def _authenticateCredentials( self, credentialslist, plugins ):
"""Utility method to try to authenticate a list of credentials.
"""
results = []
try:
authenticators = plugins.listPlugins( IAuthenticationPlugin )
except _SWALLOWABLE_PLUGIN_EXCEPTIONS:
logger.debug('Authenticator plugin listing error', exc_info=True)
authenticators = ()
for credentials in credentialslist:
user_id, login_name = self._tryEmergencyUserAuthentication(
credentials )
if user_id is not None:
return [ (user_id, login_name) ]
view_name = createViewName('_authenticateCredentials', credentials.get('login'))
keywords = createKeywords(**credentials)
user_ids = self.ZCacheable_get( view_name=view_name
, keywords=keywords
, default=None
)
if user_ids is not None:
return user_ids
user_ids = [ ]
for authenticator_id, auth in authenticators:
try:
uid_and_info = auth.authenticateCredentials(
credentials )
except _SWALLOWABLE_PLUGIN_EXCEPTIONS:
msg = 'AuthenticationPlugin %s error' % (
authenticator_id, )
logger.debug(msg, exc_info=True)
continue
else:
if uid_and_info is None:
continue
user_id, info = uid_and_info
if user_id is not None:
user_ids.append( (user_id, info) )
if user_ids:
self.ZCacheable_set( user_ids
, view_name=view_name
, keywords=keywords
)
results.extend( user_ids )
return results
def _authenticateCredentials(self, credentialslist, plugins):
"""Utility method to try to authenticate a list of credentials.
"""
results = []
try:
authenticators = plugins.listPlugins(IAuthenticationPlugin)
except _SWALLOWABLE_PLUGIN_EXCEPTIONS:
logger.debug('Authenticator plugin listing error', exc_info=True)
authenticators = ()
for credentials in credentialslist:
user_id, login_name = self._tryEmergencyUserAuthentication(
credentials)
if user_id is not None:
return [(user_id, login_name)]
view_name = createViewName('_authenticateCredentials',
credentials.get('login'))
keywords = createKeywords(**credentials)
user_ids = self.ZCacheable_get(view_name=view_name,
keywords=keywords,
default=None)
if user_ids is not None:
return user_ids
user_ids = []
for authenticator_id, auth in authenticators:
try:
uid_and_info = auth.authenticateCredentials(credentials)
except _SWALLOWABLE_PLUGIN_EXCEPTIONS:
msg = 'AuthenticationPlugin %s error' % (
authenticator_id, )
logger.debug(msg, exc_info=True)
continue
else:
if uid_and_info is None:
continue
user_id, info = uid_and_info
if user_id is not None:
user_ids.append((user_id, info))
if user_ids:
self.ZCacheable_set(user_ids,
view_name=view_name,
keywords=keywords)
results.extend(user_ids)
return results
def _findUser( self, plugins, user_id, name=None, request=None ):
""" user_id -> decorated_user
"""
if user_id == self._emergency_user.getUserName():
return self._emergency_user
# See if the user can be retrieved from the cache
view_name = createViewName('_findUser', user_id)
keywords = createKeywords(user_id=user_id, name=name)
user = self.ZCacheable_get( view_name=view_name
, keywords=keywords
, default=None
)
if user is None:
user = self._createUser( plugins, user_id, name )
if IPropertiedUser.providedBy( user ):
propfinders = plugins.listPlugins( IPropertiesPlugin )
for propfinder_id, propfinder in propfinders:
data = propfinder.getPropertiesForUser( user, request )
if data:
user.addPropertysheet( propfinder_id, data )
groups = self._getGroupsForPrincipal( user, request
, plugins=plugins )
user._addGroups( groups )
rolemakers = plugins.listPlugins( IRolesPlugin )
for rolemaker_id, rolemaker in rolemakers:
roles = rolemaker.getRolesForPrincipal( user, request )
if roles:
user._addRoles( roles )
user._addRoles( ['Authenticated'] )
# Cache the user if caching is enabled
base_user = aq_base(user)
if getattr(base_user, '_p_jar', None) is None:
self.ZCacheable_set( base_user
, view_name=view_name
, keywords=keywords
)
return user.__of__( self )
def _findUser( self, plugins, user_id, name=None, request=None ):
""" user_id -> decorated_user
"""
if user_id == self._emergency_user.getUserName():
