def ldap_create_user_default(user_info, request):
"""takes the result returned by the :func:`ldap_authenticate`
and returns a :class:`UserAssociation` object
"""
# create new user in local db
user = User()
user.username = user_info.get('django_username', user_info['ldap_username'])
user.set_unusable_password()
user.first_name = user_info['first_name']
user.last_name = user_info['last_name']
user.email = user_info['email']
user.is_staff = False
user.is_superuser = False
user.is_active = True
user.save()
user_registered.send(None, user=user, request=request)
LOG.info('Created New User : [{0}]'.format(user_info['ldap_username']))
assoc = UserAssociation()
assoc.user = user
assoc.openid_url = user_info['ldap_username'] + '@ldap'
assoc.provider_name = 'ldap'
assoc.save()
return assoc
def create_ldap_login_for_user(user):
"""a unit job that creates LDAP account record for
the user, assuming that his or her LDAP user name
is the same as the user name on the forum site.
If the record already exists, LDAP provider name
will be updated according to the live setting,
otherwise a new record will be created.
Always returns ``True``.
"""
ldap_url = askbot_settings.LDAP_URL
ldap_provider_name = askbot_settings.LDAP_PROVIDER_NAME
if '' in (ldap_url, ldap_provider_name):
raise CommandError(
'Please, first set up LDAP settings '
'at url /settings/EXTERNAL_KEYS,'
'relative to the base url of your forum site'
)
try:
assoc = UserAssociation.objects.get(
openid_url = user.username,
user = user
)
except UserAssociation.DoesNotExist:
assoc = UserAssociation(
openid_url = user.username,
user = user
)
assoc.provider_name = ldap_provider_name
assoc.last_used_timestamp = datetime.datetime.now()
assoc.save()
return True
def create_ldap_login_for_user(user):
"""a unit job that creates LDAP account record for
the user, assuming that his or her LDAP user name
is the same as the user name on the forum site.
If the record already exists, LDAP provider name
will be updated according to the live setting,
otherwise a new record will be created.
Always returns ``True``.
"""
ldap_url = askbot_settings.LDAP_URL
ldap_provider_name = askbot_settings.LDAP_PROVIDER_NAME
if '' in (ldap_url, ldap_provider_name):
raise CommandError(
'Please, first set up LDAP settings '
'at url /settings/EXTERNAL_KEYS,'
'relative to the base url of your forum site'
)
try:
assoc = UserAssociation.objects.get(
openid_url = user.username,
user = user
)
except UserAssociation.DoesNotExist:
assoc = UserAssociation(
openid_url = user.username,
user = user
)
assoc.provider_name = ldap_provider_name
assoc.last_used_timestamp = datetime.datetime.now()
try:
assoc.save()
except psycopg2.IntegrityError:
print "Duplicate Key:", user.username
return True
def import_user_logins(self):
"""import user's login methods from OSQA to Askbot"""
for user_login in self.get_objects_for_model('forum.authkeyuserassociation'):
assoc = UserAssociation()
assoc.openid_url = user_login.key
assoc.user = self.get_imported_object_by_old_id(User, user_login.user)
assoc.provider_name = user_login.provider
assoc.last_used_timestamp = user_login.added_at
assoc.save()
def import_user_logins(self):
"""import user's login methods from OSQA to Askbot"""
for user_login in self.get_objects_for_model('forum.authkeyuserassociation'):
assoc = UserAssociation()
assoc.openid_url = user_login.key
assoc.user = self.get_imported_object_by_old_id(User, user_login.user)
assoc.provider_name = user_login.provider
assoc.last_used_timestamp = user_login.added_at
assoc.save()
def cas_get_or_create_user(cas_response):
"""takes the result returned by the :func:`ldap_authenticate`
and returns a :class:`UserAssociation` object
"""
# create new user in local db
try:
logging.debug("Getting user association for %s", cas_response.get('user'))
assoc = UserAssociation.objects.get(
openid_url = cas_response.get('user') + '@ldap',
provider_name = 'ldap'
)
return assoc
except UserAssociation.DoesNotExist:
try:
user = User.objects.get(username=cas_response.get('user'))
except User.DoesNotExist:
user = User()
user.username = cas_response.get('django_username', cas_response.get('user'))
user.set_unusable_password()
user.first_name = cas_response['attributes'].get('firstName', None)
user.last_name = cas_response['attributes'].get('lastName', None)
user.email = cas_response['attributes'].get('email', None)
user.is_staff = False
user.is_superuser = False
user.is_active = True
user.save()
user_registered.send(None, user = user)
logging.debug('Created New User : [{0}]'.format(cas_response.get('user')))
assoc = UserAssociation()
assoc.user = user
assoc.openid_url = cas_response.get('user') + '@ldap'
assoc.provider_name = 'ldap'
assoc.save()
return assoc
def authenticate(
self,
username = None,#for 'password' and 'ldap'
password = None,#for 'password' and 'ldap'
user_id = None,#for 'force'
provider_name = None,#required with all except email_key
openid_url = None,
email_key = None,
oauth_user_id = None,#used with oauth
facebook_user_id = None,#user with facebook
wordpress_url = None, # required for self hosted wordpress
wp_user_id = None, # required for self hosted wordpress
cas_ticket = None, # the CAS ticket
method = None,#requried parameter
):
"""this authentication function supports many login methods
just which method it is going to use it determined
from the signature of the function call
