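def authenticate(username, password):
    '''Authenticate username and password against database.

    Returns account object if user was authenticated, else None.

    Lookup order:

    1. The account is fetched from the database (case-insensitive login).
    2. If it does not exist and LDAP is available, LDAP is asked; on
       success a local ``Account`` with ``ext_sync='ldap'`` is created and
       the password is cached locally via ``set_password``.
    3. An existing LDAP-synced account is re-verified against LDAP. If LDAP
       gives no answer, the locally cached password is used as a fallback;
       if LDAP answers but rejects the password, authentication fails
       without consulting the cached password.
    4. Any other account is checked against its stored password.

    Locked accounts are refused explicitly, before any password or LDAP
    check, regardless of whether they are LDAP-synced or local.

    :param username: login name as entered by the user
    :param password: clear-text password as entered by the user
    :returns: the ``Account`` if authenticated, else ``None``

    NOTE(review): the first ``ldapauth.authenticate`` call (unknown local
    user) is not wrapped in a ``NoAnswerError`` handler, so that error
    presumably propagates to the caller when LDAP is unreachable — confirm
    with the caller.
    '''
    # FIXME Log stuff?
    auth = False
    account = None

    # Try to find the account in the database. If it's not found we can try
    # LDAP.
    try:
        account = Account.objects.get(login__iexact=username)
    except Account.DoesNotExist:
        if ldapauth.available:
            user = ldapauth.authenticate(username, password)
            # If we authenticated, store the user in database. The password
            # is cached locally so the account can still log in when LDAP is
            # unreachable (see the NoAnswerError fallback below).
            if user:
                account = Account(
                    login=user.username,
                    name=user.get_real_name(),
                    ext_sync='ldap',
                )
                account.set_password(password)
                account.save()
                _handle_ldap_admin_status(user, account)
                # We're authenticated now
                auth = True

    if not account:
        return None

    if account.locked:
        # Fail closed: a locked account is refused here rather than relying
        # on check_password() to honour the lock, and it is never sent to
        # LDAP for verification.
        _logger.info("Locked user %s tried to log in", account.login)
        return None

    if account.ext_sync == 'ldap' and ldapauth.available and not auth:
        try:
            auth = ldapauth.authenticate(username, password)
        except ldapauth.NoAnswerError:
            # Fallback to stored password if ldap is unavailable
            auth = False
        else:
            if auth:
                # Refresh the cached password so the fallback stays current.
                account.set_password(password)
                account.save()
                _handle_ldap_admin_status(auth, account)
            else:
                # LDAP answered and rejected the credentials: do not fall
                # back to the cached password.
                return None

    if not auth:
        auth = account.check_password(password)

    return account if auth else None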
def authenticate(username, password):
    '''Authenticate username and password against database.

    Returns account object if user was authenticated, else None.

    Resolution order:

    * Existing account (case-insensitive login match) → verified below.
    * Unknown login and LDAP available → LDAP is asked; on success a local
      ``Account`` with ``ext_sync='ldap'`` is created and the password is
      cached locally with ``set_password``.
    * Existing LDAP-synced account → re-verified against LDAP. No answer
      from LDAP means the locally cached password is used instead; an
      explicit rejection by LDAP ends the attempt without the fallback.
    * Everything else → ``check_password`` against the stored hash.

    No account-lock check is performed here; any lockout must be enforced
    by ``check_password`` or by the caller.

    :param username: login name as entered by the user
    :param password: clear-text password as entered by the user
    :returns: the ``Account`` if authenticated, else ``None``
    '''
    # FIXME Log stuff?
    verified = False

    try:
        account = Account.objects.get(login__iexact=username)
    except Account.DoesNotExist:
        account = None
        if ldapauth.available:
            ldap_user = ldapauth.authenticate(username, password)
            # Provision a local account for a user LDAP vouched for; the
            # password is cached so the NoAnswerError fallback below works.
            if ldap_user:
                account = Account(
                    login=ldap_user.username,
                    name=ldap_user.get_real_name(),
                    ext_sync='ldap',
                )
                account.set_password(password)
                account.save()
                verified = True

    if not account:
        return None

    if account.ext_sync == 'ldap' and ldapauth.available and not verified:
        try:
            verified = ldapauth.authenticate(username, password)
        except ldapauth.NoAnswerError:
            # LDAP unreachable: fall through to the cached password.
            verified = False
        else:
            if not verified:
                # LDAP answered and said no; the cached password is not tried.
                return None
            # Keep the cached password in step with LDAP.
            account.set_password(password)
            account.save()

    if not verified:
        verified = account.check_password(password)

    return account if verified else None
def authenticate_remote_user(request):
    """Authenticate username from http header REMOTE_USER

    No credential is verified here: whoever controls the value returned by
    ``get_remote_username(request)`` decides which account is returned, so
    the header must only ever be populated by a trusted front end. An
    unknown username is provisioned as a new ``Account`` (``ext_sync``
    ``'REMOTE_USER'``) with a password from ``fake_password(32)`` —
    presumably a random throw-away value, not shown here — and the creation
    is written to the log and to ``LogEntry``.

    Returns:
    :return: If the user was authenticated, an account.
             If the user was blocked from logging in, False.
             Otherwise, None.
    :rtype: Account, False, None
    """
    username = get_remote_username(request)
    if not username:
        return None

    # We now have a username-ish
    try:
        account = Account.objects.get(login=username)
    except Account.DoesNotExist:
        # First sighting of this remote user: provision and return it.
        created = Account(login=username, name=username,
                          ext_sync='REMOTE_USER')
        created.set_password(fake_password(32))
        created.save()
        _logger.info("Created user %s from header REMOTE_USER", created.login)
        LogEntry.add_log_entry(
            created, 'create-account',
            template='Account "{actor}" created due to REMOTE_USER HTTP header',
            subsystem='auth')
        return created

    if not account.locked:
        return account

    # Bail out! Potentially evil user
    _logger.info("Locked user %s tried to log in", account.login)
    LogEntry.add_log_entry(
        account, 'login-prevent',
        template='Account "{actor}" was prevented from logging in: blocked',
        subsystem='auth')
    return False