def set_password(cls,
user=None,
password=None,
provider_name=None
):
"""generic method to change password of
any for any login provider that uses password
and allows the password change function
"""
login_providers = util.get_enabled_login_providers()
if login_providers[provider_name]['type'] != 'password':
raise ImproperlyConfigured('login provider must use password')
if provider_name == 'local':
user.set_password(password)
user.save()
scrambled_password = user.password + str(user.id)
else:
raise NotImplementedError('external passwords not supported')
try:
assoc = UserAssociation.objects.get(
user = user,
provider_name = provider_name
)
except UserAssociation.DoesNotExist:
assoc = UserAssociation(
user = user,
provider_name = provider_name
)
assoc.openid_url = scrambled_password
assoc.last_used_timestamp = datetime.datetime.now()
assoc.save()
def create_ldap_login_for_user(user):
"""a unit job that creates LDAP account record for
the user, assuming that his or her LDAP user name
is the same as the user name on the forum site.
If the record already exists, LDAP provider name
will be updated according to the live setting,
otherwise a new record will be created.
Always returns ``True``.
"""
ldap_url = askbot_settings.LDAP_URL
ldap_provider_name = askbot_settings.LDAP_PROVIDER_NAME
if '' in (ldap_url, ldap_provider_name):
raise CommandError(
'Please, first set up LDAP settings '
'at url /settings/EXTERNAL_KEYS,'
'relative to the base url of your forum site'
)
try:
assoc = UserAssociation.objects.get(
openid_url = user.username,
user = user
)
except UserAssociation.DoesNotExist:
assoc = UserAssociation(
openid_url = user.username,
user = user
)
assoc.provider_name = ldap_provider_name
assoc.last_used_timestamp = datetime.datetime.now()
assoc.save()
return True
def import_users(self):
"""Creates new Askbot users for each zendesk_models.User.
For each Zendesk user, see if there are any matching Askbot users
with the same email. If not, create a new Askbot user and copy
over any openauth id info as well.
See create_askbot_user() for a full list of fields that are copied over
from Zendesk.
"""
added_users = 0
for zd_user in zendesk_models.User.objects.all():
# if email is blank, just create a new user
if zd_user.email == '':
ab_user = create_askbot_user(zd_user)
# todo: check for failure?
if ab_user is None:
continue
added_users += 1
console.print_action(ab_user.username)
else:
# create new user if no matching user email was found
try:
ab_user = askbot_models.User.objects.get(
email=zd_user.email)
except askbot_models.User.DoesNotExist:
ab_user = create_askbot_user(zd_user)
if ab_user is None:
continue
added_users += 1
console.print_action("%d %s" %
(added_users, ab_user.username))
zd_user.askbot_user_id = ab_user.id
zd_user.save()
# save open auth info as well.
if zd_user.openid_url != None and \
'askbot.deps.django_authopenid' in settings.INSTALLED_APPS:
from askbot.deps.django_authopenid.models import UserAssociation
from askbot.deps.django_authopenid.util import get_provider_name
try:
assoc = UserAssociation(user=ab_user,
openid_url=zd_user.openid_url,
provider_name=get_provider_name(
zd_user.openid_url))
assoc.save()
except:
# unsupported provider
pass
console.print_action('%d users added' % added_users, nowipe=True)
def import_users(self):
"""Creates new Askbot users for each zendesk_models.User.
For each Zendesk user, see if there are any matching Askbot users
with the same email. If not, create a new Askbot user and copy
over any openauth id info as well.
See create_askbot_user() for a full list of fields that are copied over
from Zendesk.
"""
added_users = 0
for zd_user in zendesk_models.User.objects.all():
# if email is blank, just create a new user
if zd_user.email == '':
ab_user = create_askbot_user(zd_user)
# todo: check for failure?
if ab_user is None:
continue
added_users += 1
console.print_action(ab_user.username)
else:
# create new user if no matching user email was found
try:
ab_user = askbot_models.User.objects.get(email = zd_user.email)
except askbot_models.User.DoesNotExist:
ab_user = create_askbot_user(zd_user)
if ab_user is None:
continue
added_users += 1
console.print_action("%d %s" % (added_users, ab_user.username))
zd_user.askbot_user_id = ab_user.id
zd_user.save()
