Source

moin-2.0 / build / lib / MoinMoin / auth / __init__.py

Full commit
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
# Copyright: 2005-2006 Bastian Blank, Florian Festi
# Copyright: MoinMoin:AlexanderSchremmer, Nick Phillips
# Copyright: MoinMoin:FrankieChow, MoinMoin:NirSoffer
# Copyright: 2005-2012 MoinMoin:ThomasWaldmann
# Copyright: 2007      MoinMoin:JohannesBerg
# License: GNU GPL v2 (or any later version), see LICENSE.txt for details.

"""
    MoinMoin - modular authentication handling

    Each authentication method is an object instance containing
    four methods:

      * ``login(user_obj, **kw)``
      * ``logout(user_obj, **kw)``
      * ``request(user_obj, **kw)``
      * ``login_hint()``

    The kw arguments that are passed in are currently:

       attended: boolean indicating whether a user (attended=True) or
                 a machine is requesting login, multistage auth is not
                 currently possible for machine logins [login only]
       username: the value of the 'username' form field (or None)
                 [login only]
       password: the value of the 'password' form field (or None)
                 [login only]
       cookie: a Cookie.SimpleCookie instance containing the cookie
               that the browser sent
       multistage: boolean indicating multistage login continuation
                   [may not be present, login only]

    login_hint() should return a HTML text that is displayed to the user right
    below the login form, it should tell the user what to do in case of a
    forgotten password and how to create an account (if applicable.)

    More may be added.

    The request method is called for each request except login/logout.

    The 'request' and 'logout' methods must return a tuple (user_obj, continue)
    where 'user_obj' can be:

      * None, to throw away any previous user_obj from previous auth methods
      * the passed in user_obj for no changes
      * a newly created MoinMoin.user.User instance

    and 'continue' is a boolean to indicate whether the next authentication
    method should be tried.

    The 'login' method must return an instance of MoinMoin.auth.LoginReturn
    which contains the members:

      * user_obj
      * continue_flag
      * multistage
      * message
      * redirect_to

    There are some helpful subclasses derived from this class for the most
    common cases, namely ContinueLogin(), CancelLogin(), MultistageFormLogin()
    and MultistageRedirectLogin().

    The user_obj and continue_flag members have the same semantics as for the
    request and logout methods.

    The messages that are returned by the various auth methods will be
    displayed to the user, since they will all be displayed usually auth
    methods will use the message feature only along with returning False for
    the continue flag.

    Note, however, that when no username is entered or the username is not
    found in the database, it may be appropriate to return with a message
    and the continue flag set to true (ContinueLogin) because a subsequent auth
    plugin might work even without the username (e.g. an openid auth plugin).

    The multistage member must evaluate to false or be callable. If it is
    callable, this indicates that the authentication method requires a second
    login stage. In that case, the multistage item will be called and should
    return an instance of
    MoinMoin.widget.html.FORM and the generic code will append some required
    hidden fields to it. It is also permissible to return some valid HTML,
    but that feature has very limited use since it breaks the authentication
    method chain.

    Note that because multistage login does not depend on anonymous session
    support, it is possible that users jump directly into the second stage
    by giving the appropriate parameters to the login action. Hence, auth
    methods should take care to recheck everything and not assume the user
    has gone through all previous stages.

    If the multistage login requires querying an external site that involves
    a redirect, the redirect_to member may be set instead of the multistage
    member. If this is set it must be a URL that user should be redirected to.
    Since the user must be able to come back to the authentication, any
    "%return" in the URL is replaced with the url-encoded form of the URL
    to the next authentication stage, any "%return_form" is replaced with
    the url-plus-encoded form (spaces encoded as +) of the same URL.

    After the user has submitted the required form or has been redirected back
    from the external site, execution of the auth login methods resumes with
    the auth item that requested the multistage login and its login method is
    called with the 'multistage' keyword parameter set to True.

    Each authentication method instance must also contain the members:

     * login_inputs: a list of required inputs, currently supported are
                      - 'username': username entry field
                      - 'password': password entry field
                      - 'special_no_input': manual login is required
                            but no form fields need to be filled in
                            (e.g. openid with forced provider)
                            in this case the theme may provide a short-
                            cut omitting the login form
     * logout_possible: boolean indicating whether this auth methods
                        supports logging out
     * name: name of the auth method, must be the same as given as the
             user object's auth_method keyword parameter.

    To simplify creating new authentication methods you can inherit from
    MoinMoin.auth.BaseAuth that does nothing for all three methods, but
    allows you to override only some methods.

    cfg.auth is a list of authentication object instances whose methods
    are called in the order they are listed. The session method is called
    for every request, when logging in or out these are called before the
    session method.

