def _doCertificateLogon(self, request):
"""Attempt to logon using the client certificate
This can only succeed if:
* the client certificate CN matches a username
* cert_logins is not disabled in the configuration file
"""
from ccsd_session import startSession, startBasicSession
from crcnetd.modules.ccs_contact import getUserCache
# Check incoming peer certificate
cert = request.channel.transport.socket.get_peer_certificate()
subj = cert.get_subject()
domain = config_get('network','domain', '')
username = "******" % (subj.CN , domain)
allow_login = config_getboolean(None, "cert_logins", True)
if not allow_login:
None
# CN matches a MAC address
#return startBasicSession(username, SESSION_RW)
# Does the CN match a username?
users = getUserCache(ADMIN_SESSION_ID)
if username in users.keys():
if users[username]["enabled"]:
# Make sure a session exists for the user
return startSession(users[username]['login_id'], SESSION_RW)
# CN matches a MAC address
#return startBasicSession(username, SESSION_RW)
return None
def hasPerms(self, mode, group):
"""Checks that the specified session has the appropriate group
memberships"""
# Import here to avoid circular dependencies
from crcnetd.modules.ccs_contact import getUserCache, getCustomerCache, getGroupCache
# Check session is of appropriate type
if mode == SESSION_RW:
if self.mode != SESSION_RW:
return SESSION_NONE
# normal users have AUTH_AUTHENTICATED by default
if group == AUTH_AUTHENTICATED:
return mode
# If we have a cached permission record, return that
if group in self.permCache.keys():
return self.permCache[group]
# Check group membership
users = getUserCache(self.session_id)
customers = getCustomerCache(self.session_id)
groups = getGroupCache(self.session_id)
admin_id = users[self.login_id]["admin_id"]
if self._isGroupMember(admin_id, groups[group], groups):
self.permCache[group] = mode
return mode
self.permCache[group] = SESSION_NONE
return SESSION_NONE
def cookieLogin(username, token):
"""Allows authentication with the server using a stored token.
Looks up token & username in the cookies table. If a match is found
the authentication is successful.
Returns a session description dictionary as returned by the session
object.
"""
from crcnetd.modules.ccs_contact import getUserCache
# Validate username / token
#if len(username) <= 0:
# raise ccsd_session_error("Username too short, must be > 0 characters!")
#if len(username) > 16:
# raise ccsd_session_error("Username too long, must be < 16 characters!")
if len(token) <= 0:
raise ccsd_session_error("Token too short, must be > 0 characters!")
if len(token) > 32 :
raise ccsd_session_error("Token too long, must be < 32 characters!")
#Get the login_id from the users cache
users = getUserCache(ADMIN_SESSION_ID)
if username in users.keys():
login_id = users[username]['login_id']
else:
raise ccsd_session_error("Invalid username or cookie token!")
# Check username / token
if not _validateCookieToken(login_id, token):
raise ccsd_session_error("Invalid username or cookie token!")
# Return the users read-only session
return startSession(login_id, SESSION_RO)
def getGroupMemberships(self):
"""Returns a list of all groups this session belongs to"""
# Import here to avoid circular dependencies
from crcnetd.modules.ccs_contact import getUserCache, getCustomerCache, getGroupCache
# Check group membership
users = getUserCache(self.session_id)
customers = getCustomerCache(self.session_id)
groups = getGroupCache(self.session_id)
if self.login_id in users.keys():
contact_id = users[self.login_id]["admin_id"]
else:
return []
# Cache memberships
res = []
for group in groups.keys():
if self._isGroupMember(contact_id, groups[group], groups):
res.append(group)
return res
def _validatePassword(username, password):
"""Helper routine for login. Validates the users password"""
from crcnetd.modules.ccs_contact import getUserCache
session = getSessionE(ADMIN_SESSION_ID)
users = getUserCache(ADMIN_SESSION_ID)
# Check if user exists
if username not in users.keys():
log_warn("No user %s" % username)
return None
# Get password
passwd = users[username]["passwd"]
if len(passwd) <= 0:
log_warn("No password set for %s" % username)
return None
# Check password
if crypt.crypt(password, passwd) != passwd:
log_info("Password check failed for %s" % username)
return None
return users[username]['login_id']