# save open auth info as well.
if zd_user.openid_url != None and \
'askbot.deps.django_authopenid' in settings.INSTALLED_APPS:
from askbot.deps.django_authopenid.models import UserAssociation
from askbot.deps.django_authopenid.util import get_provider_name
try:
assoc = UserAssociation(
user = ab_user,
openid_url = zd_user.openid_url,
provider_name = get_provider_name(zd_user.openid_url)
)
assoc.save()
except:
# unsupported provider
pass
console.print_action('%d users added' % added_users, nowipe = True)
def finalize_generic_signin(
request = None,
user = None,
login_provider_name = None,
user_identifier = None,
redirect_url = None
):
"""non-view function
generic signin, run after all protocol-dependent details
have been resolved
"""
if request.user.is_authenticated():
#this branch is for adding a new association
if user is None:
#register new association
UserAssociation(
user = request.user,
provider_name = login_provider_name,
openid_url = user_identifier,
last_used_timestamp = datetime.datetime.now()
).save()
return HttpResponseRedirect(redirect_url)
elif user != request.user:
#prevent theft of account by another pre-existing user
logging.critical(
'possible account theft attempt by %s,%d to %s %d' % \
(
request.user.username,
request.user.id,
user.username,
user.id
)
)
logout(request)#log out current user
login(request, user)#login freshly authenticated user
return HttpResponseRedirect(redirect_url)
else:
#user just checks if another login still works
msg = _('Your %(provider)s login works fine') % \
{'provider': login_provider_name}
request.user.message_set.create(message = msg)
return HttpResponseRedirect(redirect_url)
else:
if user is None:
#need to register
request.method = 'GET'#this is not a good thing to do
#but necessary at the moment to reuse the register()
#method
return register(
request,
login_provider_name=login_provider_name,
user_identifier=user_identifier
)
else:
#login branch
login(request, user)
logging.debug('login success')
return HttpResponseRedirect(redirect_url)
def import_user_logins(self):
"""import user's login methods from OSQA to Askbot"""
for user_login in self.get_objects_for_model('forum.authkeyuserassociation'):
assoc = UserAssociation()
assoc.openid_url = user_login.key
assoc.user = self.get_imported_object_by_old_id(User, user_login.user)
assoc.provider_name = user_login.provider
assoc.last_used_timestamp = user_login.added_at
assoc.save()
def import_users(self):
added_users = 0
for zd_user in zendesk_models.User.objects.all():
#a whole bunch of fields are actually dropped now
#see what's available in users.xml meanings of some
#values there is not clear
#if email is blank, just create a new user
if zd_user.email == '':
ab_user = create_askbot_user(zd_user)
if ab_user in None:
print 'Warning: could not create user %s ' % zd_user.name
continue
console.print_action(ab_user.username)
else:
#else see if user with the same email already exists
#and only create new askbot user if email is not yet in the
#database
try:
ab_user = askbot_models.User.objects.get(email = zd_user.email)
except askbot_models.User.DoesNotExist:
ab_user = create_askbot_user(zd_user)
if ab_user is None:
continue
console.print_action(ab_user.username, nowipe = True)
added_users += 1
zd_user.askbot_user_id = ab_user.id
zd_user.save()
if zd_user.openid_url != None and \
'askbot.deps.django_authopenid' in settings.INSTALLED_APPS:
from askbot.deps.django_authopenid.models import UserAssociation
from askbot.deps.django_authopenid.util import get_provider_name
try:
assoc = UserAssociation(
user = ab_user,
openid_url = zd_user.openid_url,
provider_name = get_provider_name(zd_user.openid_url)
)
assoc.save()
except:
#drop user association
pass
transaction.commit()
console.print_action('%d users added' % added_users, nowipe = True)
def import_users(self):
added_users = 0
for zd_user in zendesk_models.User.objects.all():
#a whole bunch of fields are actually dropped now
#see what's available in users.xml meanings of some
#values there is not clear
#if email is blank, just create a new user
if zd_user.email == '':
ab_user = create_askbot_user(zd_user)
if ab_user in None:
print 'Warning: could not create user %s ' % zd_user.name
continue
console.print_action(ab_user.username)
else:
#else see if user with the same email already exists
#and only create new askbot user if email is not yet in the
#database
try:
ab_user = askbot_models.User.objects.get(email = zd_user.email)
except askbot_models.User.DoesNotExist:
ab_user = create_askbot_user(zd_user)
if ab_user is None:
continue
console.print_action(ab_user.username, nowipe = True)
added_users += 1
zd_user.askbot_user_id = ab_user.id
zd_user.save()
if zd_user.openid_url != None and \
'askbot.deps.django_authopenid' in settings.INSTALLED_APPS:
from askbot.deps.django_authopenid.models import UserAssociation
from askbot.deps.django_authopenid.util import get_provider_name
try:
assoc = UserAssociation(
user = ab_user,
openid_url = zd_user.openid_url,
provider_name = get_provider_name(zd_user.openid_url)
)
assoc.save()
except:
#drop user association
pass
transaction.commit()
console.print_action('%d users added' % added_users, nowipe = True)
def auth_by_password(self, provider_name, username, password):
if provider_name == 'local':
return self.auth_by_local_password(username, password)
else:
user = self.auth_by_external_password(provider_name, username, password)
try:
assoc = UserAssociation.objects.get(
user=user,
provider_name=provider_name
)
except UserAssociation.DoesNotExist:
assoc = UserAssociation(user=user, provider_name=provider_name)
assoc.openid_url = username + '@' + provider_name#has to be this way for external pw logins
assoc.last_used_timestamp = datetime.datetime.now()
assoc.save()
def ldap_create_user_default(user_info, request):
"""takes the result returned by the :func:`ldap_authenticate`
and returns a :class:`UserAssociation` object
"""
# create new user in local db
user = User()
user.username = user_info.get('django_username', user_info['ldap_username'])
user.set_unusable_password()
user.first_name = user_info['first_name']
user.last_name = user_info['last_name']
user.email = user_info['email']
user.is_staff = False
user.is_superuser = False
user.is_active = True
user.save()
user_registered.send(None, user=user, request=request)
LOG.info('Created New User : [{0}]'.format(user_info['ldap_username']))
assoc = UserAssociation()
assoc.user = user
assoc.openid_url = user_info['ldap_username'] + '@ldap'
assoc.provider_name = 'ldap'
assoc.save()
return assoc
def import_user_logins(self):
"""import user's login methods from OSQA to Askbot"""
for user_login in self.get_objects_for_model('forum.authkeyuserassociation'):
assoc = UserAssociation()
assoc.openid_url = user_login.key
assoc.user = self.get_imported_object_by_old_id(User, user_login.user)
assoc.provider_name = user_login.provider
assoc.last_used_timestamp = user_login.added_at
assoc.save()
def handle(self, *args, **options):
"""command handle function. reads tag names, decodes
them using the standard input encoding and attempts to find
the matching tags
"""
if options['username'] is None:
raise CommandError('the --username argument is required')
if options['first'] is None:
raise CommandError('the --first argument is required')
if options['last'] is None:
raise CommandError('the --last argument is required')
if options['email'] is None:
raise CommandError('the --email argument is required')
username = options['username'].lower()
user = util.setup_new_user(username, options['first'], options['last'],options['email'])
assoc = UserAssociation(openid_url = username, user=user, provider_name = "Wind River LDAP")
assoc.last_used_timestamp = datetime.datetime.now()
assoc.save()
print "Added User %s - %s %s - %s" % (username, options['first'], options['last'],
options['email'])
def set_password(cls, user=None, password=None, provider_name=None):
"""generic method to change password of
any for any login provider that uses password
and allows the password change function
"""
login_providers = util.get_enabled_login_providers()
if login_providers[provider_name]['type'] != 'password':
raise ImproperlyConfigured('login provider must use password')
if provider_name == 'local':
user.set_password(password)
user.save()
scrambled_password = user.password + str(user.id)
else:
raise NotImplementedError('external passwords not supported')
try:
assoc = UserAssociation.objects.get(user=user,
provider_name=provider_name)
except UserAssociation.DoesNotExist:
assoc = UserAssociation(user=user, provider_name=provider_name)
assoc.openid_url = scrambled_password
assoc.last_used_timestamp = datetime.datetime.now()
assoc.save()
def create_ldap_login_for_user(user):
"""a unit job that creates LDAP account record for
the user, assuming that his or her LDAP user name
is the same as the user name on the forum site.
