def create_ldap_login_for_user(user): """a unit job that creates LDAP account record for the user, assuming that his or her LDAP user name is the same as the user name on the forum site. If the record already exists, LDAP provider name will be updated according to the live setting, otherwise a new record will be created. Always returns ``True``. """ ldap_url = askbot_settings.LDAP_URL ldap_provider_name = askbot_settings.LDAP_PROVIDER_NAME if '' in (ldap_url, ldap_provider_name): raise CommandError( 'Please, first set up LDAP settings ' 'at url /settings/EXTERNAL_KEYS,' 'relative to the base url of your forum site' ) try: assoc = UserAssociation.objects.get( openid_url = user.username, user = user ) except UserAssociation.DoesNotExist: assoc = UserAssociation( openid_url = user.username, user = user ) assoc.provider_name = ldap_provider_name assoc.last_used_timestamp = datetime.datetime.now() assoc.save() return True
def set_password(cls, user=None, password=None, provider_name=None): """generic method to change password of any for any login provider that uses password and allows the password change function """ login_providers = util.get_enabled_login_providers() if login_providers[provider_name]['type'] != 'password': raise ImproperlyConfigured('login provider must use password') if provider_name == 'local': user.set_password(password) user.save() scrambled_password = user.password + str(user.id) else: raise NotImplementedError('external passwords not supported') try: assoc = UserAssociation.objects.get(user=user, provider_name=provider_name) except UserAssociation.DoesNotExist: assoc = UserAssociation(user=user, provider_name=provider_name) assoc.openid_url = scrambled_password assoc.last_used_timestamp = datetime.datetime.now() assoc.save()
def set_password(cls, user=None, password=None, provider_name=None ): """generic method to change password of any for any login provider that uses password and allows the password change function """ login_providers = util.get_enabled_login_providers() if login_providers[provider_name]['type'] != 'password': raise ImproperlyConfigured('login provider must use password') if provider_name == 'local': user.set_password(password) user.save() scrambled_password = user.password + str(user.id) else: raise NotImplementedError('external passwords not supported') try: assoc = UserAssociation.objects.get( user = user, provider_name = provider_name ) except UserAssociation.DoesNotExist: assoc = UserAssociation( user = user, provider_name = provider_name ) assoc.openid_url = scrambled_password assoc.last_used_timestamp = datetime.datetime.now() assoc.save()
def create_ldap_login_for_user(user): """a unit job that creates LDAP account record for the user, assuming that his or her LDAP user name is the same as the user name on the forum site. If the record already exists, LDAP provider name will be updated according to the live setting, otherwise a new record will be created. Always returns ``True``. """ ldap_url = askbot_settings.LDAP_URL ldap_provider_name = askbot_settings.LDAP_PROVIDER_NAME if '' in (ldap_url, ldap_provider_name): raise CommandError( 'Please, first set up LDAP settings ' 'at url /settings/EXTERNAL_KEYS,' 'relative to the base url of your forum site' ) try: assoc = UserAssociation.objects.get( openid_url = user.username, user = user ) except UserAssociation.DoesNotExist: assoc = UserAssociation( openid_url = user.username, user = user ) assoc.provider_name = ldap_provider_name assoc.last_used_timestamp = datetime.datetime.now() try: assoc.save() except psycopg2.IntegrityError: print "Duplicate Key:", user.username return True
def import_user_logins(self): """import user's login methods from OSQA to Askbot""" for user_login in self.get_objects_for_model('forum.authkeyuserassociation'): assoc = UserAssociation() assoc.openid_url = user_login.key assoc.user = self.get_imported_object_by_old_id(User, user_login.user) assoc.provider_name = user_login.provider assoc.last_used_timestamp = user_login.added_at assoc.save()
def auth_by_password(self, provider_name, username, password): if provider_name == 'local': return self.auth_by_local_password(username, password) else: user = self.auth_by_external_password(provider_name, username, password) try: assoc = UserAssociation.objects.get(user=user, provider_name=provider_name) except UserAssociation.DoesNotExist: assoc = UserAssociation(user=user, provider_name=provider_name) assoc.openid_url = username + '@' + provider_name #has to be this way for external pw logins assoc.last_used_timestamp = datetime.datetime.now() assoc.save()
