
Joel Rivera  committed ac59e78

Complete refactor of the "actions handlers" for the globus middleware authentication.

  • Parent commits 1579332
  • Branches gauth


Files changed (1)

File lib/galaxy/web/framework/ext/globus/middleware.py

 
 
 log = logging.getLogger(__name__)
-
-
-class UserAuthentication(object):
-    default_nexus_server = 'nexus.api.globusonline.org'
-    auth_page = """\
+AUTH_PAGE = """\
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
 <html lang="en">
     <head>
     </body>
 </html>
 """
-    LOGOUT = 1
-    LOGIN = 2
-    AUTHENTICATED = 3
-    NOT_AUTHORIZED = 4
-    NOT_ALLOWED = 5
+
+
+def globus_url(env, client):
+    return (('https://www.globusonline.org/OAuth?response_type=code&'
+             'redirect_uri={0}&client_id={1}') 
+            .format(http_host_uri(env), client))
+
+
+def http_host_uri(env):
+    scheme = env['wsgi.url_scheme']
+    host = env['HTTP_HOST']
+    return '%s://%s' % (scheme, host)
+
+
+class UserAuthentication(object):
+    default_nexus_server = 'nexus.api.globusonline.org'
+    LOGOUT = 'LOGOUT'
+    LOGIN = 'LOGIN'
+    AUTHENTICATED = 'AUTHENTICATED'
+    NOT_AUTHORIZED = 'NOT_AUTHORIZED'
+    NOT_ALLOWED = 'NOT_ALLOWED'
 
     def __init__(self, app, nexclient, nexsecret,  nexserver=None,
                  groupid=None, gaccount_cmd=None):
                 "The nexus client 'globus_nexus_client' and client secret "
                 "'globus_nexus_secret' are required.")
         self.app = app
-        self.active_users =  {}
         if nexserver is None:
             nexserver = self.default_nexus_server
         self.nexus_client = nc = nexus.Client({'server': nexserver,
                                                'client': nexclient,
                                                'client_secret': nexsecret})
+        self.active_users = actu = {}
         self.handlers = {
-            self.LOGOUT: self._do_logout,
-            self.LOGIN:
-            LoginHandler(app, nc, active_users=self.active_users,
-                         gaccount_cmd=gaccount_cmd,
-                         groupid=groupid),
-            self.AUTHENTICATED: self._authenticate,
-            self.NOT_AUTHORIZED: self._not_authorized,
-            self.NOT_ALLOWED: self._user_not_allowed
+            self.LOGOUT: Logout(app, nc, active_users=actu),
+            self.LOGIN:  Login(app, nc, active_users=actu,
+                               gaccount_cmd=gaccount_cmd,
+                               groupid=groupid),
+            self.AUTHENTICATED: Authenticate(app, nc),
+            self.NOT_AUTHORIZED: NotAuthorized(app, nc),
+            self.NOT_ALLOWED: NotAllowed(app, nc)
         }
         
     def __call__(self, environ, start_response):
             code = qs['code'][0]
             return self.LOGIN, (code,)
         return self.NOT_AUTHORIZED, ()
-
-    def _user_not_allowed(self, session, start_response, environ, user):
-        """Handle the case when the user is not allowed in this instance
-        for the necessary group permissions.
-        """
-        if user is None:
-            message = 'The user is not allowed'
-        else:
-            message = ('The user <strong>%s</strong> is not '
-                       'allowed in this instance.' % user)
-        start_response( '403 Forbidden', [('Content-type', 'text/html')])
-        return self.auth_page % {'url': self.globus_url(environ),
-                                 'message': message}
-
-    def _not_authorized(self, session, start_response, environ):
-        start_response( '403 Forbidden', [('Content-type', 'text/html')] )
-        return self.auth_page % {'url': self.globus_url(environ),
-                                 'message': ''}
-
-    def _authenticate(self, session, start_response, environ, user, atoken):
-        environ['HTTP_REMOTE_USER'] = user['username'] # this will be modified by galaxy
-        environ['X-GLOBUS-USER'] = user['username']
-        environ['X-GLOBUS-TOKEN'] = atoken
-        return self.app(environ, start_response)
-        
-    def _do_logout(self, session, start_response, *args):
-        del self.active_users[session]
-        start_response( '303 See other', [('Content-type', 'text/html'),
-                                          ('Location', '/')])
-        return ''
-
         
     def _user_in_session(self, session):
         if session is not None and \
             return user, tokens['access']
         return None
 
-        
     def _req_cookie(self, environ):
         cookie = BaseCookie()
         cookie.load(environ.get('HTTP_COOKIE', ''))
             else:
                 return session.value
 
-    def globus_url(self, env):
-        return (('https://www.globusonline.org/OAuth?response_type=code&'
-                'redirect_uri={0}&client_id={1}') 
-                .format(self._host(env), self.nexus_client.client))
-
-    def _host(self, env):
-        scheme = env['wsgi.url_scheme']
-        host = env['HTTP_HOST']
-        return '%s://%s' % (scheme, host)
-        
         
 class ActionHandler(object):
     required_args = set([])
                 setattr(self, name, value)
 
 
-class LoginHandler(ActionHandler):
+class Authenticate(ActionHandler):
+
+    def __call__(self, session, start_response, environ, user, atoken):
+        #  HTTP_REMOTE_USER will be modified by galaxy.
+        environ['HTTP_REMOTE_USER'] = user['username'] 
+        environ['X-GLOBUS-USER'] = user['username']
+        environ['X-GLOBUS-TOKEN'] = atoken
+        return self.app(environ, start_response)
+        
+
+class Login(ActionHandler):
     required_args = set(('active_users', 'gaccount_cmd', 'groupid'))
 
     def __call__(self, session, start_response, environ, code):
         if membership:
             return membership['status'] == 'active'
         return False
+
+
+class Logout(ActionHandler):
+    required_args = set(('active_users',))
     
+    def __call__(self, session, start_response, *args):
+        del self.active_users[session]
+        start_response( '303 See other', [('Content-type', 'text/html'),
+                                          ('Location', '/')])
+        return ''
 
+
+class NotAuthorized(ActionHandler):
+    def __call__(self, session, start_response, environ):
+        start_response( '403 Forbidden', [('Content-type', 'text/html')] )
+        return AUTH_PAGE % {'url': globus_url(environ,
+                                              self.nexus_client.client),
+                            'message': ''}
+
+class NotAllowed(ActionHandler):
+    def __call__(self, session, start_response, environ, user):
+        """Handle the case when the user is not allowed in this instance
+        for the necessary group permissions.
+        """
+        if user is None:
+            message = 'The user is not allowed'
+        else:
+            message = ('The user <strong>%s</strong> is not '
+                       'allowed in this instance.' % user)
+        start_response( '403 Forbidden', [('Content-type', 'text/html')])
+        return AUTH_PAGE % {'url': globus_url(environ,
+                                              self.nexus_client.client),
+                            'message': message}
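Review bot: `NotAllowed.__call__` interpolates `user` into `<strong>%s</strong>` without HTML-escaping, and both it and `NotAuthorized.__call__` put the result of `globus_url(...)` into `AUTH_PAGE` unescaped, so any markup carried in those values is rendered in the 403 page. The URL is built in `http_host_uri` from `env['HTTP_HOST']`, which comes from the request's Host header, and `globus_url` places it in `redirect_uri=` without percent-encoding; taking the base URL from deployment configuration, or checking the host against an allow-list, would keep the OAuth redirect target from being chosen by the request. I would escape at the point of output, e.g. `'allowed in this instance.' % cgi.escape(user, True))` if `user` is a string at this call site, and build the query value with `urllib.quote(http_host_uri(env), safe='')`; both modules would need importing if the file does not already have them. The body of `AUTH_PAGE` is collapsed on this page, so where `%(url)s` lands in the markup should be confirmed before choosing the escaping for it.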