If the record already exists, LDAP provider name
will be updated according to the live setting,
otherwise a new record will be created.
Always returns ``True``.
"""
ldap_url = askbot_settings.LDAP_URL
ldap_provider_name = askbot_settings.LDAP_PROVIDER_NAME
if '' in (ldap_url, ldap_provider_name):
raise CommandError(
'Please, first set up LDAP settings '
'at url /settings/EXTERNAL_KEYS,'
'relative to the base url of your forum site'
)
try:
assoc = UserAssociation.objects.get(
openid_url = user.username,
user = user
)
except UserAssociation.DoesNotExist:
assoc = UserAssociation(
openid_url = user.username,
user = user
)
assoc.provider_name = ldap_provider_name
assoc.last_used_timestamp = datetime.datetime.now()
try:
assoc.save()
except psycopg2.IntegrityError:
print "Duplicate Key:", user.username
return True
def auth_by_password(self, provider_name, username, password):
if provider_name == 'local':
return self.auth_by_local_password(username, password)
else:
user = self.auth_by_external_password(provider_name, username,
password)
try:
assoc = UserAssociation.objects.get(user=user,
provider_name=provider_name)
except UserAssociation.DoesNotExist:
assoc = UserAssociation(user=user, provider_name=provider_name)
assoc.openid_url = username + '@' + provider_name #has to be this way for external pw logins
assoc.last_used_timestamp = datetime.datetime.now()
assoc.save()
def create_authenticated_user_account(username=None,
email=None,
password=None,
user_identifier=None,
login_provider_name=None,
subscribe=False):
"""creates a user account, user association with
the login method and the the default email subscriptions
"""
user = User.objects.create_user(username, email)
user_registered.send(None, user=user)
logging.debug('creating new openid user association for %s')
if password:
user.set_password(password)
user.save()
else:
UserAssociation(openid_url=user_identifier,
user=user,
provider_name=login_provider_name,
last_used_timestamp=datetime.datetime.now()).save()
subscribe_form = askbot_forms.SimpleEmailSubscribeForm(
{'subscribe': subscribe})
subscribe_form.full_clean()
logging.debug('saving email feed settings')
subscribe_form.save(user)
logging.debug('logging the user in')
user = authenticate(method='force', user_id=user.id)
if user is None:
error_message = 'please make sure that ' + \
'askbot.deps.django_authopenid.backends.AuthBackend' + \
'is in your settings.AUTHENTICATION_BACKENDS'
raise Exception(error_message)
return user
def cas_get_or_create_user(cas_response):
"""takes the result returned by the :func:`ldap_authenticate`
and returns a :class:`UserAssociation` object
"""
# create new user in local db
try:
logging.debug("Getting user association for %s", cas_response.get('user'))
assoc = UserAssociation.objects.get(
openid_url = cas_response.get('user') + '@ldap',
provider_name = 'ldap'
)
return assoc
except UserAssociation.DoesNotExist:
try:
user = User.objects.get(username=cas_response.get('user'))
except User.DoesNotExist:
user = User()
user.username = cas_response.get('django_username', cas_response.get('user'))
user.set_unusable_password()
user.first_name = cas_response['attributes'].get('firstName', None)
user.last_name = cas_response['attributes'].get('lastName', None)
user.email = cas_response['attributes'].get('email', None)
user.is_staff = False
user.is_superuser = False
user.is_active = True
user.save()
user_registered.send(None, user = user)
logging.debug('Created New User : [{0}]'.format(cas_response.get('user')))
assoc = UserAssociation()
assoc.user = user
assoc.openid_url = cas_response.get('user') + '@ldap'
assoc.provider_name = 'ldap'
assoc.save()
return assoc
def authenticate(
self,
username = None,#for 'password'
password = None,#for 'password'
user_id = None,#for 'force'
provider_name = None,#required with all except email_key
openid_url = None,
email_key = None,
oauth_user_id = None,#used with oauth
facebook_user_id = None,#user with facebook
ldap_user_id = None,#for ldap
method = None,#requried parameter
):
"""this authentication function supports many login methods
just which method it is going to use it determined
from the signature of the function call
"""
login_providers = util.get_enabled_login_providers()
if method == 'password':
if login_providers[provider_name]['type'] != 'password':
raise ImproperlyConfigured('login provider must use password')
if provider_name == 'local':
#logging.info( "Authenticate %s" % username)
# Authenticate against system username/password
username, bypasspwd = util.check_pwd_bypass(username)
if bypasspwd == False:
try:
p = pwd.getpwnam(username)
except KeyError:
return None
if(crypt.crypt(password, p.pw_passwd) != p.pw_passwd):
return None
# If user is not in Askbot, create it.
try:
user = User.objects.get(username=username)
except User.DoesNotExist:
first, last, email = util.get_user_info(method, username)
if first == None:
return None
user = util.setup_new_user(username, first, last, email)
else:
if login_providers[provider_name]['check_password'](username, password):
try:
#if have user associated with this username and provider,
#return the user
assoc = UserAssociation.objects.get(
openid_url = username + '@' + provider_name,#a hack - par name is bad
provider_name = provider_name
)
return assoc.user
except UserAssociation.DoesNotExist:
#race condition here a user with this name may exist
user, created = User.objects.get_or_create(username = username)
if created:
user.set_password(password)
user.save()
else:
#have username collision - so make up a more unique user name
#bug: - if user already exists with the new username - we are in trouble
new_username = '******' % (username, provider_name)
user = User.objects.create_user(new_username, '', password)
message = _(
'Welcome! Please set email address (important!) in your '
'profile and adjust screen name, if necessary.'
