Commit 66dce3b4 authored by Łukasz Nowak's avatar Łukasz Nowak Committed by Rafael Monnerat

Delegate token validation.

By requiring token_validation_method, the extraction plugin is only responsible
for the low-level implementation.
parent 8ea51d93
...@@ -40,6 +40,7 @@ from AccessControl.SecurityManagement import getSecurityManager,\ ...@@ -40,6 +40,7 @@ from AccessControl.SecurityManagement import getSecurityManager,\
setSecurityManager, newSecurityManager setSecurityManager, newSecurityManager
from DateTime import DateTime from DateTime import DateTime
from Products.ZSQLCatalog.SQLCatalog import SimpleQuery from Products.ZSQLCatalog.SQLCatalog import SimpleQuery
from zLOG import LOG, INFO
#Form for new plugin in ZMI #Form for new plugin in ZMI
manage_addERP5BearerExtractionPluginForm = PageTemplateFile( manage_addERP5BearerExtractionPluginForm = PageTemplateFile(
...@@ -47,10 +48,11 @@ manage_addERP5BearerExtractionPluginForm = PageTemplateFile( ...@@ -47,10 +48,11 @@ manage_addERP5BearerExtractionPluginForm = PageTemplateFile(
__name__='manage_addERP5BearerExtractionPluginForm') __name__='manage_addERP5BearerExtractionPluginForm')
def addERP5BearerExtractionPlugin(dispatcher, id, token_portal_type, def addERP5BearerExtractionPlugin(dispatcher, id, token_portal_type,
title=None, REQUEST=None): token_validation_method, title=None, REQUEST=None):
""" Add a ERP5BearerExtractionPlugin to a Pluggable Auth Service. """ """ Add a ERP5BearerExtractionPlugin to a Pluggable Auth Service. """
plugin = ERP5BearerExtractionPlugin(id, token_portal_type, title) plugin = ERP5BearerExtractionPlugin(id, token_portal_type,
token_validation_method, title)
dispatcher._setObject(plugin.getId(), plugin) dispatcher._setObject(plugin.getId(), plugin)
if REQUEST is not None: if REQUEST is not None:
...@@ -68,6 +70,7 @@ class ERP5BearerExtractionPlugin(BasePlugin): ...@@ -68,6 +70,7 @@ class ERP5BearerExtractionPlugin(BasePlugin):
meta_type = "ERP5 Bearer Extraction Plugin" meta_type = "ERP5 Bearer Extraction Plugin"
security = ClassSecurityInfo() security = ClassSecurityInfo()
token_portal_type = '' token_portal_type = ''
token_validation_method = ''
manage_options = (({'label': 'Edit', manage_options = (({'label': 'Edit',
'action': 'manage_editERP5BearerExtractionPluginForm',}, 'action': 'manage_editERP5BearerExtractionPluginForm',},
...@@ -80,15 +83,20 @@ class ERP5BearerExtractionPlugin(BasePlugin): ...@@ -80,15 +83,20 @@ class ERP5BearerExtractionPlugin(BasePlugin):
'mode':'w', 'mode':'w',
'label':'Portal Type with tokens' 'label':'Portal Type with tokens'
}, },
) {'id':'token_validation_method',
'type':'string',
'mode':'w',
'label':'Method to validate found token'
}, )
+ BasePlugin._properties[:] + BasePlugin._properties[:]
) )
def __init__(self, id, token_portal_type, title=None): def __init__(self, id, token_portal_type, token_validation_method, title=None):
#Register value #Register value
self._setId(id) self._setId(id)
self.title = title self.title = title
self.token_portal_type = token_portal_type self.token_portal_type = token_portal_type
self.token_validation_method = token_validation_method
#################################### ####################################
#ILoginPasswordHostExtractionPlugin# #ILoginPasswordHostExtractionPlugin#
...@@ -116,25 +124,31 @@ class ERP5BearerExtractionPlugin(BasePlugin): ...@@ -116,25 +124,31 @@ class ERP5BearerExtractionPlugin(BasePlugin):
# Not implemented as considered as unsecure. # Not implemented as considered as unsecure.
pass pass
if token is not None: if token is not None and self.token_portal_type \
and self.token_validation_method:
sm = getSecurityManager() sm = getSecurityManager()
if sm.getUser().getId() != SUPER_USER: if sm.getUser().getId() != SUPER_USER:
newSecurityManager(self, self.getUser(SUPER_USER)) newSecurityManager(self, self.getUser(SUPER_USER))
try: try:
now = DateTime()
token_document = self.portal_catalog.getResultValue( token_document = self.portal_catalog.getResultValue(
portal_type=self.token_portal_type, portal_type=self.token_portal_type,
reference=token, reference=token,
query=SimpleQuery(comparison_operator='>=', expiration_date=now), query=SimpleQuery(
comparison_operator='>=', expiration_date=DateTime()
),
validation_state='validated' validation_state='validated'
) )
if token_document is not None: if token_document is not None:
if token_document.getReference() == token and \ result = False
token_document.getExpirationDate() >= now and \ try:
token_document.getValidationState() == 'validated' and \ result = getattr(token_document,
token_document.getDestinationReference() is not None: self.token_validation_method)()
creds['external_login'] = \ except Exception:
token_document.getDestinationReference() LOG('BearerExtractionPlugin', INFO, 'Problem while calling token '
'validation method %r on %r:' % (self.token_validation_method,
token_document.getPath()), error=True)
if result is True:
creds['external_login'] = token_document.getDestinationReference()
finally: finally:
setSecurityManager(sm) setSecurityManager(sm)
if 'external_login' in creds: if 'external_login' in creds:
...@@ -153,15 +167,19 @@ class ERP5BearerExtractionPlugin(BasePlugin): ...@@ -153,15 +167,19 @@ class ERP5BearerExtractionPlugin(BasePlugin):
globals(), globals(),
__name__='manage_editERP5BearerExtractionPluginForm') __name__='manage_editERP5BearerExtractionPluginForm')
security.declareProtected(ManageUsers, 'manage_editERP5BearerExtractionPlugin') security.declareProtected(ManageUsers,
def manage_editERP5BearerExtractionPlugin(self, token_portal_type, RESPONSE=None): 'manage_editERP5BearerExtractionPlugin')
def manage_editERP5BearerExtractionPlugin(self, token_portal_type,
token_validation_method, RESPONSE=None):
"""Edit the object""" """Edit the object"""
error_message = '' error_message = ''
if token_portal_type == '' or token_portal_type is None: if token_portal_type == '' or token_portal_type is None or \
token_validation_method == '' or token_validation_method is None:
error_message += 'Token Portal Type is missing ' error_message += 'Token Portal Type is missing '
else: else:
self.token_portal_type = token_portal_type self.token_portal_type = token_portal_type
self.token_validation_method = token_validation_method
#Redirect #Redirect
if RESPONSE is not None: if RESPONSE is not None:
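Review bot: The new `if result is True:` branch drops the old `getDestinationReference() is not None` guard, so a token whose validation method returns True but that carries no destination reference sets `creds['external_login']` to None, and the `if 'external_login' in creds:` test that follows still treats it as a successful extraction; keep the check, `if result is True and token_document.getDestinationReference() is not None:`. The `except Exception:` around the delegated call also swallows ZODB ConflictError, which in Zope should propagate rather than be logged (`except ConflictError: raise` before the generic handler). The configured method is invoked while the security manager has been switched to SUPER_USER, so whatever name is stored through manage_editERP5BearerExtractionPlugin runs with those privileges; a comment on the `getattr` line such as `# called as SUPER_USER: the method name is admin-configured, keep it to a read-only validator` would make that explicit for maintainers. In the manage_edit hunk the message `'Token Portal Type is missing '` is also appended when only token_validation_method is empty, which misreports the cause. extractCredentials starts and ends outside the hunk.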
...@@ -36,6 +36,12 @@ ...@@ -36,6 +36,12 @@
<input type="text" name="token_portal_type" size="40" /> <input type="text" name="token_portal_type" size="40" />
</td> </td>
</tr> </tr>
<tr>
<td>Method to validate found token</td>
<td>
<input type="text" name="token_validation_method" value=""/>
</td>
</tr>
<tr> <tr>
<td colspan="2"> <input type="submit" value="add plugin"/> <td colspan="2"> <input type="submit" value="add plugin"/>
</td> </td>
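Review bot: The new `token_validation_method` input in the add form is declared without the `size="40"` the neighbouring `token_portal_type` input uses, so the two fields render at different widths; for consistency write `<input type="text" name="token_validation_method" size="40" />`. The same field in the edit form section below is also missing the attribute.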
...@@ -7,7 +7,7 @@ ...@@ -7,7 +7,7 @@
<form action="manage_editERP5BearerExtractionPlugin" method="POST"> <form action="manage_editERP5BearerExtractionPlugin" method="POST">
<table tal:define="token_portal_type request/token_portal_type|context/token_portal_type|string:;"> <table tal:define="token_portal_type request/token_portal_type|context/token_portal_type|string:; token_validation_method request/token_validation_method|context/token_validation_method|string:;">
<tr> <tr>
<td>Portal Type with tokens</td> <td>Portal Type with tokens</td>
...@@ -16,6 +16,13 @@ ...@@ -16,6 +16,13 @@
tal:attributes="value token_portal_type;" /> tal:attributes="value token_portal_type;" />
</td> </td>
</tr> </tr>
<tr>
<td>Method to validate found token</td>
<td>
<input type="text" name="token_validation_method" value=""
tal:attributes="value token_validation_method;" />
</td>
</tr>
<tr> <tr>
<td colspan="2"> <td colspan="2">
<input type="submit" value="save"/> <input type="submit" value="save"/>