Commit 4b904cf9 authored by Kostas Papadimitriou's avatar Kostas Papadimitriou
Browse files

Allow multiple login methods per account

parent 7b996d13
# Copyright 2011 GRNET S.A. All rights reserved.
#
# Redistribution and use in source and binary forms, with or
# without modification, are permitted provided that the following
# conditions are met:
#
# 1. Redistributions of source code must retain the above
# copyright notice, this list of conditions and the following
# disclaimer.
#
# 2. Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following
# disclaimer in the documentation and/or other materials
# provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY GRNET S.A. ``AS IS'' AND ANY EXPRESS
# OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL GRNET S.A OR
# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
# AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
# The views and conclusions contained in the software and
# documentation are those of the authors and should not be
# interpreted as representing official policies, either expressed
# or implied, of GRNET S.A.
from django.core.urlresolvers import reverse
from django.utils.translation import ugettext as _
from astakos.im import settings
import logging
logger = logging.getLogger(__name__)
# providers registry
PROVIDERS = {}
class AuthProviderBase(type):
def __new__(cls, name, bases, dct):
include = False
if [b for b in bases if isinstance(b, AuthProviderBase)]:
type_id = dct.get('module')
if type_id:
include = True
if type_id in settings.IM_MODULES:
dct['module_enabled'] = True
newcls = super(AuthProviderBase, cls).__new__(cls, name, bases, dct)
if include:
PROVIDERS[type_id] = newcls
return newcls
class AuthProvider(object):
__metaclass__ = AuthProviderBase
module = None
module_active = False
module_enabled = False
one_per_user = False
def __init__(self, user=None):
self.user = user
def get_setting(self, name, default=None):
attr = 'AUTH_PROVIDER_%s_%s' % (self.module.upper(), name.upper())
return getattr(settings, attr, default)
def is_available_for_login(self):
""" A user can login using authentication provider"""
return self.is_active() and self.get_setting('CAN_LOGIN',
self.is_active())
def is_available_for_create(self):
""" A user can create an account using this provider"""
return self.is_active() and self.get_setting('CAN_CREATE',
self.is_active())
def is_available_for_add(self):
""" A user can assign provider authentication method"""
return self.is_active() and self.get_setting('CAN_ADD',
self.is_active())
def is_active(self):
return self.module in settings.IM_MODULES
class LocalAuthProvider(AuthProvider):
module = 'local'
title = _('Local password')
description = _('Create a local password for your account')
@property
def add_url(self):
return reverse('password_change')
add_description = _('Create a local password for your account')
login_template = 'auth/local_login_form.html'
add_template = 'auth/local_add_action.html'
one_per_user = True
details_tpl = _('You can login to your account using your'
' %(auth_backend)s password.')
@property
def extra_actions(self):
return [(_('Change password'), reverse('password_change')), ]
class ShibbolethAuthProvider(AuthProvider):
module = 'shibboleth'
title = _('Academic credentials (Shibboleth)')
description = _('Allows you to login to your account using your academic '
'credentials')
@property
def add_url(self):
return reverse('astakos.im.target.shibboleth.login')
add_description = _('Allows you to login to your account using your academic '
'credentials')
login_template = 'auth/shibboleth_login_form.html'
add_template = 'auth/shibboleth_add_action.html'
details_tpl = _('You can login to your account using your'
' shibboleth credentials. Shibboleth id: %(identifier)s')
def get_provider(id, user_obj=None, default=None):
"""
Return a provider instance from the auth providers registry.
"""
return PROVIDERS.get(id, default)(user_obj)
......@@ -36,6 +36,7 @@ from astakos.im.settings import IM_MODULES, INVITATIONS_ENABLED, IM_STATIC_URL,
GLOBAL_MESSAGES, PROFILE_EXTRA_LINKS
from astakos.im.api.admin import get_menu
from astakos.im.util import get_query
from astakos.im.auth_providers import PROVIDERS as AUTH_PROVIDERS
from django.conf import settings
from django.core.urlresolvers import reverse
......@@ -44,6 +45,10 @@ from django.utils import simplejson as json
def im_modules(request):
return {'im_modules': IM_MODULES}
def auth_providers(request):
return {'auth_providers': filter(lambda p:p.module_enabled,
AUTH_PROVIDERS.itervalues())}
def next(request):
return {'next' : get_query(request).get('next', '')}
......