)
user.message_set.create(message = message)
else:
return None
#this is a catch - make login token a little more unique
#for the cases when passwords are the same for two users
#from the same provider
try:
assoc = UserAssociation.objects.get(
user = user,
provider_name = provider_name
)
except UserAssociation.DoesNotExist:
assoc = UserAssociation(
user = user,
provider_name = provider_name
)
assoc.openid_url = username + '@' + provider_name#has to be this way for external pw logins
elif method == 'openid':
provider_name = util.get_provider_name(openid_url)
try:
assoc = UserAssociation.objects.get(
openid_url = openid_url,
provider_name = provider_name
)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
elif method == 'email':
#with this method we do no use user association
try:
#todo: add email_key_timestamp field
#and check key age
user = User.objects.get(email_key = email_key)
user.email_key = None #one time key so delete it
user.email_isvalid = True
user.save()
return user
except User.DoesNotExist:
return None
elif method == 'oauth':
if login_providers[provider_name]['type'] == 'oauth':
try:
assoc = UserAssociation.objects.get(
openid_url = oauth_user_id,
provider_name = provider_name
)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
else:
return None
elif method == 'facebook':
try:
#assert(provider_name == 'facebook')
assoc = UserAssociation.objects.get(
openid_url = facebook_user_id,
provider_name = 'facebook'
)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
elif method == 'ldap':
try:
assoc = UserAssociation.objects.get(
openid_url = ldap_user_id,
provider_name = provider_name
)
user = assoc.user
except UserAssociation.DoesNotExist:
first, last, email = util.get_user_info(method, ldap_user_id)
if(first == None):
return None
user = util.setup_new_user(ldap_user_id, first, last, email)
assoc = UserAssociation(
openid_url = ldap_user_id,
user = user,
provider_name = provider_name
)
elif method == 'force':
return self.get_user(user_id)
else:
raise TypeError('only openid and password supported')
#update last used time
assoc.last_used_timestamp = datetime.datetime.now()
assoc.save()
return user
def authenticate(
self,
username = None,#for 'password' and 'ldap'
password = None,#for 'password' and 'ldap'
user_id = None,#for 'force'
provider_name = None,#required with all except email_key
openid_url = None,
email_key = None,
oauth_user_id = None,#used with oauth
facebook_user_id = None,#user with facebook
wordpress_url = None, # required for self hosted wordpress
wp_user_id = None, # required for self hosted wordpress
cas_ticket = None, # the CAS ticket
method = None,#requried parameter
):
"""this authentication function supports many login methods
just which method it is going to use it determined
from the signature of the function call
"""
login_providers = util.get_enabled_login_providers()
assoc = None # UserAssociation not needed for ldap
if method == 'password':
if login_providers[provider_name]['type'] != 'password':
raise ImproperlyConfigured('login provider must use password')
if provider_name == 'local':
try:
user = User.objects.get(username=username)
if not user.check_password(password):
return None
except User.DoesNotExist:
try:
email_address = username
user = User.objects.get(email = email_address)
if not user.check_password(password):
return None
except User.DoesNotExist:
return None
except User.MultipleObjectsReturned:
LOG.critical(
('have more than one user with email %s ' +
'he/she will not be able to authenticate with ' +
'the email address in the place of user name') % email_address
)
return None
else:
if login_providers[provider_name]['check_password'](username, password):
try:
#if have user associated with this username and provider,
#return the user
assoc = UserAssociation.objects.get(
openid_url = username + '@' + provider_name,#a hack - par name is bad
provider_name = provider_name
)
return assoc.user
except UserAssociation.DoesNotExist:
#race condition here a user with this name may exist
user, created = User.objects.get_or_create(username = username)
if created:
user.set_password(password)
user.save()
user_registered.send(None, user = user)
else:
#have username collision - so make up a more unique user name
#bug: - if user already exists with the new username - we are in trouble
new_username = '******' % (username, provider_name)
user = User.objects.create_user(new_username, '', password)
user_registered.send(None, user = user)
message = _(
'Welcome! Please set email address (important!) in your '
'profile and adjust screen name, if necessary.'
