auth_pam.py 2.39 KB
Newer Older
ale's avatar
ale committed
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44
# Copyright (c) 2008 Autistici/Inventati <info@autistici.org>
#
# Permission is hereby granted, free of charge, to any person
# obtaining a copy of this software and associated documentation
# files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use,
# copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the
# Software is furnished to do so, subject to the following
# conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
# OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
# HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
# OTHER DEALINGS IN THE SOFTWARE.

import PAM
import logging
import pwd
import grp
from sso_server.auth import AuthBase

log = logging.getLogger(__name__)


def get_user_groups(username):
    pwent = pwd.getpwnam(username)
    groups = set([grp.getgrgid(pwent[3])[0]])
    for grent in grp.getgrall():
        if username in grent[3]:
            groups.add(grent[0])
    return groups


class Auth(AuthBase):
    """PAM-based authentication.

45 46 47 48
    Uses PAM to authenticate users. The default service is 'sso', but you can
    use a different one specifying the AUTH_PAM_SERVICE variable in the
    configuration.

ale's avatar
ale committed
49 50 51
    """

    def __init__(self, config):
52
        self.service = config.get('AUTH_PAM_SERVICE', 'sso')
ale's avatar
ale committed
53

54
    def authenticate(self, username, password, otp=None):
ale's avatar
ale committed
55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71
        pam = PAM.pam()
        pam.start(self.service)
        pam.set_item(PAM.PAM_USER, username)
        def fake_conv(auth, queryList, userdata):
            return [(password, 0)]
        pam.set_item(PAM.PAM_CONV, fake_conv)
        try:
            pam.authenticate()
            pam.acct_mgmt()
            return True
        except PAM.error, resp:
            log.error('PAM auth failed: %s', resp)
            return False

    def match_groups(self, username, groups):
        user_groups = get_user_groups(username)
        return user_groups.intersection(groups)