def set_project(cls, project_code): '''This is kept here because everybody is used to using this''' security = Environment.get_security() # FIXME: # Because it is possible to call this before one is # logged in. This is required to see the login screen. from pyasm.security import get_security_version security_version = get_security_version() if security_version != 1 and not project_code == 'admin': key = {'code': project_code} key2 = {'code': "*"} keys = [key, key2] if not security.check_access( "project", keys, access="allow", default="deny"): user = Environment.get_login() if user: user = user.get_value("login") raise SecurityException( "User [%s] is not permitted to view project [%s]" % (user, project_code)) else: raise SecurityException( "Not permitted to view project [%s]" % (project_code)) from pyasm.security import Site site = Site.get_site() PROJECT_KEY = "Project:global:%s:" % site Container.put(PROJECT_KEY, project_code)
def verify(self, login_name, password): encrypted = hashlib.md5(password).hexdigest() # get the login sobject from the database self.login = Login.get_by_login(login_name, use_upn=True) if not self.login: raise SecurityException("Login/Password combination incorrect") # encrypt and check the password if encrypted != self.login.get_value("password"): raise SecurityException("Login/Password combination incorrect") return True
def verify(my, login_name, password): #encrypted = md5.new(password).hexdigest() encrypted = hashlib.md5(password).hexdigest() # get the login sobject from the database my.login = Login.get_by_login(login_name) if not my.login: raise SecurityException("Login/Password combination incorrect") # encrypt and check the password print encrypted print my.login.get_value("password") if encrypted != my.login.get_value("password"): raise SecurityException("Login/Password combination incorrect") return True
def authenticate(my, login, password): # encrypt and check the password #encrypted = md5.new(password).hexdigest() encrypted = hashlib.md5(password).hexdigest() if encrypted != login.get_value("password"): raise SecurityException("Login/Password combination incorrect") return True
def load_user_data(self, login_name, domain=None): '''get user data from active directory''' # get all of the tactic groups self.tactic_groups = Search.eval("@SOBJECT(sthpw/login_group)") # get the mappings attrs_map = self.get_user_mapping() group_attrs_map = self.get_group_mapping() if self.ad_exists: self.data = self.get_info_from_ad(login_name, attrs_map, domain=domain) else: #group_path = "%s/AD_group_export.ldif" % BASE_DIR #self.group_data = self.get_info_from_file(login_name, group_attrs_map, group_path) path = "%s/AD_user_export.ldif" % BASE_DIR self.data = self.get_info_from_file(attrs_map, path) if not self.data.get('sAMAccountName'): raise SecurityException( "Could not get info from Active Directory for login [%s]. You may have selected the wrong domain." % login_name) return self.data
def init(self): self.search_type = "config/custom_script" security = Environment.get_security() if not security.check_access("builtin", "view_script_editor", "allow"): raise SecurityException( 'You are not allowed to access this widget.')
def _do_login(self): security = Environment.get_security() require_password = Config.get_value("security", "api_require_password") api_password = Config.get_value("security", "api_password") site = Site.get() allow_guest = site.allow_guest() # the xmlrpc login can be overridden to not require a password if require_password == "false" or (allow_guest and self.login_name == "guest"): security.login_user_without_password(self.login_name, expiry="NULL") elif api_password: if api_password == self.password: security.login_user_without_password(self.login_name, expiry="NULL") else: # if api password is incorrect, still try and authenticate with # user's password security.login_user(self.login_name, self.password, expiry="NULL") elif self.login_name == "guest": security.login_user_without_password(self.login_name) else: security.login_user(self.login_name, self.password, expiry="NULL") if not security.is_logged_in(): raise SecurityException("Cannot login as user: %s." % self.login_name)
def _test_access_level(my): security = Environment.get_security() from pyasm.security import get_security_version security_version = get_security_version() projects = Search.eval('@SOBJECT(sthpw/project)') if security_version >= 2: for project in projects: key = { "code": project.get_code() } key2 = { "code": "*" } keys = [key, key2] default = "deny" # other than sample3d, unittest as allowed above, a default low access level user # should not see other projects access = security.check_access("project", keys, "allow", default=default) process_keys = [{'process': 'anim'}] proc_access = security.check_access("process", process_keys, "allow") my.assertEquals(proc_access, True) if project.get_code() in ['sample3d','unittest']: my.assertEquals(access, True) else: my.assertEquals(access, False) else: raise SecurityException('Please test with security version 2. Set it in your config file')