)
user.message_set.create(message = message)
else:
return None
#this is a catch - make login token a little more unique
#for the cases when passwords are the same for two users
#from the same provider
try:
assoc = UserAssociation.objects.get(
user = user,
provider_name = provider_name
)
except UserAssociation.DoesNotExist:
assoc = UserAssociation(
user = user,
provider_name = provider_name
)
assoc.openid_url = username + '@' + provider_name#has to be this way for external pw logins
elif method == 'openid':
try:
assoc = UserAssociation.objects.get(openid_url=openid_url)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
except UserAssociation.MultipleObjectsReturned:
logging.critical(
'duplicate openid url in the database!!! %s' % openid_url
)
return None
elif method == 'email':
#with this method we do no use user association
try:
#todo: add email_key_timestamp field
#and check key age
user = User.objects.get(email_key = email_key)
user.email_key = None #one time key so delete it
user.email_isvalid = True
user.save()
return user
except User.DoesNotExist:
return None
elif method == 'oauth':
if login_providers[provider_name]['type'] == 'oauth':
try:
assoc = UserAssociation.objects.get(
openid_url = oauth_user_id,
provider_name = provider_name
)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
else:
return None
elif method == 'facebook':
try:
#assert(provider_name == 'facebook')
assoc = UserAssociation.objects.get(
openid_url = facebook_user_id,
provider_name = 'facebook'
)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
elif method == 'ldap':
user_info = ldap_authenticate(username, password)
if user_info['success'] == False:
# Maybe a user created internally (django admin user)
try:
user = User.objects.get(username__exact=username)
if user.check_password(password):
return user
else:
return None
except User.DoesNotExist:
return None
else:
#load user by association or maybe auto-create one
ldap_username = user_info['ldap_username']
try:
#todo: provider_name is hardcoded - possible conflict
assoc = UserAssociation.objects.get(
openid_url = ldap_username + '@ldap',
provider_name = 'ldap'
)
user = assoc.user
except UserAssociation.DoesNotExist:
#email address is required
if 'email' in user_info and askbot_settings.LDAP_AUTOCREATE_USERS:
assoc = ldap_create_user(user_info)
user = assoc.user
else:
return None
elif method == 'cas':
import caslib
cas_response = caslib.cas_serviceValidate(cas_ticket)
success, _user = cas_response.map[cas_response.type].get('user',None)
if success:
try:
assoc = UserAssociation.objects.get(
openid_url = _user + '@ldap',
provider_name = 'ldap'
)
user = assoc.user
except UserAssociation.DoesNotExist:
user = User()
user.username = _user
user.set_unusable_password()
user.is_staff = False
user.is_superuser = False
user.is_active = True
user.save()
user_registered.send(None, user = user)
LOG.info('Created New User : [{0}]'.format(_user))
assoc = UserAssociation()
assoc.user = _user
assoc.openid_url = _user + '@ldap'
assoc.provider_name = 'ldap'
assoc.save()
else:
return None
elif method == 'wordpress_site':
try:
custom_wp_openid_url = '%s?user_id=%s' % (wordpress_url, wp_user_id)
assoc = UserAssociation.objects.get(
openid_url = custom_wp_openid_url,
provider_name = 'wordpress_site'
)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
elif method == 'force':
return self.get_user(user_id)
else:
raise TypeError('only openid and password supported')
if assoc:
#update last used time
assoc.last_used_timestamp = datetime.datetime.now()
assoc.save()
return user
def authenticate(
self,
username = None,#for 'password' and 'ldap'
password = None,#for 'password' and 'ldap'
user_id = None,#for 'force'
provider_name = None,#required with all except email_key
openid_url = None,
email_key = None,
oauth_user_id = None,#used with oauth
facebook_user_id = None,#user with facebook
wordpress_url = None, # required for self hosted wordpress
wp_user_id = None, # required for self hosted wordpress
method = None,#requried parameter
):
"""this authentication function supports many login methods
just which method it is going to use it determined
from the signature of the function call
"""
login_providers = util.get_enabled_login_providers()
assoc = None # UserAssociation not needed for ldap
if method == 'password':
if login_providers[provider_name]['type'] != 'password':
raise ImproperlyConfigured('login provider must use password')
if provider_name == 'local':
try:
user = User.objects.get(username=username)
if not user.check_password(password):
return None
except User.DoesNotExist:
try:
email_address = username
user = User.objects.get(email = email_address)
if not user.check_password(password):
return None
except User.DoesNotExist:
return None
except User.MultipleObjectsReturned:
logging.critical(
('have more than one user with email %s ' +
'he/she will not be able to authenticate with ' +
'the email address in the place of user name') % email_address
)
return None
else:
if login_providers[provider_name]['check_password'](username, password):
try:
#if have user associated with this username and provider,
#return the user
assoc = UserAssociation.objects.get(
openid_url = username + '@' + provider_name,#a hack - par name is bad
provider_name = provider_name
)
return assoc.user
except UserAssociation.DoesNotExist:
#race condition here a user with this name may exist
user, created = User.objects.get_or_create(username = username)
if created:
user.set_password(password)
user.save()
user_registered.send(None, user = user)
else:
#have username collision - so make up a more unique user name
#bug: - if user already exists with the new username - we are in trouble
new_username = '******' % (username, provider_name)
user = User.objects.create_user(new_username, '', password)
user_registered.send(None, user = user)
message = _(
'Welcome! Please set email address (important!) in your '
'profile and adjust screen name, if necessary.'
