Provide simple Bearer extraction plugin.

Bearer is token used in OAuth 2. This plugin extracts this token from Authorisation header and uses defined portal type query in order to check if token is valid and for which user.

Provide simple Bearer extraction plugin.
Bearer is token used in OAuth 2. This plugin extracts this token from Authorisation header and uses defined portal type query in order to check if token is valid and for which user.
30e131ed · Łukasz Nowak · Rafael Monnerat · 8670f40a · 30e131ed · 30e131ed
Commit 30e131ed authored Apr 25, 2012 by Łukasz Nowak Committed by Rafael Monnerat Sep 17, 2012
3 changed files
--- a/product/ERP5Security/ERP5BearerExtractionPlugin.py
+++ b/product/ERP5Security/ERP5BearerExtractionPlugin.py
+# -*- coding: utf-8 -*-
+##############################################################################
+#
+# Copyright (c) 2012 Nexedi SA and Contributors. All Rights Reserved.
+#
+# WARNING: This program as such is intended to be used by professional
+# programmers who take the whole responsibility of assessing all potential
+# consequences resulting from its eventual inadequacies and bugs
+# End users who are looking for a ready-to-use solution with commercial
+# guarantees and support are strongly advised to contract a Free Software
+# Service Company
+#
+# This program is Free Software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+#
+##############################################################################
+
+from Products.ERP5Type.Globals import InitializeClass
+from AccessControl import ClassSecurityInfo
+
+from Products.PageTemplates.PageTemplateFile import PageTemplateFile
+from Products.PluggableAuthService.interfaces import plugins
+from Products.PluggableAuthService.utils import classImplements
+from Products.PluggableAuthService.plugins.BasePlugin import BasePlugin
+from Products.ERP5Security.ERP5UserManager import SUPER_USER
+from Products.PluggableAuthService.PluggableAuthService import DumbHTTPExtractor
+
+from AccessControl.SecurityManagement import getSecurityManager,\
+    setSecurityManager, newSecurityManager
+from DateTime import DateTime
+from Products.ZSQLCatalog.SQLCatalog import SimpleQuery
+
+#Form for new plugin in ZMI
+manage_addERP5BearerExtractionPluginForm = PageTemplateFile(
+  'www/ERP5Security_addERP5BearerExtractionPlugin', globals(),
+  __name__='manage_addERP5BearerExtractionPluginForm')
+
+def addERP5BearerExtractionPlugin(dispatcher, id, token_portal_type,
+  title=None, REQUEST=None):
+  """ Add a ERP5BearerExtractionPlugin to a Pluggable Auth Service. """
+
+  plugin = ERP5BearerExtractionPlugin(id, token_portal_type, title)
+  dispatcher._setObject(plugin.getId(), plugin)
+
+  if REQUEST is not None:
+      REQUEST['RESPONSE'].redirect(
+          '%s/manage_workspace'
+          '?manage_tabs_message='
+          'ERP5BearerExtractionPlugin+added.'
+          % dispatcher.absolute_url())
+
+class ERP5BearerExtractionPlugin(BasePlugin):
+  """
+  Plugin to authenicate as machines.
+  """
+
+  meta_type = "ERP5 Bearer Extraction Plugin"
+  security = ClassSecurityInfo()
+
+  def __init__(self, id, token_portal_type, title=None):
+    #Register value
+    self._setId(id)
+    self.title = title
+    self.token_portal_type = token_portal_type
+
+  ####################################
+  #ILoginPasswordHostExtractionPlugin#
+  ####################################
+  security.declarePrivate('extractCredentials')
+  def extractCredentials(self, request):
+    """ Extract credentials from the request header. """
+    creds = {}
+    authorisation = request._auth
+    if authorisation is not None:
+      if 'Bearer' in authorisation:
+        l = authorisation.split()
+        if len(l) == 2:
+          token = l[1]
+          sm = getSecurityManager()
+          if sm.getUser().getId() != SUPER_USER:
+            newSecurityManager(self, self.getUser(SUPER_USER))
+          try:
+            now = DateTime()
+            token_document = self.portal_catalog.getResultValue(
+              portal_type=self.token_portal_type,
+              reference=token,
+              query=SimpleQuery(comparison_operator='<=', expiration_date=now),
+              validation_state='validated'
+            )
+            if token_document is not None:
+              if token_document.getReference() == token and \
+                token_document.getExpirationDate() <= now and \
+                token_document.getValidationState() == 'validated' and \
+                token_document.getDestinationReference() is not None:
+                  creds['external_login'] = \
+                    token_document.getDestinationReference()
+          finally:
+            setSecurityManager(sm)
+          if 'external_login' in  creds:
+            creds['external_login'] = token
+            creds['remote_host'] = request.get('REMOTE_HOST', '')
+            try:
+              creds['remote_address'] = request.getClientAddr()
+            except AttributeError:
+              creds['remote_address'] = request.get('REMOTE_ADDR', '')
+            return creds
+
+
+    # fallback to default way
+    return DumbHTTPExtractor().extractCredentials(request)
+
+#List implementation of class
+classImplements( ERP5BearerExtractionPlugin,
+                plugins.ILoginPasswordHostExtractionPlugin
+               )
+InitializeClass(ERP5BearerExtractionPlugin)
--- a/product/ERP5Security/__init__.py
+++ b/product/ERP5Security/__init__.py
@@ -27,6 +27,7 @@ import ERP5RoleManager
 import ERP5UserFactory
 import ERP5KeyAuthPlugin
 import ERP5ExternalAuthenticationPlugin
+import ERP5BearerExtractionPlugin

