def authenticate(self, username, password): userdn = self._get_user_dn(username) # first of all: try a bind to check user existence and password try: connection = ldap3.Connection( self.uri, user=userdn, password=password, auto_bind=self.BIND_METHODS[self.bindmethod]) except ldap3.core.exceptions.LDAPException as e: raise AuthenticationError('LDAP connection failed (%s)' % e) userlevel = -1 # check if the user has explicit rights if username in self.userroles: userlevel = self._access_levels[self.userroles[username]] return User(username, userlevel) # if no explicit user right was given, check group rights groups = self._get_user_groups(connection, username) for group in groups: if group in self.grouproles: userlevel = max(userlevel, self._access_levels[self.grouproles[group]]) if userlevel >= 0: return User(username, userlevel) raise AuthenticationError('Login not permitted for the given user')
def authenticate(self, username, password): username = username.strip() if not username: raise AuthenticationError('No username, please identify yourself!') # check for exact match (also matches empty password if username # matches) for (user, pw, level) in self.passwd: if user == username: if not pw or pw == self._hash(password): if not password and level > USER: level = USER # limit passwordless entries to USER return User(username, level) else: raise AuthenticationError('Invalid username or password!') # check for unspecified user for (user, pw, level) in self.passwd: if user == '': # pylint: disable=compare-to-empty-string if pw and pw == self._hash(password): if level > USER: level = USER # limit passworded anonymous to USER return User(username, level) elif not pw: # fix passwordless anonymous to GUEST return User(username, GUEST) # do not give a hint whether username or password is wrong... raise AuthenticationError('Invalid username or password!')
def authenticate(self, username, password): if username in self.aliases: email, level = self.aliases[username] else: email, level = username, USER ghost = GhostWrapper('https://' + self.ghosthost, self.log) try: realname = ghost.login(self.instrument, email, password, strict=self.checkexp) except ghostapi.errors.GhostAccessError: self.log.exception('during authentication') raise AuthenticationError('unknown user or wrong password') \ from None except AuthenticationError: self.log.exception('during authentication') raise except Exception as err: self.log.exception('during authentication') raise AuthenticationError('exception during authenticate(): %s' % err) from None if email == username: # try to extract the user's real name from the user data username = realname return User(username, level, { 'ghost': ghost, 'keepalive': ghost.keepalive })
def authenticate(self, username, password): try: credentials = queryUser(username) if credentials[1] != self._hash(password): raise AuthenticationError('wrong password') return User(username, USER) except AuthenticationError: raise except Exception as err: raise AuthenticationError('exception during authenticate(): %s' % err)
def authenticate(self, username, password): try: pam.authenticate(username, password, resetcred=0) entry = pwd.getpwnam(username) idx = access_re.search(to_utf8(entry.pw_gecos)) if idx: access = int(idx.group('level')) if access in (GUEST, USER, ADMIN): return User(username, access) return User(username, self.defaultlevel) except pam.PAMError as err: raise AuthenticationError('PAM authentication failed: %s' % err) except Exception as err: raise AuthenticationError( 'exception during PAM authentication: %s' % err)
def login(self, instr, email, password, strict): """Log in to GhOST with the given account (email address). If strict is true, and the current experiment is a "user experiment", the user must either be a local contact for the instrument or a user assigned to the experiment. """ self.ghost_instrument = instr # first, login to GhOST error = None try: self.checkCredentials(email, password) except ghostapi.errors.GhostApiException as err: # this avoids leaking authentication details via tracebacks error = str(err) if error: raise AuthenticationError('login failed: %s' % error) # check local contact status try: instrs = self.getLCInstruments(email) self.is_local_contact = any(i['name'] == instr for i in instrs) except ghostapi.errors.GhostApiException: # no access means: we are not local contact pass self.log.debug('user is local contact? %s', self.is_local_contact) # we are a normal user => if configured, check that a proposal # is scheduled for us today if not self.is_local_contact and strict: self.strictUserCheck(email) # get user's real name for display in daemon userdata = self.getUserData(email) return userdata['firstname'] + ' ' + userdata['lastname']
def _get_group_name(self, connection, gid): filter_str = self.groupfilter % {'gidnumber': gid} if not connection.search(self.groupbasedn, filter_str, ldap3.LEVEL, attributes=ldap3.ALL_ATTRIBUTES): raise AuthenticationError('Group %s not found' % gid) return connection.response[0]['attributes']['cn'][0]
def strictUserCheck(self, email): """Check if user may log in considering the current proposal: * during user experiments, any user of that proposal may log in * during service/other, any user may log in whose experiment is scheduled for the current date Raises AuthenticationError if access denied. """ sessions = self.getTodaysSessions() if session.experiment.proptype == 'user': if not any(ses['proposal_number'] == session.experiment.proposal for ses in sessions): raise AuthenticationError('user is neither local contact ' 'nor member of current proposal') elif not sessions: raise AuthenticationError('user is neither local contact ' 'nor has a proposal scheduled today')
def authenticate(self, username, password): username = username.strip() if not username: raise AuthenticationError('No username, please identify yourself!') # check for exact match (also matches empty password if username # matches) pw = nicoskeystore.getCredential(username, domain=self.userdomain) if pw is None: raise AuthenticationError('Invalid username or password!') for (user, level) in self.access: if user == username: if pw == password: if password == '' and level > USER: # pylint: disable=compare-to-empty-string level = USER # limit passwordless entries to USER return User(username, level) else: raise AuthenticationError('Invalid username or password!') # do not give a hint whether username or password is wrong... raise AuthenticationError('Invalid username or password!')
def _get_default_group(self, connection, username): filter_str = self.userfilter % {'username': username} if not connection.search(self.userbasedn, filter_str, ldap3.LEVEL, attributes=ldap3.ALL_ATTRIBUTES): raise AuthenticationError('User not found in LDAP directory') return self._get_group_name( connection, connection.response[0]['attributes']['gidNumber'])
def authenticate(self, username, password): secret = nicoskeystore.getCredential(self.keystoretoken) error = None try: oauth = OAuth2Session(client=LegacyApplicationClient( client_id=self.clientid)) token = oauth.fetch_token(token_url=self.tokenurl, username=username, password=password, client_id=self.clientid, client_secret=secret) except Exception as err: # this avoids leaking credential details via tracebacks error = str(err) if error: raise AuthenticationError('exception during authenticate(): %s' % error) if not oauth.authorized: raise AuthenticationError('wrong password') return User(username, USER, { 'token': token, 'clientid': self.clientid })