Mercurial > hg > bitsyauth
view bitsyauth/__init__.py @ 52:aabc968611bc
STUB: bitsyauth/__init__.py
| author | Jeff Hammel <k0scist@gmail.com> |
|---|---|
| date | Sun, 23 Feb 2014 17:08:13 -0800 |
| parents | 54a53bbe5be9 |
| children | d9e712cfd098 |
line wrap: on
line source
""" bitsyauth: wrapper module for paste auth """ import markup import random import re import sys from cStringIO import StringIO from markup.form import Form from paste.auth import basic, cookie, digest, form, multi, auth_tkt from webob import Request, Response, exc try: from skimpyGimpy import skimpyAPI CAPTCHA = True except ImportError: CAPTCHA = False dictionary_file = '/usr/share/dict/american-english' def random_word(): """generate a random word for CAPTCHA auth""" min_length = 5 # minimum word length if not globals().has_key('dictionary'): # read the dictionary -- this may be platform dependent # XXX could use a backup dictionary _dictionary = file(dictionary_file).readlines() _dictionary = [ i.strip() for i in _dictionary ] _dictionary = [ i.lower() for i in _dictionary if i.isalpha() and i > min_length ] globals()['dictionary'] = _dictionary return random.Random().choice(dictionary) class BitsyAuthInnerWare(object): """inner auth; does login checking""" def __init__(self, app, passwords, newuser=None, site=None, realm=None): """ a simple auth implementation: inner middleware * app: the WSGI app to be wrapped * passwords: callable that return a dictionary of {'user': 'password'} * newuser: callable to make a new user, taking name + pw * site: name of the site * realm: realm for HTTP digest authentication """ self.app = app self.passwords = passwords self.site = site or '' self.realm = realm or self.site self.captcha = True self.urls = { 'login': '/login', 'join': '/join', } # CAPTCHAs # using skimpygimpy (for now) self.keys = {} # keys, words for CAPTCHA request self.content_type = { 'image_captcha': 'image/png', 'wav_captcha': 'audio/wav' } # new user creation if newuser: self.newuser = newuser else: self.urls.pop('join') # don't do joining # WSGI app securely wrapped self.wrapped_app = self.security_wrapper() if not CAPTCHA: self.captcha = False ### WSGI/HTTP layer def __call__(self, environ, start_response): orig_environ = dict(environ) self.request = Request(environ) self.request.path_info = self.request.path_info.rstrip('/') self.redirect_to = '/' + self.request.script_name.lstrip('/') # URLs intrinsic to BitsyAuth if self.request.path_info == '/logout': response = self.redirect() return response(self.request.environ, start_response) if self.request.path_info in self.url_lookup(): response = self.make_response() return response(self.request.environ, start_response) # digest auth if 'Authorization' in self.request.headers.keys(): return self.wrapped_app(self.request.environ, start_response) response = Request(orig_environ).get_response(self.app) # respond to 401s if response.status_int == 401: # Unauthorized if self.request.environ.get('REMOTE_USER'): return exc.HTTPForbidden() else: response = self.request.get_response(self.wrapped_app) user = self.request.environ.get('REMOTE_USER') if user: self.request.environ['paste.auth_tkt.set_user'](user) return response(self.request.environ, start_response) ### authentication function def digest_authfunc(self, environ, realm, user): return self.passwords()[user] # passwords stored in m5 digest def authfunc(self, environ, user, password): return self.hash(user, password) == self.passwords()[user] def hash(self, user, password): # use md5 digest for now return digest.digest_password(self.realm, user, password) def security_wrapper(self): """return the app securely wrapped""" multi_auth = multi.MultiHandler(self.app) # digest authentication multi_auth.add_method('digest', digest.middleware, self.realm, self.digest_authfunc) multi_auth.set_query_argument('digest', key='auth') # form authentication template = self.login(wrap=True, action='%s') multi_auth.add_method('form', form.middleware, self.authfunc, template=template) multi_auth.set_default('form') return multi_auth # might have to wrap cookie.middleware(BitsyAuth(multi(app))) ::shrug:: return cookie.middleware(multi_auth) ### methods dealing with intrinsic URLs def url_lookup(self): retval = dict([ (value, key) for key, value in self.urls.items() ]) if self.captcha: retval.update(dict([(('/join/%s.png' % key), 'image_captcha') for key in self.keys])) return retval def get_response(self, text, content_type='text/html'): res = Response(content_type=content_type, body=text) res.content_length = len(res.body) return res def make_response(self): url_lookup = self.url_lookup() path = self.request.path_info assert path in url_lookup # login and join shouldn't be accessible when logged in if self.request.environ.get('REMOTE_USER'): return self.redirect("You are already logged in") handler = url_lookup[path] function = getattr(self, handler) if self.request.method == 'GET': # XXX could/should do this with decorators return self.get_response(function(wrap=True), content_type=self.content_type.get(handler,'text/html')) if self.request.method == 'POST': post_func = getattr(self, handler + "_post") errors = post_func() if errors: return self.get_response(function(errors=errors, wrap=True)) else: location = self.request.POST.get('referer') return self.redirect("Welcome!", location=location) def redirect(self, message='', location=None): """redirect from instrinsic urls""" return exc.HTTPSeeOther(message, location=location or self.redirect_to) def image_captcha(self, wrap=True): """return data for the image""" key = self.request.path_info.split('/join/')[-1] key = int(key.split('.png')[0]) return skimpyAPI.Png(self.keys[key], scale=3.0).data() ### forms and their display methods ### login def login_form(self, referer=None, action=None): form = Form(action=action or '', submit='Login') form.add_element('textfield', 'Name', input_name='username') form.add_element('password', 'Password', input_name='password') if referer: form.add_element('hidden', 'referer', value=referer) return form def login(self, errors=None, wrap=False, action=None): """login div""" referer = None if hasattr(self, 'request'): referer = self.request.referer form = self.login_form(action=action, referer=referer) join = self.urls.get('join') retval = form(errors) if join: retval += '<br/>\n' + markup.a('join', href="%s" % join) retval = markup.div(retval) if wrap: title = 'login' if self.site: pagetitle = '%s - %s' % (title, self.site) retval = markup.wrap(markup.h1(title.title()) + retval, pagetitle=pagetitle) return retval def login_post(self): """handle a login POST request""" user = self.request.POST.get('username') password = self.request.POST.get('password') passwords = self.passwords() error = False if user not in passwords: error = True else: error = not self.authfunc(self.request.environ, user, password) if error: return { 'Name': 'Wrong username or password' } self.request.environ['REMOTE_USER'] = user self.request.environ['paste.auth_tkt.set_user'](user) ### join def captcha_pre(self, word, key): """CAPTCHA with pre-formatted text""" return skimpyAPI.Pre(word, scale=1.2).data() def captcha_png(self, word, key): """CAPTCHA with a PNG image""" return markup.image('/join/%s.png' % key) def join_form(self): captcha = '' if self.captcha: # data for CAPTCHA key = random.Random().randint(0, sys.maxint) word = random_word() self.keys[key] = word captcha = StringIO() captcha_text = "Please type the word below so I know you're not a computer:" captcha_help = "(please %s if the page is unreadable)" % markup.link('/join?captcha=image', 'go here') print >> captcha, markup.p('%s<br/> %s' % (captcha_text, markup.i(captcha_help))) # determine type of CAPTCHA captchas = ' '.join(self.request.GET.getall('captcha')) if not captchas: captchas = 'pre' captcha_funcs=dict(pre=self.captcha_pre, image=self.captcha_png,) captchas = [ captcha_funcs[i](word, key) for i in captchas.split() if i in captcha_funcs ] captchas = '\n'.join([markup.p(i) for i in captchas]) print >> captcha, captchas print >> captcha, markup.p(markup.input(None, **dict(name='captcha', type='text'))) captcha = captcha.getvalue() form = Form(action=self.urls['join'], submit='Join', post_html=captcha) form.add_element('textfield', 'Name') form.add_password_confirmation() form.add_element('hidden', 'key', value=str(key)) return form def join(self, errors=None, wrap=False): """join div or page if wrap""" form = self.join_form() retval = markup.div(form(errors)) if wrap: pagetitle = title = 'join' if self.site: pagetitle = '%s - %s' % (title, self.site) if self.captcha: errors = errors or {} captcha_err = errors.get('CAPTCHA', '') if captcha_err: captcha_err = markup.p(markup.em(captcha_err), **{'class': 'error'}) retval = markup.wrap(markup.h1(title.title()) + captcha_err + retval, pagetitle=pagetitle) return retval def join_post(self): """handle a join POST request""" form = self.join_form() errors = form.validate(self.request.POST) # validate captcha if CAPTCHA: key = self.request.POST.get('key') try: key = int(key) except ValueError: key = None if not key: errors['CAPTCHA'] = 'Please type the funky looking word' word = self.keys.pop(key, None) if not word: errors['CAPTCHA'] = 'Please type the funky looking word' if word != self.request.POST.get('captcha','').lower(): errors['CAPTCHA'] = 'Sorry, you typed the wrong word' name = self.request.POST.get('Name', '') if not name: if not errors.has_key('Name'): errors['Name'] = [] errors['Name'].append('Please enter a user name') if name in self.passwords(): if not errors.has_key('Name'): errors['Name'] = [] errors['Name'].append('The name %s is already taken' % name) if not errors: # create a new user self.newuser(name, self.hash(name, self.request.POST['Password'])) self.request.environ['REMOTE_USER'] = name # login the new user self.request.environ['paste.auth_tkt.set_user'](name) return errors class BitsyAuth(object): """outer middleware for auth; does the cookie handling and wrapping""" def __init__(self, app, global_conf, passwords, newuser, site='', secret='secret'): self.app = app self.path = '/logout' self.cookie = '__ac' auth = BitsyAuthInnerWare(app, passwords=passwords, newuser=newuser, site=site) self.hash = auth.hash # paste.auth.auth_tkt self.cookie_handler = auth_tkt.make_auth_tkt_middleware( auth, global_conf, secret, cookie_name=self.cookie, logout_path='/logout') def __call__(self, environ, start_response): try: return self.cookie_handler(environ, start_response) except auth_tkt.BadTicket: environ.pop('HTTP_COOKIE') # kill all cookies! bad! XXX return self.cookie_handler(environ, start_response) return self.logout(environ, start_response) def logout(self, environ, start_response): req = Request(environ) keys = [ 'REMOTE_USER' ] # keys = [ 'REMOTE_USER', 'AUTH_TYPE', 'paste.auth.cookie', 'paste.cookies', 'HTTP_COOKIE' ] # XXX zealous kill for key in keys: req.environ.pop(key, None) # return response body = '<html><head><title>logout</title></head><body>logout</body></html>' res = Response(content_type='text/html', body=body) req.cookies.pop(self.cookie, None) res.delete_cookie(self.cookie) res.unset_cookie(self.cookie) return res(environ, start_response)