Don't rely on being about an issue when submitting a message to the

[roundup.git] / patches / 20020205.alternate_auth

From daniel_clark@us.ibm.com Wed Feb  6 04:27:15 2002
X-Sieve: cmu-sieve 2.0
Return-Path: <roundup-devel-admin@lists.sourceforge.net>
Received: (from uucp@localhost)
        by crown.off.ekorp.com (8.9.3/8.9.3) id RAA12435
        for rjones@ekit-inc.com; Tue, 5 Feb 2002 17:30:24 GMT
Received: from usw-sf-fw2.sourceforge.net(216.136.171.252), claiming to be "usw-sf-list1.sourceforge.net"
 via SMTP by mx3.ekorp.com, id smtpdAAALJaWqy; Tue Feb  5 17:30:22 2002
Received: from localhost ([127.0.0.1] helo=usw-sf-list1.sourceforge.net)
        by usw-sf-list1.sourceforge.net with esmtp (Exim 3.31-VA-mm2 #1 (Debian))
        id 16Y9Q6-0002kj-00; Tue, 05 Feb 2002 09:30:14 -0800
Received: from lotus2.lotus.com ([129.42.241.42])
        by usw-sf-list1.sourceforge.net with esmtp (Exim 3.31-VA-mm2 #1 (Debian))
        id 16Y9Ps-0002ee-00
        for <roundup-devel@lists.sourceforge.net>; Tue, 05 Feb 2002 09:30:00 -0800
Received: from internet2.lotus.com (internet2 [172.16.131.236])
        by lotus2.lotus.com (8.12.1/8.12.1) with ESMTP id g15HUnTQ013140
        for <roundup-devel@lists.sourceforge.net>; Tue, 5 Feb 2002 12:30:54 -0500 (EST)
Received: from a3mail.lotus.com (a3mail.lotus.com [9.95.5.66])
        by internet2.lotus.com (8.12.1/8.12.1) with ESMTP id g15HTHS0005917
        for <roundup-devel@lists.sourceforge.net>; Tue, 5 Feb 2002 12:29:17 -0500 (EST)
To: roundup-devel@lists.sourceforge.net
X-Mailer: Lotus Notes Release 5.0.8  June 18, 2001
Message-ID: <OF2C7B87C4.DF1574A8-ON85256B56.0060B9A2@lotus.com>
From: "Daniel Clark/CAM/Lotus" <daniel_clark@us.ibm.com>
X-MIMETrack: Serialize by Router on A3MAIL/CAM/H/Lotus(Build V5010_01222002 |January 22, 2002) at
 02/05/2002 12:25:48 PM
MIME-Version: 1.0
Content-type: text/plain;
  charset=iso-8859-1
Content-transfer-encoding: quoted-printable
Subject: [Roundup-devel] Alternative authentication for roundup
Sender: roundup-devel-admin@lists.sourceforge.net
Errors-To: roundup-devel-admin@lists.sourceforge.net
X-BeenThere: roundup-devel@lists.sourceforge.net
X-Mailman-Version: 2.0.5
Precedence: bulk
List-Help: <mailto:roundup-devel-request@lists.sourceforge.net?subject=help>
List-Post: <mailto:roundup-devel@lists.sourceforge.net>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/roundup-devel>,
        <mailto:roundup-devel-request@lists.sourceforge.net?subject=subscribe>
List-Id: <roundup-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/roundup-devel>,
        <mailto:roundup-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://www.geocrawler.com/redir-sf.php3?list=roundup-devel>
X-Original-Date: Tue, 5 Feb 2002 12:27:15 -0500
Date: Tue, 5 Feb 2002 12:27:15 -0500
Status: R 
X-Status: N

I'm trying to get roundup to work with an alternative method of
authentication (due to a corporate requirement of using a common intran=
et
password). I've created an "altauth" module to abstract the details of =
the
authentication. Since the hyperdb usernames and passwords seem to be
referenced in a lot of places in the code, I am just creating hyperdb
entries for the users if they exist and enter their correct passwords
against the alternate authentication source. For the most part this eff=
ects
the login_action function in cgi_client.py. I've completed some changes=

that make this work for the web interface, but as I am new to roundup a=
nd
relatively new to python I thought I'd post the changes for review. If
others would find this functionality useful I would be happy if these
changes (probably reworked) could make it into future releases.

The main things I think I still need to do are add equivalent changes t=
o
mailgw.py and handle messages from the alternative authentication sourc=
e
better.

