value found in
    the provided WSGI environment.

    NOTE: the environment must be passed in explicitly, because os.environ
    reflects the state at load time, which is wrong for wsgi scripts.

    Args:
        configuration: site configuration handed on to the DN lookup.
        environ: request environment dictionary holding client_login_field.
        lookup_dn: when True the OpenID login is translated to the matching
            local account DN (with user_check disabled in the backend).

    Returns:
        The empty string when no login is present, otherwise the stripped
        login or, with lookup_dn, its local DN.
    """
    # client_login_field may hold utf8 chars (e.g. '\xc3') which arrive
    # backslash-escaped in environ, hence the unescape before stripping
    raw_login = environ.get(client_login_field, '')
    login = unescape(raw_login).strip()
    if not login:
        return ""
    if not lookup_dn:
        return login
    # Let backend do user_check
    return get_openid_user_dn(configuration, login, user_check=False)
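def extract_client_openid(configuration, environ, lookup_dn=True):
    """Extract unique user credentials from REMOTE_USER value in provided
    environment.

    NOTE: We must provide the environment as os.environ may be from the
    time of load, which is not the right one for wsgi scripts.

    The login is matched against the configured MiG and external OpenID
    provider prefixes to pick the auth DB it belongs to. If lookup_dn is set
    the resulting OpenID is translated to the corresponding local account if
    any, and further to the project user DN when GDP is enabled.

    Args:
        configuration: site configuration (logger, provider URLs, gdp flag).
        environ: request environment holding client_login_field and, for the
            gdp translation, REQUEST_URI.
        lookup_dn: translate the OpenID login to a local DN.

    Returns:
        (oid_db, login) where oid_db is the auth DB name ("" when the
        provider could not be detected) and login is "" when no login was
        present.
    """
    _logger = configuration.logger
    oid_db = ""
    # We accept utf8 chars (e.g. '\xc3') in client_login_field but they get
    # auto backslash-escaped in environ so we need to unescape first
    login = unescape(environ.get(client_login_field, '')).strip()
    _logger.debug('client_login_field: %s login: %s' % (client_login_field,
                                                        login))
    if not login:
        return (oid_db, "")
    mig_provider = configuration.user_mig_oid_provider
    ext_provider = configuration.user_ext_oid_provider
    # Log the configured values themselves; len() on an unset provider
    # would raise and the length is of no diagnostic use anyway
    _logger.debug('configuration.user_mig_oid_provider: %s' % mig_provider)
    if mig_provider and login.startswith(mig_provider):
        oid_db = auth_openid_mig_db
    elif ext_provider and login.startswith(ext_provider):
        oid_db = auth_openid_ext_db
    else:
        # Log only what is needed to diagnose the mismatch: the full WSGI
        # environ carries cookies and other request data that must not be
        # written to the log verbatim
        _logger.warning("could not detect openid provider db for %s "
                        "(mig provider: %s, ext provider: %s)"
                        % (login, mig_provider, ext_provider))
    _logger.debug('oid_db: %s' % oid_db)
    if lookup_dn:
        # Let backend do user_check
        login = get_openid_user_dn(configuration, login, user_check=False)
        # NOTE(review): the gdp project translation works on the resolved
        # DN, so it is kept under lookup_dn - confirm against the caller
        if configuration.site_enable_gdp:
            login = get_project_user_dn(configuration, environ["REQUEST_URI"],
                                        login, 'https')
    return (oid_db, login)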
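def checkLogin(self, username, password):
    """Check username and password in MiG user DB.

    The username is resolved to a distinguished name through the first
    configured OpenID provider and looked up in the user DB. On a matching
    password self.user_dn and self.user_dn_dir are set.

    Args:
        username: login name; may be None, which is treated as empty.
        password: clear-text candidate; None/empty always fails.

    Returns:
        True when the password matches the stored record, False otherwise.
    """
    # function-scope import keeps the module import block untouched
    import hmac
    db_path = os.path.join(configuration.mig_code_base, 'server',
                           'MiG-users.db')
    id_map = load_user_db(db_path)
    # username may be None here
    login_url = os.path.join(configuration.user_openid_providers[0],
                             username or '')
    distinguished_name = get_openid_user_dn(configuration, login_url)
    if distinguished_name in id_map:
        user = id_map[distinguished_name]
        # Name only the account: the record itself holds the stored
        # credential and must not be echoed
        print("looked up user %s in DB" % username)
        stored_pw = user.get('password', None)
        if password and stored_pw is not None:
            # NOTE: the DB stores the base64 encoding of the password, not a
            # hash; the format is kept for compatibility with existing
            # records, but the comparison is done in constant time so a
            # mismatch does not leak where the strings diverge
            encoded_pw = base64.b64encode(password)
            if not isinstance(stored_pw, type(encoded_pw)):
                # compare_digest rejects mixed unicode/str operands
                try:
                    stored_pw = stored_pw.encode('ascii')
                except (AttributeError, UnicodeError):
                    stored_pw = None
            # compare_digest is missing on python < 2.7.7; fall back to ==
            compare = getattr(hmac, 'compare_digest', None)
            if stored_pw is not None:
                if compare is None:
                    matched = (encoded_pw == stored_pw)
                else:
                    matched = compare(encoded_pw, stored_pw)
                if matched:
                    print("Correct password for user %s" % username)
                    self.user_dn = distinguished_name
                    self.user_dn_dir = client_id_dir(distinguished_name)
                    return True
        print("Failed password check for user %s" % username)
    print("Invalid login for user %s" % username)
    return False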