[Checkins] SVN: PluggableAuthService/branches/shh-authentication-caching/ Implemented authentication caching in PAS._extractUserIds.

Stefan H. Holek stefan at epy.co.at
Mon Aug 14 14:11:01 EDT 2006


Log message for revision 69485:
  Implemented authentication caching in PAS._extractUserIds.
  

Changed:
  U   PluggableAuthService/branches/shh-authentication-caching/PluggableAuthService.py
  U   PluggableAuthService/branches/shh-authentication-caching/tests/test_PluggableAuthService.py
  A   PluggableAuthService/branches/shh-authentication-caching/tests/test_utils.py
  U   PluggableAuthService/branches/shh-authentication-caching/utils.py

-=-
Modified: PluggableAuthService/branches/shh-authentication-caching/PluggableAuthService.py
===================================================================
--- PluggableAuthService/branches/shh-authentication-caching/PluggableAuthService.py	2006-08-14 17:58:09 UTC (rev 69484)
+++ PluggableAuthService/branches/shh-authentication-caching/PluggableAuthService.py	2006-08-14 18:11:00 UTC (rev 69485)
@@ -85,6 +85,7 @@
 from PropertiedUser import PropertiedUser
 from utils import _wwwdir
 from utils import createViewName
+from utils import createKeywords
 from utils import classImplements
 
 security = ModuleSecurityInfo(
@@ -536,9 +537,6 @@
           a user;  accumulate a list of the IDs of such users over all
           our authentication and extraction plugins.
         """
-        result = []
-        user_ids = []
-
         try:
             extractors = plugins.listPlugins( IExtractionPlugin )
         except _SWALLOWABLE_PLUGIN_EXCEPTIONS:
@@ -554,6 +552,8 @@
             logger.debug('Authenticator plugin listing error', exc_info=True)
             authenticators = ()
 
+        result = []
+
         for extractor_id, extractor in extractors:
 
             try:
@@ -568,24 +568,32 @@
 
                 try:
                     credentials[ 'extractor' ] = extractor_id # XXX: in key?
+                    # Test if ObjectCacheEntries.aggregateIndex would work
                     items = credentials.items()
                     items.sort()
                 except _SWALLOWABLE_PLUGIN_EXCEPTIONS:
                     logger.debug( 'Credentials error: %s' % credentials
                                 , exc_info=True
                                 )
-                else:
-                    user_ids = []
+                    continue
 
-                if not user_ids:
+                # First try to authenticate against the emergency
+                # user and return immediately if authenticated
+                user_id, name = self._tryEmergencyUserAuthentication(
+                                                            credentials )
 
-                    # first try to authenticate against the emergency
-                    # user, and return immediately if authenticated
-                    user_id, name = self._tryEmergencyUserAuthentication(
-                                                                credentials )
+                if user_id is not None:
+                    return [ ( user_id, name ) ]
 
-                    if user_id is not None:
-                        return [ ( user_id, name ) ]
+                # Now see if the user ids can be retrieved from the cache
+                view_name = createViewName('_extractUserIds', credentials.get('login'))
+                keywords = createKeywords(**credentials)
+                user_ids = self.ZCacheable_get( view_name=view_name
+                                              , keywords=keywords
+                                              , default=None
+                                              )
+                if user_ids is None:
+                    user_ids = []
 
                     for authenticator_id, auth in authenticators:
 
@@ -607,14 +615,20 @@
                         if user_id is not None:
                             user_ids.append( (user_id, info) )
 
+                    if user_ids:
+                        self.ZCacheable_set( user_ids
+                                           , view_name=view_name
+                                           , keywords=keywords
+                                           )
+
                 result.extend( user_ids )
 
-        if not user_ids:
-            user_id, name = self._tryEmergencyUserAuthentication(
-                    DumbHTTPExtractor().extractCredentials( request ) )
+        # Emergency user via HTTP basic auth always wins
+        user_id, name = self._tryEmergencyUserAuthentication(
+                DumbHTTPExtractor().extractCredentials( request ) )
 