......@@ -47,6 +47,7 @@ from django.utils.safestring import mark_safe
from django.contrib import messages
from django.utils.encoding import smart_str
from django.forms.models import fields_for_model
from django.db import transaction
from astakos.im.models import (
AstakosUser, Invitation, get_latest_terms,
......@@ -55,8 +56,9 @@ from astakos.im.models import (
from astakos.im.settings import (INVITATIONS_PER_LEVEL, DEFAULT_FROM_EMAIL,
BASEURL, SITENAME, RECAPTCHA_PRIVATE_KEY, DEFAULT_CONTACT_EMAIL,
RECAPTCHA_ENABLED, LOGGING_LEVEL, PASSWORD_RESET_EMAIL_SUBJECT,
NEWPASSWD_INVALIDATE_TOKEN
NEWPASSWD_INVALIDATE_TOKEN, MODERATION_ENABLED
)
from astakos.im import settings
from astakos.im.widgets import DummyWidget, RecaptchaWidget
from astakos.im.functions import send_change_email
......@@ -70,7 +72,23 @@ from random import random
logger = logging.getLogger(__name__)
class LocalUserCreationForm(UserCreationForm):
class StoreUserMixin(object):
@transaction.commit_on_success
def store_user(self, user, request):
user.save()
self.post_store_user(user, request)
return user
def post_store_user(self, user, request):
"""
Interface method for descendant backends to be able to do stuff within
the transaction enabled by store_user.
"""
pass
class LocalUserCreationForm(UserCreationForm, StoreUserMixin):
"""
Extends the built in UserCreationForm in several ways:
......@@ -113,7 +131,7 @@ class LocalUserCreationForm(UserCreationForm):
mark_safe("I agree with %s" % terms_link_html)
def clean_email(self):
email = self.cleaned_data['email']
email = self.cleaned_data['email'].lower()
if not email:
raise forms.ValidationError(_("This field is required"))
if reserved_email(email):
......@@ -143,12 +161,21 @@ class LocalUserCreationForm(UserCreationForm):
if not check.is_valid:
raise forms.ValidationError(_('You have not entered the correct words'))
def post_store_user(self, user, request):
"""
Interface method for descendant backends to be able to do stuff within
the transaction enabled by store_user.
"""
user.add_auth_provider('local', auth_backend='astakos')
user.set_password(self.cleaned_data['password1'])
def save(self, commit=True):
"""
Saves the email, first_name and last_name properties, after the normal
save behavior is complete.