return self._emergency_user
# See if the user can be retrieved from the cache
view_name = createViewName('_findUser', user_id)
keywords = createKeywords(user_id=user_id, name=name)
user = self.ZCacheable_get( view_name=view_name
, keywords=keywords
, default=None
)
if user is None:
user = self._createUser( plugins, user_id, name )
propfinders = plugins.listPlugins( IPropertiesPlugin )
for propfinder_id, propfinder in propfinders:
data = propfinder.getPropertiesForUser( user, request )
if data:
user.addPropertysheet( propfinder_id, data )
groups = self._getGroupsForPrincipal( user, request
, plugins=plugins )
user._addGroups( groups )
rolemakers = plugins.listPlugins( IRolesPlugin )
for rolemaker_id, rolemaker in rolemakers:
roles = rolemaker.getRolesForPrincipal( user, request )
if roles:
user._addRoles( roles )
user._addRoles( ['Authenticated'] )
# Cache the user if caching is enabled
base_user = aq_base(user)
if getattr(base_user, '_p_jar', None) is None:
self.ZCacheable_set( base_user
, view_name=view_name
, keywords=keywords
)
return user.__of__( self )
def _verifyUser(self, plugins, user_id=None, login=None):
""" user_id -> info_dict or None
"""
if user_id is None and login is None:
# Avoid possible hugely expensive and/or wrong behavior of
# plugin enumerators.
return None
# Masquerading: Lookup role_user
auth_user_login, role_user_login = splitmasq(login)
if role_user_login is not None:
login = role_user_login
criteria = {'exact_match': True}
if user_id is not None:
criteria['id'] = user_id
if login is not None:
criteria['login'] = login
view_name = createViewName('_verifyUser', user_id or login)
keywords = createKeywords(**criteria)
cached_info = self.ZCacheable_get(view_name=view_name,
keywords=keywords,
default=None)
if cached_info is not None:
return cached_info
enumerators = plugins.listPlugins(IUserEnumerationPlugin)
for enumerator_id, enumerator in enumerators:
try:
info = enumerator.enumerateUsers(**criteria)
if info:
# Put the computed value into the cache
self.ZCacheable_set(info[0],
view_name=view_name,
keywords=keywords)
return info[0]
except _SWALLOWABLE_PLUGIN_EXCEPTIONS:
msg = 'UserEnumerationPlugin %s error' % enumerator_id
logger.debug(msg, exc_info=True)
return None
def _verifyUser( self, plugins, user_id=None, login=None ):
""" user_id -> info_dict or None
"""
if user_id is None and login is None:
# Avoid possible hugely expensive and/or wrong behavior of
# plugin enumerators.
return None
criteria = {'exact_match': True}
if user_id is not None:
criteria[ 'id' ] = user_id
if login is not None:
criteria[ 'login' ] = login
view_name = createViewName('_verifyUser', user_id or login)
keywords = createKeywords(**criteria)
cached_info = self.ZCacheable_get( view_name=view_name
, keywords=keywords
, default=None
)
if cached_info is not None:
return cached_info
enumerators = plugins.listPlugins( IUserEnumerationPlugin )
for enumerator_id, enumerator in enumerators:
try:
info = enumerator.enumerateUsers( **criteria )
if info:
# Put the computed value into the cache
self.ZCacheable_set( info[0]
, view_name=view_name
, keywords=keywords
)
return info[0]
except _SWALLOWABLE_PLUGIN_EXCEPTIONS:
msg = 'UserEnumerationPlugin %s error' % enumerator_id
logger.debug(msg, exc_info=True)
return None
def _verifyUser( self, plugins, user_id=None, login=None ):
""" user_id -> boolean
"""
criteria = {}
if user_id is not None:
criteria[ 'id' ] = user_id
criteria[ 'exact_match' ] = True
if login is not None:
criteria[ 'login' ] = login
if criteria:
view_name = createViewName('_verifyUser', user_id or login)
cached_info = self.ZCacheable_get( view_name=view_name
, keywords=criteria
, default=None
)
if cached_info is not None:
return cached_info
enumerators = plugins.listPlugins( IUserEnumerationPlugin )
for enumerator_id, enumerator in enumerators:
try:
info = enumerator.enumerateUsers( **criteria )
if info:
id = self._computeMangledId( info[0] )
# Put the computed value into the cache
self.ZCacheable_set( id
