def doLogin(self):
"""Login handler"""
if 'submit' in self.query:
if 'user' in self.query:
self.user = self.query['user']
else:
self.clearUser()
if 'password' in self.query:
self.password = self.query['password']
else:
self.password = None
if not hit_rate_limit(configuration, "openid",
self.client_address[0], self.user) and \
self.checkLogin(self.user, self.password):
if not self.query['success_to']:
self.query['success_to'] = '%s/id/' % self.server.base_url
print "doLogin succeded: redirect to %s" % self.query['success_to']
self.redirect(self.query['success_to'])
update_rate_limit(configuration, "openid",
self.client_address[0], self.user, True)
else:
# TODO: Login failed - is this correct behaviour?
print "doLogin failed for %s!" % self.user
# print "doLogin full query: %s" % self.query
self.clearUser()
self.redirect(self.query['success_to'])
update_rate_limit(configuration, "openid",
self.client_address[0], self.user, False)
elif 'cancel' in self.query:
self.redirect(self.query['fail_to'])
else:
assert 0, 'strange login %r' % (self.query,)
def check_auth_publickey(self, username, key):
"""Public key auth against usermap"""
offered = None
if hit_rate_limit(configuration, "sftp-key", self.client_addr[0],
username, max_fails=10):
logger.warning("Rate limiting login from %s" % self.client_addr[0])
elif self.allow_publickey and self.users.has_key(username):
# list of User login objects for username
entries = self.users[username]
offered = key.get_base64()
for entry in entries:
if entry.public_key is not None:
# TODO: Add ssh tunneling on resource frontends
# before enforcing ip check
# and \
# (entry.ip_addr is None or
# entry.ip_addr == self.client_addr[0]):
allowed = entry.public_key.get_base64()
self.logger.debug("Public key check for %s" % username)
if allowed == offered:
self.logger.info("Public key match for %s" % username)
self.authenticated_user = username
update_rate_limit(configuration, "sftp-key",
self.client_addr[0], username, True)
return paramiko.AUTH_SUCCESSFUL
err_msg = 'Public key authentication failed for %s:\n%s' % \
(username, offered)
self.logger.error(err_msg)
print err_msg
update_rate_limit(configuration, "sftp-key", self.client_addr[0],
username, False)
return paramiko.AUTH_FAILED
def _check_auth_publickey(self, username, key):
"""Verify supplied username and public key against user DB"""
offered = None
if hit_rate_limit(configuration, "davs", self.client_address[0],
username):
logger.warning("Rate limiting login from %s" % \
self.client_address[0])
elif self.users.has_key(username):
# list of User login objects for username
entries = self.users[username]
offered = key.get_base64()
for entry in entries:
if entry.public_key is not None:
allowed = entry.public_key.get_base64()
logger.debug("Public key check for %s" % username)
if allowed == offered:
logger.info("Public key match for %s" % username)
self.authenticated_user = username
update_rate_limit(configuration, "davs",
self.client_address[0], username,
True)
return True
update_rate_limit(configuration, "davs", self.client_address[0],
username, False)
return False
def validate_authentication(self, username, password, handler):
"""Password auth against usermap.
Please note that we take serious steps to secure against password
cracking, but that it _may_ still be possible to achieve with a big
effort.
Paranoid users / grid owners should not enable password access in the
first place!
"""
logger.debug("Authenticating %s" % username)
self.update_logins(username)
offered = None
if hit_rate_limit(configuration, "ftps", handler.remote_ip, username):
logger.warning("Rate limiting login from %s" % handler.remote_ip)
elif 'password' in configuration.user_ftps_auth and \
self.has_user(username):
# list of User login objects for username
entries = [self.user_table[username]]
offered = password
for entry in entries:
if entry['pwd'] is not None:
allowed = entry['pwd']
logger.debug("Password check for %s" % username)
if check_password_hash(offered, allowed):
logger.info("Authenticated %s" % username)
self.authenticated_user = username
update_rate_limit(configuration, "ftps",
handler.remote_ip, username, True)
return True
err_msg = "Password authentication failed for %s" % username
logger.error(err_msg)
print err_msg
self.authenticated_user = None
update_rate_limit(configuration, "ftps", handler.remote_ip, username,
False)
# Must raise AuthenticationFailed exception since version 1.0.0 instead
# of returning bool
raise AuthenticationFailed(err_msg)
def check_auth_password(self, username, password):
"""Password auth against usermap.
Please note that we take serious steps to secure against password
cracking, but that it _may_ still be possible to achieve with a big
effort.
Paranoid users / grid owners should not enable password access in the
first place!