"""
user = super(LocalUserCreationForm, self).save(commit=False)
user.renew_token()
if commit:
user.save()
logger._log(LOGGING_LEVEL, 'Created user %s' % user.email, [])
......@@ -176,15 +203,14 @@ class InvitedLocalUserCreationForm(LocalUserCreationForm):
def save(self, commit=True):
user = super(InvitedLocalUserCreationForm, self).save(commit=False)
level = user.invitation.inviter.level + 1
user.level = level
user.invitations = INVITATIONS_PER_LEVEL.get(level, 0)
user.update_invitations_level()
user.email_verified = True
if commit:
user.save()
return user
class ThirdPartyUserCreationForm(forms.ModelForm):
class ThirdPartyUserCreationForm(forms.ModelForm, StoreUserMixin):
id = forms.CharField(
widget=forms.HiddenInput(),
label='',
......@@ -224,7 +250,7 @@ class ThirdPartyUserCreationForm(forms.ModelForm):
mark_safe("I agree with %s" % terms_link_html)
def clean_email(self):
email = self.cleaned_data['email']
email = self.cleaned_data['email'].lower()
if not email:
raise forms.ValidationError(_("This field is required"))
return email
......@@ -235,10 +261,19 @@ class ThirdPartyUserCreationForm(forms.ModelForm):
raise forms.ValidationError(_('You have to agree with the terms'))
return has_signed_terms
def post_store_user(self, user, request):
pending = PendingThirdPartyUser.objects.get(
token=request.POST.get('third_party_token'),
third_party_identifier= \
self.cleaned_data.get('third_party_identifier'))
return user.add_pending_auth_provider(pending)
def save(self, commit=True):
user = super(ThirdPartyUserCreationForm, self).save(commit=False)
user.set_unusable_password()
user.provider = get_query(self.request).get('provider')
user.is_local = False
user.renew_token()
if commit:
user.save()
logger._log(LOGGING_LEVEL, 'Created user %s' % user.email, [])
......@@ -261,9 +296,7 @@ class InvitedThirdPartyUserCreationForm(ThirdPartyUserCreationForm):
def save(self, commit=True):
user = super(InvitedThirdPartyUserCreationForm, self).save(commit=False)
level = user.invitation.inviter.level + 1
user.level = level
user.invitations = INVITATIONS_PER_LEVEL.get(level, 0)
user.set_invitation_level()
user.email_verified = True
if commit:
user.save()
......@@ -279,9 +312,9 @@ class ShibbolethUserCreationForm(ThirdPartyUserCreationForm):
field = self.fields[name]
self.initial['additional_email'] = self.initial.get(name, field.initial)
self.initial['email'] = None
def clean_email(self):
email = self.cleaned_data['email']
email = self.cleaned_data['email'].lower()
if self.instance:
if self.instance.email == email:
raise forms.ValidationError(_("This is your current email."))
......@@ -296,19 +329,7 @@ class ShibbolethUserCreationForm(ThirdPartyUserCreationForm):
raise forms.ValidationError(_("This email is already used"))
super(ShibbolethUserCreationForm, self).clean_email()
return email
def save(self, commit=True):
user = super(ShibbolethUserCreationForm, self).save(commit=False)
try:
p = PendingThirdPartyUser.objects.get(
provider=user.provider,
third_party_identifier=user.third_party_identifier
)
except:
pass
else:
p.delete()
return user
class InvitedShibbolethUserCreationForm(ShibbolethUserCreationForm, InvitedThirdPartyUserCreationForm):
pass
......@@ -433,8 +454,15 @@ class ExtendedPasswordResetForm(PasswordResetForm):
user = AstakosUser.objects.get(email=email, is_active=True)
if not user.has_usable_password():
raise forms.ValidationError(_("This account has not a usable password."))
if not user.can_change_password():
raise forms.ValidationError(_('Password change for this account'
' is not supported.'))
except AstakosUser.DoesNotExist, e:
raise forms.ValidationError(_('That e-mail address doesn\'t have an associated user account. Are you sure you\'ve registered?'))
raise forms.ValidationError(_('That e-mail address doesn\'t have an'
' associated user account. Are you sure'
' you\'ve registered?'))
return email
def save(self, domain_override=None, email_template_name='registration/password_reset_email.html',
......@@ -443,9 +471,7 @@ class ExtendedPasswordResetForm(PasswordResetForm):
Generates a one-use only link for resetting password and sends to the user.