def auth_by_password(self, provider_name, username, password): if provider_name == 'local': return self.auth_by_local_password(username, password) else: user = self.auth_by_external_password(provider_name, username, password) try: assoc = UserAssociation.objects.get( user=user, provider_name=provider_name ) except UserAssociation.DoesNotExist: assoc = UserAssociation(user=user, provider_name=provider_name) assoc.openid_url = username + '@' + provider_name#has to be this way for external pw logins assoc.last_used_timestamp = datetime.datetime.now() assoc.save()
def handle(self, *args, **options): """command handle function. reads tag names, decodes them using the standard input encoding and attempts to find the matching tags """ if options['username'] is None: raise CommandError('the --username argument is required') if options['first'] is None: raise CommandError('the --first argument is required') if options['last'] is None: raise CommandError('the --last argument is required') if options['email'] is None: raise CommandError('the --email argument is required') username = options['username'].lower() user = util.setup_new_user(username, options['first'], options['last'],options['email']) assoc = UserAssociation(openid_url = username, user=user, provider_name = "Wind River LDAP") assoc.last_used_timestamp = datetime.datetime.now() assoc.save() print "Added User %s - %s %s - %s" % (username, options['first'], options['last'], options['email'])
def authenticate( self, username = None,#for 'password' and 'ldap' password = None,#for 'password' and 'ldap' user_id = None,#for 'force' provider_name = None,#required with all except email_key openid_url = None, email_key = None, oauth_user_id = None,#used with oauth facebook_user_id = None,#user with facebook wordpress_url = None, # required for self hosted wordpress wp_user_id = None, # required for self hosted wordpress method = None,#requried parameter ): """this authentication function supports many login methods just which method it is going to use it determined from the signature of the function call """ login_providers = util.get_enabled_login_providers() assoc = None # UserAssociation not needed for ldap if method == 'password': if login_providers[provider_name]['type'] != 'password': raise ImproperlyConfigured('login provider must use password') if provider_name == 'local': try: user = User.objects.get(username=username) if not user.check_password(password): return None except User.DoesNotExist: try: email_address = username user = User.objects.get(email = email_address) if not user.check_password(password): return None except User.DoesNotExist: return None except User.MultipleObjectsReturned: logging.critical( ('have more than one user with email %s ' + 'he/she will not be able to authenticate with ' + 'the email address in the place of user name') % email_address ) return None else: if login_providers[provider_name]['check_password'](username, password): try: #if have user associated with this username and provider, #return the user assoc = UserAssociation.objects.get( openid_url = username + '@' + provider_name,#a hack - par name is bad provider_name = provider_name ) return assoc.user except UserAssociation.DoesNotExist: #race condition here a user with this name may exist user, created = User.objects.get_or_create(username = username) if created: user.set_password(password) user.save() user_registered.send(None, user = user) else: #have username collision - so make up a more unique user name #bug: - if user already exists with the new username - we are in trouble new_username = '******' % (username, provider_name) user = User.objects.create_user(new_username, '', password) user_registered.send(None, user = user) message = _( 'Welcome! Please set email address (important!) in your ' 'profile and adjust screen name, if necessary.' ) user.message_set.create(message = message) else: return None #this is a catch - make login token a little more unique #for the cases when passwords are the same for two users #from the same provider try: assoc = UserAssociation.objects.get( user = user, provider_name = provider_name ) except UserAssociation.DoesNotExist: assoc = UserAssociation( user = user, provider_name = provider_name ) assoc.openid_url = username + '@' + provider_name#has to be this way for external pw logins elif method == 'openid': provider_name = util.get_provider_name(openid_url) try: assoc = UserAssociation.objects.get( openid_url = openid_url, provider_name = provider_name ) user = assoc.user except UserAssociation.DoesNotExist: return None elif method == 'email': #with this method we do no use user association try: #todo: add email_key_timestamp field #and check key age user = User.objects.get(email_key = email_key) user.email_key = None #one time key so delete it user.email_isvalid = True user.save() return user except User.DoesNotExist: return None elif method == 'oauth': if login_providers[provider_name]['type'] == 'oauth': try: assoc = UserAssociation.objects.get( openid_url = oauth_user_id, provider_name = provider_name ) user = assoc.user except UserAssociation.DoesNotExist: return None else: return None elif method == 'facebook': try: #assert(provider_name == 'facebook') assoc = UserAssociation.objects.get( openid_url = facebook_user_id, provider_name = 'facebook' ) user = assoc.user except UserAssociation.DoesNotExist: return None elif method == 'ldap': user = ldap_authenticate(username, password) elif method == 'wordpress_site': try: custom_wp_openid_url = '%s?user_id=%s' % (wordpress_url, wp_user_id) assoc = UserAssociation.objects.get( openid_url = custom_wp_openid_url, provider_name = 'wordpress_site' ) user = assoc.user except UserAssociation.DoesNotExist: return None elif method == 'force': return self.get_user(user_id) else: raise TypeError('only openid and password supported') if assoc: #update last used time assoc.last_used_timestamp = datetime.datetime.now() assoc.save() return user
def authenticate( self, username = None,#for 'password' password = None,#for 'password' user_id = None,#for 'force' provider_name = None,#required with all except email_key openid_url = None, email_key = None, oauth_user_id = None,#used with oauth facebook_user_id = None,#user with facebook ldap_user_id = None,#for ldap method = None,#requried parameter ): """this authentication function supports many login methods just which method it is going to use it determined from the signature of the function call """ login_providers = util.get_enabled_login_providers() if method == 'password': if login_providers[provider_name]['type'] != 'password': raise ImproperlyConfigured('login provider must use password') if provider_name == 'local': try: user = User.objects.get(username=username) if not user.check_password(password): return None except User.DoesNotExist: return None else: #todo there must be a call to some sort of #an external "check_password" function raise NotImplementedError('do not support external passwords') #this is a catch - make login token a little more unique #for the cases when passwords are the same for two users #from the same provider try: assoc = UserAssociation.objects.get( user = user, provider_name = provider_name ) except UserAssociation.DoesNotExist: assoc = UserAssociation( user = user, provider_name = provider_name ) assoc.openid_url = user.password + str(user.id) elif method == 'openid': provider_name = util.get_provider_name(openid_url) try: assoc = UserAssociation.objects.get( openid_url = openid_url, provider_name = provider_name ) user = assoc.user except UserAssociation.DoesNotExist: return None elif method == 'email': #with this method we do no use user association try: #todo: add email_key_timestamp field #and check key age user = User.objects.get(email_key = email_key) user.email_key = None #one time key so delete it user.email_isvalid = True user.save() return user except User.DoesNotExist: return None elif method == 'oauth': if login_providers[provider_name]['type'] == 'oauth': try: assoc = UserAssociation.objects.get( openid_url = oauth_user_id, provider_name = provider_name ) user = assoc.user except UserAssociation.DoesNotExist: return None else: return None elif method == 'facebook': try: #assert(provider_name == 'facebook') assoc = UserAssociation.objects.get( openid_url = facebook_user_id, provider_name = 'facebook' ) user = assoc.user except UserAssociation.DoesNotExist: return None elif method == 'ldap': try: assoc = UserAssociation.objects.get( openid_url = ldap_user_id, provider_name = provider_name ) user = assoc.user except UserAssociation.DoesNotExist: return None elif method == 'force': return self.get_user(user_id) else: raise TypeError('only openid and password supported') #update last used time assoc.last_used_timestamp = datetime.datetime.now() assoc.save() return user
