def _doCertificateLogon(self, request): """Attempt to logon using the client certificate This can only succeed if: * the client certificate CN matches a username * cert_logins is not disabled in the configuration file """ from ccsd_session import startSession, startBasicSession from crcnetd.modules.ccs_contact import getUserCache # Check incoming peer certificate cert = request.channel.transport.socket.get_peer_certificate() subj = cert.get_subject() domain = config_get('network','domain', '') username = "******" % (subj.CN , domain) allow_login = config_getboolean(None, "cert_logins", True) if not allow_login: None # CN matches a MAC address #return startBasicSession(username, SESSION_RW) # Does the CN match a username? users = getUserCache(ADMIN_SESSION_ID) if username in users.keys(): if users[username]["enabled"]: # Make sure a session exists for the user return startSession(users[username]['login_id'], SESSION_RW) # CN matches a MAC address #return startBasicSession(username, SESSION_RW) return None
def hasPerms(self, mode, group): """Checks that the specified session has the appropriate group memberships""" # Import here to avoid circular dependencies from crcnetd.modules.ccs_contact import getUserCache, getCustomerCache, getGroupCache # Check session is of appropriate type if mode == SESSION_RW: if self.mode != SESSION_RW: return SESSION_NONE # normal users have AUTH_AUTHENTICATED by default if group == AUTH_AUTHENTICATED: return mode # If we have a cached permission record, return that if group in self.permCache.keys(): return self.permCache[group] # Check group membership users = getUserCache(self.session_id) customers = getCustomerCache(self.session_id) groups = getGroupCache(self.session_id) admin_id = users[self.login_id]["admin_id"] if self._isGroupMember(admin_id, groups[group], groups): self.permCache[group] = mode return mode self.permCache[group] = SESSION_NONE return SESSION_NONE
def cookieLogin(username, token): """Allows authentication with the server using a stored token. Looks up token & username in the cookies table. If a match is found the authentication is successful. Returns a session description dictionary as returned by the session object. """ from crcnetd.modules.ccs_contact import getUserCache # Validate username / token #if len(username) <= 0: # raise ccsd_session_error("Username too short, must be > 0 characters!") #if len(username) > 16: # raise ccsd_session_error("Username too long, must be < 16 characters!") if len(token) <= 0: raise ccsd_session_error("Token too short, must be > 0 characters!") if len(token) > 32 : raise ccsd_session_error("Token too long, must be < 32 characters!") #Get the login_id from the users cache users = getUserCache(ADMIN_SESSION_ID) if username in users.keys(): login_id = users[username]['login_id'] else: raise ccsd_session_error("Invalid username or cookie token!") # Check username / token if not _validateCookieToken(login_id, token): raise ccsd_session_error("Invalid username or cookie token!") # Return the users read-only session return startSession(login_id, SESSION_RO)
def getGroupMemberships(self): """Returns a list of all groups this session belongs to""" # Import here to avoid circular dependencies from crcnetd.modules.ccs_contact import getUserCache, getCustomerCache, getGroupCache # Check group membership users = getUserCache(self.session_id) customers = getCustomerCache(self.session_id) groups = getGroupCache(self.session_id) if self.login_id in users.keys(): contact_id = users[self.login_id]["admin_id"] else: return [] # Cache memberships res = [] for group in groups.keys(): if self._isGroupMember(contact_id, groups[group], groups): res.append(group) return res
def _validatePassword(username, password): """Helper routine for login. Validates the users password""" from crcnetd.modules.ccs_contact import getUserCache session = getSessionE(ADMIN_SESSION_ID) users = getUserCache(ADMIN_SESSION_ID) # Check if user exists if username not in users.keys(): log_warn("No user %s" % username) return None # Get password passwd = users[username]["passwd"] if len(passwd) <= 0: log_warn("No password set for %s" % username) return None # Check password if crypt.crypt(password, passwd) != passwd: log_info("Password check failed for %s" % username) return None return users[username]['login_id']