-            if user_id is not None:
-                result.append( ( user_id, name ) )
+        if user_id is not None:
+            return [ ( user_id, name ) ]
 
         return result
 
@@ -700,10 +714,8 @@
             return self._emergency_user
 
         # See if the user can be retrieved from the cache
-        view_name = '_findUser-%s' % user_id
-        keywords = { 'user_id' : user_id
-                   , 'name' : name
-                   }
+        view_name = createViewName('_findUser', user_id)
+        keywords = createKeywords(user_id=user_id, name=name)
         user = self.ZCacheable_get( view_name=view_name
                                   , keywords=keywords
                                   , default=None
@@ -761,8 +773,9 @@
 
         if criteria:
             view_name = createViewName('_verifyUser', user_id or login)
+            keywords = createKeywords(**criteria)
             cached_info = self.ZCacheable_get( view_name=view_name
-                                             , keywords=criteria
+                                             , keywords=keywords
                                              , default=None
                                              )
 
@@ -780,7 +793,7 @@
                         # Put the computed value into the cache
                         self.ZCacheable_set( info[0]
                                            , view_name=view_name
-                                           , keywords=criteria
+                                           , keywords=keywords
                                            )
                         return info[0]
 
@@ -928,6 +941,7 @@
 
         for useradder_id, useradder in useradders:
             if useradder.doAddUser( login, password ):
+                # XXX: Adds user to cache, but without roles...
                 user = self.getUser( login )
                 break
 

Modified: PluggableAuthService/branches/shh-authentication-caching/tests/test_PluggableAuthService.py
===================================================================
--- PluggableAuthService/branches/shh-authentication-caching/tests/test_PluggableAuthService.py	2006-08-14 17:58:09 UTC (rev 69484)
+++ PluggableAuthService/branches/shh-authentication-caching/tests/test_PluggableAuthService.py	2006-08-14 18:11:00 UTC (rev 69485)
@@ -572,7 +572,7 @@
         self.assertEqual( user_ids[0][0], 'qux' )
         self.assertEqual( user_ids[1][0], 'foo' )
 
-    def test__extractUserIds_broken_extractor( self ):
+    def test__extractUserIds_broken_extractor_before_good_extractor( self ):
 
         from Products.PluggableAuthService.interfaces.plugins \
             import IExtractionPlugin, IAuthenticationPlugin
@@ -595,8 +595,8 @@
 
         plugins = zcuf._getOb( 'plugins' )
 
-        plugins.activatePlugin( IExtractionPlugin, 'borked' )
-        plugins.activatePlugin( IExtractionPlugin, 'login' )
+        plugins.activatePlugin( IExtractionPlugin, 'borked' )   # 1
+        plugins.activatePlugin( IExtractionPlugin, 'login' )    # 2
         plugins.activatePlugin( IAuthenticationPlugin, 'login' )
 
         request = self._makeRequest( form={ 'login' : 'foo'
@@ -609,11 +609,48 @@
         self.assertEqual( len( user_ids ), 1 )
         self.assertEqual( user_ids[0][0], 'foo' )
 
-    def test_authenticate_emergency_user_with_broken_extractor( self ):
+    def test__extractUserIds_broken_extractor_after_good_extractor( self ):
 
         from Products.PluggableAuthService.interfaces.plugins \
             import IExtractionPlugin, IAuthenticationPlugin
 
+        plugins = self._makePlugins()
+        zcuf = self._makeOne( plugins )
+
+        login = DummyPlugin()
+        directlyProvides( login, IExtractionPlugin, IAuthenticationPlugin )
+        login.extractCredentials = _extractLogin
+        login.authenticateCredentials = _authLogin
+
+        zcuf._setObject( 'login', login )
+
+        borked = DummyPlugin()
+        directlyProvides( borked, IExtractionPlugin )
+        borked.extractCredentials = lambda req: 'abc'
+
+        zcuf._setObject( 'borked', borked )
+
+        plugins = zcuf._getOb( 'plugins' )
+
+        plugins.activatePlugin( IExtractionPlugin, 'login' )    # 1
+        plugins.activatePlugin( IExtractionPlugin, 'borked' )   # 2
+        plugins.activatePlugin( IAuthenticationPlugin, 'login' )
+
+        request = self._makeRequest( form={ 'login' : 'foo'
+                                          , 'password' : 'bar' } )
+
+        user_ids = zcuf._extractUserIds( request=request
+                                       , plugins=zcuf.plugins
+                                       )
+
+        self.assertEqual( len( user_ids ), 1 )
+        self.assertEqual( user_ids[0][0], 'foo' )
+
+    def test__extractUserIds_authenticate_emergency_user_with_broken_extractor( self ):
+
+        from Products.PluggableAuthService.interfaces.plugins \
+            import IExtractionPlugin, IAuthenticationPlugin
+
         from AccessControl.User import UnrestrictedUser
 
         from Products.PluggableAuthService import PluggableAuthService
@@ -624,21 +661,61 @@
 
