00001 # -*- coding: iso-8859-1 -*-
00002 """
00003     MoinMoin - SSL client certificate authentication
00004 
00005     Currently not supported for Twisted web server, but only for web servers
00006     setting SSL_CLIENT_* environment (e.g. Apache).
00007 
00008     @copyright: 2003 Martin v. Loewis,
00009                 2006 MoinMoin:ThomasWaldmann
00010     @license: GNU GPL, see COPYING for details.
00011 """
00012 
00013 from MoinMoin import config, user
00014 from MoinMoin.auth import BaseAuth
00015 
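class SSLClientCertAuth(BaseAuth):
    """ authenticate via SSL client certificate

    The certificate itself is neither read nor validated here: this class
    trusts the SSL_CLIENT_* variables that the SSL-terminating web server
    (e.g. Apache mod_ssl) puts into request.environ after it has verified
    the client certificate.
    """

    name = 'sslclientcert'

    def __init__(self, authorities=None,
                 email_key=True, name_key=True,
                 use_email=False, use_name=False,
                 autocreate=False):
        """
        @param authorities: list of issuer OU names (SSL_CLIENT_I_DN_OU)
                            checked in request(); None/empty disables the
                            check
        @param email_key: look the wiki user up by the certificate's
                          subject email (SSL_CLIENT_S_DN_Email)
        @param name_key: look the wiki user up by the certificate's
                         subject CN (SSL_CLIENT_S_DN_CN)
        @param use_email: copy the certificate email into the matched or
                          created user's email attribute
        @param use_name: copy the certificate CN into the matched user's
                         name attribute
        @param autocreate: call create_or_update() on the user object after
                           a successful lookup or creation
        """
        self.authorities = authorities
        self.email_key = email_key
        self.name_key = name_key
        self.use_email = use_email
        self.use_name = use_name
        self.autocreate = autocreate
        BaseAuth.__init__(self)

    def request(self, request, user_obj, **kw):
        """ authenticate from the SSL_CLIENT_* variables of the request

        @param request: the request; only request.environ is read here
        @param user_obj: user object handed on by the auth methods that
                         ran before this one (may be None)
        @rtype: tuple
        @return: (user, continue) as in BaseAuth.request(): the user found
                 or created from the certificate (user_obj when the
                 certificate yields no valid user) and a flag that
                 presumably tells the caller whether to run further auth
                 methods -- False only when a user logged in by this method
                 has lost its certificate
        """
        u = None
        changed = False

        env = request.environ
        # Anything but an explicit SUCCESS (including a missing variable)
        # counts as "no verified client certificate".
        if env.get('SSL_CLIENT_VERIFY', 'FAILURE') == 'SUCCESS':

            # check authority list if given
            # NOTE(review): a certificate whose issuer OU *is* listed is
            # ignored here (user_obj is returned untouched). If
            # `authorities` is meant to be the set of accepted issuers,
            # this condition looks inverted (`not in`) -- confirm against
            # the documented meaning of the option before changing it.
            if self.authorities and env.get('SSL_CLIENT_I_DN_OU') in self.authorities:
                return user_obj, True

            # Always bind both subject fields so that use_email / use_name
            # can be combined with either lookup key without a NameError;
            # the *_key flags only decide which fields take part in the
            # user lookup.
            email = env.get('SSL_CLIENT_S_DN_Email', '').decode(config.charset)
            commonname = env.get('SSL_CLIENT_S_DN_CN', '').decode(config.charset)
            email_lower = None
            if self.email_key:
                email_lower = email.lower()
            commonname_lower = None
            if self.name_key:
                commonname_lower = commonname.lower()

            if email_lower or commonname_lower:
                for uid in user.getUserList(request):
                    u = user.User(request, uid,
                                  auth_method=self.name, auth_attribs=())
                    if email_lower and u.email.lower() == email_lower:
                        u.auth_attribs = ('email', 'password')
                        # never overwrite the profile name with an empty CN
                        if self.use_name and commonname and commonname.lower() != u.name.lower():
                            u.name = commonname
                            changed = True
                            u.auth_attribs = ('email', 'name', 'password')
                        break
                    if commonname_lower and u.name.lower() == commonname_lower:
                        u.auth_attribs = ('name', 'password')
                        # never overwrite the profile email with an empty one
                        if self.use_email and email and email.lower() != u.email.lower():
                            u.email = email
                            changed = True
                            u.auth_attribs = ('name', 'email', 'password')
                        break
                else:
                    # the loop finished without a break: no user matched
                    u = None
                if u is None:
                    # user wasn't found, so let's create a new user object
                    u = user.User(request, name=commonname_lower, auth_username=commonname_lower,
                                  auth_method=self.name)
                    u.auth_attribs = ('name', 'password')
                    if self.use_email and email:
                        u.email = email
                        u.auth_attribs = ('name', 'email', 'password')
        elif user_obj and user_obj.auth_method == self.name:
            # The current user was logged in by this method but the request
            # no longer carries a verified certificate: invalidate and stop.
            user_obj.valid = False
            return user_obj, False
        if u and self.autocreate:
            u.create_or_update(changed)
        if u and u.valid:
            return u, True
        else:
            return user_obj, True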