← Back to branch summary

~ubuntu-branches/ubuntu/natty/moin/natty-updates

« back to all changes in this revision

Viewing changes to MoinMoin/auth/sslclientcert.py

  • Committer: Bazaar Package Importer
  • Author(s): Jonas Smedegaard
  • Date: 2008-06-22 21:17:13 UTC
  • mfrom: (0.9.1 upstream)
  • Revision ID: james.westby@ubuntu.com-20080622211713-fpo2zrq3s5dfecxg
Tags: 1.7.0-3
Simplify /etc/moin/wikilist format: "USER URL" (drop unneeded middle
CONFIG_DIR that was wrongly advertised as DATA_DIR).  Make
moin-mass-migrate handle both formats and warn about deprecation of
the old one.

Show diffs side-by-side

added added

removed removed

Lines of Context:
MoinMoin/auth/sslclientcert.py
 
1
# -*- coding: iso-8859-1 -*-
 
2
"""
 
3
    MoinMoin - SSL client certificate authentication
 
4
 
 
5
    Currently not supported for Twisted web server, but only for web servers
 
6
    setting SSL_CLIENT_* environment (e.g. Apache).
 
7
 
 
8
    @copyright: 2003 Martin v. Loewis,
 
9
                2006 MoinMoin:ThomasWaldmann
 
10
    @license: GNU GPL, see COPYING for details.
 
11
"""
 
12
 
 
13
from MoinMoin import config, user
 
14
from MoinMoin.request import request_twisted
 
15
from MoinMoin.auth import BaseAuth
 
16
 
 
17
class SSLClientCertAuth(BaseAuth):
 
18
    """ authenticate via SSL client certificate """
 
19
 
 
20
    name = 'sslclientcert'
 
21
 
 
22
    def __init__(self, authorities=None,
 
23
                 email_key=True, name_key=True,
 
24
                 use_email=False, use_name=False):
 
25
        self.use_email = use_email
 
26
        self.authorities = authorities
 
27
        self.email_key = email_key
 
28
        self.name_key = name_key
 
29
        self.use_email = use_email
 
30
        self.use_name = use_name
 
31
        BaseAuth.__init__(self)
 
32
 
 
33
    def request(self, request, user_obj, **kw):
 
34
        u = None
 
35
        changed = False
 
36
        # check if we are running Twisted
 
37
        if isinstance(request, request_twisted.Request):
 
38
            return user_obj, True # not supported if we run twisted
 
39
            # Addendum: this seems to need quite some twisted insight and coding.
 
40
            # A pointer i got on #twisted: divmod's vertex.sslverify
 
41
            # If you really need this, feel free to implement and test it and
 
42
            # submit a patch if it works.
 
43
        else:
 
44
            env = request.env
 
45
            if env.get('SSL_CLIENT_VERIFY', 'FAILURE') == 'SUCCESS':
 
46
 
 
47
                # check authority list if given
 
48
                if self.authorities and env.get('SSL_CLIENT_I_DN_OU') in self.authorities:
 
49
                    return user_obj, True
 
50
 
 
51
                email_lower = None
 
52
                if self.email_key:
 
53
                    email = env.get('SSL_CLIENT_S_DN_Email', '').decode(config.charset)
 
54
                    email_lower = email.lower()
 
55
                commonname_lower = None
 
56
                if self.name_key:
 
57
                    commonname = env.get('SSL_CLIENT_S_DN_CN', '').decode(config.charset)
 
58
                    commonname_lower = commonname.lower()
 
59
                if email_lower or commonname_lower:
 
60
                    for uid in user.getUserList(request):
 
61
                        u = user.User(request, uid,
 
62
                                      auth_method=self.name, auth_attribs=())
 
63
                        if self.email_key and email_lower and u.email.lower() == email_lower:
 
64
                            u.auth_attribs = ('email', 'password')
 
65
                            if self.use_name and commonname_lower != u.name.lower():
 
66
                                u.name = commonname
 
67
                                changed = True
 
68
                                u.auth_attribs = ('email', 'name', 'password')
 
69
                            break
 
70
                        if self.name_key and commonname_lower and u.name.lower() == commonname_lower:
 
71
                            u.auth_attribs = ('name', 'password')
 
72
                            if self.use_email and email_lower != u.email.lower():
 
73
                                u.email = email
 
74
                                changed = True
 
75
                                u.auth_attribs = ('name', 'email', 'password')
 
76
                            break
 
77
                    else:
 
78
                        u = None
 
79
                    if u is None:
 
80
                        # user wasn't found, so let's create a new user object
 
81
                        u = user.User(request, name=commonname_lower, auth_username=commonname_lower,
 
82
                                      auth_method=self.name)
 
83
                        u.auth_attribs = ('name', 'password')
 
84
                        if self.use_email:
 
85
                            u.email = email
 
86
                            u.auth_attribs = ('name', 'email', 'password')
 
87
            elif user_obj and user_obj.auth_method == self.name:
 
88
                user_obj.valid = False
 
89
                return user_obj, False
 
90
        if u:
 
91
            u.create_or_update(changed)
 
92
        if u and u.valid:
 
93
            return u, True
 
94
        else:
 
95
            return user_obj, True