[Checkins]
SVN: PluggableAuthService/branches/shh-authentication-caching/
Implemented authentication caching in PAS._extractUserIds.
Stefan H. Holek
stefan at epy.co.at
Mon Aug 14 14:11:01 EDT 2006
Log message for revision 69485:
Implemented authentication caching in PAS._extractUserIds.
Changed:
U PluggableAuthService/branches/shh-authentication-caching/PluggableAuthService.py
U PluggableAuthService/branches/shh-authentication-caching/tests/test_PluggableAuthService.py
A PluggableAuthService/branches/shh-authentication-caching/tests/test_utils.py
U PluggableAuthService/branches/shh-authentication-caching/utils.py
-=-
Modified: PluggableAuthService/branches/shh-authentication-caching/PluggableAuthService.py
===================================================================
--- PluggableAuthService/branches/shh-authentication-caching/PluggableAuthService.py 2006-08-14 17:58:09 UTC (rev 69484)
+++ PluggableAuthService/branches/shh-authentication-caching/PluggableAuthService.py 2006-08-14 18:11:00 UTC (rev 69485)
@@ -85,6 +85,7 @@
from PropertiedUser import PropertiedUser
from utils import _wwwdir
from utils import createViewName
+from utils import createKeywords
from utils import classImplements
security = ModuleSecurityInfo(
@@ -536,9 +537,6 @@
a user; accumulate a list of the IDs of such users over all
our authentication and extraction plugins.
"""
- result = []
- user_ids = []
-
try:
extractors = plugins.listPlugins( IExtractionPlugin )
except _SWALLOWABLE_PLUGIN_EXCEPTIONS:
@@ -554,6 +552,8 @@
logger.debug('Authenticator plugin listing error', exc_info=True)
authenticators = ()
+ result = []
+
for extractor_id, extractor in extractors:
try:
@@ -568,24 +568,32 @@
try:
credentials[ 'extractor' ] = extractor_id # XXX: in key?
+ # Test if ObjectCacheEntries.aggregateIndex would work
items = credentials.items()
items.sort()
except _SWALLOWABLE_PLUGIN_EXCEPTIONS:
logger.debug( 'Credentials error: %s' % credentials
, exc_info=True
)
- else:
- user_ids = []
+ continue
- if not user_ids:
+ # First try to authenticate against the emergency
+ # user and return immediately if authenticated
+ user_id, name = self._tryEmergencyUserAuthentication(
+ credentials )
- # first try to authenticate against the emergency
- # user, and return immediately if authenticated
- user_id, name = self._tryEmergencyUserAuthentication(
- credentials )
+ if user_id is not None:
+ return [ ( user_id, name ) ]
- if user_id is not None:
- return [ ( user_id, name ) ]
+ # Now see if the user ids can be retrieved from the cache
+ view_name = createViewName('_extractUserIds', credentials.get('login'))
+ keywords = createKeywords(**credentials)
+ user_ids = self.ZCacheable_get( view_name=view_name
+ , keywords=keywords
+ , default=None
+ )
+ if user_ids is None:
+ user_ids = []
for authenticator_id, auth in authenticators:
@@ -607,14 +615,20 @@
if user_id is not None:
user_ids.append( (user_id, info) )
+ if user_ids:
+ self.ZCacheable_set( user_ids
+ , view_name=view_name
+ , keywords=keywords
+ )
+
result.extend( user_ids )
- if not user_ids:
- user_id, name = self._tryEmergencyUserAuthentication(
- DumbHTTPExtractor().extractCredentials( request ) )
+ # Emergency user via HTTP basic auth always wins
+ user_id, name = self._tryEmergencyUserAuthentication(
+ DumbHTTPExtractor().extractCredentials( request ) )
- if user_id is not None:
- result.append( ( user_id, name ) )
+ if user_id is not None:
+ return [ ( user_id, name ) ]
return result
@@ -700,10 +714,8 @@
return self._emergency_user
# See if the user can be retrieved from the cache
- view_name = '_findUser-%s' % user_id
- keywords = { 'user_id' : user_id
- , 'name' : name
- }
+ view_name = createViewName('_findUser', user_id)
+ keywords = createKeywords(user_id=user_id, name=name)
user = self.ZCacheable_get( view_name=view_name
, keywords=keywords
, default=None
@@ -761,8 +773,9 @@
if criteria:
view_name = createViewName('_verifyUser', user_id or login)
+ keywords = createKeywords(**criteria)
cached_info = self.ZCacheable_get( view_name=view_name
- , keywords=criteria
+ , keywords=keywords
, default=None
)
@@ -780,7 +793,7 @@
# Put the computed value into the cache
self.ZCacheable_set( info[0]
, view_name=view_name
- , keywords=criteria
+ , keywords=keywords
)
return info[0]
@@ -928,6 +941,7 @@
for useradder_id, useradder in useradders:
if useradder.doAddUser( login, password ):
+ # XXX: Adds user to cache, but without roles...
