[Checkins] SVN: cipher.googlepam/trunk/ Support multiple Google groups.
Marius Gedminas
cvs-admin at zope.org
Tue Oct 9 08:37:07 UTC 2012
Log message for revision 127946:
Support multiple Google groups.
The authenticating user has to be a member of any one of the specified
groups for access to be allowed.
Changed:
U cipher.googlepam/trunk/CHANGES.txt
U cipher.googlepam/trunk/src/cipher/googlepam/googlepam.conf
U cipher.googlepam/trunk/src/cipher/googlepam/pam_google.py
U cipher.googlepam/trunk/src/cipher/googlepam/tests/test_doc.py
-=-
Modified: cipher.googlepam/trunk/CHANGES.txt
===================================================================
--- cipher.googlepam/trunk/CHANGES.txt 2012-10-08 18:03:00 UTC (rev 127945)
+++ cipher.googlepam/trunk/CHANGES.txt 2012-10-09 08:37:03 UTC (rev 127946)
@@ -1,10 +1,11 @@
CHANGES
=======
-1.4.1 (unreleased)
+1.5.0 (unreleased)
------------------
-- Nothing changed yet.
+- Support multiple Google groups. The authenticating user has to be a member
+ of any one of them for access to be allowed.
1.4.0 (2012-10-08)
Modified: cipher.googlepam/trunk/src/cipher/googlepam/googlepam.conf
===================================================================
--- cipher.googlepam/trunk/src/cipher/googlepam/googlepam.conf 2012-10-08 18:03:00 UTC (rev 127945)
+++ cipher.googlepam/trunk/src/cipher/googlepam/googlepam.conf 2012-10-09 08:37:03 UTC (rev 127946)
@@ -2,7 +2,7 @@
##domain=example.com
##admin-username=admin
##admin-password=good-pwd
-##group=group1
+##group=group1, group2
excludes = root
prompt = Google Password:
#cache = file
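Review bot: The sample line `##group=group1, group2` does not say how several groups combine, and for an access-control setting that matters: an administrator could read it as requiring membership in both groups. A comment above it would settle this, for example `## group: comma-separated list; membership in any one listed group is sufficient`. The rest of the file is outside the hunk, so an existing explanation elsewhere cannot be ruled out.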
Modified: cipher.googlepam/trunk/src/cipher/googlepam/pam_google.py
===================================================================
--- cipher.googlepam/trunk/src/cipher/googlepam/pam_google.py 2012-10-08 18:03:00 UTC (rev 127945)
+++ cipher.googlepam/trunk/src/cipher/googlepam/pam_google.py 2012-10-09 08:37:03 UTC (rev 127946)
@@ -229,8 +229,9 @@
# Note: We could do that check before asking for the password, but
# then we would give away the fact that the username is incorrect.
if self.config.has_option(SECTION_NAME, 'group'):
- group = self.config.get(SECTION_NAME, 'group')
- LOG.debug('Group found: %s', group)
+ groups = [g.strip() for g in
+ self.config.get(SECTION_NAME, 'group').split(',')]
+ LOG.debug('Groups found: %s', ', '.join(groups))
service = self.GroupsService(
domain=self.config.get(SECTION_NAME, 'domain'),
email=self._get_email(
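Review bot: The comprehension that builds `groups` keeps empty entries, so `group = group1,` or an empty `group =` puts `''` into the list, and that empty name is later passed to `service.IsMember`. How the groups service treats an empty group name is not visible here, so it is safer to drop blanks when parsing: `groups = [g.strip() for g in self.config.get(SECTION_NAME, 'group').split(',') if g.strip()]`. With that filter an all-blank value yields an empty list, and the `for ... else` in the following hunk then returns `PAM_AUTH_ERR`, so the check still fails closed. The enclosing method starts and ends outside this hunk.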
@@ -239,16 +240,21 @@
)
service.ProgrammaticLogin()
try:
- if not service.IsMember(self.pamh.user, group):
+ for group in groups:
+ if service.IsMember(self.pamh.user, group):
+ LOG.debug('User "%s" is a member of group "%s".',
+ self.pamh.user, group)
+ break
+ else:
LOG.info(
- 'User "%s" is not a member of group "%s".',
- self.pamh.user, group)
+ 'User "%s" is not a member of %s %s.',
+ self.pamh.user,
+ "group" if len(groups) == 1 else "any of groups",
+ ', '.join('"%s"' % group for group in groups))
return self.pamh.PAM_AUTH_ERR
except AppsForYourDomainException, err:
LOG.exception('Admin user has insufficient priviledges.')
return self.pamh.PAM_AUTH_ERR
- LOG.debug(
- 'User "%s" is a member of group "%s".', self.pamh.user, group)
service = self.AppsService(
domain=self.config.get(SECTION_NAME, 'domain'),
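Review bot: The `try` wraps the whole `for group in groups` loop, so an `AppsForYourDomainException` raised for one group returns `PAM_AUTH_ERR` without checking the remaining groups, and the log line does not say which group triggered it. Denying on error is the safe direction, but if `IsMember` raises for a misspelled or deleted group (not visible here), one bad entry would lock out members of the other groups with a message that points at admin privileges. Naming the group in the handler would make that diagnosable, e.g. `LOG.exception('Group membership check failed for group "%s".', group)`. The method continues outside the hunk.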
Modified: cipher.googlepam/trunk/src/cipher/googlepam/tests/test_doc.py
===================================================================
--- cipher.googlepam/trunk/src/cipher/googlepam/tests/test_doc.py 2012-10-08 18:03:00 UTC (rev 127945)
+++ cipher.googlepam/trunk/src/cipher/googlepam/tests/test_doc.py 2012-10-09 08:37:03 UTC (rev 127946)
@@ -93,6 +93,8 @@
return True
if username in ('user1', 'user2') and group == 'group2':
return True
+ if username == 'user4' and group == 'group3':
+ return True
return False
@@ -185,7 +187,7 @@
This test goes through all scenarios top to bottom.
- User is in exlcudes list:
+ User is in excludes list:
>>> pam.pamh = FakePamHandle('root', 'pwd')
>>> pam.authenticate()
@@ -269,6 +271,34 @@
"""
+def doctest_GooglePAM_authenticate_multiple_groups():
+ """class GooglePAM: authenticate()
+
+ >>> pam = pam_google.GooglePAM(
+ ... FakePamHandle(), 0,
+ ... ['script', '-c', os.path.join(HERE, 'multi-group.conf')])
+
+ User is in the wrong group:
+
+ >>> pam.pamh = FakePamHandle('user4', 'good-pwd')
+ >>> pam.authenticate()
+ INFO - User "user4" is not a member of any of groups "group1", "group2".
+ 9
+
+ Successful authentication:
+
+ >>> pam.pamh = FakePamHandle('user1', 'good-pwd')
+ >>> pam.authenticate()
+ INFO - Authentication succeeded: user1
+ 0
+
+ >>> pam.pamh = FakePamHandle('user2', 'good-pwd')
+ >>> pam.authenticate()
+ INFO - Authentication succeeded: user2
+ 0
+
+ """
+
def doctest_FileCache():
"""class FileCache
@@ -329,7 +359,7 @@
pam_google.GooglePAM.AppsService = FakeAppsService
test.orig_GroupsService = pam_google.GooglePAM.GroupsService
pam_google.GooglePAM.GroupsService = FakeGroupsService
- conf_file = os.path.join(os.path.dirname(__file__), 'googlepam.conf')
+ conf_file = os.path.join(HERE, 'googlepam.conf')
pam_google.parser.set_default('config_file', conf_file)
def tearDown(test):
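Review bot: `HERE` is used on the new `conf_file = os.path.join(HERE, 'googlepam.conf')` line and in the new `doctest_GooglePAM_authenticate_multiple_groups` doctest (previous hunk), but no hunk in this revision defines it, and the doctest loads `multi-group.conf`, which is not in the revision's changed-file list. If either is missing from the tree the new test fails at import or at config load, so it is worth confirming both are committed. The doctest also covers only the well-formed `group1, group2` case; a case with a trailing comma, or one where the group lookup raises, would pin the deny-on-error behaviour of the membership check. The enclosing function starts outside this hunk.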