 def mergedLocalRoles(object):
  """Returns a merging of object and its ancestors'
@@ -62,6 +63,7 @@ registerMultiPlugin(ERP5RoleManager.ERP5RoleManager.meta_type)
 registerMultiPlugin(ERP5UserFactory.ERP5UserFactory.meta_type)
 registerMultiPlugin(ERP5KeyAuthPlugin.ERP5KeyAuthPlugin.meta_type)
 registerMultiPlugin(ERP5ExternalAuthenticationPlugin.ERP5ExternalAuthenticationPlugin.meta_type)
+registerMultiPlugin(ERP5BearerExtractionPlugin.ERP5BearerExtractionPlugin.meta_type)

 def initialize(context):

@@ -119,6 +121,15 @@ def initialize(context):
                         , icon='www/portal.gif'
                         )

+    context.registerClass( ERP5BearerExtractionPlugin.ERP5BearerExtractionPlugin
+                         , permission=ManageUsers
+                         , constructors=(
+                            ERP5BearerExtractionPlugin.manage_addERP5BearerExtractionPluginForm,
+                            ERP5BearerExtractionPlugin.addERP5BearerExtractionPlugin, )
+                         , visibility=None
+                         , icon='www/portal.gif'
+                         )
+
 from AccessControl.SecurityInfo import ModuleSecurityInfo
 ModuleSecurityInfo('Products.ERP5Security.ERP5UserManager').declarePublic(
  'getUserByLogin')
--- a/product/ERP5Security/www/ERP5Security_addERP5BearerExtractionPlugin.zpt
+++ b/product/ERP5Security/www/ERP5Security_addERP5BearerExtractionPlugin.zpt
+<h1 tal:replace="structure context/manage_page_header">PAGE HEADER</h1>
+<h2 tal:define="form_title string:Add ERP5 Bearer Extraction Plugin"
+    tal:replace="structure context/manage_form_title">FORM TITLE</h2>
+
+<p class="form-help">Please input the configuration</p>
+
+<form action="addERP5BearerExtractionPlugin" method="POST">
+<table cellspacing="0" cellpadding="2" border="0">
+  <tr>
+    <td align="left" valign="top">
+    <div class="form-label">
+    Id
+    </div>
+    </td>
+    <td align="left" valign="top">
+    <input type="text" name="id" size="40" />
+    </td>
+  </tr>
+  <tr>
+    <td align="left" valign="top">
+    <div class="form-label">
+    Title
+    </div>
+    </td>
+    <td align="left" valign="top">
+    <input type="text" name="title" size="40" />
+    </td>
+  </tr>
+  <tr>
+    <td align="left" valign="top">
+    <div class="form-label">
+    Portal Type with tokens
+    </div>
+    </td>
+    <td align="left" valign="top">
+    <input type="text" name="token_portal_type" size="40" />
+    </td>
+  </tr>
+  <tr>
+    <td colspan="2"> <input type="submit" value="add plugin"/>
+    </td>
+  </tr>
+</table>
+</form>
+
+<h1 tal:replace="structure context/manage_page_footer">PAGE FOOTER</h1>