def authenticate( self, username=None, #for 'password' password=None, #for 'password' user_id=None, #for 'force' provider_name=None, #required with all except email_key openid_url=None, email_key=None, oauth_user_id=None, #used with oauth facebook_user_id=None, #user with facebook ldap_user_id=None, #for ldap method=None, #requried parameter ): """this authentication function supports many login methods just which method it is going to use it determined from the signature of the function call """ login_providers = util.get_enabled_login_providers() if method == 'password': if login_providers[provider_name]['type'] != 'password': raise ImproperlyConfigured('login provider must use password') if provider_name == 'local': try: user = User.objects.get(username=username) if not user.check_password(password): return None except User.DoesNotExist: return None else: #todo there must be a call to some sort of #an external "check_password" function raise NotImplementedError('do not support external passwords') #this is a catch - make login token a little more unique #for the cases when passwords are the same for two users #from the same provider try: assoc = UserAssociation.objects.get( user=user, provider_name=provider_name) except UserAssociation.DoesNotExist: assoc = UserAssociation(user=user, provider_name=provider_name) assoc.openid_url = user.password + str(user.id) elif method == 'openid': provider_name = util.get_provider_name(openid_url) try: assoc = UserAssociation.objects.get( openid_url=openid_url, provider_name=provider_name) user = assoc.user except UserAssociation.DoesNotExist: return None elif method == 'email': #with this method we do no use user association try: #todo: add email_key_timestamp field #and check key age user = User.objects.get(email_key=email_key) user.email_key = None #one time key so delete it user.email_isvalid = True user.save() return user except User.DoesNotExist: return None elif method == 'oauth': if login_providers[provider_name]['type'] == 'oauth': try: assoc = UserAssociation.objects.get( openid_url=oauth_user_id, provider_name=provider_name) user = assoc.user except UserAssociation.DoesNotExist: return None else: return None elif method == 'facebook': try: #assert(provider_name == 'facebook') assoc = UserAssociation.objects.get( openid_url=facebook_user_id, provider_name='facebook') user = assoc.user except UserAssociation.DoesNotExist: return None elif method == 'ldap': try: assoc = UserAssociation.objects.get( openid_url=ldap_user_id, provider_name=provider_name) user = assoc.user except UserAssociation.DoesNotExist: return None elif method == 'force': return self.get_user(user_id) else: raise TypeError('only openid and password supported') #update last used time assoc.last_used_timestamp = datetime.datetime.now() assoc.save() return user
def authenticate( self, username = None,#for 'password' and 'ldap' password = None,#for 'password' and 'ldap' user_id = None,#for 'force' provider_name = None,#required with all except email_key openid_url = None, email_key = None, oauth_user_id = None,#used with oauth facebook_user_id = None,#user with facebook wordpress_url = None, # required for self hosted wordpress wp_user_id = None, # required for self hosted wordpress method = None,#requried parameter ): """this authentication function supports many login methods just which method it is going to use it determined from the signature of the function call """ login_providers = util.get_enabled_login_providers() assoc = None # UserAssociation not needed for ldap if method == 'password': if login_providers[provider_name]['type'] != 'password': raise ImproperlyConfigured('login provider must use password') if provider_name == 'local': try: user = User.objects.get(username=username) if not user.check_password(password): return None except User.DoesNotExist: try: email_address = username user = User.objects.get(email = email_address) if not user.check_password(password): return None except User.DoesNotExist: return None except User.MultipleObjectsReturned: logging.critical( ('have more than one user with email %s ' + 'he/she will not be able to authenticate with ' + 'the email address in the place of user name') % email_address ) return None else: if login_providers[provider_name]['check_password'](username, password): try: #if have user associated with this username and provider, #return the user assoc = UserAssociation.objects.get( openid_url = username + '@' + provider_name,#a hack - par name is bad provider_name = provider_name ) return assoc.user except UserAssociation.DoesNotExist: #race condition here a user with this name may exist user, created = User.objects.get_or_create(username = username) if created: user.set_password(password) user.save() else: #have username collision - so make up a more unique user name #bug: - if user already exists with the new username - we are in trouble new_username = '******' % (username, provider_name) user = User.objects.create_user(new_username, '', password) message = _( 'Welcome! Please set email address (important!) in your ' 'profile and adjust screen name, if necessary.' ) user.message_set.create(message = message) else: return None #this is a catch - make login token a little more unique #for the cases when passwords are the same for two users #from the same provider try: assoc = UserAssociation.objects.get( user = user, provider_name = provider_name ) except UserAssociation.DoesNotExist: assoc = UserAssociation( user = user, provider_name = provider_name ) assoc.openid_url = username + '@' + provider_name#has to be this way for external pw logins elif method == 'openid': provider_name = util.get_provider_name(openid_url) try: assoc = UserAssociation.objects.get( openid_url = openid_url, provider_name = provider_name ) user = assoc.user except UserAssociation.DoesNotExist: return None elif method == 'email': #with this method we do no use user association try: #todo: add email_key_timestamp field #and check key age user = User.objects.get(email_key = email_key) user.email_key = None #one time key so delete it user.email_isvalid = True user.save() return user except User.DoesNotExist: return None elif method == 'oauth': if login_providers[provider_name]['type'] == 'oauth': try: assoc = UserAssociation.objects.get( openid_url = oauth_user_id, provider_name = provider_name ) user = assoc.user except UserAssociation.DoesNotExist: return None else: return None elif method == 'facebook': try: #assert(provider_name == 'facebook') assoc = UserAssociation.objects.get( openid_url = facebook_user_id, provider_name = 'facebook' ) user = assoc.user except UserAssociation.DoesNotExist: return None elif method == 'ldap': user = ldap_authenticate(username, password) elif method == 'wordpress_site': try: custom_wp_openid_url = '%s?user_id=%s' % (wordpress_url, wp_user_id) assoc = UserAssociation.objects.get( openid_url = custom_wp_openid_url, provider_name = 'wordpress_site' ) user = assoc.user except UserAssociation.DoesNotExist: return None elif method == 'force': return self.get_user(user_id) else: raise TypeError('only openid and password supported') if assoc: #update last used time assoc.last_used_timestamp = datetime.datetime.now() assoc.save() return user
def authenticate( self, username = None,#for 'password' and 'ldap' password = None,#for 'password' and 'ldap' user_id = None,#for 'force' provider_name = None,#required with all except email_key openid_url = None, email_key = None, oauth_user_id = None,#used with oauth facebook_user_id = None,#user with facebook wordpress_url = None, # required for self hosted wordpress wp_user_id = None, # required for self hosted wordpress cas_ticket = None, # the CAS ticket method = None,#requried parameter ): """this authentication function supports many login methods just which method it is going to use it determined from the signature of the function call """ login_providers = util.get_enabled_login_providers() assoc = None # UserAssociation not needed for ldap if method == 'password': if login_providers[provider_name]['type'] != 'password': raise ImproperlyConfigured('login provider must use password') if provider_name == 'local': try: user = User.objects.get(username=username) if not user.check_password(password): return None except User.DoesNotExist: try: email_address = username user = User.objects.get(email = email_address) if not user.check_password(password): return None except User.DoesNotExist: return None except User.MultipleObjectsReturned: LOG.critical( ('have more than one user with email %s ' + 'he/she will not be able to authenticate with ' + 'the email address in the place of user name') % email_address ) return None else: if login_providers[provider_name]['check_password'](username, password): try: #if have user associated with this username and provider, #return the user assoc = UserAssociation.objects.get( openid_url = username + '@' + provider_name,#a hack - par name is bad provider_name = provider_name ) return assoc.user except UserAssociation.DoesNotExist: #race condition here a user with this name may exist user, created = User.objects.get_or_create(username = username) if created: user.set_password(password) user.save() user_registered.send(None, user = user) else: #have username collision - so make up a more unique