"""
for user in self.users_cache:
url = reverse('django.contrib.auth.views.password_reset_confirm',
kwargs={'uidb36':int_to_base36(user.id),
'token':token_generator.make_token(user)})
url = user.astakosuser.get_password_reset_url(token_generator)
url = urljoin(BASEURL, url)
t = loader.get_template(email_template_name)
c = {
......@@ -468,7 +494,9 @@ class EmailChangeForm(forms.ModelForm):
def clean_new_email_address(self):
addr = self.cleaned_data['new_email_address']
if AstakosUser.objects.filter(email__iexact=addr):
raise forms.ValidationError(_(u'This email address is already in use. Please supply a different email address.'))
raise forms.ValidationError(_(u"This email address is already "
"in use. Please supply a "
"different email address."))
return addr
def save(self, email_template_name, request, commit=True):
......@@ -552,13 +580,17 @@ class ExtendedSetPasswordForm(SetPasswordForm):
def __init__(self, user, *args, **kwargs):
super(ExtendedSetPasswordForm, self).__init__(user, *args, **kwargs)
@transaction.commit_on_success()
def save(self, commit=True):
try:
self.user = AstakosUser.objects.get(id=self.user.id)
if NEWPASSWD_INVALIDATE_TOKEN or self.cleaned_data.get('renew'):
self.user.renew_token()
self.user.flush_sessions()
#self.user.flush_sessions()
if not self.user.has_auth_provider('local'):
self.user.add_auth_provider('local', auth_backend='astakos')
except BaseException, e:
logger.exception(e)
pass
......
......@@ -40,6 +40,7 @@ from time import asctime
from datetime import datetime, timedelta
from base64 import b64encode
from urlparse import urlparse
from urllib import quote
from random import randint
from django.db import models, IntegrityError
......@@ -51,19 +52,37 @@ from django.core.mail import send_mail
from django.db import transaction
from django.db.models.signals import post_save, pre_save, post_syncdb
from django.db.models import Q
from django.core.urlresolvers import reverse
from django.utils.http import int_to_base36
from django.contrib.auth.tokens import default_token_generator
from django.conf import settings
from django.utils.importlib import import_module
from django.core.validators import email_re
from astakos.im.settings import (
DEFAULT_USER_LEVEL, INVITATIONS_PER_LEVEL,
AUTH_TOKEN_DURATION, BILLING_FIELDS, QUEUE_CONNECTION, SITENAME,
EMAILCHANGE_ACTIVATION_DAYS, LOGGING_LEVEL
)
from astakos.im import auth_providers
QUEUE_CLIENT_ID = 3 # Astakos.
logger = logging.getLogger(__name__)
class AstakosUserManager(models.Manager):
def get_auth_provider_user(self, provider, **kwargs):
"""
Retrieve AstakosUser instance associated with the specified third party
id.
"""
kwargs = dict(map(lambda x: ('auth_providers__%s' % x[0], x[1]),
kwargs.iteritems()))
return self.get(auth_providers__module=provider, **kwargs)
class AstakosUser(User):
"""
Extends ``django.contrib.auth.models.User`` by defining additional fields.
......@@ -71,8 +90,18 @@ class AstakosUser(User):
# Use UserManager to get the create_user method, etc.
objects = UserManager()
affiliation = models.CharField('Affiliation', max_length=255, blank=True)
provider = models.CharField('Provider', max_length=255, blank=True)
affiliation = models.CharField('Affiliation', max_length=255, blank=True,
null=True)