"""
login_providers = util.get_enabled_login_providers()
assoc = None # UserAssociation not needed for ldap
if method == 'password':
if login_providers[provider_name]['type'] != 'password':
raise ImproperlyConfigured('login provider must use password')
if provider_name == 'local':
try:
user = User.objects.get(username=username)
if not user.check_password(password):
return None
except User.DoesNotExist:
try:
email_address = username
user = User.objects.get(email = email_address)
if not user.check_password(password):
return None
except User.DoesNotExist:
return None
except User.MultipleObjectsReturned:
LOG.critical(
('have more than one user with email %s ' +
'he/she will not be able to authenticate with ' +
'the email address in the place of user name') % email_address
)
return None
else:
if login_providers[provider_name]['check_password'](username, password):
try:
#if have user associated with this username and provider,
#return the user
assoc = UserAssociation.objects.get(
openid_url = username + '@' + provider_name,#a hack - par name is bad
provider_name = provider_name
)
return assoc.user
except UserAssociation.DoesNotExist:
#race condition here a user with this name may exist
user, created = User.objects.get_or_create(username = username)
if created:
user.set_password(password)
user.save()
user_registered.send(None, user = user)
else:
#have username collision - so make up a more unique user name
#bug: - if user already exists with the new username - we are in trouble
new_username = '******' % (username, provider_name)
user = User.objects.create_user(new_username, '', password)
user_registered.send(None, user = user)
message = _(
'Welcome! Please set email address (important!) in your '
'profile and adjust screen name, if necessary.'
)
user.message_set.create(message = message)
else:
return None
#this is a catch - make login token a little more unique
#for the cases when passwords are the same for two users
#from the same provider
try:
assoc = UserAssociation.objects.get(
user = user,
provider_name = provider_name
)
except UserAssociation.DoesNotExist:
assoc = UserAssociation(
user = user,
provider_name = provider_name
)
assoc.openid_url = username + '@' + provider_name#has to be this way for external pw logins
elif method == 'openid':
try:
assoc = UserAssociation.objects.get(openid_url=openid_url)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
except UserAssociation.MultipleObjectsReturned:
logging.critical(
'duplicate openid url in the database!!! %s' % openid_url
)
return None
elif method == 'email':
#with this method we do no use user association
try:
#todo: add email_key_timestamp field
#and check key age
user = User.objects.get(email_key = email_key)
user.email_key = None #one time key so delete it
user.email_isvalid = True
user.save()
return user
except User.DoesNotExist:
return None
elif method == 'oauth':
if login_providers[provider_name]['type'] == 'oauth':
try:
assoc = UserAssociation.objects.get(
openid_url = oauth_user_id,
provider_name = provider_name
)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
else:
return None
elif method == 'facebook':
try:
#assert(provider_name == 'facebook')
assoc = UserAssociation.objects.get(
openid_url = facebook_user_id,
provider_name = 'facebook'
)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
elif method == 'ldap':
user_info = ldap_authenticate(username, password)
if user_info['success'] == False:
# Maybe a user created internally (django admin user)
try:
user = User.objects.get(username__exact=username)
if user.check_password(password):
return user
else:
return None
except User.DoesNotExist:
return None
else:
#load user by association or maybe auto-create one
ldap_username = user_info['ldap_username']
try:
#todo: provider_name is hardcoded - possible conflict
assoc = UserAssociation.objects.get(
openid_url = ldap_username + '@ldap',
provider_name = 'ldap'
)
user = assoc.user
except UserAssociation.DoesNotExist:
#email address is required
if 'email' in user_info and askbot_settings.LDAP_AUTOCREATE_USERS:
assoc = ldap_create_user(user_info)
user = assoc.user
else:
return None
elif method == 'cas':
import caslib
cas_response = caslib.cas_serviceValidate(cas_ticket)
success, _user = cas_response.map[cas_response.type].get('user',None)
if success:
try:
assoc = UserAssociation.objects.get(
openid_url = _user + '@ldap',
provider_name = 'ldap'
)
user = assoc.user
except UserAssociation.DoesNotExist:
user = User()
user.username = _user
user.set_unusable_password()
user.is_staff = False
user.is_superuser = False
user.is_active = True
user.save()
user_registered.send(None, user = user)
LOG.info('Created New User : [{0}]'.format(_user))
assoc = UserAssociation()
assoc.user = _user
assoc.openid_url = _user + '@ldap'
assoc.provider_name = 'ldap'
assoc.save()
else:
return None
elif method == 'wordpress_site':
try:
custom_wp_openid_url = '%s?user_id=%s' % (wordpress_url, wp_user_id)
assoc = UserAssociation.objects.get(
openid_url = custom_wp_openid_url,
provider_name = 'wordpress_site'
)
user = assoc.user
except UserAssociation.DoesNotExist:
return None
elif method == 'force':
return self.get_user(user_id)
else:
raise TypeError('only openid and password supported')
if assoc:
#update last used time
assoc.last_used_timestamp = datetime.datetime.now()
assoc.save()
return user