From: "Daniel Clark/CAM/Lotus" <daniel_clark@us.ibm.com>
To: roundup-devel@lists.sourceforge.net
Date: Tue, 5 Feb 2002 12:27:15 -0500
Subject: [Roundup-devel] Alternative authentication for roundup

I'm trying to get roundup to work with an alternative method of authentication (due to a corporate requirement of using a common intranet password). I've created an "altauth" module to abstract the details of the authentication. Since the hyperdb usernames and passwords seem to be referenced in a lot of places in the code, I am just creating hyperdb entries for the users if they exist and enter their correct passwords against the alternate authentication source. For the most part this affects the login_action function in cgi_client.py. I've completed some changes that make this work for the web interface, but as I am new to roundup and relatively new to Python I thought I'd post the changes for review. If others would find this functionality useful I would be happy if these changes (probably reworked) could make it into future releases.

The main things I think I still need to do are add equivalent changes to mailgw.py and handle messages from the alternative authentication source better.

--- cgi_client.py Tue Feb 5 21:56:30 2002
+++ cgi_client.py-altauth Tue Feb 5 21:56:30 2002
@@ -27,6 +27,13 @@ import roundupdb, htmltemplate, date, hyperdb, password from roundup.i18n import _ +try: + from altauth import altauth + import password as password_module + altauth_exists =3D 1 +except: + altauth_exists =3D 0 + class Unauthorised(ValueError): pass @@ -807,7 +814,24 @@ password =3D self.form['__login_password'].value else: password =3D '' + # if using alternate authentication, perform it. + if altauth_exists: + auth =3D altauth(self.user, password) # make sure the user exists + if altauth_exists: + if auth.exists: + try: + uid =3D self.db.user.lookup(self.user) + except KeyError: + username =3D str(self.user) + self.db =3D self.instance.open('admin') + cl =3D self.db.user + props =3D {'username':username, 'realname':auth.re= alname, + 'organisation':auth.org, 'address':auth.e= mail, + 'phone':auth.phone} + uid =3D cl.create(**props) + self.user =3D cl.get(uid, 'username') + self.db.commit() try: uid =3D self.db.user.lookup(self.user) except KeyError: 
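Review bot: the bare `except:` in the import hunk (`+except: + altauth_exists =3D 0`) catches every exception, not only a missing module, so a syntax error or a failing import inside `altauth` silently switches the external authentication off and the tracker falls back to local passwords with no log message; narrow it to `except ImportError:` so other failures surface. The `import password as password_module` alias is needed because `login_action` later binds a local variable named `password` to the form value, which shadows the module; a one-line comment saying so would save the next reader from "simplifying" it away.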
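Review bot: the user-creation branch in the `-807` hunk fires on `auth.exists` alone, and the example altauth.py sets `exists =3D 1` with `success =3D 0` for result codes 5 and 6 (duplicate record, incorrect password), so a request with a wrong password for a not-yet-known user creates a hyperdb user record before the password has been checked; gate creation on `auth.exists and auth.success`. `self.db =3D self.instance.open('admin')` also replaces the request's database handle with an admin-privileged one and never restores it, so everything that follows in the request (including the second lookup) runs as admin; open the admin handle in a local variable, create and commit the user, and then carry on with the original `self.db`. The repeated `if altauth_exists:` directly after the first one is redundant and can be folded into it.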
@@ -819,6 +843,20 @@ return 0 # and that the password is correct + if altauth_exists: + if auth.success: + name =3D str(self.user) + self.db =3D self.instance.open(name) + value =3D password_module.Password(password.strip()) + password_dict =3D {'password':value} + user =3D self.db.user + user.set(uid, **password_dict) + self.db.commit() + else: + self.make_user_anonymous()o + action =3D self.form['__destination_url'].value + self.login(message=3D_(auth.message), action=3Daction)= + return 0 pw =3D self.db.user.get(uid, 'password') if password !=3D pw: self.make_user_anonymous()

Example altauth.py:

```python
"""Alternative authentication for roundup."""
import subprocess


class altauth:
    """Authenticate a user against the external (Bluepages / cwauth) source.

    Arguments:
        username : username
        password : password in plaintext
    Instance variables:
        realname : username's real name
        org      : username's organization
        email    : username's email address
        phone    : username's phone number
        code     : return code from alternate authentication
        message  : message from alternate authentication
        exists   : does user exist in alternate authentication source?
        success  : did user enter a valid user / password combo?
    """

    # Result codes reported by "java cwauthcmd": code -> (message, exists, success)
    RESULTS = {
        0: ("Success. The authentication was successful.", 1, 1),
        2: ("Not registered. Visit http://w3.ibm.com/password/", 0, 0),
        3: ("LDAP Error. There was an error communicating with Bluepages.", 0, 0),
        4: ("No Record Found. No user was found having that e-mail address.", 0, 0),
        5: ("Multiple Records Found. More than one entry exists for that e-mail address.", 1, 0),
        6: ("Incorrect password. Try again or visit http://w3.ibm.com/password", 1, 0),
    }

    def __init__(self, username=None, password=None):
        # Make sure user and password have values - else java cwauthcmd hangs.
        if username is None:
            username = "test"
        if password is None:
            password = "test"
        # In Bluepages, your username is your email address, but this might not
        # be true for other authentication sources.
        self.email = username

        # Get realname, phone and org from Bluepages. The command is passed as an
        # argument list with no shell, so a username containing shell
        # metacharacters cannot inject commands; the original
        # os.popen("... emailaddress=%s ..." % self.email) allowed exactly that.
        cmd = ["phone", "ldap", "emailaddress=%s" % self.email,
               "format", "givenname", "sn", "telephonenumber", "dept"]
        lines = self._run(cmd).splitlines()
        s = []
        if lines:
            s = lines[0].split()
        if len(s) >= 3:
            self.realname = " ".join(s[:-2])
            self.phone = s[-2]
            self.org = s[-1]
        else:
            # No directory record (or unexpected output): leave the fields empty
            # instead of raising IndexError inside the login handler.
            self.realname = self.phone = self.org = ""

        # Hand "username password" to java cwauthcmd on its stdin and read the
        # result code from its stdout. This replaces the original pipes.Template
        # plus os.tmpnam() temporary file: the credentials never touch the
        # filesystem and there is no predictable temp file name to race.
        out = self._run(["java", "cwauthcmd"], stdin_data=username + " " + password)
        try:
            self.code = int(out.strip())
        except ValueError:
            self.code = -1  # no or non-numeric output: treat as an unknown result

        self.message, self.exists, self.success = self.RESULTS.get(
            self.code,
            ("Unknown result code. Contact daniel_clark@us.ibm.com", 0, 0))

    def _run(self, argv, stdin_data=None):
        """Run argv without a shell and return its stdout as text."""
        p = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                             universal_newlines=True)
        out, _ = p.communicate(stdin_data)
        return out
```

--
Daniel Clark § Sys Admin & Assistant Release Engineer
IBM » Lotus » Messaging Technology Group § http://w3.mtg.lotus.com
Tieline 693-7353 § External 617-693-7353 § Mobile 617-877-0702
AIM as djbclark § Sametime as Daniel Clark/CAM/Lotus

Roundup-devel mailing list: Roundup-devel@lists.sourceforge.net, https://lists.sourceforge.net/lists/listinfo/roundup-devel
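Review bot: `self.make_user_anonymous()o` in the `-819` hunk has a stray `o` after the call; that is a syntax error, so cgi_client.py will not import at all until it is removed. On the success path the hunk writes the intranet password into the hyperdb (`user.set(uid, **password_dict)`) and then still falls through to the existing `pw =3D self.db.user.get(uid, 'password')` / `if password !=3D pw:` check, so the tracker keeps a second copy of the corporate credential only to pass its own comparison; returning right after a successful external authentication (or skipping the local check when `altauth_exists`) avoids storing that copy. `_(auth.message)` hands a runtime string to gettext, which is harmless but can never be translated; `message=auth.message` says what is meant.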
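The post describes a just-in-time provisioning flow: the external source decides whether the user exists and whether the password is right, and the tracker creates a local hyperdb record only for users the external source vouches for. The following is an added example, not code from the post or from roundup, that models that decision with in-memory stand-ins (`FakeAltAuth`, `FakeUserTable` and its constructed directory entry are all assumptions) so the two invariants a reviewer cares about can be checked offline: a failed or unknown login never writes to the local store, and a known user is created once and then reused. Following the review comments above, it creates only when the source reports both exists and success, and it does not copy the external password into the local record.

```python
"""Model of the altauth login flow (added example; fakes replace hyperdb and cwauthcmd)."""

# Result codes as listed in the post's altauth.py: code -> (exists, success)
RESULT_CODES = {0: (1, 1), 2: (0, 0), 3: (0, 0), 4: (0, 0), 5: (1, 0), 6: (1, 0)}


class FakeAltAuth:
    """Stand-in for altauth: checks a constructed table instead of running 'java cwauthcmd'."""

    # Constructed directory (assumption): username -> (password, hyperdb profile props)
    DIRECTORY = {
        "alice@example.com": ("s3cret", {"realname": "Alice Example",
                                         "organisation": "Dept 42",
                                         "address": "alice@example.com",
                                         "phone": "555-0100"}),
    }

    def __init__(self, username, password):
        entry = self.DIRECTORY.get(username)
        if entry is None:
            self.code = 4          # No Record Found
        elif entry[0] != password:
            self.code = 6          # Incorrect password
        else:
            self.code = 0          # Success
        self.exists, self.success = RESULT_CODES[self.code]
        self.profile = entry[1] if entry else {}


class FakeUserTable:
    """Minimal stand-in for self.db.user: lookup / create / get / set."""

    def __init__(self):
        self.rows = {}
        self.next_id = 1

    def lookup(self, username):
        for uid, row in self.rows.items():
            if row["username"] == username:
                return uid
        raise KeyError(username)     # same failure mode hyperdb lookup() has

    def create(self, **props):
        uid = str(self.next_id)
        self.next_id += 1
        self.rows[uid] = dict(props)
        return uid

    def get(self, uid, prop):
        return self.rows[uid].get(prop)

    def set(self, uid, **props):
        self.rows[uid].update(props)


def login_action(users, username, password, authenticator=FakeAltAuth):
    """Return ("logged_in", uid) or ("anonymous", None).

    Mirrors the shape of the post's login_action changes with two differences:
    a local user is created only when the external source reports exists AND
    success, and nothing is written locally when authentication fails.
    """
    auth = authenticator(username, password)
    if not (auth.exists and auth.success):
        # Unknown user, wrong password, directory error: local store untouched.
        return "anonymous", None
    try:
        uid = users.lookup(username)
    except KeyError:
        # First successful login: provision the record from the directory profile.
        uid = users.create(username=username, **auth.profile)
    return "logged_in", uid


if __name__ == "__main__":
    users = FakeUserTable()
    print(login_action(users, "nobody@example.com", "x"))       # ('anonymous', None)
    print(login_action(users, "alice@example.com", "wrong"))    # ('anonymous', None)
    print(login_action(users, "alice@example.com", "s3cret"))   # ('logged_in', '1')
    print(login_action(users, "alice@example.com", "s3cret"))   # ('logged_in', '1'), no new row
```

Swapping `FakeAltAuth` for the real `altauth` class keeps the rest unchanged, since the flow only reads `exists`, `success` and the profile fields; that separation is what makes the provisioning rule testable without the Java pipeline.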