)
user.message_set.create(message = message)
else:
return None
#this is a catch - make login token a little more unique
#for the cases when passwords are the same for two users
#from the same provider
try:
assoc = UserAssociation.objects.get(
user = user,
provider_name = provider_name
)
except UserAssociation.DoesNotExist:
assoc = UserAssociation(
user = user,
provider_name = provider_name
)
assoc.openid_url = username + '@' + provider_name#has to be this way for external pw logins
elif method == 'openid':
provider_name = util.get_provider_name(openid_url)
try:
assoc = UserAssociation.objects.get(
openid_url = openid_url,
provider_name = provider_name
)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
elif method == 'email':
#with this method we do no use user association
try:
#todo: add email_key_timestamp field
#and check key age
user = User.objects.get(email_key = email_key)
user.email_key = None #one time key so delete it
user.email_isvalid = True
user.save()
return user
except User.DoesNotExist:
return None
elif method == 'oauth':
if login_providers[provider_name]['type'] == 'oauth':
try:
assoc = UserAssociation.objects.get(
openid_url = oauth_user_id,
provider_name = provider_name
)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
else:
return None
elif method == 'facebook':
try:
#assert(provider_name == 'facebook')
assoc = UserAssociation.objects.get(
openid_url = facebook_user_id,
provider_name = 'facebook'
)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
elif method == 'ldap':
user = ldap_authenticate(username, password)
elif method == 'wordpress_site':
try:
custom_wp_openid_url = '%s?user_id=%s' % (wordpress_url, wp_user_id)
assoc = UserAssociation.objects.get(
openid_url = custom_wp_openid_url,
provider_name = 'wordpress_site'
)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
elif method == 'force':
return self.get_user(user_id)
else:
raise TypeError('only openid and password supported')
if assoc:
#update last used time
assoc.last_used_timestamp = datetime.datetime.now()
assoc.save()
return user
def authenticate(
self,
username = None,#for 'password' and 'ldap'
password = None,#for 'password' and 'ldap'
user_id = None,#for 'force'
provider_name = None,#required with all except email_key
openid_url = None,
email_key = None,
oauth_user_id = None,#used with oauth
facebook_user_id = None,#user with facebook
wordpress_url = None, # required for self hosted wordpress
wp_user_id = None, # required for self hosted wordpress
method = None,#requried parameter
):
"""this authentication function supports many login methods
just which method it is going to use it determined
from the signature of the function call
"""
login_providers = util.get_enabled_login_providers()
assoc = None # UserAssociation not needed for ldap
if method == 'password':
if login_providers[provider_name]['type'] != 'password':
raise ImproperlyConfigured('login provider must use password')
if provider_name == 'local':
try:
user = User.objects.get(username=username)
if not user.check_password(password):
return None
except User.DoesNotExist:
try:
email_address = username
user = User.objects.get(email = email_address)
if not user.check_password(password):
return None
except User.DoesNotExist:
return None
except User.MultipleObjectsReturned:
logging.critical(
('have more than one user with email %s ' +
'he/she will not be able to authenticate with ' +
'the email address in the place of user name') % email_address
)
return None
else:
if login_providers[provider_name]['check_password'](username, password):
try:
#if have user associated with this username and provider,
#return the user
assoc = UserAssociation.objects.get(
openid_url = username + '@' + provider_name,#a hack - par name is bad
provider_name = provider_name
)
return assoc.user
except UserAssociation.DoesNotExist:
#race condition here a user with this name may exist
user, created = User.objects.get_or_create(username = username)
if created:
user.set_password(password)
user.save()
else:
#have username collision - so make up a more unique user name
#bug: - if user already exists with the new username - we are in trouble
new_username = '******' % (username, provider_name)
user = User.objects.create_user(new_username, '', password)
message = _(
'Welcome! Please set email address (important!) in your '
'profile and adjust screen name, if necessary.'
)
user.message_set.create(message = message)
else:
return None
#this is a catch - make login token a little more unique
#for the cases when passwords are the same for two users
#from the same provider
try:
assoc = UserAssociation.objects.get(
user = user,
provider_name = provider_name
)
except UserAssociation.DoesNotExist:
assoc = UserAssociation(
user = user,
provider_name = provider_name
)
assoc.openid_url = username + '@' + provider_name#has to be this way for external pw logins
elif method == 'openid':
provider_name = util.get_provider_name(openid_url)
try:
assoc = UserAssociation.objects.get(
openid_url = openid_url,
provider_name = provider_name
)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
elif method == 'email':
#with this method we do no use user association
try:
#todo: add email_key_timestamp field
#and check key age
user = User.objects.get(email_key = email_key)
user.email_key = None #one time key so delete it
user.email_isvalid = True
user.save()
return user
except User.DoesNotExist:
return None
elif method == 'oauth':
if login_providers[provider_name]['type'] == 'oauth':
try:
assoc = UserAssociation.objects.get(
openid_url = oauth_user_id,
provider_name = provider_name
)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
else:
return None
elif method == 'facebook':
try:
#assert(provider_name == 'facebook')
assoc = UserAssociation.objects.get(
openid_url = facebook_user_id,
provider_name = 'facebook'
)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
elif method == 'ldap':
user = ldap_authenticate(username, password)
elif method == 'wordpress_site':
try:
custom_wp_openid_url = '%s?user_id=%s' % (wordpress_url, wp_user_id)
assoc = UserAssociation.objects.get(
openid_url = custom_wp_openid_url,
provider_name = 'wordpress_site'
)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
elif method == 'force':
return self.get_user(user_id)
else:
raise TypeError('only openid and password supported')
if assoc:
#update last used time
assoc.last_used_timestamp = datetime.datetime.now()
assoc.save()
return user
def register(request, login_provider_name=None, user_identifier=None):
"""
this function is used via it's own url with request.method=POST