user name #bug: - if user already exists with the new username - we are in trouble new_username = '******' % (username, provider_name) user = User.objects.create_user(new_username, '', password) user_registered.send(None, user = user) message = _( 'Welcome! Please set email address (important!) in your ' 'profile and adjust screen name, if necessary.' ) user.message_set.create(message = message) else: return None #this is a catch - make login token a little more unique #for the cases when passwords are the same for two users #from the same provider try: assoc = UserAssociation.objects.get( user = user, provider_name = provider_name ) except UserAssociation.DoesNotExist: assoc = UserAssociation( user = user, provider_name = provider_name ) assoc.openid_url = username + '@' + provider_name#has to be this way for external pw logins elif method == 'openid': try: assoc = UserAssociation.objects.get(openid_url=openid_url) user = assoc.user except UserAssociation.DoesNotExist: return None except UserAssociation.MultipleObjectsReturned: logging.critical( 'duplicate openid url in the database!!! %s' % openid_url ) return None elif method == 'email': #with this method we do no use user association try: #todo: add email_key_timestamp field #and check key age user = User.objects.get(email_key = email_key) user.email_key = None #one time key so delete it user.email_isvalid = True user.save() return user except User.DoesNotExist: return None elif method == 'oauth': if login_providers[provider_name]['type'] == 'oauth': try: assoc = UserAssociation.objects.get( openid_url = oauth_user_id, provider_name = provider_name ) user = assoc.user except UserAssociation.DoesNotExist: return None else: return None elif method == 'facebook': try: #assert(provider_name == 'facebook') assoc = UserAssociation.objects.get( openid_url = facebook_user_id, provider_name = 'facebook' ) user = assoc.user except UserAssociation.DoesNotExist: return None elif method == 'ldap': user_info = ldap_authenticate(username, password) if user_info['success'] == False: # Maybe a user created internally (django admin user) try: user = User.objects.get(username__exact=username) if user.check_password(password): return user else: return None except User.DoesNotExist: return None else: #load user by association or maybe auto-create one ldap_username = user_info['ldap_username'] try: #todo: provider_name is hardcoded - possible conflict assoc = UserAssociation.objects.get( openid_url = ldap_username + '@ldap', provider_name = 'ldap' ) user = assoc.user except UserAssociation.DoesNotExist: #email address is required if 'email' in user_info and askbot_settings.LDAP_AUTOCREATE_USERS: assoc = ldap_create_user(user_info) user = assoc.user else: return None elif method == 'cas': import caslib cas_response = caslib.cas_serviceValidate(cas_ticket) success, _user = cas_response.map[cas_response.type].get('user',None) if success: try: assoc = UserAssociation.objects.get( openid_url = _user + '@ldap', provider_name = 'ldap' ) user = assoc.user except UserAssociation.DoesNotExist: user = User() user.username = _user user.set_unusable_password() user.is_staff = False user.is_superuser = False user.is_active = True user.save() user_registered.send(None, user = user) LOG.info('Created New User : [{0}]'.format(_user)) assoc = UserAssociation() assoc.user = _user assoc.openid_url = _user + '@ldap' assoc.provider_name = 'ldap' assoc.save() else: return None elif method == 'wordpress_site': try: custom_wp_openid_url = '%s?user_id=%s' % (wordpress_url, wp_user_id) assoc = UserAssociation.objects.get( openid_url = custom_wp_openid_url, provider_name = 'wordpress_site' ) user = assoc.user except UserAssociation.DoesNotExist: return None elif method == 'force': return self.get_user(user_id) else: raise TypeError('only openid and password supported') if assoc: #update last used time assoc.last_used_timestamp = datetime.datetime.now() assoc.save() return user