, view_name=view_name
, keywords=criteria
)
return id
except _SWALLOWABLE_PLUGIN_EXCEPTIONS:
LOG('PluggableAuthService', BLATHER,
'UserEnumerationPlugin %s error' % enumerator_id,
error=sys.exc_info())
return 0
def _verifyUser( self, plugins, user_id=None, login=None ):
""" user_id -> boolean
"""
criteria = {}
if user_id is not None:
criteria[ 'id' ] = user_id
criteria[ 'exact_match' ] = True
if login is not None:
criteria[ 'login' ] = login
if criteria:
view_name = createViewName('_verifyUser', user_id or login)
cached_info = self.ZCacheable_get( view_name=view_name
, keywords=criteria
, default=None
)
if cached_info is not None:
return cached_info
enumerators = plugins.listPlugins( IUserEnumerationPlugin )
for enumerator_id, enumerator in enumerators:
try:
info = enumerator.enumerateUsers( **criteria )
if info:
id = self._computeMangledId( info[0] )
# Put the computed value into the cache
self.ZCacheable_set( id
, view_name=view_name
, keywords=criteria
)
return id
except _SWALLOWABLE_PLUGIN_EXCEPTIONS:
LOG('PluggableAuthService', BLATHER,
'UserEnumerationPlugin %s error' % enumerator_id,
error=sys.exc_info())
return 0
def _verifyUser( self, plugins, user_id=None, login=None ):
""" user_id -> info_dict or None
"""
criteria = {}
if user_id is not None:
criteria[ 'id' ] = user_id
criteria[ 'exact_match' ] = True
if login is not None:
criteria[ 'login' ] = login
if criteria:
view_name = createViewName('_verifyUser', user_id or login)
keywords = createKeywords(**criteria)
cached_info = self.ZCacheable_get( view_name=view_name
, keywords=keywords
, default=None
)
if cached_info is not None:
return cached_info
enumerators = plugins.listPlugins( IUserEnumerationPlugin )
for enumerator_id, enumerator in enumerators:
try:
info = enumerator.enumerateUsers( **criteria )
if info:
# Put the computed value into the cache
self.ZCacheable_set( info[0]
, view_name=view_name
, keywords=keywords
)
return info[0]
except _SWALLOWABLE_PLUGIN_EXCEPTIONS:
msg = 'UserEnumerationPlugin %s error' % enumerator_id
logger.debug(msg, exc_info=True)
return None
def _verifyUser( self, plugins, user_id=None, login=None ):
""" user_id -> info_dict or None
"""
criteria = {}
if user_id is not None:
criteria[ 'id' ] = user_id
criteria[ 'exact_match' ] = True
if login is not None:
criteria[ 'login' ] = login
if criteria:
view_name = createViewName('_verifyUser', user_id or login)
cached_info = self.ZCacheable_get( view_name=view_name
, keywords=criteria
, default=None
)
if cached_info is not None:
return cached_info
enumerators = plugins.listPlugins( IUserEnumerationPlugin )
for enumerator_id, enumerator in enumerators:
try:
info = enumerator.enumerateUsers( **criteria )
if info:
# Put the computed value into the cache
self.ZCacheable_set( info[0]
, view_name=view_name
, keywords=criteria
)
return info[0]
except _SWALLOWABLE_PLUGIN_EXCEPTIONS:
msg = 'UserEnumerationPlugin %s error' % enumerator_id
logger.debug(msg, exc_info=True)
return None
def _extractUserIds( self, request, plugins ):
""" request -> [ validated_user_id ]
o For each set of extracted credentials, try to authenticate
a user; accumulate a list of the IDs of such users over all
our authentication and extraction plugins.
"""
try:
extractors = plugins.listPlugins( IExtractionPlugin )
except _SWALLOWABLE_PLUGIN_EXCEPTIONS:
logger.debug('Extractor plugin listing error', exc_info=True)
extractors = ()
if not extractors:
extractors = ( ( 'default', DumbHTTPExtractor() ), )
try:
authenticators = plugins.listPlugins( IAuthenticationPlugin )
except _SWALLOWABLE_PLUGIN_EXCEPTIONS:
logger.debug('Authenticator plugin listing error', exc_info=True)
authenticators = ()
result = []
for extractor_id, extractor in extractors:
try:
credentials = extractor.extractCredentials( request )
except _SWALLOWABLE_PLUGIN_EXCEPTIONS:
logger.debug( 'ExtractionPlugin %s error' % extractor_id
, exc_info=True
)
continue
if credentials:
try:
credentials[ 'extractor' ] = extractor_id # XXX: in key?
