authentication now returns Authentication

leap session creation is only done post-interstitial
and that logic is also extracted into its own class
 #795

1 files changed, 52 insertions, 11 deletions

diff --git a/service/pixelated/authentication.py b/service/pixelated/authentication.py
index 02b43a1e..aa1d8b5d 100644
--- a/service/pixelated/authentication.py
+++ b/service/pixelated/authentication.py
@@ -1,9 +1,29 @@
+#
+# Copyright (c) 2014 ThoughtWorks, Inc.
+#
+# Pixelated is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Pixelated is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with Pixelated. If not, see <http://www.gnu.org/licenses/>.
 import re
-from pixelated.config.leap import authenticate
+from collections import namedtuple
+
+from leap.bitmask.bonafide.provider import Api
+from leap.bitmask.bonafide.session import Session
 from leap.bitmask.bonafide._srp import SRPAuthError
 
 from twisted.cred.error import UnauthorizedLogin
-from twisted.internet.defer import inlineCallbacks
+from twisted.internet.defer import inlineCallbacks, returnValue
+
+Credentials = namedtuple('Credentials', 'username, password')
 
 
 class Authenticator(object):
@@ -13,27 +33,48 @@ class Authenticator(object):
 
     @inlineCallbacks
     def authenticate(self, username, password):
-        if self.validate_username(username):
-            yield self._srp_auth(username, password)
-        else:
-            raise UnauthorizedLogin()
+        username = self.clean_username(username)
+        auth = yield self._srp_auth(username, password)
+        returnValue(auth)
 
     @inlineCallbacks
     def _srp_auth(self, username, password):
         try:
-            extracted_username = self.extract_username(username)
-            auth = yield authenticate(self._leap_provider, extracted_username, password)
+            auth = yield self._bonafide_auth(username, password)
         except SRPAuthError:
             raise UnauthorizedLogin()
+        returnValue(auth)
+
+    @inlineCallbacks
+    def _bonafide_auth(self, user, password):
+        srp_provider = Api(self._leap_provider.api_uri)
+        credentials = Credentials(user, password)
+        srp_auth = Session(credentials, srp_provider, self._leap_provider.local_ca_crt)
+        yield srp_auth.authenticate()
+        returnValue(Authentication(user, srp_auth.token, srp_auth.uuid, 'session_id', {'is_admin': False}))
 
-    def validate_username(self, username):
+    def clean_username(self, username):
         if '@' not in username:
-                return True
+            return username
         extracted_username = self.extract_username(username)
-        return self.username_with_domain(extracted_username) == username
+        if self.username_with_domain(extracted_username) == username:
+            return extracted_username
+        raise UnauthorizedLogin()
 
     def extract_username(self, username):
         return re.search('^([^@]+)@?.*$', username).group(1)
 
     def username_with_domain(self, username):
         return '%s@%s' % (username, self.domain)
+
+
+class Authentication(object):
+    def __init__(self, username, token, uuid, session_id, user_attributes):
+        self.username = username
+        self.token = token
+        self.uuid = uuid
+        self.session_id = session_id
+        self._user_attributes = user_attributes
+
+    def is_admin(self):
+        return self._user_attributes.get('is_admin', False)