    When creating a new MoinMoin.user.User object, you can give a keyword
    argument "auth_attribs" to User.__init__ containing a list of user
    attributes that are determined and fixed by this auth method and may
    not be changed by the user in their preferences.
    You also have to give the keyword argument "auth_method" containing the
    name of the authentication method.
"""


from MoinMoin import log
logging = log.getLogger(__name__)

from werkzeug import redirect, abort, url_quote, url_quote_plus
from flask import url_for, session, request
from flask import g as flaskg
from flask import current_app as app
from jinja2 import Markup

from MoinMoin import user
from MoinMoin.i18n import _, L_, N_


def get_multistage_continuation_url(auth_name, extra_fields={}):
    """get_continuation_url - return a multistage continuation URL

       This function returns a URL that when loaded continues a multistage
       authentication at the auth method requesting it (parameter auth_name.)
       Additional fields are added to the URL from the extra_fields dict.

       :param auth_name: name of the auth method requesting the continuation
       :param extra_fields: extra GET fields to add to the URL
    """
    # logically, this belongs to request, but semantically it should
    # live in auth so people do auth.get_multistage_continuation_url()

    # the url should be absolute so we use _external
    url = url_for('frontend.login', login_submit='1', stage=auth_name, _external=True, **extra_fields)
    logging.debug("multistage_continuation_url: {0}".format(url))
    return url


class LoginReturn(object):
    """ LoginReturn - base class for auth method login() return value"""
    def __init__(self, user_obj, continue_flag, message=None, multistage=None,
                 redirect_to=None):
        self.user_obj = user_obj
        self.continue_flag = continue_flag
        self.message = message
        self.multistage = multistage
        self.redirect_to = redirect_to

class ContinueLogin(LoginReturn):
    """ ContinueLogin - helper for auth method login that just continues """
    def __init__(self, user_obj, message=None):
        LoginReturn.__init__(self, user_obj, True, message=message)

class CancelLogin(LoginReturn):
    """ CancelLogin - cancel login showing a message """
    def __init__(self, message):
        LoginReturn.__init__(self, None, False, message=message)

class MultistageFormLogin(LoginReturn):
    """ MultistageFormLogin - require user to fill in another form """
    def __init__(self, multistage):
        LoginReturn.__init__(self, None, False, multistage=multistage)

class MultistageRedirectLogin(LoginReturn):
    """ MultistageRedirectLogin - redirect user to another site before continuing login """
    def __init__(self, url):
        LoginReturn.__init__(self, None, False, redirect_to=url)


class BaseAuth(object):
    name = None
    login_inputs = []
    logout_possible = False
    def __init__(self, trusted=False, **kw):
        self.trusted = trusted
        if kw:
            raise TypeError("got unexpected arguments %r" % kw)
    def login(self, user_obj, **kw):
        return ContinueLogin(user_obj)
    def request(self, user_obj, **kw):
        return user_obj, True
    def logout(self, user_obj, **kw):
        if self.name and user_obj and user_obj.auth_method == self.name:
            logging.debug("{0}: logout - invalidating user {1!r}".format(self.name, user_obj.name))
            user_obj.valid = False
        return user_obj, True
    def login_hint(self):
        return None

class MoinAuth(BaseAuth):
    """ handle login from moin login form """
    def __init__(self, **kw):
        super(MoinAuth, self).__init__(**kw)

    login_inputs = ['username', 'password']
    name = 'moin'
    logout_possible = True

    def login(self, user_obj, **kw):
        username = kw.get('username')
        password = kw.get('password')

        # simply continue if something else already logged in successfully
        if user_obj and user_obj.valid:
            return ContinueLogin(user_obj)

        if not username and not password:
            return ContinueLogin(user_obj)

        logging.debug("{0}: performing login action".format(self.name))

        if username and not password:
            return ContinueLogin(user_obj, _('Missing password. Please enter user name and password.'))

        u = user.User(name=username, password=password, auth_method=self.name, trusted=self.trusted)
        if u.valid:
            logging.debug("{0}: successfully authenticated user {1!r} (valid)".format(self.name, u.name))
            return ContinueLogin(u)
        else:
            logging.debug("{0}: could not authenticate user {1!r} (not valid)".format(self.name, username))
            return ContinueLogin(user_obj, _("Invalid username or password."))

    def login_hint(self):
        msg = _('If you do not have an account, <a href="%(register_url)s">you can create one now</a>. ',
                register_url=url_for('frontend.register'))
        msg += _('<a href="%(recover_url)s">Forgot your password?</a>',
                 recover_url=url_for('frontend.lostpass'))
        return Markup(msg)


class GivenAuth(BaseAuth):
    """ reuse a given authentication, e.g. http basic auth (or any other auth)
        done by the web server, that sets REMOTE_USER environment variable.
        This is the default behaviour.
        You can also specify to read another environment variable (env_var).
        Alternatively you can directly give a fixed user name (user_name)
        that will be considered as authenticated.
    """
    name = 'given' # was 'http' in 1.8.x and before

    def __init__(self,
                 env_var=None,  # environment variable we want to read (default: REMOTE_USER)
                 user_name=None,  # can be used to just give a specific user name to log in
                 autocreate=False,  # create/update the user profile for the auth. user
                 strip_maildomain=False,  # joe@example.org -> joe
                 strip_windomain=False,  # DOMAIN\joe -> joe
                 titlecase=False,  # joe doe -> Joe Doe
                 remove_blanks=False,  # Joe Doe -> JoeDoe
                 coding='utf-8',  # for decoding REMOTE_USER correctly
                 **kw
                ):
        super(GivenAuth, self).__init__(**kw)
        self.env_var = env_var
        self.user_name = user_name
        self.autocreate = autocreate
        self.strip_maildomain = strip_maildomain
        self.strip_windomain = strip_windomain
        self.titlecase = titlecase
        self.remove_blanks = remove_blanks
        self.coding = coding

    def decode_username(self, name):
        """ decode the name we got from the environment var to unicode """
        if isinstance(name, str):
            name = name.decode(self.coding)
        return name

    def transform_username(self, name):
        """ transform the name we got (unicode in, unicode out)