user = self.getUser( login )
break
Modified: PluggableAuthService/branches/shh-authentication-caching/tests/test_PluggableAuthService.py
===================================================================
--- PluggableAuthService/branches/shh-authentication-caching/tests/test_PluggableAuthService.py 2006-08-14 17:58:09 UTC (rev 69484)
+++ PluggableAuthService/branches/shh-authentication-caching/tests/test_PluggableAuthService.py 2006-08-14 18:11:00 UTC (rev 69485)
@@ -572,7 +572,7 @@
self.assertEqual( user_ids[0][0], 'qux' )
self.assertEqual( user_ids[1][0], 'foo' )
- def test__extractUserIds_broken_extractor( self ):
+ def test__extractUserIds_broken_extractor_before_good_extractor( self ):
from Products.PluggableAuthService.interfaces.plugins \
import IExtractionPlugin, IAuthenticationPlugin
@@ -595,8 +595,8 @@
plugins = zcuf._getOb( 'plugins' )
- plugins.activatePlugin( IExtractionPlugin, 'borked' )
- plugins.activatePlugin( IExtractionPlugin, 'login' )
+ plugins.activatePlugin( IExtractionPlugin, 'borked' ) # 1
+ plugins.activatePlugin( IExtractionPlugin, 'login' ) # 2
plugins.activatePlugin( IAuthenticationPlugin, 'login' )
request = self._makeRequest( form={ 'login' : 'foo'
@@ -609,11 +609,48 @@
self.assertEqual( len( user_ids ), 1 )
self.assertEqual( user_ids[0][0], 'foo' )
- def test_authenticate_emergency_user_with_broken_extractor( self ):
+ def test__extractUserIds_broken_extractor_after_good_extractor( self ):
from Products.PluggableAuthService.interfaces.plugins \
import IExtractionPlugin, IAuthenticationPlugin
+ plugins = self._makePlugins()
+ zcuf = self._makeOne( plugins )
+
+ login = DummyPlugin()
+ directlyProvides( login, IExtractionPlugin, IAuthenticationPlugin )
+ login.extractCredentials = _extractLogin
+ login.authenticateCredentials = _authLogin
+
+ zcuf._setObject( 'login', login )
+
+ borked = DummyPlugin()
+ directlyProvides( borked, IExtractionPlugin )
+ borked.extractCredentials = lambda req: 'abc'
+
+ zcuf._setObject( 'borked', borked )
+
+ plugins = zcuf._getOb( 'plugins' )
+
+ plugins.activatePlugin( IExtractionPlugin, 'login' ) # 1
+ plugins.activatePlugin( IExtractionPlugin, 'borked' ) # 2
+ plugins.activatePlugin( IAuthenticationPlugin, 'login' )
+
+ request = self._makeRequest( form={ 'login' : 'foo'
+ , 'password' : 'bar' } )
+
+ user_ids = zcuf._extractUserIds( request=request
+ , plugins=zcuf.plugins
+ )
+
+ self.assertEqual( len( user_ids ), 1 )
+ self.assertEqual( user_ids[0][0], 'foo' )
+
+ def test__extractUserIds_authenticate_emergency_user_with_broken_extractor( self ):
+
+ from Products.PluggableAuthService.interfaces.plugins \
+ import IExtractionPlugin, IAuthenticationPlugin
+
from AccessControl.User import UnrestrictedUser
from Products.PluggableAuthService import PluggableAuthService
@@ -624,21 +661,61 @@
PluggableAuthService.emergency_user = eu
+ try:
+ plugins = self._makePlugins()
+ zcuf = self._makeOne( plugins )
+
+ borked = DummyPlugin()
+ directlyProvides( borked, IExtractionPlugin )
+ borked.extractCredentials = lambda req: 'abc'
+
+ zcuf._setObject( 'borked', borked )
+
+ plugins = zcuf._getOb( 'plugins' )
+
+ plugins.activatePlugin( IExtractionPlugin, 'borked' )
+
+ request = self._makeRequest( form={ 'login' : eu.getUserName()
