IdentityManagement: sosmbprovider.2.py

# sosmbprovider.py
"""
NOTE: This is intended as "example code", not as a finished product!
Use at your own risk. (etc.)

Written by Joel Pearson for the TurboGears project.

This is a TurboGears Identity provider where passwords are checked against
a Windows/Samba domain. It is a subclass of SqlObjectIdentityProvider,
which provides all functionality except password checking, including
the models for users and groups.

Requires Python Win32 extensions, so it only works on Windows servers.

To use:

1) Install the Win32 extensions.

2) Follow all instructions provided for setting up and using the SqlObjectProvider,
including creating the tables and adding users and groups. Try logging in.
MAKE SURE THIS WORKS BEFORE PROCEEDING!

3) Save this file into the identity folder under your TurboGears installation
as "sosmbprovider.py".

4) Edit the entry_points.txt file of your TurboGears installation (such as
C:\Python24\Lib\site-packages\TurboGears-0.9a6-py2.4.egg\EGG-INFO\entry_points.txt)
and add the following line under the [turbogears.identity.provider] section:

sosmbprovider = turbogears.identity.sosmbprovider:SoSmbIdentityProvider

5) Add the following lines under the [global] section in a config file (such as app.cfg):

identity.provider='sosmbprovider'
identity.sosmbprovider.smb_domain="PUT_YOUR_DOMAIN_HERE"

6) Restart TurboGears, and try to log in. Identity should authenticate logins
using the usernames and passwords of the domain you specified in step 4.

IMPORTANT: You still have to create a user record in the database for each
domain user that you want to have log in. The only difference between this 
provider and the standard sqlobject provider is that sosmbprovider ignores 
the password field in the user model, and validates the user-supplied password
against the domain password, instead.

"""

from soprovider import *

from win32security import LogonUser, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT
from win32security import error as LogonError
    
# Global class references -- these will be set when the Provider is initialised.
user_class= None
group_class= None
permission_class= None
visit_class = None
smb_domain = None

class SoSmbIdentityProvider(SqlObjectIdentityProvider):
    '''
    IdentityProvider that uses a model from a database (via SQLObject).
    '''
    
    def __init__(self):
        super(SoSmbIdentityProvider, self).__init__()
        get = turbogears.config.get
        global user_class, group_class, permission_class, visit_class
        global smb_domain

        user_class_path= get( "identity.soprovider.model.user", 
                              __name__ + ".TG_User" )
        #log.debug('userclassp:%s'% user_class_path)
        #user_class_path = 'kronos.model.Person'
        user_class= load_class(user_class_path)
        if user_class:
            log.info("Succesfully loaded \"%s\"" % user_class_path)
        try:
            self.user_class_db_encoding= \
                user_class.sqlmeta.columns['user_name'].dbEncoding
        except (KeyError, AttributeError):
            self.user_class_db_encoding= 'UTF-8'
        group_class_path= get( "identity.soprovider.model.group",
                                __name__ + ".TG_Group" )
        group_class= load_class(group_class_path)
        if group_class:
            log.info("Succesfully loaded \"%s\"" % group_class_path)
            
        permission_class_path= get( "identity.soprovider.model.permission",
                                    __name__ + ".TG_Permission" )
        permission_class= load_class(permission_class_path)
        if permission_class:
            log.info("Succesfully loaded \"%s\"" % permission_class_path)
        
        visit_class_path= get( "visit.soprovider.model",
                                __name__ + ".TG_VisitIdentity" )
        visit_class= load_class(visit_class_path)
        if visit_class:
            log.info("Succesfully loaded \"%s\"" % visit_class_path)
        
        smb_domain = get("identity.sosmbprovider.smb_domain", None)
            
    def validate_identity( self, user_name, password, visit_key ):
        '''
        Look up the identity represented by user_name and determine whether the
        password is correct.
        
        Must return either None if the credentials weren't valid or an object
        with the following properties:
            user_name: original user name
            user: a provider dependant object (TG_User or similar)
            groups: a set of group IDs
            permissions: a set of permission IDs
        '''
        try:
            user_name= to_db_encoding( user_name, self.user_class_db_encoding )
            user= user_class.by_user_name( user_name )

            if not self.validate_password(user_name, password):
                log.info( "Passwords don't match for user: %s", user_name )
                return None
            
            # Link the user to the visit
            try:
                link= visit_class.by_visit_key( visit_key )
                link.user_id= user.id
            except SQLObjectNotFound:
                link= visit_class( visit_key=visit_key, user_id=user.id )
            return SqlObjectIdentity( visit_key, user )
            
        except SQLObjectNotFound:
            log.warning( "No such user: %s", user_name )
            return None


    def validate_password(self, user_name, password):
        '''
        Validates user_name and password against a Windows/Samba domain
        specified in the identity.sosmbprovider.smb_domain config parameter.
        It's just a wrapper for win32security.LogonUser().
        '''
        global smb_domain
        try:
            token = LogonUser(user_name, 
                              smb_domain, 
                              password, 
                              LOGON32_LOGON_NETWORK,
                              LOGON32_PROVIDER_DEFAULT)
        except LogonError, e:
            #print e
            return False
        else:
            return bool(token)   # usually True