# -*- coding: utf-8 -*-
##############################################################################
#
# Copyright (c) 2012 Nexedi SA and Contributors. All Rights Reserved.
#
# WARNING: This program as such is intended to be used by professional
# programmers who take the whole responsibility of assessing all potential
# consequences resulting from its eventual inadequacies and bugs
# End users who are looking for a ready-to-use solution with commercial
# guarantees and support are strongly advised to contract a Free Software
# Service Company
#
# This program is Free Software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
#
##############################################################################

from Products.ERP5Type.Globals import InitializeClass
from AccessControl import ClassSecurityInfo

from Products.PageTemplates.PageTemplateFile import PageTemplateFile
from Products.PluggableAuthService.interfaces import plugins
from Products.PluggableAuthService.utils import classImplements
from Products.PluggableAuthService.plugins.BasePlugin import BasePlugin
from Products.ERP5Security.ERP5UserManager import SUPER_USER
from Products.PluggableAuthService.PluggableAuthService import DumbHTTPExtractor
from AccessControl.SecurityManagement import getSecurityManager,\
    setSecurityManager, newSecurityManager
from Products.ERP5Type.Cache import DEFAULT_CACHE_SCOPE
import socket
from Products.ERP5Security.ERP5UserManager import getUserByLogin
from zLOG import LOG, ERROR, INFO

try:
  import facebook
except ImportError:
  # Optional dependency (facebook-sdk). ERP5FacebookExtractionPlugin checks
  # this sentinel and refuses to authenticate when the module is missing.
  facebook = None

try:
  import apiclient.discovery
  import httplib2
  import oauth2client.client
except ImportError:
  # Optional dependencies (google-api-python-client). httplib2 is the only
  # sentinel ERP5GoogleExtractionPlugin checks, so failing to import any of
  # the three modules disables that plugin.
  httplib2 = None

# ZMI form used to add an ERP5FacebookExtractionPlugin; it posts to
# addERP5FacebookExtractionPlugin below.
manage_addERP5FacebookExtractionPluginForm = PageTemplateFile(
  'www/ERP5Security_addERP5FacebookExtractionPlugin', globals(),
  __name__='manage_addERP5FacebookExtractionPluginForm')

def addERP5FacebookExtractionPlugin(dispatcher, id, title=None, REQUEST=None):
  """ Add a ERP5FacebookExtractionPlugin to a Pluggable Auth Service.

  When called through the ZMI (REQUEST given) the browser is sent back to
  the dispatcher's manage_workspace with a confirmation message.
  """
  new_plugin = ERP5FacebookExtractionPlugin(id, title)
  dispatcher._setObject(new_plugin.getId(), new_plugin)
  if REQUEST is None:
    return
  redirect_url = (
    '%s/manage_workspace'
    '?manage_tabs_message='
    'ERP5FacebookExtractionPlugin+added.'
    % dispatcher.absolute_url())
  REQUEST['RESPONSE'].redirect(redirect_url)

# ZMI form used to add an ERP5GoogleExtractionPlugin; it posts to
# addERP5GoogleExtractionPlugin below.
manage_addERP5GoogleExtractionPluginForm = PageTemplateFile(
  'www/ERP5Security_addERP5GoogleExtractionPlugin', globals(),
  __name__='manage_addERP5GoogleExtractionPluginForm')

def addERP5GoogleExtractionPlugin(dispatcher, id, title=None, REQUEST=None):
  """ Add a ERP5GoogleExtractionPlugin to a Pluggable Auth Service.

  When called through the ZMI (REQUEST given) the browser is sent back to
  the dispatcher's manage_workspace with a confirmation message.
  """
  new_plugin = ERP5GoogleExtractionPlugin(id, title)
  dispatcher._setObject(new_plugin.getId(), new_plugin)
  if REQUEST is None:
    return
  redirect_url = (
    '%s/manage_workspace'
    '?manage_tabs_message='
    'ERP5GoogleExtractionPlugin+added.'
    % dispatcher.absolute_url())
  REQUEST['RESPONSE'].redirect(redirect_url)

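class ERP5ExternalOauth2ExtractionPlugin:
  """Mixin extracting an external OAuth2 access token from the request.

  Concrete plugins (ERP5FacebookExtractionPlugin, ERP5GoogleExtractionPlugin)
  provide:

  - ``prefix``: namespace prepended to cache keys and user references;
  - ``header_string``: marker looked for in the ``Authorization`` header;
  - ``getUserEntry(token)``: resolves a token against the provider and
    returns a dict holding at least ``reference`` (the ERP5 login), or
    ``None`` / an empty dict when the provider does not vouch for the token.

  A token that resolved once is remembered in the ``cache_factory_name``
  cache factory so the provider is not contacted on every request; when that
  factory is not configured the plugin still works, just without caching.
  """

  # Id of the cache factory looked up in portal_caches. The misspelling is
  # the configured id and must not be corrected here.
  cache_factory_name = 'extrenal_oauth2_token_cache_factory'
  security = ClassSecurityInfo()

  def __init__(self, id, title=None):
    """Register the plugin id and optional title."""
    self._setId(id)
    self.title = title

  #####################
  # memcached helpers #
  #####################
  def _getCacheFactory(self):
    """Return the cache factory named ``cache_factory_name``.

    Raises KeyError when no such factory is available on this node.
    """
    cache_tool = self.getPortalObject().portal_caches
    cache_factory = cache_tool.getRamCacheRoot().get(self.cache_factory_name)
    # XXX This conditional statement should be removed as soon as
    # broadcasting is enabled among all zeo clients: an interaction updating
    # portal_caches should reach every node.
    if cache_factory is None \
        and getattr(cache_tool, self.cache_factory_name, None) is not None:
      # ram_cache_root is not up to date for the current node
      cache_tool.updateCache()
    cache_factory = cache_tool.getRamCacheRoot().get(self.cache_factory_name)
    if cache_factory is None:
      raise KeyError(self.cache_factory_name)
    return cache_factory

  def setToken(self, key, body):
    """Store *body* under *key* in every plugin of the cache factory.

    Raises KeyError when the cache factory is not configured.
    """
    cache_factory = self._getCacheFactory()
    cache_duration = cache_factory.cache_duration
    for cache_plugin in cache_factory.getCachePluginList():
      cache_plugin.set(key, DEFAULT_CACHE_SCOPE,
                       body, cache_duration=cache_duration)

  def getToken(self, key):
    """Return the value cached under *key*.

    Raises KeyError when the cache factory is not configured or no cache
    plugin holds the key.
    """
    cache_factory = self._getCacheFactory()
    for cache_plugin in cache_factory.getCachePluginList():
      cache_entry = cache_plugin.get(key, DEFAULT_CACHE_SCOPE)
      if cache_entry is not None:
        return cache_entry.getValue()
    raise KeyError('Key %r not found' % key)

  ####################################
  #ILoginPasswordHostExtractionPlugin#
  ####################################
  def _extractToken(self, request):
    """Return the access token carried by the Authorization header, or None.

    The header is used when it mentions ``header_string`` and is made of
    exactly two words; the second word is the token.
    NOTE(review): the match is a substring test over the whole header, so any
    scheme whose header text happens to contain ``header_string`` is
    accepted; comparing the first word alone would be stricter -- confirm
    the header format clients send before tightening it.
    """
    auth = request._auth
    if auth is None or self.header_string.lower() not in auth.lower():
      return None
    word_list = auth.split()
    if len(word_list) != 2:
      return None
    return word_list[1]

  def _createUser(self, tag, user, user_entry):
    """Call Base_createOauth2User(tag, **user_entry) as SUPER_USER.

    The caller's security manager is restored afterwards whether or not the
    script succeeds; a failure is logged and re-raised.
    """
    sm = getSecurityManager()
    if sm.getUser().getId() != SUPER_USER:
      newSecurityManager(self, self.getUser(SUPER_USER))
    try:
      self.REQUEST['USER_CREATION_IN_PROGRESS'] = user
      try:
        self.Base_createOauth2User(tag, **user_entry)
      except Exception:
        LOG('ERP5ExternalOauth2ExtractionPlugin', ERROR,
            'Issue while calling creation script:', error=True)
        raise
    finally:
      setSecurityManager(sm)

  security.declarePrivate('extractCredentials')
  def extractCredentials(self, request):
    """ Extract Oauth2 credentials from the request header.

    Returns a dict with ``external_login`` (the user reference),
    ``remote_host`` and ``remote_address`` when the header carries a token
    that the provider resolves to a user, creating the ERP5 user on first
    sight. In every other case the request is handed to DumbHTTPExtractor so
    the usual HTTP authentication keeps working.
    """
    portal = self.getPortalObject()
    if getattr(portal, 'Base_createOauth2User', None) is None:
      LOG('ERP5ExternalOauth2ExtractionPlugin', INFO,
          'No Base_createOauth2User script available, install '
            'erp5_credential_oauth2, disabled authentication.')
      return DumbHTTPExtractor().extractCredentials(request)

    token = self._extractToken(request)
    if token is None:
      # no token
      return DumbHTTPExtractor().extractCredentials(request)

    # NOTE(review): the raw token is the cache key, so it is visible to every
    # cache plugin of the factory (a shared memcached included).
    cache_key = self.prefix + token
    user = None
    user_entry = None
    try:
      user = self.getToken(cache_key)
    except KeyError:
      user_entry = self.getUserEntry(token)
      # None or an empty dict means the provider did not resolve the token;
      # a missing 'reference' is treated the same way instead of raising.
      if user_entry:
        user = user_entry.get('reference')
    if user is None:
      # fallback to default way
      return DumbHTTPExtractor().extractCredentials(request)

    tag = '%s_user_creation_in_progress' % user
    if portal.portal_activities.countMessageWithTag(tag) > 0:
      self.REQUEST['USER_CREATION_IN_PROGRESS'] = user
    elif not getUserByLogin(portal, user):
      # first sight of this external account: create the ERP5 user
      if user_entry is None:
        user_entry = self.getUserEntry(token)
      if not user_entry:
        # the token was cached but the provider no longer vouches for it
        return DumbHTTPExtractor().extractCredentials(request)
      self._createUser(tag, user, user_entry)

    try:
      self.setToken(cache_key, user)
    except KeyError:
      # allow to work w/o cache
      pass

    creds = {
      'external_login': user,
      'remote_host': request.get('REMOTE_HOST', ''),
    }
    try:
      creds['remote_address'] = request.getClientAddr()
    except AttributeError:
      creds['remote_address'] = request.get('REMOTE_ADDR', '')
    return creds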

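class ERP5FacebookExtractionPlugin(ERP5ExternalOauth2ExtractionPlugin, BasePlugin):
  """
  Plugin authenticating users through Facebook OAuth2 access tokens.
  """

  meta_type = "ERP5 Facebook Extraction Plugin"
  prefix = 'fb_'
  header_string = 'facebook'

  def getUserEntry(self, token):
    """Resolve *token* against the Facebook Graph API.

    Returns a dict with ``reference`` (``prefix`` + the Facebook id),
    ``first_name``, ``last_name`` and ``email``, all utf-8 encoded, or
    ``None`` when facebook-sdk is missing, the Graph API call fails or the
    answer lacks one of those fields.
    """
    if facebook is None:
      LOG('ERP5FacebookExtractionPlugin', INFO,
          'No facebook module, install facebook-sdk package. '
            'Authentication disabled.')
      return None

    timeout = socket.getdefaulttimeout()
    try:
      # require really fast interaction
      # NOTE(review): setdefaulttimeout is process-wide, so sockets opened by
      # other threads during this window get the 5s timeout too.
      socket.setdefaulttimeout(5)
      facebook_entry = facebook.GraphAPI(token).get_object("me")
    except Exception:
      # network failure or a token the provider rejects: no entry
      facebook_entry = None
    finally:
      socket.setdefaulttimeout(timeout)
    if facebook_entry is None:
      return None

    # sanitise value: keep only the fields we use, utf-8 encoded
    try:
      return {
        'reference': self.prefix + facebook_entry['id'].encode('utf-8'),
        'first_name': facebook_entry['first_name'].encode('utf-8'),
        'last_name': facebook_entry['last_name'].encode('utf-8'),
        'email': facebook_entry['email'].encode('utf-8'),
      }
    except KeyError:
      # an incomplete answer cannot be used to create a user
      return None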

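class ERP5GoogleExtractionPlugin(ERP5ExternalOauth2ExtractionPlugin, BasePlugin):
  """
  Plugin authenticating users through Google OAuth2 access tokens.
  """

  meta_type = "ERP5 Google Extraction Plugin"
  prefix = 'go_'
  header_string = 'google'

  def getUserEntry(self, token):
    """Resolve *token* against the Google oauth2 v1 userinfo service.

    Returns a dict with ``reference`` (``prefix`` + the Google id),
    ``first_name``, ``last_name`` and ``email``, all utf-8 encoded, or
    ``None`` when the Google client libraries are missing, the userinfo call
    fails or the answer lacks one of those fields.
    """
    if httplib2 is None:
      LOG('ERP5GoogleExtractionPlugin', INFO,
        'No Google modules available, please install google-api-python-client '
        'package. Authentication disabled..')
      return None

    timeout = socket.getdefaulttimeout()
    try:
      # require really fast interaction
      # NOTE(review): setdefaulttimeout is process-wide, so sockets opened by
      # other threads during this window get the 5s timeout too.
      socket.setdefaulttimeout(5)
      http = oauth2client.client.AccessTokenCredentials(token, 'ERP5 Client'
        ).authorize(httplib2.Http())
      service = apiclient.discovery.build("oauth2", "v1", http=http)
      google_entry = service.userinfo().get().execute()
    except Exception:
      # network failure or a token the provider rejects: no entry
      google_entry = None
    finally:
      socket.setdefaulttimeout(timeout)
    if google_entry is None:
      return None

    # sanitise value: (our field, Google userinfo field), utf-8 encoded
    field_map = (('first_name', 'given_name'),
                 ('last_name', 'family_name'),
                 ('reference', 'id'),
                 ('email', 'email'))
    user_entry = {}
    try:
      for name, google_name in field_map:
        value = google_entry[google_name].encode('utf-8')
        if name == 'reference':
          value = self.prefix + value
        user_entry[name] = value
    except KeyError:
      # an incomplete answer cannot be used to create a user
      return None
    return user_entry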

# Declare the PAS interface the plugin implements and initialize its Zope
# class security (ClassSecurityInfo declarations).
classImplements( ERP5FacebookExtractionPlugin,
                plugins.ILoginPasswordHostExtractionPlugin
               )
InitializeClass(ERP5FacebookExtractionPlugin)

# Same declarations for the Google plugin.
classImplements( ERP5GoogleExtractionPlugin,
                plugins.ILoginPasswordHostExtractionPlugin
               )
InitializeClass(ERP5GoogleExtractionPlugin)