def authenticate(self, username, password):
userdn = self._get_user_dn(username)
# first of all: try a bind to check user existence and password
try:
connection = ldap3.Connection(
self.uri,
user=userdn,
password=password,
auto_bind=self.BIND_METHODS[self.bindmethod])
except ldap3.core.exceptions.LDAPException as e:
raise AuthenticationError('LDAP connection failed (%s)' % e)
userlevel = -1
# check if the user has explicit rights
if username in self.userroles:
userlevel = self._access_levels[self.userroles[username]]
return User(username, userlevel)
# if no explicit user right was given, check group rights
groups = self._get_user_groups(connection, username)
for group in groups:
if group in self.grouproles:
userlevel = max(userlevel,
self._access_levels[self.grouproles[group]])
if userlevel >= 0:
return User(username, userlevel)
raise AuthenticationError('Login not permitted for the given user')
def authenticate(self, username, password):
username = username.strip()
if not username:
raise AuthenticationError('No username, please identify yourself!')
# check for exact match (also matches empty password if username
# matches)
for (user, pw, level) in self.passwd:
if user == username:
if not pw or pw == self._hash(password):
if not password and level > USER:
level = USER # limit passwordless entries to USER
return User(username, level)
else:
raise AuthenticationError('Invalid username or password!')
# check for unspecified user
for (user, pw, level) in self.passwd:
if user == '': # pylint: disable=compare-to-empty-string
if pw and pw == self._hash(password):
if level > USER:
level = USER # limit passworded anonymous to USER
return User(username, level)
elif not pw: # fix passwordless anonymous to GUEST
return User(username, GUEST)
# do not give a hint whether username or password is wrong...
raise AuthenticationError('Invalid username or password!')
def authenticate(self, username, password):
if username in self.aliases:
email, level = self.aliases[username]
else:
email, level = username, USER
ghost = GhostWrapper('https://' + self.ghosthost, self.log)
try:
realname = ghost.login(self.instrument,
email,
password,
strict=self.checkexp)
except ghostapi.errors.GhostAccessError:
self.log.exception('during authentication')
raise AuthenticationError('unknown user or wrong password') \
from None
except AuthenticationError:
self.log.exception('during authentication')
raise
except Exception as err:
self.log.exception('during authentication')
raise AuthenticationError('exception during authenticate(): %s' %
err) from None
if email == username:
# try to extract the user's real name from the user data
username = realname
return User(username, level, {
'ghost': ghost,
'keepalive': ghost.keepalive
})
def authenticate(self, username, password):
try:
credentials = queryUser(username)
if credentials[1] != self._hash(password):
raise AuthenticationError('wrong password')
return User(username, USER)
except AuthenticationError:
raise
except Exception as err:
raise AuthenticationError('exception during authenticate(): %s' %
err)
def authenticate(self, username, password):
try:
pam.authenticate(username, password, resetcred=0)
entry = pwd.getpwnam(username)
idx = access_re.search(to_utf8(entry.pw_gecos))
if idx:
access = int(idx.group('level'))
if access in (GUEST, USER, ADMIN):
return User(username, access)
return User(username, self.defaultlevel)
except pam.PAMError as err:
raise AuthenticationError('PAM authentication failed: %s' % err)
except Exception as err:
raise AuthenticationError(
'exception during PAM authentication: %s' % err)
def login(self, instr, email, password, strict):
"""Log in to GhOST with the given account (email address).
If strict is true, and the current experiment is a "user experiment",
the user must either be a local contact for the instrument or a user
assigned to the experiment.
"""
self.ghost_instrument = instr
# first, login to GhOST
error = None
try:
self.checkCredentials(email, password)
except ghostapi.errors.GhostApiException as err:
# this avoids leaking authentication details via tracebacks
error = str(err)
if error:
raise AuthenticationError('login failed: %s' % error)
# check local contact status
try:
instrs = self.getLCInstruments(email)
self.is_local_contact = any(i['name'] == instr for i in instrs)
except ghostapi.errors.GhostApiException:
# no access means: we are not local contact
pass
self.log.debug('user is local contact? %s', self.is_local_contact)
# we are a normal user => if configured, check that a proposal
# is scheduled for us today
if not self.is_local_contact and strict:
self.strictUserCheck(email)
# get user's real name for display in daemon
userdata = self.getUserData(email)
return userdata['firstname'] + ' ' + userdata['lastname']
def _get_group_name(self, connection, gid):
filter_str = self.groupfilter % {'gidnumber': gid}
if not connection.search(self.groupbasedn,
filter_str,
ldap3.LEVEL,
attributes=ldap3.ALL_ATTRIBUTES):
raise AuthenticationError('Group %s not found' % gid)
return connection.response[0]['attributes']['cn'][0]
def strictUserCheck(self, email):
"""Check if user may log in considering the current proposal:
* during user experiments, any user of that proposal may log in
* during service/other, any user may log in whose experiment is
scheduled for the current date
Raises AuthenticationError if access denied.
"""
sessions = self.getTodaysSessions()
if session.experiment.proptype == 'user':
if not any(ses['proposal_number'] == session.experiment.proposal
for ses in sessions):
raise AuthenticationError('user is neither local contact '
'nor member of current proposal')
elif not sessions:
raise AuthenticationError('user is neither local contact '
'nor has a proposal scheduled today')
def authenticate(self, username, password):
username = username.strip()
if not username:
raise AuthenticationError('No username, please identify yourself!')
# check for exact match (also matches empty password if username
# matches)
pw = nicoskeystore.getCredential(username, domain=self.userdomain)
if pw is None:
raise AuthenticationError('Invalid username or password!')
for (user, level) in self.access:
if user == username:
if pw == password:
if password == '' and level > USER: # pylint: disable=compare-to-empty-string
level = USER # limit passwordless entries to USER
return User(username, level)
else:
raise AuthenticationError('Invalid username or password!')
# do not give a hint whether username or password is wrong...
raise AuthenticationError('Invalid username or password!')
def _get_default_group(self, connection, username):
filter_str = self.userfilter % {'username': username}
if not connection.search(self.userbasedn,
filter_str,
ldap3.LEVEL,
attributes=ldap3.ALL_ATTRIBUTES):
raise AuthenticationError('User not found in LDAP directory')
return self._get_group_name(
connection, connection.response[0]['attributes']['gidNumber'])
def authenticate(self, username, password):
secret = nicoskeystore.getCredential(self.keystoretoken)
error = None
try:
oauth = OAuth2Session(client=LegacyApplicationClient(
client_id=self.clientid))
token = oauth.fetch_token(token_url=self.tokenurl,
username=username,
password=password,
client_id=self.clientid,
client_secret=secret)
except Exception as err:
# this avoids leaking credential details via tracebacks
error = str(err)
if error:
raise AuthenticationError('exception during authenticate(): %s' %
error)
if not oauth.authorized:
raise AuthenticationError('wrong password')
return User(username, USER, {
'token': token,
'clientid': self.clientid
})
