moved common authorization/authentication classes into their own module to...

moved common authorization/authentication classes into their own module to better reflect their functionality; added checks for admin role name into principal retrievers

moved common authorization/authentication classes into their own module to...
moved common authorization/authentication classes into their own module to better reflect their functionality; added checks for admin role name into principal retrievers
929e91fe · sveseli · 7eb201cb · 929e91fe · 929e91fe · 929e91fe
Commit 929e91fe authored 9 years ago by sveseli
--- a/src/python/dm/common/service/impl/__init__.py
+++ b/src/python/dm/common/service/impl/__init__.py
--- a/src/python/dm/common/service/impl/authorizationPrincipalAuthenticator.py
+++ b/src/python/dm/common/service/impl/authorizationPrincipalAuthenticator.py
--- a/src/python/dm/common/service/impl/authorizationManager.py
+++ b/src/python/dm/common/service/impl/authorizationManager.py
@@ -7,49 +7,33 @@ from dm.common.objects.dmObjectManager import DmObjectManager
 from dm.common.utility.configurationManager import ConfigurationManager
 from dm.common.utility.objectCache import ObjectCache
 from dm.common.utility.cryptUtility import CryptUtility
+from dm.common.utility.objectUtility import ObjectUtility
+from dm.common.utility.singleton import Singleton
-class AuthorizationManager(DmObjectManager):
+class AuthorizationPrincipalManager(DmObjectManager, Singleton):
    DEFAULT_CACHE_SIZE = 10000 # number of items
    DEFAULT_CACHE_OBJECT_LIFETIME = 3600 # seconds
-    CONFIG_SECTION_NAME = 'AuthorizationManager'
+    CONFIG_SECTION_NAME = 'AuthorizationPrincipalManager'
-    ADMIN_GROUP_NAME_KEY = 'admingroupname'
+    ADMIN_ROLE_NAME_KEY = 'adminrolename'
    PRINCIPAL_RETRIEVER_KEY = 'principalretriever'
    PRINCIPAL_AUTHENTICATOR_KEY = 'principalauthenticator'
-    # Get singleton instance.
-    @classmethod
-    def getInstance(cls):
-        from dm.common.service.impl.authorizationManager import AuthorizationManager
-        try:
-            am = AuthorizationManager()
-        except AuthorizationManager, ex:
-            am = ex
-        return am
    # Singleton instance.
    __instance = None
    def __init__(self):
-        if AuthorizationManager.__instance:
+        if AuthorizationPrincipalManager.__instance:
-            raise AuthorizationManager.__instance
+            return
-        AuthorizationManager.__instance = self
+        AuthorizationPrincipalManager.__instance = self
        DmObjectManager.__init__(self)
        self.configurationManager = ConfigurationManager.getInstance()
        self.principalRetriever = None
        self.principalAuthenticatorList = []
-        self.objectCache = ObjectCache(AuthorizationManager.DEFAULT_CACHE_SIZE, AuthorizationManager.DEFAULT_CACHE_OBJECT_LIFETIME)
+        self.objectCache = ObjectCache(AuthorizationPrincipalManager.DEFAULT_CACHE_SIZE, AuthorizationPrincipalManager.DEFAULT_CACHE_OBJECT_LIFETIME)
        self.configure()
-    def createObjectInstance(self, moduleName, className, constructor):
-        self.logger.debug('Creating object: %s, %s, %s' % (moduleName, className, constructor))
-        cmd = 'from %s import %s' % (moduleName, className)
-        exec cmd
-        cmd = 'objectInstance = %s' % (constructor)
-        exec cmd
-        return objectInstance
    @classmethod
    def cryptPassword(cls, cleartext):
        return CryptUtility.cryptPassword(cleartext)
@@ -59,31 +43,32 @@ class AuthorizationManager(DmObjectManager):
        return CryptUtility.cryptPasswordWithPbkdf2(cleartext)
    def configure(self):
-        configItems = self.configurationManager.getConfigItems(AuthorizationManager.CONFIG_SECTION_NAME)
+        configItems = self.configurationManager.getConfigItems(AuthorizationPrincipalManager.CONFIG_SECTION_NAME)
        self.logger.debug('Got config items: %s' % configItems)
-        adminGroupName = self.configurationManager.getConfigOption(AuthorizationManager.CONFIG_SECTION_NAME, AuthorizationManager.ADMIN_GROUP_NAME_KEY)
+        adminRoleName = self.configurationManager.getConfigOption(AuthorizationPrincipalManager.CONFIG_SECTION_NAME, AuthorizationPrincipalManager.ADMIN_ROLE_NAME_KEY)
        # Create principal retriever
-        principalRetriever = self.configurationManager.getConfigOption(AuthorizationManager.CONFIG_SECTION_NAME, AuthorizationManager.PRINCIPAL_RETRIEVER_KEY)
+        principalRetriever = self.configurationManager.getConfigOption(AuthorizationPrincipalManager.CONFIG_SECTION_NAME, AuthorizationPrincipalManager.PRINCIPAL_RETRIEVER_KEY)
-        (moduleName,className,constructor) = self.configurationManager.getModuleClassConstructorTuple(principalRetriever)    
+        (moduleName,className,constructor) = self.configurationManager.getModuleClassConstructorTuple(principalRetriever, AuthorizationPrincipalManager)    
        self.logger.debug('Creating principal retriever class: %s' % className)
-        self.principalRetriever = self.createObjectInstance(moduleName, className, constructor)
+        self.principalRetriever = ObjectUtility.createObjectInstance(moduleName, className, constructor)
-        self.principalRetriever.setAdminGroupName(adminGroupName)
+        if adminRoleName is not None:
+            self.principalRetriever.setAdminRoleName(adminRoleName)
        self.logger.debug('Authorization principal retriever: %s' % (self.principalRetriever))
        # Create principal authenticators
        for (key,value) in configItems:
-            if key.startswith(AuthorizationManager.PRINCIPAL_AUTHENTICATOR_KEY):
+            if key.startswith(AuthorizationPrincipalManager.PRINCIPAL_AUTHENTICATOR_KEY):
-                (moduleName,className,constructor) = self.configurationManager.getModuleClassConstructorTuple(value)    
+                (moduleName,className,constructor) = self.configurationManager.getModuleClassConstructorTuple(value, AuthorizationPrincipalManager)    
                self.logger.debug('Creating principal authenticator class: %s' % className)
-                principalAuthenticator = self.createObjectInstance(moduleName, className, constructor)
+                principalAuthenticator = ObjectUtility.createObjectInstance(moduleName, className, constructor)
                self.addAuthorizationPrincipalAuthenticator(principalAuthenticator)
                self.logger.debug('Authorization principal authenticator: %s' % (principalAuthenticator))
    def addAuthorizationPrincipalAuthenticator(self, principalAuthenticator):
        self.principalAuthenticatorList.append(principalAuthenticator)
-    def getAuthorizationPrincipal(self, username, password):
+    def getAuthenticatedAuthorizationPrincipal(self, username, password):
        """ Get principal based on a username and password """
        # First try cache.
        #self.logger.debug('Trying username %s from the cache' % username)
@@ -116,7 +101,7 @@ class AuthorizationManager(DmObjectManager):
 #######################################################################
 # Testing.
 if __name__ == '__main__':
-    am = AuthorizationManager.getInstance()
+    am = AuthorizationPrincipalManager.getInstance()
    authPrincipal = am.getAuthorizationPrincipal('sveseli', 'sv')
    print 'Auth principal: ', authPrincipal