            Note: if you need something more special, you could create your own
                  auth class, inherit from this class and overwrite this function.
        """
        assert isinstance(name, unicode)
        if self.strip_maildomain:
            # split off mail domain, e.g. "user@example.org" -> "user"
            name = name.split(u'@')[0]

        if self.strip_windomain:
            # split off window domain, e.g. "DOMAIN\user" -> "user"
            name = name.split(u'\\')[-1]

        if self.titlecase:
            # this "normalizes" the login name, e.g. meier, Meier, MEIER -> Meier
            name = name.title()

        if self.remove_blanks:
            # remove blanks e.g. "Joe Doe" -> "JoeDoe"
            name = u''.join(name.split())

        return name

    def request(self, user_obj, **kw):
        u = None
        # always revalidate auth
        if user_obj and user_obj.auth_method == self.name:
            user_obj = None
        # something else authenticated before us
        if user_obj:
            logging.debug("already authenticated, doing nothing")
            return user_obj, True

        if self.user_name is not None:
            auth_username = self.user_name
        elif self.env_var is None:
            auth_username = request.remote_user
        else:
            auth_username = request.environ.get(self.env_var)

        logging.debug("auth_username = {0!r}".format(auth_username))
        if auth_username:
            auth_username = self.decode_username(auth_username)
            auth_username = self.transform_username(auth_username)
            logging.debug("auth_username (after decode/transform) = {0!r}".format(auth_username))
            u = user.User(auth_username=auth_username,
                          auth_method=self.name, auth_attribs=('name', 'password'), trusted=self.trusted)

        logging.debug("u: {0!r}".format(u))
        if u and self.autocreate:
            logging.debug("autocreating user")
            u.create_or_update()
        if u and u.valid:
            logging.debug("returning valid user {0!r}".format(u))
            return u, True # True to get other methods called, too
        else:
            logging.debug("returning {0!r}".format(user_obj))
            return user_obj, True


def handle_login(userobj, **kw):
    """
    Process a 'login' request by going through the configured authentication
    methods in turn. The passable keyword arguments are explained in more
    detail at the top of this file.
    """

    stage = kw.get('stage')
    params = {'username': kw.get('login_username'),
              'password': kw.get('login_password'),
              'openid': kw.get('login_openid'),
              'multistage': (stage and True) or None,
              'attended': True
             }
    # add the other parameters from the form
    for param in kw.keys():
        params[param] = kw.get(param)

    for authmethod in app.cfg.auth:
        if stage and authmethod.name != stage:
            continue
        ret = authmethod.login(userobj, **params)

        userobj = ret.user_obj
        cont = ret.continue_flag
        if stage:
            stage = None
            del params['multistage']

        if ret.multistage:
            flaskg._login_multistage = ret.multistage
            flaskg._login_multistage_name = authmethod.name
            return userobj

        if ret.redirect_to:
            nextstage = get_multistage_continuation_url(authmethod.name)
            url = ret.redirect_to
            url = url.replace('%return_form', url_quote_plus(nextstage))
            url = url.replace('%return', url_quote(nextstage))
            abort(redirect(url))
        msg = ret.message
        if msg and not msg in flaskg._login_messages:
            flaskg._login_messages.append(msg)

        if not cont:
            break

    return userobj

def handle_logout(userobj):
    """ Logout the passed user from every configured authentication method. """
    if userobj is None:
        # not logged in
        return userobj

    for authmethod in app.cfg.auth:
        userobj, cont = authmethod.logout(userobj)
        if not cont:
            break
    return userobj

def handle_request(userobj):
    """ Handle the per-request callbacks of the configured authentication methods. """
    for authmethod in app.cfg.auth:
        userobj, cont = authmethod.request(userobj)
        if not cont:
            break
    return userobj

def setup_from_session():
    userobj = None
    if 'user.itemid' in session:
        itemid = session['user.itemid']
        trusted = session['user.trusted']
        auth_method = session['user.auth_method']
        auth_attribs = session['user.auth_attribs']
        logging.debug("got from session: {0!r} {1!r} {2!r} {3!r}".format(itemid, trusted, auth_method, auth_attribs))
        logging.debug("current auth methods: {0!r}".format(app.cfg.auth_methods))
        if auth_method and auth_method in app.cfg.auth_methods:
            userobj = user.User(itemid,
                                auth_method=auth_method,
                                auth_attribs=auth_attribs,
                                trusted=trusted)
    logging.debug("session started for user {0!r}".format(userobj))
    return userobj