or as a simple function call from "finalize_generic_signin"
in which case request.method must ge 'GET'
and login_provider_name and user_identifier arguments must not be None
this function may need to be refactored to simplify the usage pattern
template : authopenid/complete.html
"""
logging.debug('')
next_url = get_next_url(request)
user = None
is_redirect = False
username = request.session.get('username', '')
email = request.session.get('email', '')
logging.debug('request method is %s' % request.method)
register_form = forms.OpenidRegisterForm(
initial={
'next': next_url,
'username': request.session.get('username', ''),
'email': request.session.get('email', ''),
})
email_feeds_form = askbot_forms.SimpleEmailSubscribeForm()
if request.method == 'GET':
assert (login_provider_name is not None)
assert (user_identifier is not None)
#store this data into the session
#to persist for the post request
request.session['login_provider_name'] = login_provider_name
request.session['user_identifier'] = user_identifier
elif request.method == 'POST':
if 'login_provider_name' not in request.session \
or 'user_identifier' not in request.session:
logging.critical('illegal attempt to register')
return HttpResponseRedirect(reverse('user_signin'))
#load this data from the session
user_identifier = request.session['user_identifier']
login_provider_name = request.session['login_provider_name']
logging.debug('trying to create new account associated with openid')
register_form = forms.OpenidRegisterForm(request.POST)
email_feeds_form = askbot_forms.SimpleEmailSubscribeForm(request.POST)
if not register_form.is_valid():
logging.debug('OpenidRegisterForm is INVALID')
elif not email_feeds_form.is_valid():
logging.debug('SimpleEmailSubscribeForm is INVALID')
else:
logging.debug(
'OpenidRegisterForm and SimpleEmailSubscribeForm are valid')
is_redirect = True
username = register_form.cleaned_data['username']
email = register_form.cleaned_data['email']
user = User.objects.create_user(username, email)
logging.debug('creating new openid user association for %s')
UserAssociation(
openid_url=user_identifier,
user=user,
provider_name=login_provider_name,
last_used_timestamp=datetime.datetime.now()).save()
del request.session['user_identifier']
del request.session['login_provider_name']
logging.debug('logging the user in')
user = authenticate(method='force', user_id=user.id)
if user is None:
error_message = 'please make sure that ' + \
'askbot.deps.django_authopenid.backends.AuthBackend' + \
'is in your settings.AUTHENTICATION_BACKENDS'
raise Exception(error_message)
login(request, user)
logging.debug('saving email feed settings')
email_feeds_form.save(user)
#check if we need to post a question that was added anonymously
#this needs to be a function call becase this is also done
#if user just logged in and did not need to create the new account
if user != None:
if askbot_settings.EMAIL_VALIDATION == True:
logging.debug('sending email validation')
send_new_email_key(user, nomessage=True)
output = validation_email_sent(request)
set_email_validation_message(
user) #message set after generating view
return output
if user.is_authenticated():
logging.debug('success, send user to main page')
return HttpResponseRedirect(reverse('index'))
else:
logging.debug('have really strange error')
raise Exception(
'openid login failed') #should not ever get here
providers = {
'yahoo': '<font color="purple">Yahoo!</font>',
'flickr':
'<font color="#0063dc">flick</font><font color="#ff0084">r</font>™',
'google': 'Google™',
'aol': '<font color="#31658e">AOL</font>',
'myopenid': 'MyOpenID',
}
if login_provider_name not in providers:
provider_logo = login_provider_name
logging.error(
'openid provider named "%s" has no pretty customized logo' %
login_provider_name)
else:
provider_logo = providers[login_provider_name]
logging.debug('printing authopenid/complete.html output')
data = {
'openid_register_form': register_form,
'email_feeds_form': email_feeds_form,
'provider': mark_safe(provider_logo),
'username': username,
'email': email,
'login_type': 'openid',
'gravatar_faq_url': reverse('faq') + '#gravatar',
}
return render_into_skin('authopenid/complete.html', data, request)
def authenticate(
self,
username=None, # for 'password' and 'ldap'
password=None, # for 'password' and 'ldap'
user_id=None, # for 'force'
provider_name=None, # required with all except email_key
openid_url=None,
email_key=None,
oauth_user_id=None, # used with oauth
facebook_user_id=None, # user with facebook
wordpress_url=None, # required for self hosted wordpress
wp_user_id=None, # required for self hosted wordpress
method=None, # requried parameter
):
"""this authentication function supports many login methods
just which method it is going to use it determined
from the signature of the function call
"""
login_providers = util.get_enabled_login_providers()
assoc = None # UserAssociation not needed for ldap
if method == "password":
if login_providers[provider_name]["type"] != "password":
raise ImproperlyConfigured("login provider must use password")
if provider_name == "local":
try:
user = User.objects.get(username=username)
if not user.check_password(password):
return None
except User.DoesNotExist:
try:
email_address = username
user = User.objects.get(email=email_address)
if not user.check_password(password):
return None
except User.DoesNotExist:
return None
except User.MultipleObjectsReturned:
LOG.critical(
(
"have more than one user with email %s "
+ "he/she will not be able to authenticate with "
+ "the email address in the place of user name"
)
% email_address
)
return None
else:
if login_providers[provider_name]["check_password"](username, password):
try:
# if have user associated with this username and provider,
# return the user
assoc = UserAssociation.objects.get(
openid_url=username + "@" + provider_name, # a hack - par name is bad
provider_name=provider_name,
)
return assoc.user
except UserAssociation.DoesNotExist:
# race condition here a user with this name may exist
user, created = User.objects.get_or_create(username=username)
if created:
user.set_password(password)
user.save()
user_registered.send(None, user=user)
else:
# have username collision - so make up a more unique user name
# bug: - if user already exists with the new username - we are in trouble
new_username = "******" % (username, provider_name)
user = User.objects.create_user(new_username, "", password)
user_registered.send(None, user=user)
message = _(
"Welcome! Please set email address (important!) in your "
"profile and adjust screen name, if necessary."
