import logging import features from collections import namedtuple from data import model from data.users.shared import can_create_user from util.validation import generate_valid_usernames logger = logging.getLogger(__name__) UserInformation = namedtuple('UserInformation', ['username', 'email', 'id']) DISABLED_MESSAGE = 'User creation is disabled. Please contact your adminstrator to gain access.' class FederatedUsers(object): """ Base class for all federated users systems. """ def __init__(self, federated_service, requires_email): self._federated_service = federated_service self._requires_email = requires_email @property def federated_service(self): return self._federated_service @property def supports_fresh_login(self): return True @property def supports_encrypted_credentials(self): return True @property def requires_distinct_cli_password(self): # Since the federated auth provides a password which works on the CLI. return False def get_user(self, username_or_email): """ Retrieves the user with the given username or email, returning a tuple containing a UserInformation (if success) and the error message (on failure). """ raise NotImplementedError def verify_credentials(self, username_or_email, password): """ Verifies the given credentials against the backing federated service, returning a tuple containing a UserInformation (on success) and the error message (on failure). """ raise NotImplementedError def query_users(self, query, limit=20): """ If implemented, get_user must be implemented as well. """ return (None, 'Not supported') def link_user(self, username_or_email): (user_info, err_msg) = self.get_user(username_or_email) if user_info is None: return (None, err_msg) return self.get_and_link_federated_user_info(user_info) def get_and_link_federated_user_info(self, user_info, internal_create=False): return self._get_and_link_federated_user_info(user_info.username, user_info.email, internal_create=internal_create) def verify_and_link_user(self, username_or_email, password): """ Verifies the given credentials and, if valid, creates/links a database user to the associated federated service. """ (credentials, err_msg) = self.verify_credentials(username_or_email, password) if credentials is None: return (None, err_msg) return self._get_and_link_federated_user_info(credentials.username, credentials.email) def confirm_existing_user(self, username, password): """ Confirms that the given *database* username and service password are valid for the linked service. This method is used when the federated service's username is not known. """ db_user = model.user.get_user(username) if not db_user: return (None, 'Invalid user') federated_login = model.user.lookup_federated_login(db_user, self._federated_service) if not federated_login: return (None, 'Invalid user') (credentials, err_msg) = self.verify_credentials(federated_login.service_ident, password) if credentials is None: return (None, err_msg) return (db_user, None) def service_metadata(self): """ Returns a dictionary of extra metadata to present to *superusers* about this auth engine. For example, LDAP returns the base DN so we can display to the user during sync setup. """ return {} def check_group_lookup_args(self, group_lookup_args): """ Verifies that the given group lookup args point to a valid group. Returns a tuple consisting of a boolean status and an error message (if any). """ return (False, 'Not supported') def iterate_group_members(self, group_lookup_args, page_size=None, disable_pagination=False): """ Returns an iterator over all the members of the group matching the given lookup args dictionary. The format of the lookup args dictionary is specific to the implementation. """ return (None, 'Not supported') def _get_and_link_federated_user_info(self, username, email, internal_create=False): db_user = model.user.verify_federated_login(self._federated_service, username) if not db_user: # We must create the user in our db. Check to see if this is allowed (except for internal # creation, which is always allowed). if not internal_create and not can_create_user(email): return (None, DISABLED_MESSAGE) valid_username = None for valid_username in generate_valid_usernames(username): if model.user.is_username_unique(valid_username): break if not valid_username: logger.error('Unable to pick a username for user: %s', username) return (None, 'Unable to pick a username. Please report this to your administrator.') prompts = model.user.get_default_user_prompts(features) try: db_user = model.user.create_federated_user(valid_username, email, self._federated_service, username, set_password_notification=False, email_required=self._requires_email, confirm_username=features.USERNAME_CONFIRMATION, prompts=prompts) except model.InvalidEmailAddressException as iae: return (None, iae.message) else: # Update the db attributes from the federated service. if email and db_user.email != email: db_user.email = email db_user.save() return (db_user, None)