--- a/src/python/dm/common/service/impl/authorizationPrincipalRetriever.py
+++ b/src/python/dm/common/service/impl/authorizationPrincipalRetriever.py
 #!/usr/bin/env python
+from dm.common.constants import dmRole
 from dm.common.utility.loggingManager import LoggingManager
 class AuthorizationPrincipalRetriever:
    def __init__(self, name=None):
-        self.adminGroupName = None
+        self.adminRoleName = dmRole.DM_ADMIN_ROLE
        self.name = name
        self.logger = LoggingManager.getInstance().getLogger(self.__class__.__name__)
    def getName(self):
        return self.name
-    def setAdminGroupName(self, adminGroupName):
+    def setAdminRoleName(self, adminRoleName):
-        self.adminGroupName = adminGroupName
+        self.adminRoleName = adminRoleName
    def getAuthorizationPrincipal(self, username):
        return None
+    def checkAutorizationPrincipalRole(self, principal):
+        if principal is None or self.adminRoleName is None:
+            return
+        userInfo = principal.getUserInfo()
+        if userInfo is None:
+            return
+        for userSystemRoleName in user.get('userSystemRoleNameList', []):
+            if userSystemRoleName == self.adminRoleName:
+                principal.setRole(dmRole.DM_ADMIN_ROLE)
 #######################################################################
 # Testing.
 if __name__ == '__main__':

--- a/src/python/dm/common/service/impl/cryptedPasswordPrincipalAuthenticator.py
+++ b/src/python/dm/common/service/impl/cryptedPasswordPrincipalAuthenticator.py
--- a/src/python/dm/common/service/impl/dbPrincipalRetriever.py
+++ b/src/python/dm/common/service/impl/dbPrincipalRetriever.py
@@ -15,13 +15,10 @@ class DbPrincipalRetriever(AuthorizationPrincipalRetriever):
        principal = None
        try:
            user = self.dbApi.getUserWithPasswordByUsername(username)
-            principal = AuthorizationPrincipal(username, user.get('password'))
+            principal = AuthorizationPrincipal(name=username, token=user.get('password'))
            principal.setRole(dmRole.DM_USER_ROLE)
            principal.setUserInfo(user)
-            if self.adminGroupName is not None:
+            self.checkAutorizationPrincipalRole(principal)
-                for userGroup in user.get('userGroupList', []):
-                    if userGroup.get('name') == self.adminGroupName:
-                        principal.setRole(dmRole.DM_ADMIN_ROLE)
        except Exception, ex:
            self.logger.debug(ex)
        return principal

--- a/src/python/dm/common/service/impl/ldapPasswordPrincipalAuthenticator.py
+++ b/src/python/dm/common/service/impl/ldapPasswordPrincipalAuthenticator.py
--- a/src/python/dm/common/service/impl/noOpPrincipalRetriever.py
+++ b/src/python/dm/common/service/impl/noOpPrincipalRetriever.py
@@ -11,10 +11,11 @@ class NoOpPrincipalRetriever(AuthorizationPrincipalRetriever):
        AuthorizationPrincipalRetriever.__init__(self, self.__class__.__name__)
    def getAuthorizationPrincipal(self, username):
+        # Set password to be the same as username
        noOpPassword = CryptUtility.cryptPasswordWithPbkdf2(username)
-        principal = AuthorizationPrincipal(username, noOpPassword)
+        principal = AuthorizationPrincipal(name=username, token=noOpPassword)
        principal.setRole(dmRole.DM_USER_ROLE)
-        if self.adminGroupName is not None:
+        if self.adminRoleName is not None:
            principal.setRole(dmRole.DM_ADMIN_ROLE)
        return principal