mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-17 19:52:58 -06:00
010fb65bfd
This has the side-effect of removing the realm from Loggin in as. This can be changed by using user_name instead of display_name in master.kid.
122 lines
3.5 KiB
Python
122 lines
3.5 KiB
Python
from turbogears.identity.soprovider import *
|
|
from turbogears.identity.visitor import *
|
|
import logging
|
|
import os
|
|
|
|
log = logging.getLogger("turbogears.identity")
|
|
|
|
class IPA_User(object):
|
|
'''
|
|
Shell of a User definition. We don't really need much here.
|
|
'''
|
|
|
|
def __init__(self, user_name):
|
|
self.user_name = user_name
|
|
(principal, realm) = user_name.split('@')
|
|
self.display_name = principal
|
|
self.permissions = None
|
|
self.groups = None
|
|
return
|
|
|
|
class ProxyIdentity(object):
|
|
def __init__(self, visit_key, user=None):
|
|
self._user= user
|
|
self.visit_key= visit_key
|
|
|
|
def _get_user(self):
|
|
try:
|
|
return self._user
|
|
except AttributeError:
|
|
# User hasn't already been set
|
|
return None
|
|
user= property(_get_user)
|
|
|
|
def _get_user_name(self):
|
|
if not self._user:
|
|
return None
|
|
return self._user.user_name
|
|
user_name= property(_get_user_name)
|
|
|
|
def _get_display_name(self):
|
|
if not self._user:
|
|
return None
|
|
return self._user.display_name
|
|
display_name= property(_get_display_name)
|
|
|
|
def _get_anonymous(self):
|
|
return not self._user
|
|
anonymous= property(_get_anonymous)
|
|
|
|
def _get_permissions(self):
|
|
try:
|
|
return self._permissions
|
|
except AttributeError:
|
|
# Permissions haven't been computed yet
|
|
return None
|
|
permissions= property(_get_permissions)
|
|
|
|
def _get_groups(self):
|
|
try:
|
|
return self._groups
|
|
except AttributeError:
|
|
# Groups haven't been computed yet
|
|
return None
|
|
groups= property(_get_groups)
|
|
|
|
def logout(self):
|
|
'''
|
|
Remove the link between this identity and the visit.
|
|
'''
|
|
# Clear the current identity
|
|
anon= ProxyObjectIdentity(None,None)
|
|
#XXX if user is None anonymous will be true, no need to set attr.
|
|
#anon.anonymous= True
|
|
identity.set_current_identity( anon )
|
|
|
|
class ProxyIdentityProvider(SqlObjectIdentityProvider):
|
|
'''
|
|
IdentityProvider that uses REMOTE_USER from Apache
|
|
'''
|
|
def __init__(self):
|
|
super(ProxyIdentityProvider, self).__init__()
|
|
get = turbogears.config.get
|
|
# We can get any config variables here
|
|
log.info( "Proxy Identity starting" )
|
|
|
|
def create_provider_model(self):
|
|
pass
|
|
|
|
def validate_identity(self, user_name, password, visit_key):
|
|
user = IPA_User(user_name)
|
|
log.debug( "validate_identity %s" % user_name)
|
|
|
|
return ProxyIdentity(visit_key, user)
|
|
|
|
def validate_password(self, user, user_name, password):
|
|
'''Validation has already occurred in the proxy'''
|
|
return True
|
|
|
|
def load_identity(self, visit_key):
|
|
try:
|
|
user_name= cherrypy.request.headers['X-FORWARDED-USER']
|
|
os.environ["KRB5CCNAME"] = cherrypy.request.headers['X-FORWARDED-KEYTAB']
|
|
# user_name = "test@FREEIPA.ORG"
|
|
# os.environ["KRB5CCNAME"] = "FILE:/tmp/krb5cc_500"
|
|
except KeyError:
|
|
return None
|
|
set_login_attempted( True )
|
|
return self.validate_identity( user_name, None, visit_key )
|
|
|
|
def anonymous_identity( self ):
|
|
'''
|
|
This shouldn't ever happen in IPA but including it to include the
|
|
entire identity API.
|
|
'''
|
|
return ProxyIdentity( None )
|
|
|
|
def authenticated_identity(self, user):
|
|
'''
|
|
Constructs Identity object for user that has no associated visit_key.
|
|
'''
|
|
return ProxyIdentity(None, user)
|