         PluggableAuthService.emergency_user = eu
 
+        try:
+            plugins = self._makePlugins()
+            zcuf = self._makeOne( plugins )
+
+            borked = DummyPlugin()
+            directlyProvides( borked, IExtractionPlugin )
+            borked.extractCredentials = lambda req: 'abc'
+
+            zcuf._setObject( 'borked', borked )
+
+            plugins = zcuf._getOb( 'plugins' )
+
+            plugins.activatePlugin( IExtractionPlugin, 'borked' )
+
+            request = self._makeRequest( form={ 'login' : eu.getUserName()
+                                              , 'password' : eu._getPassword() } )
+
+            user_ids = zcuf._extractUserIds( request=request
+                                           , plugins=zcuf.plugins
+                                           )
+
+            self.assertEqual( len( user_ids ), 1 )
+            self.assertEqual( user_ids[0][0], 'foo' )
+        finally:
+            PluggableAuthService.emergency_user = old_eu
+
+    def test__extractUserIds_broken_authenticator_before_good_authenticator( self ):
+
+        from Products.PluggableAuthService.interfaces.plugins \
+            import IExtractionPlugin, IAuthenticationPlugin
+
         plugins = self._makePlugins()
         zcuf = self._makeOne( plugins )
 
+        login = DummyPlugin()
+        directlyProvides( login, IExtractionPlugin, IAuthenticationPlugin )
+        login.extractCredentials = _extractLogin
+        login.authenticateCredentials = _authLogin
+
+        zcuf._setObject( 'login', login )
+
         borked = DummyPlugin()
-        directlyProvides( borked, IExtractionPlugin )
-        borked.extractCredentials = lambda req: 'abc'
+        directlyProvides( borked, IAuthenticationPlugin )
+        borked.authenticateCredentials = lambda creds: creds['nonesuch']
 
         zcuf._setObject( 'borked', borked )
 
         plugins = zcuf._getOb( 'plugins' )
 
-        plugins.activatePlugin( IExtractionPlugin, 'borked' )
+        plugins.activatePlugin( IExtractionPlugin, 'login' )
+        plugins.activatePlugin( IAuthenticationPlugin, 'borked' )   # 1
+        plugins.activatePlugin( IAuthenticationPlugin, 'login' )    # 2
 
-        request = self._makeRequest( form={ 'login' : eu.getUserName()
-                                          , 'password' : eu._getPassword() } )
+        request = self._makeRequest( form={ 'login' : 'foo'
+                                          , 'password' : 'bar' } )
 
         user_ids = zcuf._extractUserIds( request=request
                                        , plugins=zcuf.plugins
@@ -647,10 +724,8 @@
         self.assertEqual( len( user_ids ), 1 )
         self.assertEqual( user_ids[0][0], 'foo' )
 
-        PluggableAuthService.emergency_user = old_eu
+    def test__extractUserIds_broken_authenticator_after_good_authenticator( self ):
 
-    def test__extractUserIds_broken_authenticator( self ):
-
         from Products.PluggableAuthService.interfaces.plugins \
             import IExtractionPlugin, IAuthenticationPlugin
 
@@ -673,8 +748,8 @@
         plugins = zcuf._getOb( 'plugins' )
 
         plugins.activatePlugin( IExtractionPlugin, 'login' )
-        plugins.activatePlugin( IAuthenticationPlugin, 'borked' )
-        plugins.activatePlugin( IAuthenticationPlugin, 'login' )
+        plugins.activatePlugin( IAuthenticationPlugin, 'login' )    # 1
+        plugins.activatePlugin( IAuthenticationPlugin, 'borked' )   # 2
 
         request = self._makeRequest( form={ 'login' : 'foo'
                                           , 'password' : 'bar' } )
@@ -686,6 +761,101 @@
         self.assertEqual( len( user_ids ), 1 )
         self.assertEqual( user_ids[0][0], 'foo' )
 