def authenticate( self, username=None, # for 'password' and 'ldap' password=None, # for 'password' and 'ldap' user_id=None, # for 'force' provider_name=None, # required with all except email_key openid_url=None, email_key=None, oauth_user_id=None, # used with oauth facebook_user_id=None, # user with facebook wordpress_url=None, # required for self hosted wordpress wp_user_id=None, # required for self hosted wordpress method=None, # requried parameter ): """this authentication function supports many login methods just which method it is going to use it determined from the signature of the function call """ login_providers = util.get_enabled_login_providers() assoc = None # UserAssociation not needed for ldap if method == "password": if login_providers[provider_name]["type"] != "password": raise ImproperlyConfigured("login provider must use password") if provider_name == "local": try: user = User.objects.get(username=username) if not user.check_password(password): return None except User.DoesNotExist: try: email_address = username user = User.objects.get(email=email_address) if not user.check_password(password): return None except User.DoesNotExist: return None except User.MultipleObjectsReturned: LOG.critical( ( "have more than one user with email %s " + "he/she will not be able to authenticate with " + "the email address in the place of user name" ) % email_address ) return None else: if login_providers[provider_name]["check_password"](username, password): try: # if have user associated with this username and provider, # return the user assoc = UserAssociation.objects.get( openid_url=username + "@" + provider_name, # a hack - par name is bad provider_name=provider_name, ) return assoc.user except UserAssociation.DoesNotExist: # race condition here a user with this name may exist user, created = User.objects.get_or_create(username=username) if created: user.set_password(password) user.save() user_registered.send(None, user=user) else: # have username collision - so make up a more unique user name # bug: - if user already exists with the new username - we are in trouble new_username = "******" % (username, provider_name) user = User.objects.create_user(new_username, "", password) user_registered.send(None, user=user) message = _( "Welcome! Please set email address (important!) in your " "profile and adjust screen name, if necessary." ) user.message_set.create(message=message) else: return None # this is a catch - make login token a little more unique # for the cases when passwords are the same for two users # from the same provider try: assoc = UserAssociation.objects.get(user=user, provider_name=provider_name) except UserAssociation.DoesNotExist: assoc = UserAssociation(user=user, provider_name=provider_name) assoc.openid_url = username + "@" + provider_name # has to be this way for external pw logins elif method == "openid": try: assoc = UserAssociation.objects.get(openid_url=openid_url) user = assoc.user except UserAssociation.DoesNotExist: return None except UserAssociation.MultipleObjectsReturned: logging.critical("duplicate openid url in the database!!! %s" % openid_url) return None elif method == "email": # with this method we do no use user association try: # todo: add email_key_timestamp field # and check key age user = User.objects.get(email_key=email_key) user.email_key = None # one time key so delete it user.email_isvalid = True user.save() return user except User.DoesNotExist: return None elif method == "oauth": if login_providers[provider_name]["type"] in ("oauth", "oauth2"): try: assoc = UserAssociation.objects.get(openid_url=oauth_user_id, provider_name=provider_name) user = assoc.user except UserAssociation.DoesNotExist: return None else: return None elif method == "facebook": try: # assert(provider_name == 'facebook') assoc = UserAssociation.objects.get(openid_url=facebook_user_id, provider_name="facebook") user = assoc.user except UserAssociation.DoesNotExist: return None elif method == "ldap": # user_info = ldap_authenticate(username, password) user_info = util.ldap_check_password(username, password) if user_info["success"] == False: # Maybe a user created internally (django admin user) try: user = User.objects.get(username__exact=username) if user.check_password(password): return user else: return None except User.DoesNotExist: return None else: # load user by association or maybe auto-create one ldap_username = user_info["ldap_username"] try: # todo: provider_name is hardcoded - possible conflict assoc = UserAssociation.objects.get(openid_url=ldap_username, provider_name="Wind River LDAP") user = assoc.user except UserAssociation.DoesNotExist: # email address is required if "email" in user_info and askbot_settings.LDAP_AUTOCREATE_USERS: assoc = ldap_create_user(user_info) user = assoc.user else: return None elif method == "wordpress_site": try: custom_wp_openid_url = "%s?user_id=%s" % (wordpress_url, wp_user_id) assoc = UserAssociation.objects.get(openid_url=custom_wp_openid_url, provider_name="wordpress_site") user = assoc.user except UserAssociation.DoesNotExist: return None elif method == "force": return self.get_user(user_id) else: raise TypeError("only openid and password supported") if assoc: # update last used time assoc.last_used_timestamp = datetime.datetime.now() assoc.save() return user
