From 995049a04fb15bd4e1cf27bf11e3be46f84e3bfe Mon Sep 17 00:00:00 2001 From: Folker Bernitt Date: Tue, 19 Jan 2016 13:36:31 +0100 Subject: Add mutli-user mode to user-agent - Issue #576 - To start in multi user, run with --multi-user --provider provider-name.tld --- service/pixelated/resources/auth.py | 177 ++++++++++++++++++++++++++++++++++++ 1 file changed, 177 insertions(+) create mode 100644 service/pixelated/resources/auth.py (limited to 'service/pixelated/resources/auth.py') diff --git a/service/pixelated/resources/auth.py b/service/pixelated/resources/auth.py new file mode 100644 index 00000000..7076490d --- /dev/null +++ b/service/pixelated/resources/auth.py @@ -0,0 +1,177 @@ +# +# Copyright (c) 2016 ThoughtWorks, Inc. +# +# Pixelated is free software: you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# Pixelated is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with Pixelated. If not, see . + +import logging + +from leap.auth import SRPAuth +from leap.exceptions import SRPAuthenticationError +from twisted.cred.checkers import ANONYMOUS +from twisted.cred.credentials import ICredentials +from twisted.cred.error import UnauthorizedLogin +from twisted.internet import defer, threads +from twisted.web._auth.wrapper import UnauthorizedResource +from twisted.web.error import UnsupportedMethod +from zope.interface import implements, implementer, Attribute +from twisted.cred import portal, checkers, credentials +from twisted.web import util +from twisted.cred import error +from twisted.web.resource import IResource, ErrorPage + +from pixelated.adapter.welcome_mail import add_welcome_mail +from pixelated.config.leap import authenticate_user +from pixelated.config.services import Services +from pixelated.resources import IPixelatedSession + + +log = logging.getLogger(__name__) + + +@implementer(checkers.ICredentialsChecker) +class LeapPasswordChecker(object): + credentialInterfaces = ( + credentials.IUsernamePassword, + credentials.IUsernameHashedPassword + ) + + def __init__(self, setup_args, leap_provider): + self._setup_args = setup_args + self._leap_provider = leap_provider + + def requestAvatarId(self, credentials): + def _validate_credentials(): + try: + srp_auth = SRPAuth(self._leap_provider.api_uri, self._leap_provider.local_ca_crt) + srp_auth.authenticate(credentials.username, credentials.password) + except SRPAuthenticationError: + raise UnauthorizedLogin() + + def _authententicate_user(_): + return authenticate_user(self._leap_provider, credentials.username, credentials.password) + + d = threads.deferToThread(_validate_credentials) + d.addCallback(_authententicate_user) + return d + + +class ISessionCredential(ICredentials): + + request = Attribute('the current request') + + +@implementer(ISessionCredential) +class SessionCredential(object): + def __init__(self, request): + self.request = request + + +@implementer(checkers.ICredentialsChecker) +class SessionChecker(object): + credentialInterfaces = (ISessionCredential,) + + def requestAvatarId(self, credentials): + session = self.get_session(credentials.request) + if session.is_logged_in(): + return defer.succeed(session.user_uuid) + else: + return defer.succeed(ANONYMOUS) + + def get_session(self, request): + return IPixelatedSession(request.getSession()) + + +class LeapUser(object): + + def __init__(self, leap_session): + self._leap_session = leap_session + + @defer.inlineCallbacks + def start_services(self, services_factory): + services = Services(self._leap_session) + yield services.setup() + + if self._leap_session.fresh_account: + yield add_welcome_mail(self._leap_session.mail_store) + + services_factory.add_session(self._leap_session.user_auth.uuid, services) + + def init_http_session(self, request): + session = IPixelatedSession(request.getSession()) + session.user_uuid = self._leap_session.user_auth.uuid + + +class PixelatedRealm(object): + implements(portal.IRealm) + + def __init__(self, root_resource, anonymous_resource): + self._root_resource = root_resource + self._anonymous_resource = anonymous_resource + + def requestAvatar(self, avatarId, mind, *interfaces): + if IResource in interfaces: + if avatarId == checkers.ANONYMOUS: + return IResource, checkers.ANONYMOUS, lambda: None + else: + leap_session = avatarId + user = LeapUser(leap_session) + return IResource, user, lambda: None + raise NotImplementedError() + + +@implementer(IResource) +class PixelatedAuthSessionWrapper(object): + + isLeaf = False + + def __init__(self, portal, root_resource, anonymous_resource, credentialFactories): + self._portal = portal + self._credentialFactories = credentialFactories + self._root_resource = root_resource + self._anonymous_resource = anonymous_resource + + def render(self, request): + raise UnsupportedMethod(()) + + def getChildWithDefault(self, path, request): + request.postpath.insert(0, request.prepath.pop()) + + return self._authorizedResource(request) + + def _authorizedResource(self, request): + creds = SessionCredential(request) + return util.DeferredResource(self._login(creds)) + + def _login(self, credentials): + d = self._portal.login(credentials, None, IResource) + d.addCallbacks(self._loginSucceeded, self._loginFailed) + return d + + def _loginSucceeded(self, args): + interface, avatar, logout = args + + if avatar == checkers.ANONYMOUS: + return self._anonymous_resource + else: + return self._root_resource + + def _loginFailed(self, result): + if result.check(error.Unauthorized, error.LoginFailed): + return UnauthorizedResource(self._credentialFactories) + else: + log.err( + result, + "HTTPAuthSessionWrapper.getChildWithDefault encountered " + "unexpected error") + return ErrorPage(500, None, None) -- cgit v1.2.3