"""
offered = None
if hit_rate_limit(configuration, "sftp-pw", self.client_addr[0],
username):
logger.warning("Rate limiting login from %s" % self.client_addr[0])
elif self.allow_password and self.users.has_key(username):
# list of User login objects for username
entries = self.users[username]
offered = password
for entry in entries:
if entry.password is not None:
# TODO: Add ssh tunneling on resource frontends
# before enforcing ip check
# and \
#(entry.ip_addr is None or
# entry.ip_addr == self.client_addr[0]):
allowed = entry.password
self.logger.debug("Password check for %s" % username)
if check_password_hash(offered, allowed):
self.logger.info("Authenticated %s" % username)
self.authenticated_user = username
update_rate_limit(configuration, "sftp-pw",
self.client_addr[0], username, True)
return paramiko.AUTH_SUCCESSFUL
err_msg = "Password authentication failed for %s" % username
self.logger.error(err_msg)
print err_msg
update_rate_limit(configuration, "sftp-pw", self.client_addr[0],
username, False)
return paramiko.AUTH_FAILED
def authDomainUser(self, realmname, username, password, environ):
"""Returns True if this username/password pair is valid for the realm,
False otherwise. Used for basic authentication.
We explicitly compare against saved hash rather than password value.
"""
#print "DEBUG: env in authDomainUser: %s" % environ
addr = _get_addr(environ)
self._expire_rate_limit()
#logger.info("refresh user %s" % username)
update_users(configuration, self.userMap, username)
#logger.info("in authDomainUser from %s" % addr)
success = False
if hit_rate_limit(configuration, "davs", addr, username):
logger.warning("Rate limiting login from %s" % addr)
elif self._check_auth_password(addr, realmname, username, password):
logger.info("Accepted login for %s from %s" % (username, addr))
success = True
else:
logger.warning("Invalid login for %s from %s" % (username, addr))
update_rate_limit(configuration, "davs", addr, username, success)
logger.info("valid digest user %s" % username)
return success
def _check_auth_password(self, username, password):
"""Verify supplied username and password against user DB"""
offered = None
if hit_rate_limit(configuration, "davs", self.client_address[0],
username):
logger.warning("Rate limiting login from %s" % \
self.client_address[0])
elif self.users.has_key(username):
# list of User login objects for username
entries = self.users[username]
offered = password
for entry in entries:
if entry.password is not None:
allowed = entry.password
logger.debug("Password check for %s" % username)
if check_password_hash(offered, allowed):
self.authenticated_user = username
update_rate_limit(configuration, "davs",
self.client_address[0], username,
True)
return True
update_rate_limit(configuration, "davs", self.client_address[0],
username, False)
return False
def handleAllow(self, query):
"""Handle requests to allow authentication:
Must verify user is already logged in or validate username/password
pair against user DB.
"""
request = self.server.lastCheckIDRequest.get(self.user)
print "handleAllow with last request %s from user %s" % \
(request, self.user)
# print "DEBUG: full query %s" % query
# Old IE 8 does not send contents of submit buttons thus only the
# fields login_as and password are set with the allow requests. We
# manually add a yes here if so to avoid the else case.
if not 'yes' in query and not 'no' in query:
query['yes'] = 'yes'
if 'yes' in query:
if 'login_as' in query:
self.user = self.query['login_as']
#print "handleAllow set user %s" % self.user
elif 'identifier' in query:
self.user = self.query['identifier']
if request.idSelect():
# Do any ID expansion to a specified format
if configuration.daemon_conf['expandusername']:
user_id = lookup_full_identity(query.get('identifier', ''))
else:
user_id = query.get('identifier', '')
identity = self.server.base_url + 'id/' + user_id
else:
identity = request.identity
print "handleAllow with identity %s" % identity
if 'password' in self.query:
print "setting password"
self.password = self.query['password']
else:
print "no password in query"
self.password = None
if not hit_rate_limit(configuration, "openid",
self.client_address[0], self.user) and \
self.checkLogin(self.user, self.password):
print "handleAllow validated login %s" % identity
trust_root = request.trust_root
if self.query.get('remember', 'no') == 'yes':
self.server.approved[(identity, trust_root)] = 'always'
print "handleAllow approving login %s" % identity
response = self.approved(request, identity)
update_rate_limit(configuration, "openid",
self.client_address[0], self.user, True)
else:
print "handleAllow rejected login %s" % identity
self.clearUser()
response = self.rejected(request, identity)
update_rate_limit(configuration, "openid",
self.client_address[0], self.user, False)
elif 'no' in query:
response = request.answer(False)
else:
assert False, 'strange allow post. %r' % (query,)
self.displayResponse(response)