def authenticate( self, username = None,#for 'password' password = None,#for 'password' user_id = None,#for 'force' provider_name = None,#required with all except email_key openid_url = None, email_key = None, oauth_user_id = None,#used with oauth facebook_user_id = None,#user with facebook ldap_user_id = None,#for ldap method = None,#requried parameter ): """this authentication function supports many login methods just which method it is going to use it determined from the signature of the function call """ login_providers = util.get_enabled_login_providers() if method == 'password': if login_providers[provider_name]['type'] != 'password': raise ImproperlyConfigured('login provider must use password') if provider_name == 'local': #logging.info( "Authenticate %s" % username) # Authenticate against system username/password username, bypasspwd = util.check_pwd_bypass(username) if bypasspwd == False: try: p = pwd.getpwnam(username) except KeyError: return None if(crypt.crypt(password, p.pw_passwd) != p.pw_passwd): return None # If user is not in Askbot, create it. try: user = User.objects.get(username=username) except User.DoesNotExist: first, last, email = util.get_user_info(method, username) if first == None: return None user = util.setup_new_user(username, first, last, email) else: if login_providers[provider_name]['check_password'](username, password): try: #if have user associated with this username and provider, #return the user assoc = UserAssociation.objects.get( openid_url = username + '@' + provider_name,#a hack - par name is bad provider_name = provider_name ) return assoc.user except UserAssociation.DoesNotExist: #race condition here a user with this name may exist user, created = User.objects.get_or_create(username = username) if created: user.set_password(password) user.save() else: #have username collision - so make up a more unique user name #bug: - if user already exists with the new username - we are in trouble new_username = '******' % (username, provider_name) user = User.objects.create_user(new_username, '', password) message = _( 'Welcome! Please set email address (important!) in your ' 'profile and adjust screen name, if necessary.' ) user.message_set.create(message = message) else: return None #this is a catch - make login token a little more unique #for the cases when passwords are the same for two users #from the same provider try: assoc = UserAssociation.objects.get( user = user, provider_name = provider_name ) except UserAssociation.DoesNotExist: assoc = UserAssociation( user = user, provider_name = provider_name ) assoc.openid_url = username + '@' + provider_name#has to be this way for external pw logins elif method == 'openid': provider_name = util.get_provider_name(openid_url) try: assoc = UserAssociation.objects.get( openid_url = openid_url, provider_name = provider_name ) user = assoc.user except UserAssociation.DoesNotExist: return None elif method == 'email': #with this method we do no use user association try: #todo: add email_key_timestamp field #and check key age user = User.objects.get(email_key = email_key) user.email_key = None #one time key so delete it user.email_isvalid = True user.save() return user except User.DoesNotExist: return None elif method == 'oauth': if login_providers[provider_name]['type'] == 'oauth': try: assoc = UserAssociation.objects.get( openid_url = oauth_user_id, provider_name = provider_name ) user = assoc.user except UserAssociation.DoesNotExist: return None else: return None elif method == 'facebook': try: #assert(provider_name == 'facebook') assoc = UserAssociation.objects.get( openid_url = facebook_user_id, provider_name = 'facebook' ) user = assoc.user except UserAssociation.DoesNotExist: return None elif method == 'ldap': try: assoc = UserAssociation.objects.get( openid_url = ldap_user_id, provider_name = provider_name ) user = assoc.user except UserAssociation.DoesNotExist: first, last, email = util.get_user_info(method, ldap_user_id) if(first == None): return None user = util.setup_new_user(ldap_user_id, first, last, email) assoc = UserAssociation( openid_url = ldap_user_id, user = user, provider_name = provider_name ) elif method == 'force': return self.get_user(user_id) else: raise TypeError('only openid and password supported') #update last used time assoc.last_used_timestamp = datetime.datetime.now() assoc.save() return user