+ , 'password' : eu._getPassword() } )
+
+ user_ids = zcuf._extractUserIds( request=request
+ , plugins=zcuf.plugins
+ )
+
+ self.assertEqual( len( user_ids ), 1 )
+ self.assertEqual( user_ids[0][0], 'foo' )
+ finally:
+ PluggableAuthService.emergency_user = old_eu
+
+ def test__extractUserIds_broken_authenticator_before_good_authenticator( self ):
+
+ from Products.PluggableAuthService.interfaces.plugins \
+ import IExtractionPlugin, IAuthenticationPlugin
+
plugins = self._makePlugins()
zcuf = self._makeOne( plugins )
+ login = DummyPlugin()
+ directlyProvides( login, IExtractionPlugin, IAuthenticationPlugin )
+ login.extractCredentials = _extractLogin
+ login.authenticateCredentials = _authLogin
+
+ zcuf._setObject( 'login', login )
+
borked = DummyPlugin()
- directlyProvides( borked, IExtractionPlugin )
- borked.extractCredentials = lambda req: 'abc'
+ directlyProvides( borked, IAuthenticationPlugin )
+ borked.authenticateCredentials = lambda creds: creds['nonesuch']
zcuf._setObject( 'borked', borked )
plugins = zcuf._getOb( 'plugins' )
- plugins.activatePlugin( IExtractionPlugin, 'borked' )
+ plugins.activatePlugin( IExtractionPlugin, 'login' )
+ plugins.activatePlugin( IAuthenticationPlugin, 'borked' ) # 1
+ plugins.activatePlugin( IAuthenticationPlugin, 'login' ) # 2
- request = self._makeRequest( form={ 'login' : eu.getUserName()
- , 'password' : eu._getPassword() } )
+ request = self._makeRequest( form={ 'login' : 'foo'
+ , 'password' : 'bar' } )
user_ids = zcuf._extractUserIds( request=request
, plugins=zcuf.plugins
@@ -647,10 +724,8 @@
self.assertEqual( len( user_ids ), 1 )
self.assertEqual( user_ids[0][0], 'foo' )
- PluggableAuthService.emergency_user = old_eu
+ def test__extractUserIds_broken_authenticator_after_good_authenticator( self ):
- def test__extractUserIds_broken_authenticator( self ):
-
from Products.PluggableAuthService.interfaces.plugins \
import IExtractionPlugin, IAuthenticationPlugin
@@ -673,8 +748,8 @@
plugins = zcuf._getOb( 'plugins' )
plugins.activatePlugin( IExtractionPlugin, 'login' )
- plugins.activatePlugin( IAuthenticationPlugin, 'borked' )
- plugins.activatePlugin( IAuthenticationPlugin, 'login' )
+ plugins.activatePlugin( IAuthenticationPlugin, 'login' ) # 1
+ plugins.activatePlugin( IAuthenticationPlugin, 'borked' ) # 2
request = self._makeRequest( form={ 'login' : 'foo'
, 'password' : 'bar' } )
@@ -686,6 +761,101 @@
self.assertEqual( len( user_ids ), 1 )
self.assertEqual( user_ids[0][0], 'foo' )
+ def test__extractUserIds_authenticate_emergency_user_with_broken_authenticator( self ):
+
+ from Products.PluggableAuthService.interfaces.plugins \
+ import IExtractionPlugin, IAuthenticationPlugin
+
+ from AccessControl.User import UnrestrictedUser
+
+ from Products.PluggableAuthService import PluggableAuthService
+
+ old_eu = PluggableAuthService.emergency_user
+
+ eu = UnrestrictedUser( 'foo', 'bar', ( 'manage', ), () )
+
+ PluggableAuthService.emergency_user = eu
+
+ try:
+ plugins = self._makePlugins()
+ zcuf = self._makeOne( plugins )
+
+ login = DummyPlugin()
+ directlyProvides( login, IExtractionPlugin )
+
+ # Make the first attempt at emergency user authentication fail
+ # (but not the extractor itself).
