diff options
author | NavaL <ayoyo@thoughtworks.com> | 2016-10-26 15:55:29 +0200 |
---|---|---|
committer | NavaL <ayoyo@thoughtworks.com> | 2016-10-28 18:02:25 +0200 |
commit | 423ca8f9fb7636b336b24ba28bde5d61538bf5fc (patch) | |
tree | 6d8f95fafe4f08b4ca557d52bc45d310fa8c37af /service/pixelated/authentication.py | |
parent | 3df56a4f3c411c3bde51c88e6e0bf34d5e582119 (diff) |
authentication now returns Authentication
leap session creation is only done post-interstitial
and that logic is also extracted into its own class
#795
Diffstat (limited to 'service/pixelated/authentication.py')
-rw-r--r-- | service/pixelated/authentication.py | 63 |
1 files changed, 52 insertions, 11 deletions
diff --git a/service/pixelated/authentication.py b/service/pixelated/authentication.py index 02b43a1e..aa1d8b5d 100644 --- a/service/pixelated/authentication.py +++ b/service/pixelated/authentication.py @@ -1,9 +1,29 @@ +# +# Copyright (c) 2014 ThoughtWorks, Inc. +# +# Pixelated is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# Pixelated is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with Pixelated. If not, see <http://www.gnu.org/licenses/>. import re -from pixelated.config.leap import authenticate +from collections import namedtuple + +from leap.bitmask.bonafide.provider import Api +from leap.bitmask.bonafide.session import Session from leap.bitmask.bonafide._srp import SRPAuthError from twisted.cred.error import UnauthorizedLogin -from twisted.internet.defer import inlineCallbacks +from twisted.internet.defer import inlineCallbacks, returnValue + +Credentials = namedtuple('Credentials', 'username, password') class Authenticator(object): @@ -13,27 +33,48 @@ class Authenticator(object): @inlineCallbacks def authenticate(self, username, password): - if self.validate_username(username): - yield self._srp_auth(username, password) - else: - raise UnauthorizedLogin() + username = self.clean_username(username) + auth = yield self._srp_auth(username, password) + returnValue(auth) @inlineCallbacks def _srp_auth(self, username, password): try: - extracted_username = self.extract_username(username) - auth = yield authenticate(self._leap_provider, extracted_username, password) + auth = yield self._bonafide_auth(username, password) except SRPAuthError: raise UnauthorizedLogin() + returnValue(auth) + + @inlineCallbacks + def _bonafide_auth(self, user, password): + srp_provider = Api(self._leap_provider.api_uri) + credentials = Credentials(user, password) + srp_auth = Session(credentials, srp_provider, self._leap_provider.local_ca_crt) + yield srp_auth.authenticate() + returnValue(Authentication(user, srp_auth.token, srp_auth.uuid, 'session_id', {'is_admin': False})) - def validate_username(self, username): + def clean_username(self, username): if '@' not in username: - return True + return username extracted_username = self.extract_username(username) - return self.username_with_domain(extracted_username) == username + if self.username_with_domain(extracted_username) == username: + return extracted_username + raise UnauthorizedLogin() def extract_username(self, username): return re.search('^([^@]+)@?.*$', username).group(1) def username_with_domain(self, username): return '%s@%s' % (username, self.domain) + + +class Authentication(object): + def __init__(self, username, token, uuid, session_id, user_attributes): + self.username = username + self.token = token + self.uuid = uuid + self.session_id = session_id + self._user_attributes = user_attributes + + def is_admin(self): + return self._user_attributes.get('is_admin', False) |