+    def test__extractUserIds_authenticate_emergency_user_with_broken_authenticator( self ):
+
+        from Products.PluggableAuthService.interfaces.plugins \
+            import IExtractionPlugin, IAuthenticationPlugin
+
+        from AccessControl.User import UnrestrictedUser
+
+        from Products.PluggableAuthService import PluggableAuthService
+
+        old_eu = PluggableAuthService.emergency_user
+
+        eu = UnrestrictedUser( 'foo', 'bar', ( 'manage', ), () )
+
+        PluggableAuthService.emergency_user = eu
+
+        try:
+            plugins = self._makePlugins()
+            zcuf = self._makeOne( plugins )
+
+            login = DummyPlugin()
+            directlyProvides( login, IExtractionPlugin )
+
+            # Make the first attempt at emergency user authentication fail
+            # (but not the extractor itself).
+            login.extractCredentials = lambda req: {'login': '', 'password': ''}
+
+            zcuf._setObject( 'login', login )
+
+            borked = DummyPlugin()
+            directlyProvides( borked, IAuthenticationPlugin )
+            borked.authenticateCredentials = lambda creds: creds['nonesuch']
+
+            zcuf._setObject( 'borked', borked )
+
+            plugins = zcuf._getOb( 'plugins' )
+
+            plugins.activatePlugin( IExtractionPlugin, 'login' )
+            plugins.activatePlugin( IAuthenticationPlugin, 'borked' )
+
+            request = self._makeRequest( form={ 'login' : eu.getUserName()
+                                              , 'password' : eu._getPassword() } )
+
+            user_ids = zcuf._extractUserIds( request=request
+                                           , plugins=zcuf.plugins
+                                           )
+
+            self.assertEqual( len( user_ids ), 1 )
+            self.assertEqual( user_ids[0][0], 'foo' )
+        finally:
+            PluggableAuthService.emergency_user = old_eu
+
+    def test__extractUserIds_emergency_user_always_wins( self ):
+
+        from Products.PluggableAuthService.interfaces.plugins \
+            import IExtractionPlugin, IAuthenticationPlugin
+
+        from AccessControl.User import UnrestrictedUser
+
+        from Products.PluggableAuthService import PluggableAuthService
+
+        old_eu = PluggableAuthService.emergency_user
+
+        eu = UnrestrictedUser( 'foo', 'bar', ( 'manage', ), () )
+
+        PluggableAuthService.emergency_user = eu
+
+        try:
+            plugins = self._makePlugins()
+            zcuf = self._makeOne( plugins )
+
+            login = DummyPlugin()
+            directlyProvides( login, IExtractionPlugin, IAuthenticationPlugin )
+            login.extractCredentials = lambda req: {'login': 'baz', 'password': ''}
+            login.authenticateCredentials = _authLogin
+
+            zcuf._setObject( 'login', login )
+
+            plugins = zcuf._getOb( 'plugins' )
+
+            plugins.activatePlugin( IExtractionPlugin, 'login' )
+            plugins.activatePlugin( IAuthenticationPlugin, 'login' )
+
+            request = self._makeRequest( form={ 'login' : eu.getUserName()
+                                              , 'password' : eu._getPassword() } )
+
+            # This should authenticate the emergency user and not 'baz'
+            user_ids = zcuf._extractUserIds( request=request
+                                           , plugins=zcuf.plugins
+                                           )
+
+            self.assertEqual( len( user_ids ), 1 )
+            self.assertEqual( user_ids[0][0], 'foo' )
+        finally:
+            PluggableAuthService.emergency_user = old_eu
+
     def test__getObjectContext_no_steps( self ):
 
         zcuf = self._makeOne()