# Test if ObjectCacheEntries.aggregateIndex would work
items = credentials.items()
items.sort()
except _SWALLOWABLE_PLUGIN_EXCEPTIONS:
logger.debug( 'Credentials error: %s' % credentials
, exc_info=True
)
continue
# First try to authenticate against the emergency
# user and return immediately if authenticated
user_id, name = self._tryEmergencyUserAuthentication(
credentials )
if user_id is not None:
return [ ( user_id, name ) ]
# Now see if the user ids can be retrieved from the cache
view_name = createViewName('_extractUserIds', credentials.get('login'))
keywords = createKeywords(**credentials)
user_ids = self.ZCacheable_get( view_name=view_name
, keywords=keywords
, default=None
)
if user_ids is None:
user_ids = []
for authenticator_id, auth in authenticators:
try:
uid_and_info = auth.authenticateCredentials(
credentials )
if uid_and_info is None:
continue
user_id, info = uid_and_info
except _SWALLOWABLE_PLUGIN_EXCEPTIONS:
msg = 'AuthenticationPlugin %s error' % (
authenticator_id, )
logger.debug(msg, exc_info=True)
continue
if user_id is not None:
user_ids.append( (user_id, info) )
if user_ids:
self.ZCacheable_set( user_ids
, view_name=view_name
, keywords=keywords
)
result.extend( user_ids )
# Emergency user via HTTP basic auth always wins
user_id, name = self._tryEmergencyUserAuthentication(
DumbHTTPExtractor().extractCredentials( request ) )
if user_id is not None:
return [ ( user_id, name ) ]
return result
def _extractUserIds(self, request, plugins):
""" request -> [ validated_user_id ]
o For each set of extracted credentials, try to authenticate
a user; accumulate a list of the IDs of such users over all
our authentication and extraction plugins.
"""
try:
extractors = plugins.listPlugins(IExtractionPlugin)
except _SWALLOWABLE_PLUGIN_EXCEPTIONS:
logger.debug('Extractor plugin listing error', exc_info=True)
extractors = ()
if not extractors:
extractors = (('default', DumbHTTPExtractor()), )
try:
authenticators = plugins.listPlugins(IAuthenticationPlugin)
except _SWALLOWABLE_PLUGIN_EXCEPTIONS:
logger.debug('Authenticator plugin listing error', exc_info=True)
authenticators = ()
result = []
for extractor_id, extractor in extractors:
try:
credentials = extractor.extractCredentials(request)
except _SWALLOWABLE_PLUGIN_EXCEPTIONS:
logger.debug('ExtractionPlugin %s error' % extractor_id,
exc_info=True)
continue
if credentials:
try:
credentials['extractor'] = extractor_id # XXX: in key?
# Test if ObjectCacheEntries.aggregateIndex would work
items = credentials.items()
items.sort()
except _SWALLOWABLE_PLUGIN_EXCEPTIONS:
logger.debug('Credentials error: %s' % credentials,
exc_info=True)
continue
# First try to authenticate against the emergency
# user and return immediately if authenticated
user_id, name = self._tryEmergencyUserAuthentication(
credentials)
if user_id is not None:
return [(user_id, name)]
# Now see if the user ids can be retrieved from the cache
view_name = createViewName('_extractUserIds',
credentials.get('login'))
keywords = createKeywords(**credentials)
user_ids = self.ZCacheable_get(view_name=view_name,
keywords=keywords,
default=None)
if user_ids is None:
user_ids = []
for authenticator_id, auth in authenticators:
try:
uid_and_info = auth.authenticateCredentials(
credentials)
if uid_and_info is None:
continue
user_id, info = uid_and_info
except _SWALLOWABLE_PLUGIN_EXCEPTIONS:
msg = 'AuthenticationPlugin %s error' % (
authenticator_id, )
logger.debug(msg, exc_info=True)
continue
if user_id is not None:
user_ids.append((user_id, info))
if user_ids:
self.ZCacheable_set(user_ids,
view_name=view_name,
keywords=keywords)
result.extend(user_ids)
# Emergency user via HTTP basic auth always wins
user_id, name = self._tryEmergencyUserAuthentication(
DumbHTTPExtractor().extractCredentials(request))
if user_id is not None:
return [(user_id, name)]
return result