def _do_login(my): security = Environment.get_security() require_password = Config.get_value("security", "api_require_password") api_password = Config.get_value("security", "api_password") # the xmlrpc login can be overridden to not require a password if require_password == "false": security.login_user_without_password(my.login_name, expiry="NULL") elif api_password: if api_password == my.password: security.login_user_without_password(my.login_name, expiry="NULL") else: # if api password is incorrect, still try and authenticate with # user's password security.login_user(my.login_name, my.password, expiry="NULL") else: security.login_user(my.login_name, my.password, expiry="NULL") if not security.is_logged_in(): raise SecurityException("Cannot login as user: %s." % my.login_name)
def _do_login(my): security = Environment.get_security() ticket = security.login_with_ticket(my.ticket) if not ticket: raise SecurityException( "Cannot login with key: %s. Session may have expired." % my.ticket)
def get_info_from_ad(my, login_name, attrs_map, domain=None): data = {} if login_name == 'admin': return data """ if login_name.find("\\") != -1: domain, login_name = login_name.split("\\") else: domain = None """ python = Config.get_value('services', 'python') if not python: python = 'python' try: # get the info from a separate process from subprocess import Popen, PIPE if domain: cmd = [ python, "%s/ad_get_user_info.py" % BASE_DIR, '-d', domain, "-u", login_name ] else: cmd = [ python, "%s/ad_get_user_info.py" % BASE_DIR, "-u", login_name, ] output = Popen(cmd, stdout=PIPE).communicate()[0] import StringIO output = StringIO.StringIO(output) data = my.get_info_from_file(attrs_map, output) # get the license type from active directory license_type = data.get('tacticLicenseType') if not license_type: # TEST!!!! for MMS # FIXME: this logic is questionable. # if the user has no defined groups in Active Directory, then # it should use the default license type. if not my.groups: license_type = my.get_default_license_type() data['license_type'] = license_type else: data['license_type'] = "user" except ADException: raise SecurityException( "Could not get info from Active Directory for login [%s]" % login_name) return data
def verify(self, login_name, password): '''Method to authenticate the user with a given login name and a given password @params: login_name: string value of the login. Note that the login will contain a windows domain. ie: login_name = 'domain\foo' passwod: string value of the password ''' # This function must be override and must return True to authenticate raise SecurityException("Custom Authenticate class must override verify method")
def _do_login(self): allow_guest = Config.get_value("security", "allow_guest") if allow_guest == 'true': allow_guest = True else: allow_guest = False security = Environment.get_security() login = security.login_with_ticket(self.ticket, allow_guest=allow_guest) if not login: raise SecurityException("Cannot login with key: %s. Session may have expired." % self.ticket)
def verify(my, login_name, password): path = Config.get_value("checkin", "ldap_path") server = Config.get_value("checkin", "ldap_server") assert path, server path = path.replace("{login}", login_name) import ldap try: l = ldap.open(server) l.simple_bind_s(path, password) return True except: raise SecurityException("Login/Password combination incorrect")
class ADAuthenticate(Authenticate): '''Test authenticate mechanism which caches user info''' def __init__(my): my.ad_exists = True if os.name != 'nt': my.ad_exists = False my.groups = set() my.data = {} my.tactic_groups = [] def get_mode(my): return 'cache' def verify(my, login_name, password): if login_name.find("\\") != -1: domain, base_login_name = login_name.split("\\") else: base_login_name = login_name domain = None # confirm that there is a domain present if required require_domain = Config.get_value("active_directory", "require_domain") domain_component = Config.get_value("active_directory","domain_component") script_path = Config.get_value("active_directory","allow_script") if script_path: flag = False try: from tactic.command import PythonCmd from pyasm.command import Command kwargs = {'login' : login_name} cmd = PythonCmd(script_path=script_path, **kwargs) #flag = Command.execute_cmd(cmd) flag = cmd.execute() except