# DEPRECATED FIELDS: provider, third_party_identifier moved in
# AstakosUserProvider model.
provider = models.CharField('Provider', max_length=255, blank=True,
null=True)
# ex. screen_name for twitter, eppn for shibboleth
third_party_identifier = models.CharField('Third-party identifier',
max_length=255, null=True,
blank=True)
#for invitations
user_level = DEFAULT_USER_LEVEL
......@@ -87,9 +116,6 @@ class AstakosUser(User):
updated = models.DateTimeField('Update date')
is_verified = models.BooleanField('Is verified?', default=False)
# ex. screen_name for twitter, eppn for shibboleth
third_party_identifier = models.CharField('Third-party identifier', max_length=255, null=True, blank=True)
email_verified = models.BooleanField('Email verified?', default=False)
has_credits = models.BooleanField('Has credits?', default=False)
......@@ -100,10 +126,9 @@ class AstakosUser(User):
__has_signed_terms = False
__groupnames = []
class Meta:
unique_together = ("provider", "third_party_identifier")
objects = AstakosUserManager()
def __init__(self, *args, **kwargs):
super(AstakosUser, self).__init__(*args, **kwargs)
self.__has_signed_terms = self.has_signed_terms
......@@ -145,13 +170,12 @@ class AstakosUser(User):
if not self.id:
# set username
while not self.username:
username = uuid.uuid4().hex[:30]
username = self.email
try:
AstakosUser.objects.get(username = username)
except AstakosUser.DoesNotExist, e:
self.username = username
if not self.provider:
self.provider = 'local'
report_user_event(self)
self.validate_unique_email_isactive()
if self.is_active and self.activation_sent:
......@@ -236,6 +260,148 @@ class AstakosUser(User):
return False
return True
def set_invitations_level(self):
"""
Update user invitation level
"""
level = self.invitation.inviter.level + 1
self.level = level
self.invitations = INVITATIONS_PER_LEVEL.get(level, 0)
def can_login_with_auth_provider(self, provider):
if not self.has_auth_provider(provider):
return False
else:
return auth_providers.get_provider(provider).is_available_for_login()
def can_add_provider(self, provider, **kwargs):
provider_settings = auth_providers.get_provider(provider)
if not provider_settings.is_available_for_login():
return False
if self.has_auth_provider(provider) and \
provider_settings.one_per_user:
return False
return True
def can_remove_auth_provider(self, provider):
if len(self.get_active_auth_providers()) <= 1:
return False
return True
def can_change_password(self):
return self.has_auth_provider('local', auth_backend='astakos')
def has_auth_provider(self, provider, **kwargs):
return bool(self.auth_providers.filter(module=provider,
**kwargs).count())
def add_auth_provider(self, provider, **kwargs):
self.auth_providers.create(module=provider, active=True, **kwargs)
def add_pending_auth_provider(self, pending):
"""
Convert PendingThirdPartyUser object to AstakosUserAuthProvider entry for
the current user.
"""
if not isinstance(pending, PendingThirdPartyUser):
pending = PendingThirdPartyUser.objects.get(token=pending)
provider = self.add_auth_provider(pending.provider,
identifier=pending.third_party_identifier)
if email_re.match(pending.email) and pending.email != self.email:
self.additionalmail_set.get_or_create(email=pending.email)
pending.delete()
return provider
def remove_auth_provider(self, provider, **kwargs):
self.auth_providers.get(module=provider, **kwargs).delete()
# user urls
def get_resend_activation_url(self):
return reverse('send_activation', {'user_id': self.pk})
def get_activation_url(self, nxt=False):
url = "%s?auth=%s" % (reverse('astakos.im.views.activate'),
quote(self.auth_token))
if nxt:
url += "&next=%s" % quote(nxt)
return url
def get_password_reset_url(self, token_generator=default_token_generator):
return reverse('django.contrib.auth.views.password_reset_confirm',
kwargs={'uidb36':int_to_base36(self.id),
'token':token_generator.make_token(self)})
def get_auth_providers(self):
return self.auth_providers.all()
def get_available_auth_providers(self):
"""
Returns a list of providers available for user to connect to.
"""
providers = []
for module, provider_settings in auth_providers.PROVIDERS.iteritems():
if self.can_add_provider(module):
providers.append(provider_settings(self))
return providers
def get_active_auth_providers(self):
providers = []
for provider in self.auth_providers.active():
if auth_providers.get_provider(provider.module).is_available_for_login():
providers.append(provider)
return providers
class AstakosUserAuthProviderManager(models.Manager):
def active(self):
return self.filter(active=True)
class AstakosUserAuthProvider(models.Model):
"""
Available user authentication methods.
"""
affiliation = models.CharField('Affiliation', max_length=255, blank=True,
null=True, default=None)
user = models.ForeignKey(AstakosUser, related_name='auth_providers')
module = models.CharField('Provider', max_length=255, blank=False,
default='local')
identifier = models.CharField('Third-party identifier',
max_length=255, null=True,
blank=True)