+ login.extractCredentials = lambda req: {'login': '', 'password': ''}
+
+ zcuf._setObject( 'login', login )
+
+ borked = DummyPlugin()
+ directlyProvides( borked, IAuthenticationPlugin )
+ borked.authenticateCredentials = lambda creds: creds['nonesuch']
+
+ zcuf._setObject( 'borked', borked )
+
+ plugins = zcuf._getOb( 'plugins' )
+
+ plugins.activatePlugin( IExtractionPlugin, 'login' )
+ plugins.activatePlugin( IAuthenticationPlugin, 'borked' )
+
+ request = self._makeRequest( form={ 'login' : eu.getUserName()
+ , 'password' : eu._getPassword() } )
+
+ user_ids = zcuf._extractUserIds( request=request
+ , plugins=zcuf.plugins
+ )
+
+ self.assertEqual( len( user_ids ), 1 )
+ self.assertEqual( user_ids[0][0], 'foo' )
+ finally:
+ PluggableAuthService.emergency_user = old_eu
+
+ def test__extractUserIds_emergency_user_always_wins( self ):
+
+ from Products.PluggableAuthService.interfaces.plugins \
+ import IExtractionPlugin, IAuthenticationPlugin
+
+ from AccessControl.User import UnrestrictedUser
+
+ from Products.PluggableAuthService import PluggableAuthService
+
+ old_eu = PluggableAuthService.emergency_user
+
+ eu = UnrestrictedUser( 'foo', 'bar', ( 'manage', ), () )
+
+ PluggableAuthService.emergency_user = eu
+
+ try:
+ plugins = self._makePlugins()
+ zcuf = self._makeOne( plugins )
+
+ login = DummyPlugin()
+ directlyProvides( login, IExtractionPlugin, IAuthenticationPlugin )
+ login.extractCredentials = lambda req: {'login': 'baz', 'password': ''}
+ login.authenticateCredentials = _authLogin
+
+ zcuf._setObject( 'login', login )
+
+ plugins = zcuf._getOb( 'plugins' )
+
+ plugins.activatePlugin( IExtractionPlugin, 'login' )
+ plugins.activatePlugin( IAuthenticationPlugin, 'login' )
+
+ request = self._makeRequest( form={ 'login' : eu.getUserName()
+ , 'password' : eu._getPassword() } )
+
+ # This should authenticate the emergency user and not 'baz'
+ user_ids = zcuf._extractUserIds( request=request
+ , plugins=zcuf.plugins
+ )
+
+ self.assertEqual( len( user_ids ), 1 )
+ self.assertEqual( user_ids[0][0], 'foo' )
+ finally:
+ PluggableAuthService.emergency_user = old_eu
+
def test__getObjectContext_no_steps( self ):
zcuf = self._makeOne()
Added: PluggableAuthService/branches/shh-authentication-caching/tests/test_utils.py
===================================================================
--- PluggableAuthService/branches/shh-authentication-caching/tests/test_utils.py 2006-08-14 17:58:09 UTC (rev 69484)
+++ PluggableAuthService/branches/shh-authentication-caching/tests/test_utils.py 2006-08-14 18:11:00 UTC (rev 69485)
@@ -0,0 +1,69 @@
+
+import unittest
+
+from Products.PluggableAuthService.utils import createViewName
+from Products.PluggableAuthService.utils import createKeywords
+
+
+class UtilityTests(unittest.TestCase):
+
+ def test_createViewName(self):
+ self.assertEqual(createViewName('foo', 'bar'), 'foo-bar')
+
+ def test_createViewName_no_user_handle(self):
+ self.assertEqual(createViewName('foo', None), 'foo')
+
+ def test_createViewName_latin1_umlaut_in_method(self):
+ self.assertEqual(createViewName('f\366o'), 'f\366o')
+
+ def test_createViewName_utf8_umlaut_in_method(self):
+ self.assertEqual(createViewName('f\303\266o'), 'f\303\266o')
+
+ def test_createViewName_unicode_umlaut_in_method(self):
+ self.assertEqual(createViewName(u'f\366o'), 'f\303\266o')
+
+ def test_createViewName_latin1_umlaut_in_handle(self):
+ self.assertEqual(createViewName('foo', 'b\344r'), 'foo-b\344r')