--- cgi_client.py Tue Feb  5 21:56:30 2002
+++ cgi_client.py-altauth     Tue Feb  5 21:56:30 2002
@@ -27,6 +27,13 @@
 import roundupdb, htmltemplate, date, hyperdb, password
 from roundup.i18n import _

+try:
+    from altauth import altauth
+    import password as password_module
+    altauth_exists =3D 1
+except:
+    altauth_exists =3D 0
+
 class Unauthorised(ValueError):
     pass

@@ -807,7 +814,24 @@
             password =3D self.form['__login_password'].value
         else:
             password =3D ''
+        # if using alternate authentication, perform it.
+        if altauth_exists:
+            auth =3D altauth(self.user, password)
         # make sure the user exists
+        if altauth_exists:
+            if auth.exists:
+                try:
+                    uid =3D self.db.user.lookup(self.user)
+                except KeyError:
+                    username =3D str(self.user)
+                    self.db =3D self.instance.open('admin')
+                    cl =3D self.db.user
+                    props =3D {'username':username, 'realname':auth.re=
alname,
+                             'organisation':auth.org, 'address':auth.e=
mail,
+                             'phone':auth.phone}
+                    uid =3D cl.create(**props)
+                    self.user =3D cl.get(uid, 'username')
+                    self.db.commit()
         try:
             uid =3D self.db.user.lookup(self.user)
         except KeyError:
@@ -819,6 +843,20 @@
             return 0

         # and that the password is correct
+        if altauth_exists:
+            if auth.success:
+                name =3D str(self.user)
+                self.db =3D self.instance.open(name)
+                value =3D password_module.Password(password.strip())
+                password_dict =3D {'password':value}
+                user =3D self.db.user
+                user.set(uid, **password_dict)
+                self.db.commit()
+            else:
+                self.make_user_anonymous()o
+                action =3D self.form['__destination_url'].value
+                self.login(message=3D_(auth.message), action=3Daction)=

+                return 0
         pw =3D self.db.user.get(uid, 'password')
         if password !=3D pw:
             self.make_user_anonymous()


example altauth.py:

__doc__ =3D """
Alternative authentication for roundup
"""

import pipes, os, string

class altauth:
    """
    Arguments:
        username : username
        password : password in plaintext

    Instance variables:
        realname : username's real name
        org      : username's organization
        email    : username's email address
        phone    : username's phone number

        code     : return code from alternate authentication
        message  : message from alternate authentication
        exists   : does user exist in alternate autentication source?
        success  : did user enter a valid user / password combo?
    """
    def __init__(self, username=3DNone, password=3DNone):
        # Make sure user and password have values - else java cwauthcmd=
 hangs.
        if username is None:
            username =3D "test"
        if password is None:
            password =3D "test"

        # In Bluepages, your username is your email address, but this m=
ight not
        # be true for other authentication sources.
        self.email =3D username

        # Get realname, phone and org from Bluepages
        cmd =3D "phone ldap emailaddress=3D%s format givenname sn telep=
honenumber dept" % self.email
        s =3D os.popen(cmd).readlines()[0].strip().split()
        self.realname =3D string.join(s[:-2])
        self.phone =3D s[-2]
        self.org =3D s[-1]

        # Open a pipeline to java cwauth stuff. The most secure option =
I could think of
        # besides JPE (Java Python Extension), which I couldn't get to =
work.
        os.umask(077)
        t=3Dpipes.Template()
        t.append('java cwauthcmd', '--')
        tmpfile =3D os.tmpnam()
        f=3Dt.open(tmpfile, 'w')
        f.write(username + " " + password)
        f.close()
        self.code =3D int(open(tmpfile).read().strip())
        os.remove(tmpfile)

        if self.code =3D=3D 0:
            self.message =3D "Success. The authentication was successfu=
l."
            self.exists =3D 1
            self.success =3D 1
        elif self.code =3D=3D 2:
            self.message =3D "Not registered. Visit http://w3.ibm.com/p=
assword/"
            self.exists =3D 0
            self.success =3D 0
        elif self.code =3D=3D 3:
            self.message =3D "LDAP Error. There was an error communicat=
ing with Bluepages."
            self.exists =3D 0
            self.success =3D 0
        elif self.code =3D=3D 4:
            self.message  =3D "No Record Found. No user was found havin=
g that e-mail address."
            self.exists =3D 0
            self.success =3D 0
        elif self.code =3D=3D 5:
            self.message =3D "Multiple Records Found. More than one ent=
ry exists for that e-mail address."
            self.exists =3D 1
            self.success =3D 0
        elif self.code =3D=3D 6:
            self.message =3D "Incorrect password. Try again or visit ht=
tp://w3.ibm.com/password"
            self.exists =3D 1
            self.success =3D 0
        else:
            self.message =3D "Unknown result code. Contact daniel_clark=
@us.ibm.com"
            self.exists =3D 0
            self.success =3D 0


--
Daniel Clark =A7 Sys Admin & Assistant Release Engineer
IBM =BB Lotus =BB Messaging Technology Group =A7 http://w3.mtg.lotus.co=
m
Tieline 693-7353 =A7 External 617-693-7353 =A7 Mobile 617-877-0702
AIM as djbclark =A7 Sametime as Daniel Clark/CAM/Lotus
=



_______________________________________________
Roundup-devel mailing list
Roundup-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/roundup-devel