Exception, e: print e raise if flag != True: return False if require_domain == "true" and not domain: raise SecurityException("Domain Selection Required") # skip authentication if ad does not exist if not my.ad_exists: print "WARNING: Active directory does not exist ... skipping verify" return True ad_connect = ADConnect() ad_connect.set_user(base_login_name) ad_connect.set_password(password) info = ad_connect.lookup() try: lookup_domain = info[1] except: lookup_domain = '' # lookup domain takes prescedence if lookup_domain: domain = lookup_domain #ad_connect.set_domain(lookup_domain) elif domain: pass #ad_connect.set_domain(domain) domain = "%s%s"%(domain,domain_component) ad_connect.set_domain(domain) #ad_connect.set_user(base_login_name) #ad_connect.set_password(password) is_logged_in = ad_connect.logon() # preload data for further use later with original full login_name if is_logged_in: my.load_user_data(base_login_name, domain) return is_logged_in
def get_info_from_file(my, attrs_map, path): '''for testing purposes''' data = {} if type(path) in types.StringTypes: f = open(path, 'r') else: f = path lines = [] error_flag = False error = '' for line in f: if line.startswith("ERROR") or line.startswith("WARNING"): error_flag = True error = line print line continue if error_flag: print line continue if line.strip() == '': continue if line.startswith(" "): line = line.strip() lines[-1].append(line) else: line = line.strip() lines.append([line]) if error_flag: raise SecurityException(error) for line in lines: line = "".join(line) #print "line: ", line name, value = line.split(": ", 1) if name == 'memberOf': my.handle_group(value) continue attr_name = attrs_map.get(name) #print name if not attr_name: continue data[attr_name] = value # get the license type from active directory license_type = data.get('license_type') if not license_type: # TEST!!!! for MMS # FIXME: this logic is questionable. # if the user has no defined groups in Active Directory, then # it should use the default license type. if not my.groups: license_type = my.get_default_license_type() data['license_type'] = license_type else: data['license_type'] = "user" return data
def authenticate(my, login, password): # This function must be override and must return True to authenticate raise SecurityException("Must override authenticate method")
class ADAuthenticate(Authenticate): '''Test authenticate mechanism which caches user info''' def __init__(self): self.ad_exists = True if os.name != 'nt': self.ad_exists = False self.groups = set() self.data = {} self.tactic_groups = [] def get_mode(self): return 'cache' def verify(self, login_name, password): if login_name.find("\\") != -1: domain, base_login_name = login_name.split("\\") else: base_login_name = login_name domain = None # confirm that there is a domain present if required require_domain = Config.get_value("active_directory", "require_domain") domain_component = Config.get_value("active_directory", "domain_component") script_path = Config.get_value("active_directory", "allow_script") if script_path: flag = False try: from tactic.command import PythonCmd from pyasm.command import Command kwargs = {'login': login_name} cmd = PythonCmd(script_path=script_path, **kwargs) #flag = Command.execute_cmd(cmd) flag = cmd.execute() except Exception, e: print e raise if flag != True: return False if require_domain == "true" and not domain: raise SecurityException("Domain Selection Required") # skip authentication if ad does not exist if not self.ad_exists: print "WARNING: Active directory does not exist ... skipping verify" return True ad_connect = ADConnect() ad_connect.set_user(base_login_name) ad_connect.set_password(password) info = ad_connect.lookup() try: lookup_domain = info[1] except: lookup_domain = '' # lookup domain takes prescedence if lookup_domain: domain = lookup_domain #ad_connect.set_domain(lookup_domain) elif domain: pass #ad_connect.set_domain(domain) domain = "%s%s" % (domain, domain_component) ad_connect.set_domain(domain) #ad_connect.set_user(base_login_name) #ad_connect.set_password(password) is_logged_in = ad_connect.logon() # preload data for further use later with original full login_name if is_logged_in: self.load_user_data(base_login_name, domain) else: # If AD authentication fails, attempt login via Tactic database+ # (Only allow login for external users) login = Login.get_by_login(base_login_name) if login and login.get_value('location', no_exception=True) == 'external': auth_class = "pyasm.security.TacticAuthenticate" authenticate = Common.create_from_class_path(auth_class) is_authenticated = authenticate.verify(base_login_name, password) if is_authenticated == True: return True return is_logged_in