+
+ def test_createViewName_utf8_umlaut_in_handle(self):
+ self.assertEqual(createViewName('foo', 'b\303\244r'), 'foo-b\303\244r')
+
+ def test_createViewName_unicode_umlaut_in_handle(self):
+ self.assertEqual(createViewName('foo', u'b\344r'), 'foo-b\303\244r')
+
+ def test_createKeywords(self):
+ self.assertEqual(createKeywords(foo='bar'),
+ {'keywords': '8843d7f92416211de9ebb963ff4ce28125932878'})
+
+ def test_createKeywords_multiple(self):
+ self.assertEqual(createKeywords(foo='bar', baz='peng'),
+ {'keywords': '0237196c9a6c711223d087676671351510c265be'})
+
+ def test_createKeywords_latin1_umlaut(self):
+ self.assertEqual(createKeywords(foo='bar', baz='M\344dchen'),
+ {'keywords': '1a952e3797b287f60e034c19dacd0eca49c4f437'})
+
+ def test_createKeywords_utf8_umlaut(self):
+ self.assertEqual(createKeywords(foo='bar', baz='M\303\244dchen'),
+ {'keywords': '62e00b7ef8978f85194632b90e829006b0410472'})
+
+ def test_createKeywords_unicode_umlaut(self):
+ self.assertEqual(createKeywords(foo='bar', baz=u'M\344dchen'),
+ {'keywords': '62e00b7ef8978f85194632b90e829006b0410472'})
+
+ def test_createKeywords_utf16_umlaut(self):
+ self.assertEqual(createKeywords(foo='bar', baz=u'M\344dchen'.encode('utf-16')),
+ {'keywords': 'a884c1b0242a14f253e0e361ff1cee808eb18aff'})
+
+ def test_createKeywords_unicode_chinese(self):
+ self.assertEqual(createKeywords(foo='bar', baz=u'\u03a4\u03b6'),
+ {'keywords': '03b19dff4adbd3b8a2f158456f0f26efe35e1f2c'})
+
+
+def test_suite():
+ return unittest.TestSuite((
+ unittest.makeSuite(UtilityTests),
+ ))
+
+if __name__ == '__main__':
+ unittest.main(defaultTest='test_suite')
Property changes on: PluggableAuthService/branches/shh-authentication-caching/tests/test_utils.py
___________________________________________________________________
Name: svn:keywords
+ Author Date Id Revision
Name: svn:eol-style
+ native
Modified: PluggableAuthService/branches/shh-authentication-caching/utils.py
===================================================================
--- PluggableAuthService/branches/shh-authentication-caching/utils.py 2006-08-14 17:58:09 UTC (rev 69484)
+++ PluggableAuthService/branches/shh-authentication-caching/utils.py 2006-08-14 18:11:00 UTC (rev 69485)
@@ -13,6 +13,7 @@
#
##############################################################################
import os
+import sha
import unittest
from types import TupleType, ListType
@@ -197,13 +198,36 @@
return suite
+
+def makestr(s):
+ """Converts 's' to a non-Unicode string"""
+ if isinstance(s, unicode):
+ s = s.encode('utf-8')
+ return str(s)
+
def createViewName(method_name, user_handle=None):
"""
Centralized place for creating the "View Name" that identifies
- a ZCacheable record in a PASRAMCacheManager
+ a ZCacheable record in a RAMCacheManager
"""
if not user_handle:
- return method_name
+ return makestr(method_name)
else:
- return '%s-%s' % (method_name, user_handle)
+ return '%s-%s' % (makestr(method_name), makestr(user_handle))
+def createKeywords(**kw):
+ """
+ Centralized place for creating the keywords that identify
+ a ZCacheable record in a RAMCacheManager.
+
+ Keywords are hashed so we don't accidentally expose sensitive
+ information.
+ """
+ keywords = sha.new()
+
+ for k, v in kw.items():
+ keywords.update(makestr(k))
+ keywords.update(makestr(v))
+
+ return {'keywords': keywords.hexdigest()}
+
More information about the Checkins
mailing list