1
# -*- coding: iso-8859-1 -*-
3
MoinMoin - SSL client certificate authentication
5
Currently not supported for Twisted web server, but only for web servers
6
setting SSL_CLIENT_* environment (e.g. Apache).
8
@copyright: 2003 Martin v. Loewis,
9
2006 MoinMoin:ThomasWaldmann
10
@license: GNU GPL, see COPYING for details.
13
from MoinMoin import config, user
14
from MoinMoin.request import request_twisted
15
from MoinMoin.auth import BaseAuth
17
class SSLClientCertAuth(BaseAuth):
18
""" authenticate via SSL client certificate """
20
name = 'sslclientcert'
22
def __init__(self, authorities=None,
23
email_key=True, name_key=True,
24
use_email=False, use_name=False):
25
self.use_email = use_email
26
self.authorities = authorities
27
self.email_key = email_key
28
self.name_key = name_key
29
self.use_email = use_email
30
self.use_name = use_name
31
BaseAuth.__init__(self)
33
def request(self, request, user_obj, **kw):
36
# check if we are running Twisted
37
if isinstance(request, request_twisted.Request):
38
return user_obj, True # not supported if we run twisted
39
# Addendum: this seems to need quite some twisted insight and coding.
40
# A pointer i got on #twisted: divmod's vertex.sslverify
41
# If you really need this, feel free to implement and test it and
42
# submit a patch if it works.
45
if env.get('SSL_CLIENT_VERIFY', 'FAILURE') == 'SUCCESS':
47
# check authority list if given
48
if self.authorities and env.get('SSL_CLIENT_I_DN_OU') in self.authorities:
53
email = env.get('SSL_CLIENT_S_DN_Email', '').decode(config.charset)
54
email_lower = email.lower()
55
commonname_lower = None
57
commonname = env.get('SSL_CLIENT_S_DN_CN', '').decode(config.charset)
58
commonname_lower = commonname.lower()
59
if email_lower or commonname_lower:
60
for uid in user.getUserList(request):
61
u = user.User(request, uid,
62
auth_method=self.name, auth_attribs=())
63
if self.email_key and email_lower and u.email.lower() == email_lower:
64
u.auth_attribs = ('email', 'password')
65
if self.use_name and commonname_lower != u.name.lower():
68
u.auth_attribs = ('email', 'name', 'password')
70
if self.name_key and commonname_lower and u.name.lower() == commonname_lower:
71
u.auth_attribs = ('name', 'password')
72
if self.use_email and email_lower != u.email.lower():
75
u.auth_attribs = ('name', 'email', 'password')
80
# user wasn't found, so let's create a new user object
81
u = user.User(request, name=commonname_lower, auth_username=commonname_lower,
82
auth_method=self.name)
83
u.auth_attribs = ('name', 'password')
86
u.auth_attribs = ('name', 'email', 'password')
87
elif user_obj and user_obj.auth_method == self.name:
88
user_obj.valid = False
89
return user_obj, False
91
u.create_or_update(changed)