Added: PluggableAuthService/branches/shh-authentication-caching/tests/test_utils.py
===================================================================
--- PluggableAuthService/branches/shh-authentication-caching/tests/test_utils.py	2006-08-14 17:58:09 UTC (rev 69484)
+++ PluggableAuthService/branches/shh-authentication-caching/tests/test_utils.py	2006-08-14 18:11:00 UTC (rev 69485)
@@ -0,0 +1,69 @@
+
+import unittest
+
+from Products.PluggableAuthService.utils import createViewName
+from Products.PluggableAuthService.utils import createKeywords
+
+
+class UtilityTests(unittest.TestCase):
+
+    def test_createViewName(self):
+        self.assertEqual(createViewName('foo', 'bar'), 'foo-bar')
+
+    def test_createViewName_no_user_handle(self):
+        self.assertEqual(createViewName('foo', None), 'foo')
+
+    def test_createViewName_latin1_umlaut_in_method(self):
+        self.assertEqual(createViewName('f\366o'), 'f\366o')
+
+    def test_createViewName_utf8_umlaut_in_method(self):
+        self.assertEqual(createViewName('f\303\266o'), 'f\303\266o')
+
+    def test_createViewName_unicode_umlaut_in_method(self):
+        self.assertEqual(createViewName(u'f\366o'), 'f\303\266o')
+
+    def test_createViewName_latin1_umlaut_in_handle(self):
+        self.assertEqual(createViewName('foo', 'b\344r'), 'foo-b\344r')
+
+    def test_createViewName_utf8_umlaut_in_handle(self):
+        self.assertEqual(createViewName('foo', 'b\303\244r'), 'foo-b\303\244r')
+
+    def test_createViewName_unicode_umlaut_in_handle(self):
+        self.assertEqual(createViewName('foo', u'b\344r'), 'foo-b\303\244r')
+
+    def test_createKeywords(self):
+        self.assertEqual(createKeywords(foo='bar'),
+                {'keywords': '8843d7f92416211de9ebb963ff4ce28125932878'})
+
+    def test_createKeywords_multiple(self):
+        self.assertEqual(createKeywords(foo='bar', baz='peng'),
+                {'keywords': '0237196c9a6c711223d087676671351510c265be'})
+
+    def test_createKeywords_latin1_umlaut(self):
+        self.assertEqual(createKeywords(foo='bar', baz='M\344dchen'),
+                {'keywords': '1a952e3797b287f60e034c19dacd0eca49c4f437'})
+
+    def test_createKeywords_utf8_umlaut(self):
+        self.assertEqual(createKeywords(foo='bar', baz='M\303\244dchen'),
+                {'keywords': '62e00b7ef8978f85194632b90e829006b0410472'})
+
+    def test_createKeywords_unicode_umlaut(self):
+        self.assertEqual(createKeywords(foo='bar', baz=u'M\344dchen'),
+                {'keywords': '62e00b7ef8978f85194632b90e829006b0410472'})
+
+    def test_createKeywords_utf16_umlaut(self):
+        self.assertEqual(createKeywords(foo='bar', baz=u'M\344dchen'.encode('utf-16')),
+                {'keywords': 'a884c1b0242a14f253e0e361ff1cee808eb18aff'})
+
+    def test_createKeywords_unicode_chinese(self):
+        self.assertEqual(createKeywords(foo='bar', baz=u'\u03a4\u03b6'),
+                {'keywords': '03b19dff4adbd3b8a2f158456f0f26efe35e1f2c'})
+
+
+def test_suite():
+    return unittest.TestSuite((
+        unittest.makeSuite(UtilityTests),
+    ))
+
+if __name__ == '__main__':
+    unittest.main(defaultTest='test_suite')


Property changes on: PluggableAuthService/branches/shh-authentication-caching/tests/test_utils.py
___________________________________________________________________
Name: svn:keywords
   + Author Date Id Revision
Name: svn:eol-style
   + native

Modified: PluggableAuthService/branches/shh-authentication-caching/utils.py
===================================================================
--- PluggableAuthService/branches/shh-authentication-caching/utils.py	2006-08-14 17:58:09 UTC (rev 69484)
+++ PluggableAuthService/branches/shh-authentication-caching/utils.py	2006-08-14 18:11:00 UTC (rev 69485)
@@ -13,6 +13,7 @@
 #
 ##############################################################################
 import os
+import sha
 import unittest
 from types import TupleType, ListType
 
@@ -197,13 +198,36 @@
 
     return suite
 
+
+def makestr(s):
+    """Converts 's' to a non-Unicode string"""
+    if isinstance(s, unicode):
+        s = s.encode('utf-8')
+    return str(s)
+
 def createViewName(method_name, user_handle=None):
     """
         Centralized place for creating the "View Name" that identifies
-        a ZCacheable record in a PASRAMCacheManager
+        a ZCacheable record in a RAMCacheManager
     """
     if not user_handle:
-        return method_name
+        return makestr(method_name)
     else:
-        return '%s-%s' % (method_name, user_handle)
+        return '%s-%s' % (makestr(method_name), makestr(user_handle))
 
+def createKeywords(**kw):
+    """
+        Centralized place for creating the keywords that identify
+        a ZCacheable record in a RAMCacheManager.
+
+        Keywords are hashed so we don't accidentally expose sensitive
+        information.
+    """
+    keywords = sha.new()
+
+    for k, v in kw.items():
+        keywords.update(makestr(k))
+        keywords.update(makestr(v))
+
+    return {'keywords': keywords.hexdigest()}
+



More information about the Checkins mailing list