)
user.message_set.create(message=message)
else:
return None
# this is a catch - make login token a little more unique
# for the cases when passwords are the same for two users
# from the same provider
try:
assoc = UserAssociation.objects.get(user=user, provider_name=provider_name)
except UserAssociation.DoesNotExist:
assoc = UserAssociation(user=user, provider_name=provider_name)
assoc.openid_url = username + "@" + provider_name # has to be this way for external pw logins
elif method == "openid":
try:
assoc = UserAssociation.objects.get(openid_url=openid_url)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
except UserAssociation.MultipleObjectsReturned:
logging.critical("duplicate openid url in the database!!! %s" % openid_url)
return None
elif method == "email":
# with this method we do no use user association
try:
# todo: add email_key_timestamp field
# and check key age
user = User.objects.get(email_key=email_key)
user.email_key = None # one time key so delete it
user.email_isvalid = True
user.save()
return user
except User.DoesNotExist:
return None
elif method == "oauth":
if login_providers[provider_name]["type"] in ("oauth", "oauth2"):
try:
assoc = UserAssociation.objects.get(openid_url=oauth_user_id, provider_name=provider_name)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
else:
return None
elif method == "facebook":
try:
# assert(provider_name == 'facebook')
assoc = UserAssociation.objects.get(openid_url=facebook_user_id, provider_name="facebook")
user = assoc.user
except UserAssociation.DoesNotExist:
return None
elif method == "ldap":
# user_info = ldap_authenticate(username, password)
user_info = util.ldap_check_password(username, password)
if user_info["success"] == False:
# Maybe a user created internally (django admin user)
try:
user = User.objects.get(username__exact=username)
if user.check_password(password):
return user
else:
return None
except User.DoesNotExist:
return None
else:
# load user by association or maybe auto-create one
ldap_username = user_info["ldap_username"]
try:
# todo: provider_name is hardcoded - possible conflict
assoc = UserAssociation.objects.get(openid_url=ldap_username, provider_name="Wind River LDAP")
user = assoc.user
except UserAssociation.DoesNotExist:
# email address is required
if "email" in user_info and askbot_settings.LDAP_AUTOCREATE_USERS:
assoc = ldap_create_user(user_info)
user = assoc.user
else:
return None
elif method == "wordpress_site":
try:
custom_wp_openid_url = "%s?user_id=%s" % (wordpress_url, wp_user_id)
assoc = UserAssociation.objects.get(openid_url=custom_wp_openid_url, provider_name="wordpress_site")
user = assoc.user
except UserAssociation.DoesNotExist:
return None
elif method == "force":
return self.get_user(user_id)
else:
raise TypeError("only openid and password supported")
if assoc:
# update last used time
assoc.last_used_timestamp = datetime.datetime.now()
assoc.save()
return user
def authenticate(
self,
username = None,#for 'password'
password = None,#for 'password'
user_id = None,#for 'force'
provider_name = None,#required with all except email_key
openid_url = None,
email_key = None,
oauth_user_id = None,#used with oauth
facebook_user_id = None,#user with facebook
ldap_user_id = None,#for ldap
method = None,#requried parameter
):
"""this authentication function supports many login methods
just which method it is going to use it determined
from the signature of the function call
"""
login_providers = util.get_enabled_login_providers()
if method == 'password':
if login_providers[provider_name]['type'] != 'password':
raise ImproperlyConfigured('login provider must use password')
if provider_name == 'local':
try:
user = User.objects.get(username=username)
if not user.check_password(password):
return None
except User.DoesNotExist:
return None
else:
#todo there must be a call to some sort of
#an external "check_password" function
raise NotImplementedError('do not support external passwords')
#this is a catch - make login token a little more unique
#for the cases when passwords are the same for two users
#from the same provider
try:
assoc = UserAssociation.objects.get(
user = user,
provider_name = provider_name
)
except UserAssociation.DoesNotExist:
assoc = UserAssociation(
user = user,
provider_name = provider_name
)
assoc.openid_url = user.password + str(user.id)
elif method == 'openid':
provider_name = util.get_provider_name(openid_url)
try:
assoc = UserAssociation.objects.get(
openid_url = openid_url,
provider_name = provider_name
)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
elif method == 'email':
#with this method we do no use user association
try:
#todo: add email_key_timestamp field
#and check key age
user = User.objects.get(email_key = email_key)
user.email_key = None #one time key so delete it
user.email_isvalid = True
user.save()
return user
except User.DoesNotExist:
return None
elif method == 'oauth':
if login_providers[provider_name]['type'] == 'oauth':
try:
assoc = UserAssociation.objects.get(
openid_url = oauth_user_id,
provider_name = provider_name
)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
else:
return None
elif method == 'facebook':
try:
#assert(provider_name == 'facebook')
assoc = UserAssociation.objects.get(
openid_url = facebook_user_id,
provider_name = 'facebook'
)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
elif method == 'ldap':
try:
assoc = UserAssociation.objects.get(
openid_url = ldap_user_id,
provider_name = provider_name
)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
elif method == 'force':
return self.get_user(user_id)
else:
raise TypeError('only openid and password supported')
#update last used time
assoc.last_used_timestamp = datetime.datetime.now()
assoc.save()
return user
def authenticate(
self,
username=None, #for 'password'
password=None, #for 'password'
user_id=None, #for 'force'
provider_name=None, #required with all except email_key
openid_url=None,
email_key=None,
oauth_user_id=None, #used with oauth
facebook_user_id=None, #user with facebook
ldap_user_id=None, #for ldap
method=None, #requried parameter
):
"""this authentication function supports many login methods
just which method it is going to use it determined
from the signature of the function call
"""
login_providers = util.get_enabled_login_providers()
if method == 'password':
if login_providers[provider_name]['type'] != 'password':
raise ImproperlyConfigured('login provider must use password')
if provider_name == 'local':
try:
user = User.objects.get(username=username)
if not user.check_password(password):
return None
except User.DoesNotExist:
return None
else:
#todo there must be a call to some sort of
#an external "check_password" function
raise NotImplementedError('do not support external passwords')
#this is a catch - make login token a little more unique
#for the cases when passwords are the same for two users
#from the same provider
try:
assoc = UserAssociation.objects.get(
user=user, provider_name=provider_name)
except UserAssociation.DoesNotExist:
assoc = UserAssociation(user=user, provider_name=provider_name)
assoc.openid_url = user.password + str(user.id)
elif method == 'openid':
provider_name = util.get_provider_name(openid_url)
try:
assoc = UserAssociation.objects.get(
openid_url=openid_url, provider_name=provider_name)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
elif method == 'email':
#with this method we do no use user association
try:
#todo: add email_key_timestamp field
#and check key age
user = User.objects.get(email_key=email_key)
user.email_key = None #one time key so delete it
user.email_isvalid = True
user.save()
return user
except User.DoesNotExist:
return None
elif method == 'oauth':
if login_providers[provider_name]['type'] == 'oauth':
try:
assoc = UserAssociation.objects.get(
openid_url=oauth_user_id, provider_name=provider_name)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
else:
return None
elif method == 'facebook':
try:
#assert(provider_name == 'facebook')
assoc = UserAssociation.objects.get(
openid_url=facebook_user_id, provider_name='facebook')
user = assoc.user
except UserAssociation.DoesNotExist:
return None
elif method == 'ldap':
try:
assoc = UserAssociation.objects.get(
openid_url=ldap_user_id, provider_name=provider_name)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
elif method == 'force':
return self.get_user(user_id)
else:
raise TypeError('only openid and password supported')
#update last used time
assoc.last_used_timestamp = datetime.datetime.now()
assoc.save()
return user
